IPv4 Packet Header

The IPv4 packet header has quite some fields. In this lesson we’ll take a look at them and I’ll explain what everything is used for. Take a look at this picture:

IP packet header fields

Let’s walk through all these fields:

  • Version: the first field tells us which IP version we are using, only IPv4 uses this header so you will always find decimal value 4 here.
  • Header Length: this 4 bit field tells us the length of the IP header in 32 bit increments. The minimum length of an IP header is 20 bytes so with 32 bit increments, you would see value of 5 here. The maximum value we can create with 4 bits is 15 so with 32 bit increments, that would be a header length of 60 bytes. This field is also called the Internet Header Length (IHL).
  • Type of Service: this is used for QoS (Quality of Service). There are 8 bits that we can use to mark the packet which we can use to give the packet a certain treatment. You can read more about this field in my IP precedence and DSCP tutorial.
  • Total Length: this 16-bit field indicates the entire size of the IP packet (header and data) in bytes. The minimum size is 20 bytes (if you have no data) and the maximum size is 65.535 bytes, that’s the highest value you can create with 16 bits.
  • Identification: If the IP packet is fragmented then each fragmented packet will use the same 16 bit identification number to identify to which IP packet they belong to.
  • IP Flags: These 3 bits are used for fragmentation:
    • The first bit is always set to 0.
    • The second bit is called the DF (Don’t Fragment) bit and indicates that this packet should not be fragmented.
    • The third bit is called the MF (More Fragments) bit and is set on all fragmented packets except the last one.
  • Fragment Offset: this 13 bit field specifies the position of the fragment in the original fragmented IP packet.
  • Time to Live: Everytime an IP packet passes through a router, the time to live field is decremented by 1. Once it hits 0 the router will drop the packet and sends an ICMP time exceeded message to the sender. The time to live field has 8 bits and is used to prevent packets from looping around forever (if you have a routing loop).
  • Protocol: this 8 bit field tells us which protocol is enapsulated in the IP packet, for example TCP has value 6 and UDP has value 17.
  • Header Checksum: this 16 bit field is used to store a checksum of the header. The receiver can use the checksum to check if there are any errors in the header.
  • Source Address: here you will find the 32 bit source IP address.
  • Destination Address: and here’s the 32 bit destination IP address.
  • IP Option: this field is not used often, is optional and has a variable length based on the options that were used. When you use this field, the value in the header length field will increase. An example of a possible option is “source route” where the sender requests for a certain routing path.

Here’s a real life example of an IP packet in Wireshark where you can see how these fields are used:

Wireshark Capture IP Header Fields

I hope this lesson has been helpful to understand the different fields in the IPv4 packet header. If you have any questions, feel free to leave a comment in our forum.

Forum Replies

  1. Hi Hamood,

    Glad to hear it was useful!


  2. Abhishek,
    I would recommend you check out Rene’s lesson on QoS Classification. In this lesson, you will discover that there are all kinds of tools at your disposal to be able to identify, classify, and mark traffic for QoS treatment throughout your network. It is rarely the case, for the reasons you brought up, that a simplistic approach of using just IP addresses is used.

    As for your second question, you are essentially asking about what QoS is meant to do as a whole (so there isn’t a quick, easy answer). The key to getting QoS working properly relies on th

    ... Continue reading in our forum

  3. The text below has also to be corrected.

    _> The first 3 bits are used to define the class and the next 3 bits are used to define the drop probability. Here are all the possible values that we can use:_

    Only 2 bits are used for drop probability, the 6th bit is ignored.

  4. Hello Maodo

    According to RFC2474 it speaks about the DS field:

       Implementors should note that the DSCP field is six bits wide.  DS-
       compliant nodes MUST select PHBs by matching against the entire 6-bit
       DSCP field, e.g., by treating the value of the field as a table index
       which is used to select a particular packet handling mechanism which
       has been implemented in that device.  The value of the CU field MUST
       be ignored by PHB selection.  

    It says that the entire 6-bit field must be used. The bits in question are bits 0 to 5 (a total of six bits

    ... Continue reading in our forum

  5. Hello Muhammad

    The rest of the lesson deals with Per Hop Behaviour. Essentially, this just refers to the way or the behaviour with which each router (per hop) will deal with a packet when it receives it based on the code point values found within the DS field. So when we talk about PHB it really means how the router will handle the particular packet compared to all the rest it receives whenever there is congestion.

    The default PHB has a DSCP value of zero or 000000. Such packets are treated as best effort, meaning, first come first serve. No special treatme

    ... Continue reading in our forum

37 more replies! Ask a question or join the discussion by visiting our Community Forum