An IP packet (datagram) consists of a header and a payload. The IPv4 header size is variable (from a minimum of 20 bytes to a maximum of 60 bytes), whereas the IPv6 header size is fixed at 40 bytes. This article discusses only the IPv4 header in detail.
The header of an IP packet contains information such as the source IP, destination IP and TTL, which is necessary for routing and delivery of the packet. The payload contains the upper-layer headers (TCP, UDP, HTTP etc.) and the user data.
Below is the format of an IPv4 header.
Version (4 bits): This field defines the version of IP. The value is 4 (0100 in binary) for IPv4.
Internet Header Length (4 bits): As the size of an IPv4 header is variable, the header has to state its own size. This field defines the total size of the IP header in 4-byte words (32-bit words).
When the options field is not used in the header, the value of this field is 5, representing 20 bytes (5 * 4-byte words = 20 bytes). Note that 5 is the minimum value for a correct IP header.
When the options field is used to its maximum, the size of the header is 60 bytes. To represent this, the value of HLEN is 15 (15 * 4-byte words = 60 bytes). Note that 15 is the maximum value for a correct IP header.
TOS (8 bits): This field defines how a packet should be treated once it reaches a device, and consists of 2 parts. The first part (6 bits) is called DSCP (Differentiated Services Code Point) and the last part (2 bits) is called ECN (Explicit Congestion Notification).
Note: The first 3 bits of the DSCP are called Precedence.
Total length (16 bits): This field specifies the total size of the IP packet (including header and payload) in bytes. So, the maximum size of an IP packet is (2^16)-1 = 65535 bytes. In practice, not all networks/hosts are capable of handling such a large datagram, so packets are generally much smaller than this. All devices are required to be able to handle datagrams of size up to 576 bytes.
Identification (16 bits): This is a unique value assigned to a packet, which helps in reassembling the fragments of the packet at the destination device. All the fragments of a single packet must have the same Identification value.
Flags (3 bits): The first bit is reserved and not in use (must be ‘0’), the second bit is called DF (Don’t Fragment) and the last bit is called MF (More Fragments). This field is generally used in fragmentation.
DF (Don’t Fragment): If the DF bit is set to 1 and the processing device needs to fragment the packet, then the packet is discarded and the processing device sends an ICMP error message to the source. This is used for Path MTU discovery and also when the destination does not have enough resources to handle the reassembly of the fragments.
MF (More Fragments): If the value of this bit is 0, then the packet is either unfragmented or the last fragment of a fragmented IP packet. If the value of this bit is 1, then the packet has been fragmented and there are more fragments after this one.
Fragment offset (13 bits): This field represents the relative position of this fragment with respect to the beginning of the original unfragmented IP packet, in units of 8 bytes.
TTL (8 bits): TTL (time to live) is the number of hops/routers a packet can traverse before it is discarded. The idea behind TTL is to prevent a packet from traversing the internet/network indefinitely if there is a loop. Each hop/router decreases the TTL value by 1 as the packet passes through it. It is an 8-bit value in the IPv4 header, so the maximum value of TTL is 2^8-1 = 255. This field is called “Hop Count” in the IPv6 header.
When a device or computer sends a packet to a destination, it sets a particular value for TTL in the IP header. The intermediate hops/routers then decrease the TTL value by 1. When the TTL value reaches 0, the packet is discarded and an ICMP TTL exceeded message is sent to the source of the packet.
Protocol (8 bits): This field defines the upper-layer protocol used above the network layer. The network layer does the multiplexing and demultiplexing for several upper-layer protocols (for example TCP, UDP, ICMP etc.). The “Protocol” field contains the number associated with the upper-layer protocol. These protocol numbers are managed by IANA (Internet Assigned Numbers Authority). Below are the protocol numbers of some commonly used protocols.
ICMP: 1, IGMP: 2, TCP: 6, UDP: 17, EIGRP: 88, OSPF: 89, VRRP: 112
As this field consists of 8 bits, the maximum protocol number can be 2^8-1=255.
Checksum (16 bits): This field is used for error detection in the IP header. Note that this checksum is calculated only over the IPv4 header, not over the entire packet. So, if there is an error in the payload (data portion) of the packet, this field will not detect it.
The checksum is the one’s complement of the one’s complement sum of all 16-bit words in the header. The sending device calculates the checksum and puts it in the header field. When the receiving device receives the packet, it calculates the checksum again. If there is a mismatch, the packet is discarded.
Note: If a router changes any field of the IP header, it needs to recalculate the checksum and update it in the header before sending the packet to the next hop. As each router decreases the TTL value by one, the checksum field is updated at every hop the packet travels through.
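The checksum rule and the per-hop update described above, as an added example (not code from the original article). The sample header bytes are constructed for illustration, and the function names are assumptions of this example.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's complement of the one's complement sum of the header's 16-bit words."""
    total = sum(word for (word,) in struct.iter_unpack("!H", header))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_bytes(packet: bytes) -> bytes:
    """Return only the header; IHL (low nibble of byte 0) counts 4-byte words."""
    if not packet:
        raise ValueError("empty packet")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("invalid or truncated IPv4 header")
    return packet[: ihl * 4]

def checksum_ok(packet: bytes) -> bool:
    """Receiver check: summing the header with its checksum in place yields 0."""
    return ipv4_checksum(header_bytes(packet)) == 0

def forward(packet: bytes):
    """Router step: discard on bad checksum or expiring TTL, else decrement
    the TTL and recompute the checksum. Returns the new packet or None."""
    hdr = bytearray(header_bytes(packet))
    if not checksum_ok(packet) or hdr[8] <= 1:    # TTL is byte 8
        return None
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                      # zero the field before summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[len(hdr):]         # payload is untouched

# Constructed sample: 20-byte header, TTL 64, protocol 17 (UDP), no options.
SAMPLE = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")

if __name__ == "__main__":
    print("valid on receipt:", checksum_ok(SAMPLE))
    hop = forward(SAMPLE + b"payload")
    print("after one hop: TTL", hop[8], "checksum", hop[10:12].hex())
```

Because only the header is summed, appending or altering payload bytes never changes the result of `checksum_ok`, which is the limitation the Checksum paragraph describes.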
Source IP address (32 bits): This field carries the source IP address of the packet. If NAT has been implemented on any device on the path to the destination, then this field may change. Otherwise, this field remains the same until the packet reaches the destination.
Destination IP address (32 bits): This field carries the destination IP address of the packet. If NAT has been implemented on any device on the path to the destination, then this field may change. Otherwise, this field remains the same until the packet reaches the destination.
Options (up to 40 bytes): As the name suggests, this is the optional (not often used) and variable part of the IPv4 header. When used, its size can be a maximum of 40 bytes, which brings the header size to 60 bytes.
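The field layout described above, decoded in Python as an added example (not part of the original article). The sample packet is constructed, with a 28-byte header carrying 8 bytes of No-Operation options; the function and dictionary key names are assumptions of this example.

```python
import ipaddress
import struct

# Protocol numbers listed in the article.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP",
             88: "EIGRP", 89: "OSPF", 112: "VRRP"}

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields, rejecting headers that break the rules above."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    if ihl < 5:                                   # 4 bits, so 15 is the ceiling
        raise ValueError(f"IHL {ihl} is below the minimum of 5")
    header_len = ihl * 4                          # IHL counts 4-byte words
    if not header_len <= total_len <= len(packet):
        raise ValueError("Total Length disagrees with header size or data received")
    flags = flags_frag >> 13                      # top 3 bits: reserved, DF, MF
    if flags & 0b100:
        raise ValueError("reserved flag bit must be 0")
    return {
        "header_len": header_len,
        "options": packet[20:header_len],         # empty when IHL is 5
        "dscp": tos >> 2, "ecn": tos & 0b11, "precedence": tos >> 5,
        "total_len": total_len, "payload_len": total_len - header_len,
        "id": ident,
        "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, f"unknown ({proto})"),
        "checksum": checksum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

# Constructed sample: IHL 7 (28-byte header), TOS 0xB8, MF set, offset 185,
# TTL 64, protocol 6, 8 No-Operation option bytes, 4 bytes of payload.
# The checksum field is left as 0 because this example does not verify it.
SAMPLE_WITH_OPTIONS = (bytes.fromhex("47b80020123420b9400600000a0000010a000002")
                       + b"\x01" * 8 + b"data")

if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_WITH_OPTIONS).items():
        print(f"{name:18} {value}")
```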
Below is a capture of an IPv4 packet from the Wireshark tool. Here, the total header length is 20 bytes as there are no option fields.
Here is another capture of an IPv4 packet, whose header length is 28 bytes as option fields are used.