IPv4 Header Structure Explained
Break down the IPv4 packet header field by field, understanding version, TTL, protocol, checksum, and addressing fields.
The IPv4 Header at a Glance
Every IPv4 packet begins with a header that contains routing and control information. The minimum header size is 20 bytes (without options), and the maximum is 60 bytes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL | DSCP |ECN| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TTL | Protocol| Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source IP Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination IP Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options (if IHL > 5) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key Fields Explained
| Field | Bits | Purpose |
|---|---|---|
| Version | 4 | Always 4 for IPv4 |
| IHL | 4 | Header length in 32-bit words (min 5 = 20 bytes) |
| DSCP/ECN | 8 | Quality of service and congestion notification |
| Total Length | 16 | Entire packet size including header and data (max 65,535 bytes) |
| Identification | 16 | Unique ID for reassembling fragments |
| Flags | 3 | Control fragmentation (DF = Don't Fragment, MF = More Fragments) |
| Fragment Offset | 13 | Position of this fragment in the original packet |
| TTL | 8 | Hop limit -- decremented by each router, packet dropped at 0 |
| Protocol | 8 | Upper-layer protocol (6=TCP, 17=UDP, 1=ICMP) |
| Header Checksum | 16 | Error detection for the header only |
| Source Address | 32 | Sender's IP address |
| Destination Address | 32 | Recipient's IP address |
TTL: The Hop Counter
The Time to Live field prevents packets from circulating forever in routing loops. Each router decrements TTL by 1. When TTL reaches 0, the router drops the packet and sends an ICMP "Time Exceeded" message back to the sender. This mechanism is what makes traceroute work:
traceroute 8.8.8.8
# Each hop responds when TTL expires for that hop's count
# TTL=1 -> first router responds
# TTL=2 -> second router responds
# ...and so on until the destination
Fragmentation
When a packet is larger than the MTU (Maximum Transmission Unit) of a network link (typically 1500 bytes for Ethernet), routers can fragment it into smaller pieces. The Identification, Flags, and Fragment Offset fields coordinate reassembly at the destination.
Modern networks prefer Path MTU Discovery to avoid fragmentation, using the DF (Don't Fragment) flag and ICMP "Fragmentation Needed" messages to find the smallest MTU along the path.
Protocol Field Values
| Value | Protocol | Use Case |
|---|---|---|
| 1 | ICMP | Ping, traceroute, error messages |
| 6 | TCP | Web, email, file transfer |
| 17 | UDP | DNS, video streaming, gaming |
| 47 | GRE | Tunneling |
| 50 | ESP | IPsec encryption |