Anatomy of an IP Packet

Every byte of internet traffic is wrapped in a packet — a header that guides it through the network and a payload that carries the actual data.

Two Parts: Header and Payload

Every IP packet consists of two sections. The header contains control information that routers and hosts use to process and forward the packet: source and destination addresses, length, protocol identifier, TTL, and more. The payload contains the data being transported — typically a TCP or UDP segment, which in turn contains application data like an HTTP request, a DNS response, or a chunk of a file transfer.

Routers read only the IP header. They look at the destination IP address, perform a routing table lookup, decrement the TTL, update the header checksum, and forward the packet. They do not read the payload — they have no interest in what application data is being carried. This separation of concerns is fundamental to the internet's design: the network layer moves packets without needing to understand the application data inside them.

A packet captured with a tool like tcpdump or Wireshark shows both sections. Wireshark decodes the IPv4 header field by field and then decodes the payload recursively — first as a TCP segment, then as HTTP or TLS within it. Understanding the header fields is essential for reading packet captures, configuring firewalls, and diagnosing network problems.

IPv4 Header Fields

| Field | Size (bits) | Purpose |
|---|---|---|
| Version | 4 | IP version — always 4 for IPv4 |
| IHL | 4 | Internet Header Length — size of the header in 32-bit words (minimum 5 = 20 bytes) |
| DSCP | 6 | Differentiated Services Code Point — QoS priority marking for traffic classification |
| ECN | 2 | Explicit Congestion Notification — signals network congestion without dropping packets |
| Total Length | 16 | Total packet size in bytes including header and payload (max 65,535) |
| Identification | 16 | Unique ID assigned to each original packet; all fragments share the same ID |
| Flags | 3 | Bit 0: reserved; Bit 1: DF (Don't Fragment); Bit 2: MF (More Fragments follow) |
| Fragment Offset | 13 | Position of this fragment's data within the original packet (in 8-byte units) |
| TTL | 8 | Time To Live — hop counter decremented at each router; packet discarded at zero |
| Protocol | 8 | Identifies the transport protocol in the payload: 6=TCP, 17=UDP, 1=ICMP |
| Header Checksum | 16 | Error-detection checksum of the header only; recalculated at each hop (TTL changes) |
| Source IP | 32 | IPv4 address of the sending host |
| Destination IP | 32 | IPv4 address of the intended recipient |

The minimum IPv4 header size is 20 bytes (IHL = 5, meaning 5 × 4 = 20 bytes). Optional fields (IP options) can extend the header up to 60 bytes, but options are rarely used in modern networks. The 20-byte fixed header is what you will encounter in virtually all real-world traffic.

How TCP Wraps Inside IP

When TCP sends data, it creates a TCP segment containing a TCP header followed by application data. This entire TCP segment becomes the payload of an IP packet. The IP header's Protocol field is set to 6 (TCP), telling the receiving host's network stack to pass the payload up to the TCP handler.

The TCP header adds another 20 bytes minimum, containing source and destination port numbers, sequence number, acknowledgment number, flags (SYN, ACK, FIN, RST, etc.), window size for flow control, checksum, and urgent pointer. An HTTPS request therefore has at minimum: 14-byte Ethernet frame header + 20-byte IP header + 20-byte TCP header + TLS record header + application data. The actual payload of an HTTP request may be small, but the overhead of headers in each layer is what makes small packets inefficient — one reason protocols try to batch data into larger transfers.

UDP is simpler: its header is only 8 bytes, containing source port, destination port, length, and checksum. The Protocol field in the IP header is 17 for UDP. DNS queries over UDP are compact — a typical DNS query is well under 100 bytes total including all headers.

Fragmentation: When a Packet Is Too Big

Fragmentation occurs when a router needs to forward a packet that exceeds the MTU (Maximum Transmission Unit) of the outbound link. Standard Ethernet has an MTU of 1,500 bytes. If a packet is 3,000 bytes and the outbound interface is Ethernet, the router must split it into two fragments of 1,500 bytes each.

Each fragment gets its own IP header copied from the original, with modified fields. The Identification field is the same in all fragments (allowing reassembly). The Fragment Offset field indicates where in the original packet this fragment's data begins. All fragments except the last have the MF (More Fragments) flag set. The last fragment has MF clear, signaling the end.

Reassembly is handled by the destination host, not intermediate routers. The destination buffers incoming fragments and reassembles them into the original packet once all have arrived. If any fragment is lost, the entire original packet must be retransmitted — fragmentation makes packet loss more costly. For this reason, modern TCP implementations use Path MTU Discovery (PMTUD) to avoid fragmentation entirely.
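
The destination-side bookkeeping described above, using Identification, Fragment Offset and MF, can be sketched as follows. This is an added example, not code from the original page; the tuple format, function names and sample fragments are constructed, and the fragments are assumed to share one source, destination and protocol.

```python
def reassemble(fragments):
    """Rebuild payloads from (ident, offset_units, mf, data) tuples.

    Assumes all tuples share one source, destination and protocol; a real
    stack keys its reassembly buffers on those fields together with ident.
    Returns (complete, incomplete): {ident: payload} and {ident: reason}.
    """
    by_id = {}
    for ident, offset_units, mf, data in fragments:
        by_id.setdefault(ident, []).append((offset_units * 8, mf, data))

    complete, incomplete = {}, {}
    for ident, frags in by_id.items():
        frags.sort(key=lambda f: f[0])          # arrival order is not guaranteed
        if frags[-1][1]:                        # highest offset still has MF set
            incomplete[ident] = "last fragment (MF clear) not received"
            continue
        buf = bytearray()
        for start, mf, data in frags:
            if start != len(buf):
                incomplete[ident] = f"hole or overlap at byte {len(buf)}"
                break
            if mf and len(data) % 8:
                incomplete[ident] = "non-final fragment length not a multiple of 8"
                break
            buf += data
        else:
            complete[ident] = bytes(buf)
    return complete, incomplete

def sample_fragments():
    """Constructed input: ID 0x1C46 arrives out of order, ID 0x2A00 loses its middle."""
    body = bytes(range(256)) * 16               # 4096-byte original payload
    whole = [(0x1C46, 0, True, body[:1480]),
             (0x1C46, 185, True, body[1480:2960]),
             (0x1C46, 370, False, body[2960:])]
    lossy = [(0x2A00, 0, True, body[:1480]),
             (0x2A00, 370, False, body[2960:])]
    return body, [whole[2], lossy[0], whole[0], lossy[1], whole[1]]
```

The packet with ID 0x2A00 never completes, so everything already buffered for it is wasted and the whole original packet has to be sent again.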

MTU: The Maximum Packet Size

Path MTU Discovery (PMTUD) is the mechanism TCP uses to find the largest packet size that can traverse the entire path without fragmentation. The sender sets the DF (Don't Fragment) bit in the IP header, signaling that the packet must not be fragmented — if it is too large for a link, the router should drop it and send an ICMP Type 3 Code 4 (Fragmentation Needed) message back to the sender, indicating the link's MTU.

The sender receives this ICMP message, reduces its packet size accordingly, and retransmits. This process converges on the path MTU — the smallest MTU of any link along the path. For most internet paths, this is 1,500 bytes (standard Ethernet). VPN tunnels have lower effective MTUs because the VPN encapsulation adds its own headers — a common value for VPN-encapsulated traffic is 1,400–1,460 bytes.

PMTUD breaks when firewalls block ICMP. When the Fragmentation Needed message is dropped, the sender never learns to reduce its packet size, and connections using large packets hang or perform very slowly — a phenomenon called a PMTUD black hole. This is one reason blanket ICMP blocking is harmful to network performance.
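
The convergence loop and the black-hole failure mode can be seen side by side in a small simulation. This is an added example, not code from the original page; the function name, the link MTU values and the retry limit are constructed assumptions.

```python
def pmtud(link_mtus, icmp_filtered=False, start_size=1500, max_attempts=6):
    """Simulate a sender probing a path with the DF bit set.

    link_mtus: MTU of each link in path order (constructed values).
    icmp_filtered: True models a firewall dropping Fragmentation Needed messages.
    Returns (path_mtu or None, log); None means the sender gave up (black hole).
    """
    size, log = start_size, []
    for attempt in range(1, max_attempts + 1):
        # First link whose MTU is smaller than the packet, if any.
        blocked = next(((hop, mtu) for hop, mtu in enumerate(link_mtus, 1)
                        if size > mtu), None)
        if blocked is None:
            log.append(f"try {attempt}: {size} bytes delivered")
            return size, log
        hop, mtu = blocked
        if icmp_filtered:
            # The router still drops the packet, but the sender never hears why
            # and retransmits at the same size until it gives up.
            log.append(f"try {attempt}: {size} bytes dropped at hop {hop}, no ICMP seen")
        else:
            log.append(f"try {attempt}: {size} bytes dropped at hop {hop}, "
                       f"ICMP 3/4 reports MTU {mtu}")
            size = mtu
    return None, log
```

With ICMP filtered, a 1,400-byte packet still crosses a path of `[1500, 1400]` while a 1,500-byte packet never does, which matches the typical symptom: small exchanges succeed and large transfers hang.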

Frequently Asked Questions

What is inside an IP packet?

An IP packet has a header and a payload. The header contains control fields — source IP, destination IP, TTL, Protocol, Total Length, and others — that routers use to forward the packet. The payload carries the transport-layer segment (TCP or UDP), which in turn carries application data.

What is the maximum size of an IP packet?

The Total Length field is 16 bits, allowing a theoretical maximum of 65,535 bytes. In practice, packets are limited by the path MTU — typically 1,500 bytes on Ethernet networks. Packets must be fragmented or reduced in size if they exceed the MTU of any link along the path.

What is MTU?

MTU (Maximum Transmission Unit) is the largest packet a network link can carry without fragmentation. Standard Ethernet MTU is 1,500 bytes. VPN tunnels have lower effective MTUs due to encapsulation overhead. Path MTU Discovery allows TCP to automatically find the correct MTU for a given path.

What is packet fragmentation?

Fragmentation occurs when a packet is larger than the MTU of an outbound link and the router splits it into smaller pieces. Each fragment has the same Identification value and a Fragment Offset indicating its position. The destination reassembles the fragments into the original packet.

What does the TTL field in an IP packet do?

The TTL field is an 8-bit hop counter decremented by 1 at each router. When it reaches zero, the router discards the packet and sends an ICMP Time Exceeded message back to the source. This prevents packets from circulating forever. Traceroute exploits this by sending packets with incrementally increasing TTL values to map each hop.

What is the Protocol field in an IPv4 header?

The Protocol field is an 8-bit value identifying the transport-layer protocol in the payload. Common values: 1 = ICMP, 6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4, 50 = ESP (IPsec). The receiving host uses this to pass the payload to the correct transport handler.
