Packet
Network Packet
The fundamental unit of data on the internet — a small chunk of bytes with a header containing source/destination addresses and routing information, and a payload containing the actual content being transmitted.
All internet communication is packet-switched. When you load a webpage, the server doesn't send the entire page as one stream — it breaks it into packets, each typically up to 1500 bytes (the Ethernet MTU). Each packet has an IP header (source IP, destination IP, TTL, protocol) and a transport header (TCP/UDP ports, sequence numbers). Packets from the same data stream may take different routes through the network and arrive out of order. TCP reassembles them in order; UDP delivers them as-is. This architecture makes the internet resilient — packets route around failures automatically.
Packet structure: header and payload
Every IP packet consists of two parts. The header contains control and routing information — source address, destination address, protocol type, time to live, and flags. The payload contains the actual data being transported, which is itself typically a transport-layer segment (a TCP segment or UDP datagram) with its own header containing port numbers and sequence information. The payload of the TCP/UDP segment then contains the application data: an HTTP request, a DNS query, a chunk of a file transfer. This nesting of headers is called encapsulation — each layer adds its own header when sending and strips it when receiving.
Anatomy of an IPv4 packet header
| Field | Size | Purpose |
|---|---|---|
| Version + IHL | 1 byte | IPv4 (4) or IPv6 (6); header length in 32-bit words |
| DSCP / ECN | 1 byte | QoS marking; Explicit Congestion Notification |
| Total length | 2 bytes | Size of packet including header, in bytes |
| Flags + Fragment offset | 3 bytes | DF bit, MF bit; position in original packet if fragmented |
| TTL | 1 byte | Decremented at each router hop; packet discarded at 0 |
| Protocol | 1 byte | TCP=6, UDP=17, ICMP=1, OSPF=89 |
| Header checksum | 2 bytes | Integrity check for header fields only |
| Source IP | 4 bytes | Originating host address |
| Destination IP | 4 bytes | Target host address |
| Payload | Up to ~1460 bytes | TCP/UDP segment or other upper-layer data |
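The IPv4 header fields above, decoded from raw bytes with the header checksum verified, as an added example that is not part of the original page. It follows the RFC 791 wire layout, in which a 16-bit Identification field sits between Total length and the flags/fragment-offset word; the sample packet and its addresses are constructed.

```python
import struct
import ipaddress

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}  # values from the table above

def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header and split off the payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    # Fixed header: ver/IHL, DSCP/ECN, total length, identification, flags+offset, ...
    (ver_ihl, _dscp_ecn, total_len, ident, flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("malformed IPv4 header")
    return {
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,  # valid header sums to 0
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:total_len],
    }

def build_sample() -> bytes:
    """Constructed sample: UDP packet 192.0.2.10 -> 198.51.100.7, TTL 64, DF set."""
    payload = b"constructed-payload"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload
```

Because the checksum covers only the header, any in-flight change to a header field such as TTL invalidates it until the checksum is recomputed, while payload changes go unnoticed at this layer.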
Fragmentation
When a packet is larger than the MTU of the next link in its path, the router must fragment it — split it into smaller pieces that each fit within the MTU. Each fragment gets its own IP header with the Fragment Offset field indicating its position in the original packet and the More Fragments (MF) bit set on all but the last fragment. The destination host's IP stack reassembles the fragments into the original packet before passing it to the transport layer. Fragmentation is generally avoided in modern networks: it wastes processing on both the fragmenting router and the reassembling host, and if any fragment is lost the entire original packet must be retransmitted. TCP prevents fragmentation by negotiating an MSS smaller than the path MTU.
How routers forward packets
When a router receives a packet, it examines the destination IP address and performs a longest prefix match against its routing table — the most specific matching route wins. A packet for 10.1.2.50 might match a default route (0.0.0.0/0), a summary route (10.0.0.0/8), and a specific route (10.1.2.0/24); the router forwards via the /24 entry. The router then decrements the TTL by 1 — if TTL reaches 0, the packet is discarded and an ICMP "Time Exceeded" message is sent back to the source. This TTL mechanism prevents routing loops from circulating packets indefinitely. The router rewrites the Layer 2 (Ethernet) frame header for the outgoing interface but leaves the Layer 3 IP header unchanged (except for TTL decrement and header checksum recalculation).
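The forwarding decision described above, as an added example that is not part of the original page: a binary trie performs the longest prefix match and the TTL rule is applied before forwarding. The three prefixes are the ones from the text; the next-hop names are hypothetical, and the checksum recalculation is left out.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 address bits; lookup returns the deepest stored route."""

    def __init__(self):
        self.root = {}

    def insert(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix)
        node, bits = self.root, int(net.network_address)
        for i in range(net.prefixlen):
            node = node.setdefault((bits >> (31 - i)) & 1, {})
        node["route"] = (str(net), next_hop)

    def lookup(self, dst: str):
        node, bits, best = self.root, int(ipaddress.ip_address(dst)), None
        for i in range(33):
            best = node.get("route", best)  # remember the most specific match so far
            if i == 32:
                break
            node = node.get((bits >> (31 - i)) & 1)
            if node is None:
                break
        return best

def build_table() -> PrefixTrie:
    """Constructed routing table; next-hop names are hypothetical."""
    trie = PrefixTrie()
    trie.insert("0.0.0.0/0", "isp-gateway")
    trie.insert("10.0.0.0/8", "core-router")
    trie.insert("10.1.2.0/24", "access-switch")
    return trie

def forward(trie: PrefixTrie, dst: str, ttl: int) -> dict:
    """Return what a router does with one packet: forward it or drop it."""
    route = trie.lookup(dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    if ttl - 1 <= 0:
        return {"action": "drop", "icmp": "Time Exceeded"}
    prefix, next_hop = route
    return {"action": "forward", "route": prefix, "next_hop": next_hop, "ttl": ttl - 1}
```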
Packet vs frame vs segment vs datagram
These terms describe the same data viewed from different protocol layers. A segment is the TCP unit — a chunk of the byte stream with sequence numbers and acknowledgement fields, created by the transport layer. A datagram is the UDP equivalent — an independent unit with no ordering or reliability guarantees. A packet is the IP unit — a segment or datagram encapsulated with an IP header containing source and destination addresses, traversing routers. A frame is the Layer 2 unit — a packet encapsulated with a MAC address header for transmission across a single network segment (Ethernet, Wi-Fi). Frames are created and consumed at each hop; packets persist end-to-end; segments and datagrams persist end-to-end within a connection.
Packet capture tools
Wireshark is the most widely used packet capture and analysis tool — it captures live traffic on a network interface and decodes every protocol layer, displaying fields from the Ethernet frame down to the HTTP payload. It supports hundreds of protocols and powerful display filters. tcpdump is the command-line equivalent, invaluable for capturing on remote servers without a GUI: tcpdump -i eth0 port 443 captures all TLS traffic on the primary interface. Both tools require administrative privileges. Captured packets are saved in PCAP format and can be shared for offline analysis. Wireshark's "Follow TCP Stream" feature reassembles a complete session from captured packets, making it straightforward to see the full contents of an unencrypted connection.
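What a saved capture looks like on disk, as an added example that is not part of the original page: a reader for the classic libpcap file layout (24-byte global header, 16-byte record headers) with a check equivalent to the `port 443` filter for IPv4 over Ethernet. The capture bytes, addresses and timestamps are constructed, and each sample frame carries only the first 8 bytes of its transport header.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic PCAP, microsecond timestamps

def read_pcap(blob: bytes):
    """Yield (timestamp, frame) pairs from a PCAP blob of either byte order."""
    if len(blob) < 24:
        raise ValueError("truncated PCAP global header")
    endian = "<" if struct.unpack("<I", blob[:4])[0] == PCAP_MAGIC else ">"
    magic, _maj, _min, _zone, _sig, _snap, linktype = struct.unpack(
        endian + "IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != 1:  # link type 1 = Ethernet
        raise ValueError("not a microsecond PCAP with Ethernet frames")
    pos = 24
    while pos + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        frame = blob[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record")
        yield sec + usec / 1e6, frame
        pos += 16 + incl

def matches_port(frame: bytes, port: int) -> bool:
    """True if an IPv4 TCP/UDP frame has `port` as source or destination port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if ihl < 20 or frame[23] not in (6, 17) or frag_offset or len(frame) < 14 + ihl + 4:
        return False  # later fragments carry no transport header to inspect
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return port in (sport, dport)

def frames_on_port(blob: bytes, port: int):
    return [ts for ts, frame in read_pcap(blob) if matches_port(frame, port)]

def build_sample_pcap() -> bytes:
    """Constructed capture: one frame to TCP port 443, one to UDP port 53."""
    def frame(proto, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate([frame(6, 50000, 443), frame(17, 50001, 53)]):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```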
Packet loss causes and effects
Every router along a packet's path has a finite queue. When the queue fills — due to congestion or a slow downstream link — the router drops packets. TCP responds by slowing its send rate (congestion control) and retransmitting, which adds a round-trip time of latency per lost packet. UDP does not retransmit, so the data is simply lost, a critical problem for real-time applications. Even 0.5% packet loss can reduce TCP throughput by 30–50% on a high-latency link. Tools like ping and traceroute measure packet loss and per-hop latency. Common causes include Wi-Fi interference (packets corrupted and discarded), buffer overflow at congested routers, and faulty Ethernet cables or transceivers generating CRC errors.
Frequently Asked Questions
Why does the internet use packets instead of a continuous stream?
Packet switching lets network infrastructure be shared efficiently. Each packet routes independently — around congestion or failures. Circuit switching (traditional telephony) reserves a fixed path for the whole call, leaving capacity idle when silent. Packets let millions of users share the same cables simultaneously.
What is packet loss and why does it matter?
Packet loss occurs when packets are dropped by overloaded routers or corrupted on a wireless link. TCP retransmits lost packets, adding latency and cutting throughput. UDP doesn't retransmit — packet loss directly breaks voice, video, and gaming. Even 1% loss noticeably degrades TCP performance.
What is the difference between a packet and a frame?
A packet is Layer 3 (IP) — it carries IP addresses and traverses routers. A frame is Layer 2 (Ethernet/Wi-Fi) — it carries MAC addresses within a single network segment. Each router strips the incoming frame and re-encapsulates the packet in a new frame for the next hop. The packet persists end-to-end; frames are rewritten at each hop.