Week 3: IPv4

Ethernet gets a frame from one machine to the next machine on the same local network. IP gets a packet from any machine anywhere to any other machine anywhere. This week you read the IPv4 header field by field and understand how routing works.


Theme

The IPv4 header is 20 bytes (minimum) of addressing and control information prepended to every IP packet. It contains the source IP address, the destination IP address, a time-to-live counter that prevents packets from looping forever, a protocol field that tells the receiver whether the payload is TCP or UDP or ICMP, and several fragmentation fields. You will read all of these from a real capture this week. You will also learn subnetting: how a 32-bit IP address gets split into a network portion and a host portion, and why your home router separates your private address space from the public Internet.

Reading (~60 minutes)

  1. Stevens TCP/IP Illustrated Ch 3 ("IP: Internet Protocol"): the IPv4 header field by field; routing
  2. Kurose & Ross Ch 4 §4.1-4.3 ("Overview of Network Layer", "What's Inside a Router?", "The Internet Protocol"): IP addressing, CIDR, NAT
  3. Optional: RFC 791, §3.1 (Internet Header Format): the authoritative byte-level spec for the IPv4 header

Lecture outline (~2 hours)

Section 1: The IPv4 header

A minimum IPv4 header is 20 bytes:

| Field | Size | Meaning |
|---|---|---|
| Version | 4 bits | 4 for IPv4 |
| IHL | 4 bits | Header length in 32-bit words (min 5 = 20 bytes) |
| DSCP | 6 bits | Differentiated Services Code Point (QoS marking) |
| ECN | 2 bits | Explicit Congestion Notification |
| Total Length | 2 bytes | Length of the entire IP packet (header + payload) |
| Identification | 2 bytes | Used with fragmentation |
| Flags | 3 bits | DF (Don't Fragment), MF (More Fragments) |
| Fragment Offset | 13 bits | Position of this fragment in the original datagram |
| TTL | 1 byte | Time to Live: decremented by each router; packet dropped at 0 |
| Protocol | 1 byte | 6 = TCP; 17 = UDP; 1 = ICMP |
| Header Checksum | 2 bytes | Covers the IP header only (not the payload) |
| Source IP | 4 bytes | Sender's IP address |
| Destination IP | 4 bytes | Recipient's IP address |
| Options | 0-40 bytes | Rarely used; IHL > 5 indicates options are present |

In Wireshark: expand "Internet Protocol Version 4" in the packet detail pane to see each field decoded.

Section 2: IPv4 addressing and CIDR

  • An IPv4 address is 32 bits, written as four decimal octets: 192.168.1.100
  • CIDR notation: 192.168.1.0/24 means the network uses the first 24 bits as the network address; the remaining 8 bits identify hosts within the network
  • Subnet mask: /24 corresponds to 255.255.255.0
  • To determine whether two addresses are on the same subnet: AND each address with the subnet mask; if the results match, they are on the same network

Example: Is 192.168.1.50 on the same subnet as 192.168.1.200 with mask /24?

  • 192.168.1.50 AND 255.255.255.0 = 192.168.1.0
  • 192.168.1.200 AND 255.255.255.0 = 192.168.1.0
  • Same result: yes, same subnet. Traffic stays local; no router needed.

Private address ranges (RFC 1918):

| Range | CIDR | Typical use |
|---|---|---|
| 10.0.0.0-10.255.255.255 | 10.0.0.0/8 | Large private networks |
| 172.16.0.0-172.31.255.255 | 172.16.0.0/12 | Medium private networks |
| 192.168.0.0-192.168.255.255 | 192.168.0.0/16 | Home and small office networks |

Private addresses are not routable on the public Internet. Your home router uses NAT (Network Address Translation) to map your private addresses to a single public IP address.

Section 3: TTL and routing

  • TTL (Time to Live): the sender sets a TTL (typically 64 or 128). Each router that forwards the packet decrements TTL by 1. If TTL reaches 0, the router drops the packet and sends an ICMP "Time Exceeded" message back to the sender.
  • TTL prevents packets from looping forever in case of routing loops
  • TTL is also the mechanism traceroute uses: it sends packets with increasing TTL values (1, 2, 3...) and collects the ICMP Time Exceeded responses from each hop

Routing:

  • A router has a routing table: a list of network prefixes and the next-hop router (or local interface) for each
  • When a packet arrives, the router performs longest-prefix matching: it picks the routing table entry whose network prefix is the most specific match for the destination IP
  • Default route (0.0.0.0/0): the catch-all route; forwards packets to the upstream router when no more-specific route matches
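
The AND-with-mask test from Section 2 and the longest-prefix match described above are the same bit operation applied once versus once per route. This added example (not part of the course materials) implements both; the routing table and next-hop names are constructed for illustration.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))


def mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00 (255.255.255.0); /0 -> 0."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    m = mask(prefix_len)
    return (to_int(a) & m) == (to_int(b) & m)


# Constructed routing table: (network, prefix length, next hop or interface).
ROUTES = [
    ("0.0.0.0", 0, "203.0.113.1 (default)"),
    ("10.0.0.0", 8, "10.255.0.1"),
    ("10.20.0.0", 16, "10.20.0.1"),
    ("10.20.30.0", 24, "eth1 (directly connected)"),
]


def lookup(dest: str, routes=ROUTES):
    """Return (matched prefix, next hop) for the most specific matching route."""
    d = to_int(dest)
    best = None
    for net, plen, hop in routes:
        matches = (d & mask(plen)) == to_int(net)
        if matches and (best is None or plen > best[1]):
            best = (net, plen, hop)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return f"{best[0]}/{best[1]}", best[2]


if __name__ == "__main__":
    for dest in ("10.20.30.40", "10.20.99.1", "10.1.1.1", "8.8.8.8"):
        print(dest, "->", lookup(dest))
```
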

Section 4: Fragmentation

  • Maximum Transmission Unit (MTU): the largest payload size a link can carry. Ethernet MTU is typically 1500 bytes.
  • If a router needs to forward a packet larger than the MTU of the outgoing link, it fragments the packet into smaller pieces
  • The DF (Don't Fragment) bit in the IP header, when set, tells routers NOT to fragment the packet. If fragmentation would be needed, the router drops the packet and sends an ICMP "Fragmentation Needed" message back to the sender.
  • Modern protocols use Path MTU Discovery (PMTUD) to avoid fragmentation: they send packets with DF set and adjust their size based on ICMP feedback.
  • Fragmented packets are rare in normal captures because PMTUD works. If you see fragmented packets, something is misconfigured.
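
To see what fragments look like when they do appear in a capture, this added example (not part of the course materials) computes the Total Length, Fragment Offset and MF values a router would produce, and checks that a set of fragments reassembles without gaps or overlaps. It assumes a 20-byte header on every fragment; the 8-byte offset unit comes from RFC 791, and the class and function names are illustrative.

```python
from typing import NamedTuple


class Fragment(NamedTuple):
    offset_units: int      # Fragment Offset field (counts 8-byte units)
    total_length: int      # Total Length field of this fragment
    more_fragments: bool   # MF flag


class FragmentationNeeded(Exception):
    """Stands in for the ICMP "Fragmentation Needed" reply."""


def fragment(total_length: int, mtu: int, header_len: int = 20, df: bool = False):
    if total_length <= mtu:
        return [Fragment(0, total_length, False)]
    if df:
        raise FragmentationNeeded(f"{total_length} bytes > MTU {mtu} with DF set")
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload, pos, frags = total_length - header_len, 0, []
    while pos < payload:
        size = min(chunk, payload - pos)
        frags.append(Fragment(pos // 8, header_len + size, pos + size < payload))
        pos += size
    return frags


def reassembled_payload(frags, header_len: int = 20):
    """Payload length if fragments are contiguous and complete, else None."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset_units)
    expected = 0
    for f in ordered:
        if f.offset_units * 8 != expected:
            return None                      # gap or overlap
        expected += f.total_length - header_len
    return None if ordered[-1].more_fragments else expected


if __name__ == "__main__":
    for f in fragment(4000, 1500):
        print(f)
```
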

Section 5: IPv6 overview

  • IPv4 has 2^32 (~4 billion) possible addresses. IPv6 has 2^128.
  • IPv6 addresses are 128 bits, written as 8 groups of 4 hex digits: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • IPv6 simplifies the header (no fragmentation at routers, no checksum), adds auto-configuration, and is gradually replacing IPv4
  • NET-101 focuses on IPv4 because most captures students will analyze in the near term are IPv4. NET-201 covers IPv6 in depth.

Labs (~90 minutes)

Lab 3-1: IPv4 Header Fields (labs/lab-3-1-ipv4-headers.md)

Independent practice (~7 hours)

  1. Read Stevens Ch 3 in full; annotate the header diagram with your own notes
  2. Practice subnetting: for each of the following addresses and masks, find the network address, broadcast address, and number of host addresses: 10.0.0.50/8, 172.16.4.25/16, 192.168.10.100/24, 10.10.10.10/30
  3. Load fundamentals-http-get.pcap in pcap-tools. Look at one of the IP headers. What is the TTL value? What protocol number is in the protocol field? What does that number mean?
  4. Look up the "ip.ttl" Wireshark display filter. Apply ip.ttl < 10 to the tall-100-frames.pcap capture. How many packets have very low TTL values?
  5. Read RFC 1918 §3 (just the address-range table). Why does the document standardize these ranges rather than letting each network choose any private range they want?

Reflection prompts (~30 minutes)

  1. NAT lets thousands of devices share a single public IP address. What are the practical problems with NAT for protocols that embed IP addresses in their payload (like some VoIP and FTP protocols)?
  2. TTL decrements at each router. The original IP specification says TTL is measured in seconds, not hops. Why did the meaning change to "hops" in practice?
  3. The IPv4 header has a checksum, but the Ethernet frame has a CRC, and TCP also has a checksum. Why do multiple layers each have their own error-detection field?
  4. Your laptop has a private IP address (192.168.x.x). When you connect to a web server, the server sees your router's public IP address, not your private one. Is this a problem for any application? (Think about logging, geolocation, abuse blocking.)
  5. IPv6 has been "coming soon" since the 1990s. What explains the very slow adoption despite IPv4 address exhaustion?

What comes next

Week 4 introduces ICMP: the control-plane protocol that IP uses to report errors and carry diagnostic information. You will see how ping and traceroute work at the packet level.