IPv4 Header (RFC 791)
Bit positions 0-31 in each 32-bit row. The fixed header is 20 Bytes (Byte Offsets 0-19).

Byte Offset 0-3     Version (4-bit) | IP Header length (4-bit) | Type of Service (8-bit) | Total Length (16-bit) (in Byte Offsets)
Byte Offset 4-7     IP Identification Number (16-bit) | R | DF | MF | Fragment Offset (13-bit)
Byte Offset 8-11    Time to Live (8-bit) | Protocol (8-bit) | Header Checksum (16-bit)
Byte Offset 12-15   Source IP Address (32-bit)
Byte Offset 16-19   Destination IP Address (32-bit)
Byte Offset 20-23   IP Options (variable length…) (if any)
                    data (variable length…)
Version
Valid values are:
  4 for IP version 4
  6 for IP version 6
IP Header Length
(4 byte multiplier)
Number of 32-bit words in IP header
minimum value 5 (5 x 4 = 20 bytes)
maximum value 15 (15 x 4 = 60 bytes)
Type of Service
(Used by gateways as a QoS type field) (Most OS's default to 0)
If the first 3 high-order bits are 1's, the packet possibly came from a busy router that had to set tags to get through a backlog
Total Length
(No multiplier)
Number of bytes in packet
maximum length = 65,535
IP Identification Number
Uniquely identifies every datagram sent by host, value typically incremented by 1 (AKA Fragment ID)
Flags
R is reserved and must be set to 0
D is Don't Fragment Flag
  1 = Don't Fragment
  0 = Can Fragment
MF is More Fragments
  0 = No Fragment or no more Fragments
(frag x:y@z where x is the fragment ID, y is # of bytes (must be divisible by 8) and z is the fragment offset)
(On Ethernet with an MTU of 1500, middle fragments should be 1480 bytes: 1480 data + 20 IP header = 1500)
Fragment Offset
(8 byte multiplier)
(Measured in units of 64 bits)
(Max fragment offset 65528 (8191*8))
Position of this fragment in the original datagram
value is multiplied by 8 to get bytes
Time To Live
IP Protocol
D     Hex     Protocol
1     0x01    ICMP
2     0x02    IGMP
6     0x06    TCP
9     0x09    IGRP
17    0x11    UDP
47    0x2F    GRE
50    0x32    ESP
51    0x33    AH
88    0x58    EIGRP
89    0x59    OSPF
Header Checksum
Covers IP header only
Validated along the path from source to destination
Options
(0-40 bytes; 1st @ 20th byte offset; padded 4-byte boundary)
(Processed by each router as packet passes)
D     Hex     Option
0     0x00    End of Option list
1     0x01
7     0x07    Record Route (security risk)
68    0x44    Timestamp
131   0x83    Loose source route (security risk)
137   0x89    Strict source route (security risk)
Type of Service
Bit:     0 1 2        3    4    5    6    7
Field:   Precedence   D    T    R    0    0

Bit 0 - 2    Precedence
Bit 3        0 = Normal Delay          1 = Low Delay
Bit 4        0 = Normal Throughput     1 = High Throughput
Bit 5        0 = Normal Reliability    1 = High Reliability
Bit 6 & 7    Reserved for future use (Always set to 0)
Precedence
Bits   Meaning
111    Network Control
110
101    CRITIC / ECP
100    Flash Override
011    Flash
010    Immediate
001    Priority
000    Routine

TOS Value
1000, 1000, 0100, 1000, 1000, 0100, 1000, 0000, 0100, 0000, Telnet, 0000, Same as request, 0010, 0000, 0010, 0000
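An added example, not part of the original reference card: a Python parser that applies the field rules listed on this page (4-byte header-length multiplier, 8-byte fragment-offset multiplier, checksum over the IP header only) and reports the option types the page marks as a security risk. The function names, dictionary keys and the sample packet are this example's own; the packet is constructed and uses documentation addresses.

```python
import struct

# Option types the page marks "(security risk)", named as on the page.
RISKY_OPTIONS = {0x07: "Record Route", 0x83: "Loose source route",
                 0x89: "Strict source route"}

def checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the IP header only; a valid header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    vihl, tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    hdr_len = ihl * 4                            # 4-byte multiplier
    if version != 4 or ihl < 5 or hdr_len > len(packet) or total_len < hdr_len:
        raise ValueError("malformed IPv4 header")
    opts, risky, i = packet[20:hdr_len], [], 0
    while i < len(opts) and opts[i] != 0x00:     # 0x00 = End of Option list
        if opts[i] == 0x01:                      # type 1 is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        if opts[i] in RISKY_OPTIONS:
            risky.append(RISKY_OPTIONS[opts[i]])
        i += opts[i + 1]
    return {
        "header_len": hdr_len, "total_len": total_len, "id": ident,
        "precedence": tos >> 5,                  # ToS bits 0-2
        "reserved": bool(frag & 0x8000), "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset_bytes": (frag & 0x1FFF) * 8,  # 8-byte multiplier
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum_ok(packet[:hdr_len]),
        "risky_options": risky,
    }

# Constructed sample (documentation addresses): 24-byte header with a loose
# source route option, UDP, MF set, fragment offset 185, 8 payload bytes.
SAMPLE = bytes.fromhex("46e000201c4620b94011c8ae" "c0000201c6336407" "83030400") + bytes(8)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE))
```

A non-empty `risky_options` list or a set `reserved` bit is a reasonable trigger for dropping or alerting on the packet at a perimeter sensor.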