Every second, trillions of IP packets traverse the Internet. Each packet begins as a sequence of bytes created by an application, gets wrapped in protocol headers at each layer, travels through potentially dozens of routers, and finally arrives at its destination where the data is extracted and delivered to the receiving application.
But packets don't simply "flow" through the network like water through pipes. At every hop—at the source, at each router, and at the destination—the packet undergoes specific handling operations. Headers are examined, decisions are made, fields are modified, and sometimes packets are discarded, split apart, or reported as problematic.
Packet handling encompasses all the operations that network layer devices perform on packets:
This page provides a complete understanding of what happens to packets as they traverse the network layer.
By the end of this page, you will understand the complete journey of an IP packet through the network, the specific operations performed at source hosts, transit routers, and destination hosts, how TTL prevents infinite loops, how fragmentation handles MTU mismatches, and how ICMP provides error feedback.
Before understanding packet handling, we must understand the packet structure that handlers operate upon. The IP header contains all the control information routers need to make forwarding decisions.
IPv4 Header Fields:
| Field | Size (bits) | Purpose | Handling Implications |
|---|---|---|---|
| Version | 4 | IP protocol version (4 for IPv4) | Must be 4; otherwise discard or treat as IPv6 |
| IHL | 4 | Header length in 32-bit words | Locates payload start; min 5 (20 bytes) |
| ToS/DSCP+ECN | 8 | Quality of service marking | May affect queue priority at routers |
| Total Length | 16 | Complete packet size in bytes | Used for bounds checking, fragmentation |
| Identification | 16 | Fragment group ID | Used to reassemble fragments |
| Flags | 3 | DF (Don't Fragment), MF (More Fragments) | Control fragmentation behavior |
| Fragment Offset | 13 | Position of fragment in original packet | Used for reassembly ordering |
| TTL | 8 | Time To Live (hop limit) | Decremented at each hop; packet discarded if 0 |
| Protocol | 8 | Upper layer protocol (TCP=6, UDP=17) | Demultiplexing at destination |
| Header Checksum | 16 | Error detection for header only | Validated and recalculated at each hop |
| Source Address | 32 | Sender's IP address | Used for replies; does not change (normally) |
| Destination Address | 32 | Receiver's IP address | Used for routing decisions |
| Options | Variable | Optional features (rarely used) | Increases processing overhead |
| Padding | Variable | Align header to 32-bit boundary | Ensures consistent structure |
Visual Representation:
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Source Address                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Destination Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Options (if any)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Data Payload                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
Minimum IPv4 Header: 20 bytes (no options)
Maximum IPv4 Header: 60 bytes (with options)
Maximum IPv4 Packet: 65,535 bytes (limited by 16-bit Total Length field)
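The "Handling Implications" column above translates directly into checks a handler runs before trusting any other field. The following is an added example, not code from the original page: it parses a raw IPv4 header, rejects malformed input, and performs the per-hop TTL decrement and checksum rewrite. The function names and the sample packet (documentation addresses, constructed values) are assumptions made for illustration.

```python
import struct

def checksum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (IPv4 header checksum)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Validate the header fields a handler relies on; ValueError means discard."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"version {version}, expected 4")
    if hdr_len < 20:
        raise ValueError("IHL below minimum of 5 words")
    if not hdr_len <= total_len <= len(packet):
        raise ValueError("Total Length inconsistent with header or received bytes")
    if checksum16(packet[:hdr_len]) != 0:   # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {"hdr_len": hdr_len, "total_len": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
            "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[hdr_len:total_len]}

def forward_hop(packet: bytes):
    """Router step: validate, decrement TTL, rewrite checksum. None means drop."""
    hdr_len = parse_ipv4(packet)["hdr_len"]
    hdr = bytearray(packet[:hdr_len])
    if hdr[8] <= 1:
        return None                         # TTL would reach 0: discard
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                # checksum is computed over a zeroed field
    hdr[10:12] = struct.pack("!H", checksum16(bytes(hdr)))
    return bytes(hdr) + packet[hdr_len:]

def build_sample(ttl: int = 64, payload: bytes = b"hello") -> bytes:
    """Constructed sample: UDP (17) between documentation addresses, DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:] + payload
```

The Total Length check is the one that matters most for memory safety: a handler that slices the payload using an unchecked length field reads past the received bytes.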
IPv6 significantly simplified the packet header: fixed 40-byte header, no checksum (offloaded to link layer), no in-router fragmentation, and extension headers replace options. This improves router processing speed but changes some handling behaviors covered here.
Packet handling begins at the source host when an application sends data. The network layer constructs the IP packet and prepares it for transmission.
Step-by-Step Source Host Processing:
Important Source Host Considerations:
Path MTU Discovery (PMTUD):
Modern hosts use PMTUD to avoid fragmentation entirely:
This is more efficient than router fragmentation because:
Source Address Selection:
Hosts with multiple interfaces must choose which source address to use:
TCP avoids IP fragmentation by negotiating a Maximum Segment Size (MSS) during connection setup. MSS is typically set to MTU - IP header (20) - TCP header (20) = 1460 bytes for 1500-byte Ethernet MTU. This proactive approach prevents fragmentation issues entirely for TCP connections.
At each router hop, packets undergo a sequence of handling operations. Routers must process packets extremely quickly—high-end routers handle hundreds of millions of packets per second.
Router Packet Processing Pipeline:
Performance Considerations:
Fast Path vs. Slow Path:
Modern routers have two processing paths:
What Goes to Slow Path:
Hardware Forwarding:
High-speed routers use:
IP options (source routing, record route, timestamp) are rarely used because they force slow-path processing, dramatically reducing throughput. Some routers simply discard packets with options. IPv6 replaced options with extension headers, which can still require slow-path processing but are more structured.
The TTL field is one of the most important mechanisms in IP, providing essential protection against routing loops that could otherwise crash the entire Internet.
TTL Purpose:
If a routing misconfiguration creates a loop (Router A sends to B, B sends to C, C sends back to A), packets would circulate forever, consuming bandwidth and eventually overwhelming all routers in the loop.
TTL prevents this:
TTL Behavior:
| Initial TTL | Typical Source | Maximum Hops Possible |
|---|---|---|
| 64 | Linux, most Unix systems | Can traverse up to 64 routers |
| 128 | Windows systems | Can traverse up to 128 routers |
| 255 | Some network equipment, Solaris | Maximum possible value |
| 1 | Link-local protocols (OSPF hello) | Never leaves local network |
| Observed at destination | Diagnostic information | Roughly: initial - hops traversed |
ICMP Time Exceeded:
When a router decrements TTL to 0:
Traceroute Exploits TTL:
The diagnostic tool traceroute (or tracert) uses TTL creatively:
Packet 1: TTL=1 → First router decrements to 0, sends ICMP back
Packet 2: TTL=2 → Second router decrements to 0, sends ICMP back
Packet 3: TTL=3 → Third router decrements to 0, sends ICMP back
...
Result: Each ICMP comes from a different router, revealing the path!
IPv6 Equivalent: Hop Limit
IPv6 renamed TTL to "Hop Limit", which more accurately describes its function. TTL was originally measured in seconds (maximum 255 seconds), but router processing times decreased so much that TTL effectively became a hop count anyway.
When packets don't reach their destination, observe the received TTL. If you send with TTL=64 and receive replies with TTL=60, you know 4 hops were traversed. Unexpectedly low received TTL might indicate routing loops (packets circulating before expiring) or very long paths.
Different networks have different Maximum Transmission Units (MTUs)—the largest packet they can carry. Fragmentation allows oversized packets to traverse smaller-MTU links by splitting them into fragments.
MTU Examples:
| Network Type | Typical MTU |
|---|---|
| Ethernet | 1500 bytes |
| IEEE 802.3 | 1492 bytes (with LLC) |
| PPPoE | 1492 bytes (8-byte overhead) |
| Token Ring | 4464 bytes |
| FDDI | 4352 bytes |
| ATM | 9180 bytes (with AAL5) |
| IPv6 Minimum | 1280 bytes |
| Jumbo Frames | 9000 bytes |
When Fragmentation Occurs:
Fragmentation Header Fields:
Fragmentation Example:
Original packet: 4000 bytes (20 header + 3980 data), needs to traverse 1500-byte MTU link:
| Fragment | Total Length | MF | Offset | Contains |
|---|---|---|---|---|
| 1 | 1500 | 1 | 0 | Bytes 0-1479 of data |
| 2 | 1500 | 1 | 185 (1480/8) | Bytes 1480-2959 |
| 3 | 1040 | 0 | 370 (2960/8) | Bytes 2960-3979 |
Reassembly:
Only the destination host reassembles fragments:
Fragmentation is problematic: 1) Each fragment has header overhead. 2) If ANY fragment is lost, the entire original packet must be retransmitted. 3) Fragments can be used for attacks (tiny fragments evade firewalls, overlapping fragments exploit stack vulnerabilities). 4) Stateless firewalls cannot inspect content of non-initial fragments. Modern best practice: avoid fragmentation using Path MTU Discovery.
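The worked 4000-byte example and the fragment-abuse cases listed above can both be checked mechanically. The following is an added example, not code from the original page: `fragment` reproduces the table's three fragments, and `audit_fragments` is a pre-reassembly check that flags overlaps, gaps, tiny first fragments and a missing final fragment. The function names and the 20-byte tiny-fragment threshold (a minimal TCP header) are assumptions.

```python
def fragment(total_len, mtu, hdr_len=20):
    """Split a datagram as a router would: list of (total_length, MF, offset_units)."""
    data_len = total_len - hdr_len
    chunk = (mtu - hdr_len) // 8 * 8   # non-final fragments carry a multiple of 8 bytes
    frags, pos = [], 0
    while pos < data_len:
        size = min(chunk, data_len - pos)
        frags.append((hdr_len + size, int(pos + size < data_len), pos // 8))
        pos += size
    return frags

def audit_fragments(frags, hdr_len=20, min_first_payload=20):
    """Check one fragment group (same source, destination, protocol, Identification).

    min_first_payload is an assumed threshold: a first fragment smaller than a
    minimal TCP header hides ports and flags from a filter that sees only it.
    Returns a list of findings; an empty list means complete and clean.
    """
    findings, covered_to, final_seen = [], 0, False
    for total, mf, off in sorted(frags, key=lambda f: f[2]):
        start, size = off * 8, total - hdr_len
        if mf and size % 8:
            findings.append(f"non-final fragment at {start} is not a multiple of 8 bytes")
        if off == 0 and mf and size < min_first_payload:
            findings.append("tiny first fragment: transport header is split")
        if start < covered_to:
            findings.append(f"overlap: fragment at {start} rewrites data below {covered_to}")
        elif start > covered_to:
            findings.append(f"gap: bytes {covered_to}-{start - 1} missing")
        covered_to = max(covered_to, start + size)
        final_seen = final_seen or not mf
    if not final_seen:
        findings.append("last fragment (MF=0) missing")
    if hdr_len + covered_to > 65535:
        findings.append("reassembled size exceeds 65,535 bytes")
    return findings
```

A reassembler that drops the whole group on any overlap finding, rather than choosing which copy of the bytes wins, removes the ambiguity that overlapping-fragment tricks depend on.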
When a packet finally arrives at its destination, the receiving host performs a series of validation and processing steps before delivering the payload to the application.
Destination Processing Steps:
Protocol Demultiplexing:
The IP Protocol field identifies which Layer 4 protocol should receive the payload:
| Protocol Number | Protocol | Description |
|---|---|---|
| 1 | ICMP | Internet Control Message Protocol |
| 2 | IGMP | Internet Group Management Protocol |
| 6 | TCP | Transmission Control Protocol |
| 17 | UDP | User Datagram Protocol |
| 41 | IPv6 encapsulated | IPv6 tunneled in IPv4 |
| 47 | GRE | Generic Routing Encapsulation |
| 50 | ESP | IPsec Encapsulating Security Payload |
| 51 | AH | IPsec Authentication Header |
| 89 | OSPF | Open Shortest Path First |
| 132 | SCTP | Stream Control Transmission Protocol |
Transport Layer Handoff:
Once the IP layer delivers to the transport protocol:
IP's header checksum covers only the header, not the payload! Data integrity for the payload must be provided by higher layers (TCP checksum, UDP checksum, application-level checksums). This design follows the end-to-end principle—transport layers know best how to protect their data.
IP is a best-effort protocol—packets may be dropped without notification. Internet Control Message Protocol (ICMP) provides a feedback mechanism for reporting errors and diagnostic information.
ICMP Message Categories:
| Type | Name | When Generated | Use |
|---|---|---|---|
| 0 | Echo Reply | Response to Echo Request | Ping response |
| 3 | Destination Unreachable | Packet cannot be delivered | Various codes: network/host/port unreachable, fragmentation needed |
| 4 | Source Quench | Congestion (deprecated) | No longer used |
| 5 | Redirect | Better route exists | Router informs host of better path |
| 8 | Echo Request | Connectivity test | Ping request |
| 11 | Time Exceeded | TTL expired or reassembly timeout | Used by traceroute |
| 12 | Parameter Problem | Invalid header field | Header error notification |
Destination Unreachable Codes (Type 3):
| Code | Meaning | Typically Generated By |
|---|---|---|
| 0 | Network Unreachable | Router (no route to network) |
| 1 | Host Unreachable | Router (network reachable but host not) |
| 2 | Protocol Unreachable | Destination host (no handler for protocol) |
| 3 | Port Unreachable | Destination host (no application on port) |
| 4 | Fragmentation Needed | Router (packet > MTU but DF=1) |
| 5 | Source Route Failed | Router (source routing impossible) |
| 13 | Administratively Prohibited | Firewall (packet filtered by policy) |
ICMP Message Structure:
```
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Type-specific Data                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        IP Header + First 8 bytes of Original Datagram         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The original packet excerpt allows the source to identify which packet caused the error and which transport-layer connection was affected (the first 8 bytes include source/destination ports).
Important ICMP Rules:
ICMP errors are not generated in response to:
ICMP is carried in IP packets (Protocol = 1), so ICMP messages themselves can be lost.
ICMP can be used for reconnaissance (ping sweeps, traceroute mapping) and attacks (ICMP flood, Smurf attacks). Many firewalls limit or block ICMP. However, blocking ICMP "Fragmentation Needed" breaks Path MTU Discovery, causing connectivity problems. Balanced security policies permit essential ICMP while blocking abuse.
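The quoted-datagram excerpt in the ICMP message structure is what lets a receiver decide whether an error is worth acting on. The following is an added example, not code from the original page: it decodes an ICMP error, recovers the flow it refers to, reads the next-hop MTU from a Fragmentation Needed message, and accepts the error only if it quotes a flow the host actually has open. It assumes the ICMP checksum was already verified by the receiving stack; the function names, the flow table and the sample message are constructed for illustration.

```python
import struct

ERRORS = {3: "Destination Unreachable", 11: "Time Exceeded", 12: "Parameter Problem"}

def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error and the quoted datagram that triggered it."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short for ICMP header + IP header + 8 bytes")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in ERRORS:
        raise ValueError(f"type {icmp_type} is not handled here")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram malformed or truncated")
    proto = quoted[9]
    src = ".".join(map(str, quoted[12:16]))
    dst = ".".join(map(str, quoted[16:20]))
    # TCP (6) and UDP (17) both begin with source port, destination port.
    ports = struct.unpack("!HH", quoted[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return {"name": ERRORS[icmp_type], "code": code,
            # RFC 1191: Fragmentation Needed carries the next-hop MTU in bytes 6-7.
            "next_hop_mtu": mtu if (icmp_type, code) == (3, 4) else None,
            "flow": (proto, src, ports[0], dst, ports[1])}

def accept_error(icmp: bytes, active_flows: set) -> bool:
    """Act on an error only if it quotes a flow this host actually originated."""
    try:
        return parse_icmp_error(icmp)["flow"] in active_flows
    except ValueError:
        return False

def sample_frag_needed(mtu: int = 1400) -> bytes:
    """Constructed message: a router reports Fragmentation Needed for a TCP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp8 = struct.pack("!HHI", 51000, 443, 1)      # ports + sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + tcp8
```

Matching the quoted flow against connection state is also how a stateful firewall can admit Fragmentation Needed and Time Exceeded for existing traffic while dropping unsolicited ICMP errors.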
Packet handling encompasses all the operations performed on IP packets as they traverse the network—from creation at the source, through routing at each hop, to delivery at the destination. Understanding these operations is fundamental to diagnosing network problems and optimizing network performance. Let's consolidate the key insights:
Module Complete: Network Layer Overview
This module has provided a comprehensive foundation in network layer concepts:
With this foundation, you're prepared for the detailed study of IPv4 addressing, IPv4 protocol specifics, IPv6, and routing protocols in the chapters ahead.
Congratulations! You have completed the Network Layer Overview module. You now understand the network layer's position and purpose, how host-to-host delivery works, the principles of logical addressing, routing fundamentals, and the detailed operations of packet handling. This comprehensive foundation prepares you for in-depth study of IP addressing, IPv4/IPv6 protocols, and routing protocols in subsequent chapters.