Every piece of data traveling across a network carries more than just the message itself. Attached to your payload—whether it's an email, a video frame, or a database query—is a carefully structured collection of control information that tells network devices exactly how to handle, route, verify, and deliver that data.

This control information comes in two forms:

• Headers — Control data prepended to the payload (at the front)
• Trailers — Control data appended after the payload (at the end)

Together, headers and trailers transform raw application data into self-describing network units that can traverse complex, heterogeneous networks and arrive intact at their destination. Without them, network devices would have no idea where data came from, where it's going, whether it's corrupted, or how to process it.

A header is a sequence of bytes prepended to data that contains control information required by a specific protocol layer. Headers answer critical questions:

• Where is this data going? — Addressing information
• Where did it come from? — Source identification
• What type of data is this? — Protocol identification
• How should it be processed? — Processing instructions
• Is it valid? — Error detection codes

The Universal Header Structure:

While specific fields vary by protocol, most headers follow a pattern:

1. Addressing fields — Identify source and destination
2. Type/Protocol fields — Identify what's encapsulated inside
3. Length fields — Indicate size of header and/or payload
4. Control/Flag fields — Special processing instructions
5. Verification fields — Checksums or other integrity data

Header Processing Flow:

When a network device receives data, it processes headers in order:

1. Read the outermost header (typically Ethernet at Layer 2)
2. Extract addressing to determine if this data is for this device
3. Read the type field to determine what protocol is inside
4. Strip the header and pass the payload to the next layer
5. Repeat until application data is extracted

This peel-the-onion approach is fundamental to how network stacks process incoming data.

Fixed vs. Variable Length Headers:

• Fixed-length headers (e.g., UDP: 8 bytes) — Simpler parsing, constant overhead
• Variable-length headers (e.g., TCP: 20-60 bytes, IPv4: 20-60 bytes) — More flexible, but require length fields and more complex parsing

Fixed-length headers enable simpler, faster hardware processing. Variable-length headers provide extensibility for optional features.

A trailer is a sequence of bytes appended to data containing control information that must follow the payload. Trailers are less common than headers but serve important purposes:

Why Some Information Goes at the End:

1. Error detection requires complete data — Computing a CRC checksum requires processing all preceding bytes. The result naturally comes at the end.

2. Hardware streaming — When transmitting serially, error-check bits can be computed as data streams through and appended at the end without buffering the entire frame.

3. Framing purposes — Some protocols use trailers to mark frame boundaries.

Where Trailers Are Used:

• Data Link Layer — The most common use. Ethernet frames end with a 4-byte Frame Check Sequence (FCS).
• HDLC/PPP — Include framing and error check trailers
• ATM — Cell error control in trailer

Higher layers (TCP, IP, UDP) generally don't use trailers—they place checksums in their headers, computing them before transmission rather than during.

The Frame Check Sequence (FCS):

The most important trailer in networking is the Ethernet FCS—a 4-byte CRC-32 checksum computed over the entire frame (header + payload). When a frame arrives:

1. The receiving NIC recomputes the CRC over received data
2. Compares computed CRC with the received FCS
3. If they match, frame is accepted
4. If mismatch, frame is silently discarded (no notification to sender)

This provides Layer 2 error detection but not correction or recovery—that's left to higher layers (TCP retransmission, etc.).

The Ethernet frame is the most common Layer 2 encapsulation format on local networks. Let's examine every field in detail.

Ethernet II Frame Structure:

The complete frame consists of:

Field-by-Field Analysis:

Preamble (7 bytes) — Not technically part of the frame, but physically transmitted before it. Consists of alternating 1s and 0s (10101010 pattern) to allow the receiver's clock to synchronize with the transmitter.

Start Frame Delimiter (SFD) (1 byte) — Value 10101011. The final two 1-bits signal that the actual frame data begins next. After this byte, real addressing begins.

Destination MAC Address (6 bytes / 48 bits): The physical address of the intended recipient:

• Bytes 1-3: Organizationally Unique Identifier (OUI) — identifies the NIC manufacturer
• Bytes 4-6: Network Interface Controller (NIC) specific identifier
• First bit: Unicast (0) or Multicast (1)
• Second bit: Globally unique (0) or Locally administered (1)

Special addresses:

• FF:FF:FF:FF:FF:FF — Broadcast (all hosts on local network)
• First byte odd (e.g., 01:xx:xx:xx:xx:xx) — Multicast

Source MAC Address (6 bytes / 48 bits): The physical address of the sender. Same format as destination. Always unicast (first bit = 0); you can't send from a broadcast address.

EtherType (2 bytes / 16 bits): Identifies the protocol encapsulated in the payload:

• 0x0800 — IPv4
• 0x86DD — IPv6
• 0x0806 — ARP (Address Resolution Protocol)
• 0x8100 — VLAN-tagged frame (802.1Q)
• 0x8847 — MPLS (unicast)

If value is ≤ 1500, it's an IEEE 802.3 frame using length field instead.

Payload (46-1500 bytes): The encapsulated higher-layer data (typically an IP packet). Minimum 46 bytes; if actual data is less, padding (null bytes) is added. Maximum 1500 bytes—the Ethernet MTU.

Frame Check Sequence (FCS) (4 bytes): CRC-32 polynomial checksum computed over destination MAC, source MAC, EtherType, and payload. Detects bit errors from noise, interference, or faulty hardware.

The IPv4 header is the workhorse of internet routing. Every packet crossing the internet carries this header (or its IPv6 equivalent). Understanding each field is essential for network professionals.

IPv4 Header Structure (20-60 bytes):

Critical Field Analysis:

Version (4 bits): Value 4 for IPv4. Allows receivers to immediately determine IP version.

Internet Header Length (IHL) (4 bits): Header length in 32-bit words. Minimum 5 (= 20 bytes). Maximum 15 (= 60 bytes). Values > 5 indicate options are present.

DSCP/ECN (8 bits total):

• DSCP (6 bits): Differentiated Services Code Point for QoS. Replaced the older ToS field.
• ECN (2 bits): Explicit Congestion Notification. Allows routers to signal congestion without dropping packets.

Total Length (16 bits): Entire packet size (header + payload) in bytes. Maximum 65,535 bytes. Actual maximum usually limited by link MTU.

Identification (16 bits): Unique identifier for a datagram. Used to reassemble fragments—all fragments of the same original datagram share this ID.

Flags (3 bits):

• Bit 0: Reserved (must be 0)
• Bit 1: Don't Fragment (DF) — Instructs routers not to fragment this packet
• Bit 2: More Fragments (MF) — More fragments follow (0 for last/only fragment)

Fragment Offset (13 bits): Position of this fragment's data in the original datagram, measured in 8-byte units. First fragment has offset 0.

Time to Live (TTL) (8 bits): Hop counter. Decremented by each router. When it reaches 0, packet is discarded and ICMP "Time Exceeded" is sent. Prevents infinite routing loops. Typical initial values: 64 (Linux), 128 (Windows).

Protocol (8 bits): Identifies encapsulated transport protocol:

• 1: ICMP
• 6: TCP
• 17: UDP
• 47: GRE
• 50: ESP (IPsec)
• 89: OSPF

Header Checksum (16 bits): One's complement of header bytes only (not payload). Must be recomputed at every hop because TTL changes.

Source/Destination IP Addresses (32 bits each): Logical addresses for routing. Unlike MAC addresses, these don't change as the packet traverses routers (except in NAT scenarios).

The transport layer provides process-to-process communication. TCP and UDP represent opposing design philosophies: TCP prioritizes reliability while UDP prioritizes simplicity and speed.

TCP Header (20-60 bytes):

TCP's extensive header reflects its sophisticated features: reliable delivery, flow control, congestion control, and ordered streaming.

TCP Flags Explained:

• SYN — Synchronize sequence numbers (connection establishment)
• ACK — Acknowledgment field is valid
• FIN — No more data from sender (connection termination)
• RST — Reset connection (abort)
• PSH — Push data to application immediately (don't buffer)
• URG — Urgent pointer field is valid
• ECE — ECN-Echo (congestion experienced)
• CWR — Congestion Window Reduced (sender slowing down)
• NS — Nonce Sum (protection against accidental/malicious ECN manipulation)

Common Flag Combinations:

• SYN — First packet of three-way handshake
• SYN, ACK — Second packet of handshake
• ACK — Third packet of handshake, and most data packets
• FIN, ACK — Connection termination
• RST — Immediate connection abort

UDP Header (8 bytes):

UDP's minimal header reflects its philosophy: fast, simple, no guarantees.

Understanding how network devices parse headers is crucial for performance optimization and debugging. Let's examine the processing mechanics.

Sequential Parsing:

Headers are designed for sequential processing:

1. Fixed offsets identify critical fields (e.g., EtherType always at bytes 12-13)
2. Type fields indicate what comes next
3. Length fields enable skipping to the next layer

This enables fast hardware processing without complex parsing logic.

The Type-Length-Value (TLV) Pattern:

Many protocols use the TLV pattern for optional fields:

• Type — Identifies what this option is
• Length — How many bytes follow
• Value — The actual option data

Examples: IPv6 extension headers, TCP options, DHCP options.

Hardware vs. Software Processing:

Header Offloading:

Modern NICs perform significant header processing in hardware:

• Checksum offload — NIC computes/verifies IP, TCP, UDP checksums
• Segmentation offload (TSO/GSO) — Application sends large chunks; NIC segments into MTU-sized packets with proper headers
• Receive Side Coalescing (RSC) — NIC combines small packets into larger ones before delivering to CPU
• Header splitting — NIC places headers in one buffer, payload in another for cache efficiency

Parsing Efficiency:

Network stacks optimize header parsing through:

1. Avoiding copies — Headers are read in place, not copied
2. Pointer arithmetic — Offsets calculated, not data moved
3. Early return — Invalid packets rejected at first failure point
4. Batch processing — Multiple packets processed in a single pass (NAPI in Linux)

Header Validation:

Strict validation catches errors early:

• Version field correct?
• Length fields sensible?
• Checksums valid?
• Reserved fields zero?

Invalid packets are dropped immediately, preventing wasted processing.

Headers present both security risks and security opportunities. Understanding header security is essential for network defense.

Header Spoofing Attacks:

Headers can be forged or manipulated:

• IP source address spoofing — Attacker sets false source IP to hide origin or redirect responses (used in DDoS reflection attacks)
• MAC address spoofing — Attacker impersonates another device on local network
• TTL manipulation — Used in traceroute, but also in evasion attacks to make packets die before reaching IDS
• TCP flag manipulation — SYN floods, FIN scans, and other evasion techniques

Defensive Header Inspection:

Header Encryption and Authentication:

• IPsec AH (Authentication Header) — Cryptographically authenticates IP headers and payload, detecting tampering
• IPsec ESP (Encapsulating Security Payload) — Encrypts payload, authenticates packet
• TLS — Operates above transport; headers visible but payload encrypted
• MACsec (802.1AE) — Encrypts and authenticates Ethernet frames

The Privacy Dilemma:

Headers reveal metadata even when payload is encrypted:

• IP addresses reveal communicating parties
• Timing and packet sizes reveal communication patterns
• TCP flags reveal connection state

This is why advanced privacy techniques (Tor, VPNs, traffic padding) exist—to obscure header metadata, not just payload content.

Malformed Header Attacks:

Sending deliberately malformed headers can:

• Crash vulnerable network stacks (historical: Ping of Death, Teardrop)
• Evade IDS systems that can't parse unusual headers
• Exploit parsing vulnerabilities in specific implementations

Headers and trailers are the control information that makes networked communication possible. Let's consolidate the key points:

What's Next:

Now that you understand the specific information in headers and trailers, the next page examines Protocol Data Units (PDUs)—the formal names for encapsulated data at each layer (segments, packets, frames) and how understanding PDUs provides a unified vocabulary for discussing network communication.