When a jigsaw puzzle is manufactured, each piece is numbered on the back so workers can verify completeness and locate any missing pieces. IP fragmentation uses an analogous system: the Fragment Offset field tells the destination exactly where each fragment's data belongs in the original datagram.\n\nWithout Fragment Offset, reassembly would be impossible—fragments could arrive out of order, be delayed by different routing paths, or even be duplicated. The offset provides the essential positioning information that transforms a jumble of fragments back into the original packet.

The Fragment Offset field occupies bits 19-31 (counting from 0) of the IPv4 header—a 13-bit field within the 32-bit word that also contains the Flags field.

Let's trace through a complete fragmentation example to understand how Fragment Offset values are determined.\n\nScenario:\n- Original IP datagram: 4000 bytes total (20-byte header + 3980 bytes data)\n- MTU limit: 1500 bytes\n- Maximum data per fragment: 1500 - 20 = 1480 bytes\n- 1480 must be divisible by 8 ✓ (1480 ÷ 8 = 185)

Step-by-step calculation:\n\nFragment 1:\n- Carries bytes 0-1479 of original data (1480 bytes)\n- Fragment Offset = 0 / 8 = 0\n- More Fragments (MF) = 1 (there are more fragments)\n- Total fragment size: 1480 + 20 = 1500 bytes\n\nFragment 2:\n- Carries bytes 1480-2959 of original data (1480 bytes)\n- Fragment Offset = 1480 / 8 = 185\n- More Fragments (MF) = 1 (still more to come)\n- Total fragment size: 1480 + 20 = 1500 bytes\n\nFragment 3:\n- Carries bytes 2960-3979 of original data (1020 bytes)\n- Fragment Offset = 2960 / 8 = 370\n- More Fragments (MF) = 0 (this is the last fragment)\n- Total fragment size: 1020 + 20 = 1040 bytes

The requirement that Fragment Offset is measured in 8-byte units has critical implications for fragmentation behavior.

Example: MTU that doesn't align naturally\n\nSuppose MTU = 1006 bytes (an odd historical value):\n- Available for data: 1006 - 20 = 986 bytes\n- 986 ÷ 8 = 123.25 (not a whole number)\n- Must round down: 123 × 8 = 984 bytes per fragment\n- Each fragment (except last): 984 bytes of data + 20 bytes header = 1004 bytes\n- 2 bytes of MTU 'wasted' per fragment due to alignment

Fragment Offset alone isn't sufficient for reassembly—fragments from different original datagrams could have the same offsets. The Identification field links fragments belonging to the same original datagram.

Reassembly key = (Source IP, Destination IP, Protocol, Identification)\n\nThe receiving host uses this 4-tuple to group fragments:\n\n1. Fragment arrives with given 4-tuple\n2. Host checks for existing reassembly buffer with same 4-tuple\n3. If found: add fragment to buffer based on Fragment Offset\n4. If not found: create new reassembly buffer\n5. When all fragments received (no gaps, last fragment identified): reassemble and deliver\n\nTimeout consideration:\n\nIf not all fragments arrive within a timeout period (typically 15-60 seconds), the partial datagram is discarded. This prevents zombie reassembly buffers from consuming memory indefinitely.

Understanding Fragment Offset is essential for analyzing network captures. Let's examine how this appears in real tools.

Reading fragment information:\n\n- Identification: Unique ID linking all fragments (6699 in example)\n- Fragment offset: Position in 8-byte units (Wireshark shows raw value; multiply by 8 for bytes)\n- Flags [+]: The '+' in tcpdump indicates More Fragments flag is set\n- frag notation: Shows ID, fragment length, offset in bytes, and '+' if more fragments\n\nWireshark reassembly:\n\nWireshark automatically reassembles fragments and shows:\n- [Reassembled IPv4 in frame: X] - tells you which captured frame contains the complete reassembled datagram\n- [This is fragment N of M] - fragment position\n- The complete datagram appears on the last fragment

A fragment can itself be fragmented if it encounters a smaller MTU downstream. This creates complex scenarios where Fragment Offset values must be carefully computed.

Scenario: Cascade fragmentation\n\nOriginal datagram: 4000 bytes (20 header + 3980 data)\nRouter R1 (MTU 1500): Fragments into 3 pieces\nRouter R2 (MTU 500): Must further fragment each piece

Key observations:\n\n1. Offset addition: When fragment B (offset 185 = 1480 bytes) is further fragmented, its sub-fragments have offsets relative to the ORIGINAL datagram: 1480, 1960, 2440, 2920 bytes.\n\n2. MF flag propagation: The last sub-fragment of fragment A has MF=1 because fragment A was not the last original fragment. Only C3 (last sub-fragment of last fragment) has MF=0.\n\n3. Destination sees all 11 fragments: The receiving host doesn't know about the cascade; it just sees 11 fragments with offsets ranging from 0 to 490 (× 8 = 3920 bytes).\n\n4. Same Identification: All 11 fragments share the same Identification value, enabling reassembly.

Understanding edge cases in Fragment Offset handling is important for both network security and implementation correctness.

Reassembly validation checks:\n\nCompliant IP stacks must validate:\n\n1. No fragment exceeds maximum datagram size:\n - offset × 8 + fragment_data_length ≤ 65,515 (65,535 - 20)\n\n2. Last fragment consistency:\n - If MF=0, this determines total datagram size\n - All fragments must fit within this total\n\n3. No overlaps:\n - Fragment byte ranges must not conflict\n - Modern policy: drop entire datagram on overlap\n\n4. Complete coverage:\n - No gaps between offset 0 and end of last fragment\n - All positions must have data before reassembly

You now have comprehensive knowledge of the Fragment Offset field—the essential mechanism that enables IP datagram reassembly. Let's consolidate with key formulas and takeaways.

What's Next:\n\nWe've examined what the Fragment Offset field does. Next, we'll explore the MF (More Fragments) and DF (Don't Fragment) flags—the control bits that determine whether fragmentation should occur and how to identify the final fragment in a sequence.