101
0/241
Loading content...
Within the IPv4 header, three bits wield enormous influence over packet handling. These Flags bits—comprising Reserved, Don't Fragment (DF), and More Fragments (MF)—determine whether routers can break packets into pieces, whether Path MTU Discovery works, and how destination hosts know they've received all fragments.\n\nThough tiny in size (just 3 bits out of the 160-bit minimum IPv4 header), these flags are referenced in almost every packet processing decision in the modern Internet. Understanding them deeply is essential for network engineering, troubleshooting, and security analysis.
By the end of this page, you will master the IPv4 Flags field completely: the purpose of each bit, how DF enables Path MTU Discovery, how MF identifies fragment sequences, the interaction between flags and Fragment Offset, and practical implications for packet filtering and security.
The Flags field occupies 3 bits in the IPv4 header, immediately preceding the 13-bit Fragment Offset. Together, these 16 bits form the second half of the third 32-bit word in the header.
| Bit Position | Name | Meaning when 0 | Meaning when 1 |
|---|---|---|---|
| Bit 0 (MSB) | Reserved | Normal (expected) | Reserved for future use (RFC deprecated: was 'Evil Bit' in April Fools RFC 3514) |
| Bit 1 | DF (Don't Fragment) | Fragmentation allowed | Do not fragment this packet; return ICMP error instead |
| Bit 2 (LSB) | MF (More Fragments) | Last (or only) fragment | More fragments follow this one |
Binary representation examples:\n\n| Flags Value | Binary | Meaning |\n|-------------|--------|---------|\n| 0x0 | 000 | Normal packet, may be fragmented, this is complete datagram |\n| 0x1 | 001 | Reserved bit set (unusual, may indicate error) |\n| 0x2 | 010 | DF set - do not fragment |\n| 0x3 | 011 | Reserved + DF (unusual) |\n| 0x4 | 100 | More fragments follow (this is a fragment, not the last) |\n| 0x6 | 110 | DF + MF - Don't fragment AND more fragments (unusual combination) |
RFC 3514, published April 1, 2003, humorously proposed using the reserved bit to indicate 'evil' packets—malicious traffic would set this bit, allowing firewalls to efficiently filter attacks! While a joke, it remains fondly remembered in networking circles. In practice, the reserved bit should always be 0.
The Don't Fragment (DF) flag is the most strategically important of the three bits. When set to 1, it instructs routers: "If this packet is too large for the next hop, do not fragment it—instead, drop it and send an ICMP error."
Why use DF flag?\n\n1. Enable Path MTU Discovery — Setting DF forces ICMP feedback when packets are too large, allowing the source to discover the optimal packet size.\n\n2. Avoid fragmentation overhead — Fragmentation adds headers, increases loss probability, and consumes router resources. DF prevents this.\n\n3. Ensure atomic delivery — Some applications require packets to arrive whole or not at all. DF guarantees no silent fragmentation.\n\n4. Security considerations — Fragmented packets can evade firewalls. DF ensures packets are inspected as complete units.\n\nDefault behavior:\n\nModern operating systems set DF=1 by default for TCP traffic (to enable PMTUD). UDP and ICMP typically have DF=0 unless explicitly set by the application.
The DF strategy only works if ICMP 'Fragmentation Needed' messages can reach the source. Networks that block ICMP cause 'black holes' where DF packets are silently discarded without feedback. This is why experienced engineers NEVER block ICMP Type 3 messages at firewalls.
The More Fragments (MF) flag signals whether additional fragments follow the current one. It's the mechanism that identifies the end of a fragment sequence.
| MF Flag | Fragment Offset | Interpretation |
|---|---|---|
| 0 | 0 | Complete datagram (no fragmentation) |
| 1 | 0 | First fragment of fragmented datagram |
| 1 | 0 | Middle fragment (not first, not last) |
| 0 | 0 | Last fragment of fragmented datagram |
How destination uses MF flag:\n\nThe receiving host uses MF to determine when reassembly is complete:\n\n1. First fragment arrives (Offset=0, MF=1):\n - Create reassembly buffer\n - Store fragment's data starting at position 0\n - Note: more fragments expected\n\n2. Middle fragments arrive (Offset>0, MF=1):\n - Add to reassembly buffer at offset × 8 position\n - More fragments still expected\n\n3. Last fragment arrives (Offset>0, MF=0):\n - Add to reassembly buffer\n - Calculate total size: offset × 8 + data_length\n - Mark reassembly as having received final fragment\n\n4. Check for completion:\n - If all bytes from 0 to total_size are present → reassemble\n - If gaps remain → wait (or timeout and discard)
The last fragment (MF=0) may arrive before middle fragments. The receiving host cannot assume fragments arrive sequentially. It must buffer all fragments and only reassemble when BOTH conditions are met: the last fragment (MF=0) has arrived AND there are no gaps in the reassembly buffer.
Understanding all valid and invalid flag combinations helps in packet analysis and security assessment.
| Reserved | DF | MF | Offset | Valid? | Interpretation |
|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | ✓ | Normal unfragmented packet, may be fragmented if needed |
| 0 | 0 | 0 | 0 | ✓ | Last fragment of a fragmented datagram (DF was 0) |
| 0 | 0 | 1 | 0 | ✓ | First fragment, more to follow |
| 0 | 0 | 1 | 0 | ✓ | Middle fragment, more to follow |
| 0 | 1 | 0 | 0 | ✓ | Unfragmented packet, MUST NOT be fragmented (PMTUD) |
| 0 | 1 | 0 | 0 | ⚠ | Last fragment with DF set (logically inconsistent) |
| 0 | 1 | 1 | any | ⚠ | Fragment with DF set (should not exist—who fragmented it?) |
| 1 | any | any | any | ⚠ | Reserved bit set (unusual, should be 0) |
Analyzing suspicious combinations:\n\nDF=1 with Offset>0 or MF=1:\nThis combination means "this is a fragment, but don't fragment me." It's logically inconsistent—if DF was set when fragmentation occurred, fragmentation should have been blocked. This may indicate:\n- Packet crafting/attack tools\n- Implementation bugs\n- Tunnels that strip/add headers incorrectly\n\nReserved bit = 1:\nShould never be set in normal traffic. May indicate:\n- Network testing tools\n- Malformed packets\n- Rare experimental usage\n- The source is jokingly referencing RFC 3514's "Evil Bit"
Unusual flag combinations should trigger security alerts. Legitimate traffic follows predictable patterns: DF=1 for unfragmented TCP, DF=0 for fragmented traffic with consistent MF patterns. Anomalies often indicate reconnaissance, attacks, or severe misconfigurations.
The DF flag is the cornerstone of Path MTU Discovery (PMTUD), the mechanism by which hosts learn the optimal packet size for a given path without trial and error.
1234567891011121314151617
ICMP Type 3 (Destination Unreachable), Code 4 (Fragmentation Needed) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Type=3 | Code=4 | Checksum |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Unused = 0 | Next-Hop MTU |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Internet Header + 64 bits of Original Data Datagram |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Next-Hop MTU: The MTU of the next-hop network. The source should use this value for future packets to this destination. Note: Original IP header is included so source can identify which packet/connection triggered the error.TCP MSS adjustment:\n\nWhen PMTUD discovers a smaller path MTU:\n\n1. Route cache updated: "Path to 10.0.0.50 has MTU 1400"\n2. For new TCP segments: MSS = 1400 - 40 = 1360 bytes\n3. Existing connections may retransmit in-flight data at new size\n4. Application sees no change—TCP handles transparently
Linux: ip route show cache shows discovered PMTUs\nWindows: netsh interface ipv4 show destinationcache\nThis cache indicates where PMTUD has found path restrictions.
The DF and MF flags have significant implications for firewall and security device operation. Understanding these is critical for security engineering.
Modern firewall approaches:\n\n1. Virtual reassembly: Firewall tracks fragment state and logically reassembles for inspection without actually storing complete datagrams (memory efficient).\n\n2. First-fragment minimum size: Require first fragment to contain complete transport header (20+ bytes of data beyond IP header). Drop tiny first fragments.\n\n3. Drop all fragments: At network perimeter, simply block all fragmented traffic. Legitimate modern traffic should use PMTUD with DF=1 and not fragment.\n\n4. Fragment rate limiting: Allow limited fragment rate to prevent DoS while permitting legitimate (rare) fragmented traffic.
Consider blocking inbound fragmented IP traffic at the network perimeter. Modern applications and protocols use PMTUD and should NOT generate fragments crossing the internet. Fragmented inbound traffic is often indicative of attacks, misconfiguration, or legacy applications that need updating.
Let's work through realistic scenarios showing how to interpret flags in packet captures.
1234567891011121314151617
Frame 1: 74 bytes on wireEthernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bbInternet Protocol Version 4 Version: 4 Header Length: 20 bytes Total Length: 60 Identification: 0x5e7a (24186) Flags: 0x40 (Don't fragment) 0... .... = Reserved: Not set .1.. .... = Don't fragment: Set <- DF=1: PMTUD enabled ..0. .... = More fragments: Not set <- MF=0: Complete packet Fragment Offset: 0 <- Not a fragment Time to Live: 64 Protocol: TCP (6) INTERPRETATION: Normal TCP SYN packet. DF=1 enables Path MTU Discovery.This is an unfragmented, complete packet.ip.flags.df == 1 — Show packets with Don't Fragment set\nip.flags.mf == 1 — Show packets with More Fragments set (non-last fragments)\nip.flags.rb == 1 — Show packets with Reserved bit set (suspicious!)\nCombine with and for complex queries.
The three bits of the Flags field—small in size but enormous in impact—govern critical packet handling decisions across the Internet. Let's consolidate the essential knowledge:
What's Next:\n\nWe've covered how packets are marked for fragmentation. The final piece is understanding Reassembly—how the destination host collects fragments, validates their integrity, handles errors, and reconstructs the original datagram. This completes our comprehensive examination of IP fragmentation.
You now have expert-level understanding of the IPv4 Flags field—its structure, the behavior of each bit, how DF enables PMTUD, how MF signals fragment sequences, and the security implications for packet filtering. This knowledge is essential for network engineering and security analysis.