jump to navigation

The basics of network packets January 19, 2011

Posted by Tournas Dimitrios in Linux.

For administering a Linux box , setting up a SOHO network or create a web application you don’t have to be a network expert , I have to admin that I’m not either a network expert , but at least the basic concepts of networking have helped me many times to explain / resolve some weird problems I came across . It helps… especially in troubleshooting scenarios for example when your program cannot connect to the database due to network or firewall misconfiguration .

This article assumes that you already know what an Ethernet network is and how to set up a small LAN (local area network) . It will just outline how the communication occur on a network from the perspective of the packet structure . Do not expect from this article to make you a protocol engineer , it took me 8 months to read  Tanenbaum’s book ( Computer networking ) and believe me I have only scratched the surface of this huge topic . I am a visual person and most of the time a picture speaks a lot more to me than a bunch of words, so here is a simple diagram that explains the basics of a TCP/IP network packet:

A little more detailed version of this diagram I drew up in my notebook when I was taking a networking class . I still find myself drawing it on a white board when someone asks me a network question.

The “Level” labels above refer to the different layers of the OSI model. It is helpful to think about a network packet as a present, wrapped in multiple boxes. The outermost box corresponds to level 2 in the OSI model (Data Link layer) and it is the one containing the physical addresses of the source and the destination machines. A typical level 2 device is a network switch.

Inside this big box is the level 3 (Network layer) box that contains the IP address of the computer sending the packet and the one that it is directed to. An example of a level 3 device is a router.

The next box is the one that identifies what port the packet originated from and the number of the port that the destination computer should receive the data on. The port number ultimately determines what application is responsible for processing the data. For example, a packet coming on port 21 means that it is an ftp request and that the ftp daemon on the machine should process it. This box corresponds to level 4 on the OSI model – the Transport layer. A PIX firewall is a typical level 4 network device.

And the innermost box of the packet is the “present” itself – the data. This is what was needed to be delivered from one computer to another on the first place and the rest of the boxes were just the means to accomplish this.

The different network devices and computers open the different boxes and read the information they carry as needed. For example, it is helpful to remember that routers strip the Data Link layer to find out the destination (the IP) address of the packet. Then they reconstruct that layer with a new destination physical address – the MAC address of the next hop on the network and with their own MAC address as the source address. This process repeats until the packet reaches its destination.

I have been asked many times by web programmers how to find out the MAC address of the machine that made the original request . As you can see now- this is impossible. The TCP/IP packet that reaches the web server will only contain the MAC address of the last router that processed the frame.

Basic network concepts :

Layering is an important conceptual tool that helps us to organize, understand, and deal with the complexity of network architecture. The idea is to divide the network’s functions into layers. Each layer makes use of the services of the layer below it to provide a set of specific services for the layer above it.
An logical representation of the network architecture can be seen below .

Beginners are often confused about the difference between the network and transport layers , previous picture makes the distinction clear. The network layer carries on a conversation with its peer network layer on the next hop, whereas the transport layer carries on a conversation with its peer layer on the final destination. To put it another way, the transport layer behaves as if it were directly connected to its peer layer and is unaware of the actual path that its data takes through the network. The network layer, on the other hand, is concerned with choosing the path that the data takes and, as such, is involved with processing at each hop. Note from the figure that routers do not necessarily even have transport layers.


Encapsulation is an fundamental term in network architecture , as data travels down the stack on its way to the network cable or other media, each layer adds a header and, possibly, a trailer to the data. We say that each layer encapsulates the data from the previous layer.The picture below  illustrates how data for a TCP session moves  through the stack. The data that, say, the user types in at the console is encapsulated by the application layer, which adds an application header. When the encapsulated application data enters the transport layer, it is encapsulated into a TCP segment by the addition of a TCP header. Similarly, when the TCP segment arrives at the network layer, IP adds its own header, encapsulating the TCP segment into an IP datagram. Finally, when the IP datagram gets to the interface layer, the Ethernet driver encapsulates it in an Ethernet frame by adding a header and trailer.

Of course there is a lot more to network packets and protocols than this. But the simple diagram above is good enough to give you a basic idea and to get someone started in the field of networking.


1. praveen - July 16, 2011

hi, really very helpful to me. Thanks for providing such articles. If possible please provide the description of the type of IP address and also subnet masks.

tournasdimitrios1 - July 16, 2011

Networking is a huge topic , I’ll try to compress the whole IP-address subject in a future article .

2. spkr322 - November 18, 2012

Hello Sir
with the headers added in each layer can u also specify the size of each header added also to make it much clear about the MTU also

tournasdimitrios1 - November 19, 2012

The absolute limitation on TCP packet size (IPv4) is 64K (65535 bytes) , but practicality this is far larger than the size of any packet we will see , because the lower layers (e.g. ethernet) have lower packet sizes . The MTU (Maximum Transmission Unit) for Ethernet , for instance , is 1500 bytes . Some types of networks (like Token Ring) have larger MTUs , while other have smaller MTUs . With the advent of jumbo frames , there is no real specified maximum , and the maximum varies depending on the hardware and driver . As every node (routers , switches .. )in the “communication chain” should be capable to handle large MTU’s , we should be very carefully when raising this value (nothing guarantees us that publicly nodes can support these values ) . My first suspect when dealing with high packet drops (netstat -s | grep retransmited) is to check my Ethernet’s adapter defined MTU value .
On linux the following command can customize MTU’s value :

==== Temporarely =======
ifconfig ${Interface} mtu ${SIZE} up
ifconfig eth0 mtu 2000 up
=== For continuous (after reboot) add the following  =====
vi /etc/sysconfig/network-scripts/ifcfg-eth0

The TCP/IP header size of the IPv4 packet is 20 bytes , and that of the IPv6 packet is 40 bytes. IPv4 offers an option to increase the header size . An IPv6 packet can have an extension header.

3. Xiang Wang - July 3, 2015

Very helpful:)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s