1. An overview of the

The network layer is the third layer of the TCP/IP protocol family. It transfers data between devices on the network. When transmitting data, it adds a header containing the IP address of the destination host and the IP address of the source host to the packets coming down from the transport layer, and then passes them down to the data link layer. When receiving a packet, it unpacks the packet and determines whether the destination IP address in the packet is the local IP address. If so, it removes the IP header and passes the packet up to the transport layer. All TCP, UDP, ICMP, and IGMP data is transmitted over the network as IP datagrams.

2. Mapping between Wireshark and TCP/IP protocol families

Wireshark is a powerful network protocol analyzer. Click a datagram in the packet list and its details expand, as shown in the figure, into the physical layer, data link layer, network layer, transport layer and application layer. These correspond to the five-layer model of the TCP/IP protocol family. Being clear about this correspondence helps with network analysis.

3. The IP header

With a general understanding of the concepts of the Network (Internet Protocol) layer, it’s time to explore the structural relationships of IP headers and the role of each field in the header structure diagram.

3.1 IP header structure type declaration

The following structure type declaration comes from the source file ip.h (a separate file, ip6.h, declares the IPv6 header structure type). As you can see, it contains the header length, version number, type of service, total length, identifier, flags + fragment offset, time to live, protocol, header checksum, source IP address and destination IP address.

```c
/*
 * Structure of an internet header, naked of options.
 *
 * We declare ip_len and ip_off to be short, rather than u_short
 * pragmatically since otherwise unsigned comparisons can result
 * against negative integers quite easily, and fail in subtle ways.
 */
struct ip {
    nd_uint8_t  ip_vhl;         /* header length, version */
#define IP_V(ip)    (((ip)->ip_vhl & 0xf0) >> 4)
#define IP_HL(ip)   ((ip)->ip_vhl & 0x0f)
    nd_uint8_t  ip_tos;         /* type of service */
    nd_uint16_t ip_len;         /* total length */
    nd_uint16_t ip_id;          /* identification */
    nd_uint16_t ip_off;         /* fragment offset field */
#define IP_DF       0x4000      /* dont fragment flag */
#define IP_MF       0x2000      /* more fragments flag */
#define IP_OFFMASK  0x1fff      /* mask for fragmenting bits */
    nd_uint8_t  ip_ttl;         /* time to live */
    nd_uint8_t  ip_p;           /* protocol */
    nd_uint16_t ip_sum;         /* checksum */
    nd_ipv4     ip_src,ip_dst;  /* source and dest address */
};
```

3.2 IP header diagram

Drawing the members of the structure type (struct ip) declared above in the order in which they are declared gives the diagram shown below.

[Figure: IP header diagram. Image from NMAP.]

A diagram is clearly more intuitive than the declaration.

3.3 Description of Fields in the IP Header

3.3.1 Version

This field is the first in the IP header structure and specifies whether the IP version of the packet is IPv4 or IPv6.

3.3.2 Header Length

The Header Length field is also known as Internet Header Length (IHL). This field indicates only the length of the IP header. The size of the IP header is variable because the IP header structure contains “optional fields”. Typically, the size of the IP header is 20 bytes. As noted for the IP header structure type declaration in Section 3.1, the optional fields in the IP header are usually not used.

Because this is also a 4-bit field, the IPv4 header is limited to a maximum of fifteen 32-bit words or 60 bytes.

The normal value of this field (when no options are present) is 5. There is no such field in IPv6 because the header length is fixed at 40 bytes.

The IPv6 header is 40 bytes long. The IPv4 header is 20 to 60 bytes long.

3.3.3 Type of Service

The field consists of two parts. Before RFC 2474, the field was divided into Precedence and Type of Service.

The first three bits are the precedence, the next four bits are the type of service, and the last bit is unused, reserved and set to 0. However, RFC 2474 redefines the 8-bit Type of Service (TOS) field: the first six bits are used for Differentiated Services (traffic optimization) and the last two bits are used for congestion notification, as shown in the figure above.

3.3.4 Total Length

This field gives the total length of the IP datagram, that is, the IP header plus the data carried at the IP layer.

3.3.5 Identifiers

Each packet sent over the network is assigned a unique ID. If the size of a packet exceeds the MTU (maximum transmission unit), it has to be split into multiple packets for sending (so-called fragmentation), and the receiver then reorders the received fragments and reassembles them into a whole. Reassembly relies on the fact that the “identifier” field has the same value in every fragment of the original packet.

3.3.6 Flags

The Flags field occupies 3 bits in the IP header structure, i.e. 3/8 of a byte. Bit 0 is reserved (default 0); bit 1 is the don't fragment flag (IP_DF in the declaration above) and bit 2 is the more fragments flag (IP_MF). They play the following roles:

If a packet exceeds the size supported by the MTU, it needs to be fragmented (say, into three fragments). For the first and second fragments, bit 1 = 0 and bit 2 = 1. For the third fragment, bit 1 = 0 and bit 2 = 0, which indicates that this fragment is the last one and that no further fragment with the same packet ID follows it.

3.3.7 Fragment Offset

This field is used only when the packet is fragmented, i.e. when bit 1 of Flags = 0. If the packet is fragmented, this field (the fragment offset) indicates where the data in the current fragment should be placed in the complete packet when the fragments are reassembled into one packet at the target host, that is, the receiver.
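The fields described so far (version, header length, total length, identifier, flags and fragment offset) can be decoded and sanity-checked before anything else trusts them, as in this added example, which is not code from ip.h or from the original page. The names struct ip_info and parse_ipv4, the return codes and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_DF      0x4000   /* don't fragment flag (bit 1) */
#define IP_MF      0x2000   /* more fragments flag (bit 2) */
#define IP_OFFMASK 0x1fff   /* fragment offset, counted in 8-byte units */

struct ip_info {            /* hypothetical result type for this example */
    unsigned version, hdr_len, total_len, id, df, mf, frag_off;
};

/* Read a 16-bit field stored in network (big-endian) byte order. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Returns 0 on success, or a negative code naming the check that failed. */
int parse_ipv4(const uint8_t *buf, size_t caplen, struct ip_info *out)
{
    if (caplen < 20) return -1;                   /* no room for a minimal header */
    out->version = (buf[0] & 0xf0) >> 4;          /* same as IP_V() in ip.h */
    out->hdr_len = (buf[0] & 0x0f) * 4u;          /* IP_HL() words -> bytes */
    if (out->version != 4) return -2;
    if (out->hdr_len < 20) return -3;             /* IHL below 5 is invalid */
    if (out->hdr_len > caplen) return -4;         /* options run past the buffer */
    out->total_len = be16(buf + 2);
    if (out->total_len < out->hdr_len) return -5; /* total shorter than header */
    if (out->total_len > caplen) return -6;       /* datagram is truncated */
    out->id = be16(buf + 4);
    unsigned off = be16(buf + 6);                 /* flags + fragment offset */
    out->df = (off & IP_DF) != 0;
    out->mf = (off & IP_MF) != 0;
    out->frag_off = (off & IP_OFFMASK) * 8u;      /* byte position in original */
    return 0;
}

/* Constructed sample: a middle fragment (bit 2 set), ID 0x1c46, offset
 * 185 * 8 = 1480; 20-byte header + 8 zero payload bytes, checksum left 0. */
const uint8_t sample_frag[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x1c, 0x46, 0x20, 0xb9, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

int main(void)
{
    struct ip_info i;
    int rc = parse_ipv4(sample_frag, sizeof sample_frag, &i);
    printf("rc=%d id=0x%04x df=%u mf=%u off=%u\n", rc, i.id, i.df, i.mf, i.frag_off);
    return 0;
}
```

The order of the checks matters: the header length is validated against the captured length before any field beyond the first 20 bytes is read.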

3.3.8 Time to Live

This field indicates how far the packet can still travel across the network. Although TTL (Time to Live) is usually defined in seconds, the field is actually implemented as the number of hops a packet can still cross before it is dropped by a router on the network. Typical TTL values are 32, 64, and 128.

3.3.9 Protocol

The Protocol field in the IPv4 header contains a number indicating the type of data found in the payload portion of the datagram. The most common values are 17 (for UDP) and 6 (for TCP).

This field provides a demultiplexing feature so that the IP protocol can be used to carry payloads of more than one protocol type. Although this field originally specified the transport-layer protocol the datagram is encapsulating, it now can identify the encapsulated protocol, which may or may not be a transport protocol. Other encapsulations are possible, such as IPv4-in-IPv4 (value 4).

From The Internet Protocol (IP).

Similarly, the physical layer has a field indicating that its payload is of the Ethernet type, and the Type field of the data link layer indicates that its payload is an IP packet, as shown in the figure:

At the network layer, the following protocol fields are commonly used:

For more Protocol field values, see Protocol Numbers.

3.3.10 Header Checksum

This field provides error detection for the contents of the IP header. The header checksum is computed over the IPv4 header only, which means that the payload of an IPv4 datagram (such as TCP or UDP data) is not checked for correctness by the IP protocol. To ensure that the payload has been delivered correctly, other protocols must use their own data integrity checking mechanisms to cover any important data after the header. Almost all protocols encapsulated in IP (ICMP, IGMP, UDP, and TCP) have a checksum in their own headers to cover the headers and data that they deem important, as well as the parts of the IP header that they deem important (a form of “layering violation”). The algorithm used to compute the checksum (also used by most Internet-related protocols) is sometimes referred to as the Internet checksum. When an IPv4 datagram passes through a router, its header checksum must change because the TTL field is decremented.

3.3.10.1 Header Checksum algorithm
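An added example (not from the original page or from ip.h) of the Internet checksum computed over an IPv4 header, including the recomputation a router performs after decrementing the TTL. The function names and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Internet checksum: one's-complement sum of the header's 16-bit
 * big-endian words, carries folded back in, result complemented. */
uint16_t ip_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Receiver check: a header summed together with a correct checksum gives 0. */
int ip_checksum_ok(const uint8_t *hdr, size_t hdr_len)
{
    return ip_checksum(hdr, hdr_len) == 0;
}

/* Router step: decrement TTL (byte 8) and rewrite the checksum
 * (bytes 10-11), which is why the field changes at every hop. */
void forward_hop(uint8_t *hdr, size_t hdr_len)
{
    hdr[8]--;
    hdr[10] = hdr[11] = 0;          /* checksum field counts as 0 while summing */
    uint16_t c = ip_checksum(hdr, hdr_len);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xff);
}

/* Constructed sample: 20-byte header, TTL 64, protocol 1 (ICMP),
 * 192.168.0.1 -> 192.168.0.199, checksum bytes 0x9c 0x4a. */
const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x54, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x01,
    0x9c, 0x4a, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

int main(void)
{
    uint8_t h[20];
    for (int i = 0; i < 20; i++) h[i] = sample_hdr[i];
    printf("before hop: ok=%d\n", ip_checksum_ok(h, 20));
    forward_hop(h, 20);
    printf("after hop: ttl=%d checksum=%02x%02x ok=%d\n",
           h[8], h[10], h[11], ip_checksum_ok(h, 20));
    return 0;
}
```

Only the header bytes enter the sum, so a corrupted payload passes this check and must be caught by the TCP, UDP or ICMP checksum.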

3.3.10.2 IPv4 Header Error Checksum Calculator

IPv4 Header Error Checksum Calculator is an online tool used to verify that the value of the Header Checksum field of the IP header is correct.

Its interface is simple and intuitive, which makes troubleshooting more efficient.

3.3.11 Source IP Address

The IP address of the host that sends the data. If host A sends data to host B, the field holds the IP address of host A.

3.3.12 Destination IP Address

The IP address of the host that receives the data. If host A sends data packets to host B, the value of this field is the IP address of host B.

3.3.13 Optional Fields (Options)

IP provides optional fields to extend its functionality. Commonly used options include timestamps and routing. There is also a padding field that brings the IP header up to a whole number of 32-bit words: if the header is not a multiple of 4 bytes, it is padded with 0s.

IP options may be selected on a per-datagram basis. Many of the options are no longer practical or desirable because of the limited size of the IPv4 header or concerns regarding security. With IPv6, most of the options have been removed or altered and are not part of the basic IPv6 header but are placed after the IPv6 header in one or more extension headers.

For more details about optional fields, see IP Options.

3.3.14 Data

This field holds the upper-layer TCP segment (TCP header + TCP data).

4. Summary

This section described the position of the network (Internet Protocol) layer in the TCP/IP protocol family, together with its functions and features. It then described the structure of the IP header and explained each field in the header in detail.