IPv4 Packet Header

I didn’t understand this. The minimum length of an IP header is 20 bytes so with 32 bit increments, you would see value of 5 here. The maximum value we can create with 4 bits is 15 so with 32 bit increments

so with 32 bit increments, you would see value of 5 here. 32 bits = 4 bytes. I don’t understand this. Why is it 5?

Hello Abdul

The Header Length is a “4 bit field that tells us the length of the IP header in 32 bit increments”.

To understand this statement more clearly, let’s use 4-byte increments which is the same as 32-bit increments since 4 bytes = 32 bits.

  • A value of 1 in the Header Length gives us a length of 4 bytes
  • A value of 2 in the Header Length gives us a length of 8 bytes
  • A value of 3 in the Header Length gives us a length of 12 bytes
  • A value of 4 in the Header Length gives us a length of 16 bytes
  • A value of 5 in the Header Length gives us a length of 20 bytes

Because the length of the IP header cannot be smaller than 20 bytes, the smallest value of the Header Length is 5. It can be larger of course, like so:

  • A value of 6 in the Header Length gives us a length of 24 bytes
  • A value of 7 in the Header Length gives us a length of 28 bytes
  • A value of 8 in the Header Length gives us a length of 32 bytes
  • A value of 14 in the Header Length gives us a length of 56 bytes
  • A value of 15 in the Header Length gives us a length of 60 bytes

So essentially, to get the header length in bytes, we multiply the value of the Header Length by 4.

Does that make sense?

I hope this has been helpful!

Laz
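The multiply-by-4 rule from the answer above, as an added example that is not part of the original post: a parser that reads the 4-bit Header Length field and checks it before using it as an offset. The function names and the sample packets (documentation-range addresses, checksum left at 0) are constructed for illustration.

```python
import struct

MIN_IHL = 5   # 5 x 4 bytes = the 20-byte header without options
WORD = 4      # the Header Length field counts 32-bit (4-byte) words

class BadHeader(ValueError):
    pass

def ipv4_header_length(packet: bytes) -> dict:
    """Return header and option lengths in bytes, rejecting impossible values."""
    if len(packet) < MIN_IHL * WORD:
        raise BadHeader("shorter than the 20-byte minimum header")
    version = packet[0] >> 4          # high 4 bits of the first byte
    ihl = packet[0] & 0x0F            # low 4 bits: Header Length, range 0..15
    if version != 4:
        raise BadHeader(f"not IPv4 (version {version})")
    if ihl < MIN_IHL:
        raise BadHeader(f"value {ihl} means {ihl * WORD} bytes, below the 20-byte minimum")
    header_len = ihl * WORD
    total_len = struct.unpack("!H", packet[2:4])[0]
    if header_len > len(packet) or header_len > total_len:
        raise BadHeader(f"value {ihl} claims {header_len} bytes, more than the packet holds")
    return {"ihl": ihl, "header_bytes": header_len,
            "option_bytes": header_len - MIN_IHL * WORD,
            "payload_offset": header_len}

def build_header(ihl: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed sample packet; ihl is written as given, even if it is wrong."""
    total = 20 + len(options) + len(payload)
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options + payload

if __name__ == "__main__":
    samples = {
        "no options": build_header(5, b"data"),
        "8 option bytes": build_header(7, b"data", b"\x01" * 8),
        "value too small": build_header(4, b"data"),
        "value past end": build_header(15, b"data"),
    }
    for name, pkt in samples.items():
        try:
            print(name, ipv4_header_length(pkt))
        except BadHeader as err:
            print(name, "rejected:", err)
```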

Hello,

The source and destination IP addresses in the header are /32, even if the packet was created on a PC which has an IP with a /24 mask?

Hello Ahmedlmad

Yes, that is correct. The IP header contains no information about subnet masks. That information is found only as a network parameter configured on the network interface of each device. The subnet mask is used by host devices and routing devices to determine which networks particular IP addresses (such as those configured on the interfaces and those encountered in the headers of IP packets) belong to.

The subnet mask configured on a router’s interfaces allows a router to determine the networks (IP address ranges) that its interfaces are connected to. Using that information, it can correctly build the routing table with its directly connected networks.

Similarly, a host uses its subnet mask to determine if the destination address in the IP header of a packet it is about to send is in its own subnet or in a different subnet. In the former case it sends it directly to the destination host, and in the latter case it will direct the packet to the default gateway.

Subnet information therefore is unnecessary in the header of the IP packet.

I hope this has been helpful!

Laz

1 Like
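The decision described in the answer above, as an added example that is not part of the original post: the mask lives only in the interface configuration, and the bare destination address from the header is compared against it. Interface names, addresses and the gateway are constructed for illustration.

```python
import ipaddress

def connected_routes(interfaces: dict) -> dict:
    """Derive directly connected networks from each interface's address and mask."""
    return {name: ipaddress.ip_interface(cfg).network
            for name, cfg in interfaces.items()}

def forward(dst: str, routes: dict, default_gateway: str = None) -> tuple:
    """Decide where a packet goes, given only the destination address in its header."""
    address = ipaddress.ip_address(dst)        # 32-bit address, no mask attached
    matches = [(net.prefixlen, name) for name, net in routes.items()
               if address in net]
    if matches:
        _, name = max(matches)                 # most specific connected network
        return ("direct", name)
    if default_gateway is not None:
        return ("gateway", default_gateway)
    return ("drop", None)

# Constructed host: one interface with a /24 mask and a default gateway.
HOST_ROUTES = connected_routes({"eth0": "192.168.1.10/24"})
HOST_GATEWAY = "192.168.1.1"

# Constructed router: the masks on its interfaces give its connected routes.
ROUTER_ROUTES = connected_routes({
    "Gi0/0": "192.168.1.1/24",
    "Gi0/1": "10.20.0.1/16",
})

if __name__ == "__main__":
    for dst in ("192.168.1.77", "203.0.113.5"):
        print("host  ", dst, forward(dst, HOST_ROUTES, HOST_GATEWAY))
    for dst in ("10.20.33.4", "203.0.113.5"):
        print("router", dst, forward(dst, ROUTER_ROUTES))
```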

DSCP setting in the IP headers, I did some tests and they do seem to cross the internet. I have heard sometimes they get changed and not carried over the internet. Any way to tell a carrier to preserve them? Private circuits (not internet)?

Hello Rod

There are a couple of things to keep in mind when examining how DSCP values are modified over the Internet. First of all, if we’re talking about any kind of private circuit, VPN, MPLS, MetroEthernet, or others, where our internal traffic is tunneled in some way over another technology, then the DSCP values of those packets are not modified. These are not considered packets that are on the Internet at large but are sent via these technologies between remote sites, as if those remote sites were on the same corporate LAN. Such packets are not directly routed by any router on the Internet, but are tunneled and remain unchanged.

Now when we’re not using such technologies, and you send data out of your ISP’s connection to the Internet, the DSCP values will typically be reset by the first router that is encountered. You mention that:

In order to ensure that this is indeed the case, you would have to take a packet capture at that particular router. By examining packets that have arrived on your network, you still cannot be sure of what happened while that packet was traversing the Internet unless you take a packet capture at one or more of the routers on the Internet itself. For example, you might examine a packet that has just arrived on your network. That packet has passed through the edge router of your network, which may change the DSCP values as the packet enters the corporate network.

So it is not as clear-cut and certain as to what happens while a packet traverses the internet. However, your question got me thinking, and I did some more research. I found the following research paper on the subject which has some interesting results.

It states that within the Internet core, they found that the majority of packets (over 70%) had their DSCP values carried transparently, meaning they remained unchanged. The percentage changes somewhat when we take the network edge into account, which is where the local ISPs operate, which tend to modify them more often, depending upon the type of network (mobile or fixed) and the location in the world (Americas, Europe, Asia etc…).

I hope this has been helpful!

Laz

Hello Rene,

As I learned, the UDP or TCP protocol is carried in the Transport layer of the OSI model. But as I see in the captured packet, the IP address and Protocol types are carried in the Network layer. Only port numbers are shown in the Transport layer. So I am confused about how to answer this type of question in further exams. Are UDP and TCP layer 3 or 4?

Regards,
Orgio

Hello Munkhorgil

Yes, you are correct, TCP and UDP are protocols that operate in the Transport layer of the OSI model. Now what you saw in the Network layer of the Wireshark capture is the following:

In the header of the IPv4 packet, you will find the “Protocol” field. This field contains information about the Transport layer protocol that this particular IPv4 packet is carrying as its payload. This is just information

Don’t confuse the simple mention of the protocol in the IP header with the actual operation of the TCP or UDP protocols. TCP and UDP are Transport layer protocols because they operate on that layer.

I hope this has been helpful!

Laz
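The split described in the answer above, as an added example that is not part of the original post: the Protocol field in the IPv4 header only names the payload type, while the ports sit in the Transport layer header that starts right after the IP header. The function names and the sample packet (documentation-range addresses, checksums left at 0) are constructed for illustration.

```python
import ipaddress
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # values of the IPv4 Protocol field

def split_layers(packet: bytes) -> dict:
    """Separate what the Network layer header says from what the Transport header says."""
    header_len = (packet[0] & 0x0F) * 4          # Header Length field x 4 bytes
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("invalid IPv4 header length")
    proto = packet[9]                            # Protocol field: a label for the payload
    layer3 = {
        "src": str(ipaddress.ip_address(packet[12:16])),
        "dst": str(ipaddress.ip_address(packet[16:20])),
        "protocol": proto,
        "carries": IP_PROTOCOLS.get(proto, "other"),
    }
    segment = packet[header_len:]                # everything after the IP header
    layer4 = None
    if proto in (6, 17) and len(segment) >= 4:
        # TCP and UDP both begin with source port, then destination port
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        layer4 = {"src_port": src_port, "dst_port": dst_port}
    return {"layer3": layer3, "layer4": layer4, "segment_offset": header_len}

def sample_udp_packet() -> bytes:
    """Constructed packet: 20-byte IPv4 header + 8-byte UDP header + payload."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address("192.0.2.10").packed,
                     ipaddress.ip_address("198.51.100.53").packed)
    return ip + udp

if __name__ == "__main__":
    print(split_layers(sample_udp_packet()))
```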