The IP header has the following fields:
- Protocol Version (4 bits): This is
the first field in the protocol header and occupies 4 bits.
It signifies the IP protocol version in use. The most
common version in use is version 4, while version
6 is out in the market and fast gaining popularity.
- Header Length (4 bits): This field
gives the length of the IP header, expressed in 32-bit words.
The length includes IP options (if any). Since the field is
4 bits wide, the maximum header length allowed is 60 bytes
(15 words of 4 bytes each). When no options are present,
the value of this field is usually 5, meaning five 32-bit words,
i.e. 5 * 4 = 20 bytes.
- Type of Service (8 bits): The first
three bits of this field are known as precedence bits and are
ignored as of today. The next 4 bits represent the type of service and
the last bit is left unused. The 4 bits that represent TOS are:
minimize delay, maximize throughput, maximize reliability and
minimize monetary cost.
- Total Length (16 bits): This
represents the total IP datagram length in bytes. Since the header
length (described above) gives the length of the header and this field
gives the total length, the length of the data and its starting point can
easily be calculated from these two fields. Since this is a 16-bit
field and it represents the length of the IP datagram, the maximum size
of an IP datagram is 65535 bytes. When IP fragmentation takes
place over the network, the value of this field also changes. There
are cases when IP datagrams are very small, but some data
links like Ethernet pad these small frames to a minimum
length, i.e. 46 bytes. So to know the exact length of IP header in
case of Ethernet padding, this field comes in handy.
- Identification (16 bits): This field
is used for uniquely identifying IP datagrams. The value is
incremented every time an IP datagram is sent from the source to the
destination. The field comes in handy during reassembly of
fragmented IP datagrams.
- Flags (3 bits): This field consists
of three bits. The first bit is reserved as of now; the
next two bits each have a meaning. The second bit is
the ‘Don’t Fragment’ bit. When this bit is set, the IP datagram is
never fragmented; rather, it is thrown away if a requirement for
fragmentation arises. The third bit is the ‘More Fragment’ bit.
If this bit is set, it marks a fragmented IP datagram that
has more fragments after it. In the last fragment of an IP
datagram this bit is not set, signifying that this is the last
fragment of that particular IP datagram.
- Fragment Offset (13 bits): In
fragmented IP datagrams, this field contains the offset (in units
of 8 bytes) from the start of the IP datagram. So again, this
field is used in reassembly of fragmented IP datagrams.
- Time to Live (8 bits): This value
represents the number of hops that the IP datagram will go through
before being discarded. The initial value of this field is
set to around 32 or 64 (let's say), and at every hop over the
network the field is decremented by one. When the field becomes
zero, the datagram is discarded. So this field
literally means the effective lifetime of a datagram on the
network.
- Protocol (8 bits): This field
represents the transport layer protocol that handed the data over to the IP
layer. The field comes in handy when the data is demultiplexed at
the destination, since IP then needs to know which
protocol to hand the data to.
- Header Checksum (16 bits): This
field holds a value that is calculated using an algorithm
covering all the fields in the header (assuming this very field to be
zero). The value is calculated and stored in the header when the IP
datagram is sent from source to destination, and at the destination side
the checksum is calculated again and verified against the checksum
present in the header. If the values are the same, the datagram was not
corrupted; otherwise it is assumed that the datagram was received corrupted.
So this field is used to check the integrity of an IP
datagram.
- Source and Destination IP (32 bits
each): These fields store the source and
destination address respectively. Since the size of these fields is 32
bits each, an IP address of maximum length 32 bits can be
used. This limits the number of IP addresses that
can be used. To counter this problem, IPv6 has been introduced,
which increases this capacity.
- Options (variable length): This field
represents a list of options that are active for a particular IP
datagram. It is an optional field that may or may not be
present.
- In the description above, the ‘copy flag’ means that this
option is copied to all the fragments in case this IP datagram gets
fragmented. The ‘option class’ represents the following values:
0 -> control, 1 -> reserved, 2 -> debugging and measurement,
and 3 -> reserved. Some of the options are given below :
- Data: This field contains the data
from the protocol layer that handed the data over to the IP layer.
Generally this data field contains the header and data of the
transport layer protocol. Please note that on the source host each
TCP/IP layer protocol attaches its own header at the beginning of the
data it receives from other layers, and on the destination host each
protocol strips its own header and sends the
rest of the data to the next layer.
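
The field layout above can be checked mechanically. The following Python code is an added example, not part of the original page: it unpacks the fixed 20-byte header, recomputes the Header Checksum with the checksum field zeroed, and uses Header Length and Total Length to find the data and drop link-layer padding. The function names and the sample packet (constructed, using documentation addresses) are assumptions.

```python
import struct

def checksum16(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(frame_payload: bytes) -> dict:
    """Parse the IPv4 header from the bytes that follow the link-layer header."""
    if len(frame_payload) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, stored_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame_payload[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr_len = ihl * 4                        # Header Length counts 32-bit words
    if version != 4 or ihl < 5:
        raise ValueError("not IPv4, or header length below 5 words")
    if not hdr_len <= total_len <= len(frame_payload):
        raise ValueError("total length inconsistent with header or captured bytes")
    header = frame_payload[:hdr_len]         # includes options when ihl > 5
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field taken as zero
    return {
        "header_len": hdr_len, "total_len": total_len, "id": ident,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": checksum16(zeroed) == stored_sum,
        "data": frame_payload[hdr_len:total_len],      # padding after total_len is dropped
    }

def build_sample() -> bytes:
    # Constructed sample: 20-byte header, 4 data bytes, zero padding up to 46 bytes.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0x1234, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    return hdr + b"DATA" + b"\x00" * 22
```
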

When a packet is fragmented, we need to look at two things:
the Fragmentation offset and the MF flag.
- For the first fragment, Offset is 0 and MF is set to 1 to
indicate that there are more fragments.
- For intermediate fragments, Offset is non-zero and MF is set to
1 to indicate that there are more fragments.
- For the last fragment, Offset is non-zero and MF is set to 0 to
indicate this is the last fragment.
- For a non-fragmented packet, Offset is set to 0 and MF is also
set to 0.

With this information, the answers are:
1) The Fragmentation offset field is 0 but MF will be set to 1
to indicate this is the first fragment.
2) As explained above, since the fragmentation offset field is
set to 0, this indicates it is the first fragment. Total packet
size is 1514. If we subtract the Ethernet header size of 14 bytes,
the IP datagram size is 1500 bytes.
3) Since the Wireshark capture has not been expanded to show the
fields, I will explain the concept here. If fragmentation offset is
non-zero, this indicates that it is not the first fragment. If the
MF flag bit is set, it indicates that there are more fragments
coming.
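
The four Offset/MF cases and the first answer's packet (offset 0, MF set, 1500-byte datagram) are shown below as an added Python example that is not part of the original answer. It goes one step beyond classification and checks that a set of fragments reassembles without gaps or overlaps, which a receiver or monitoring tool should treat as malformed. The helper names and the second fragment are constructed for illustration.

```python
import struct

MF, DF = 0x2000, 0x4000   # bit masks inside the 16-bit Flags + Fragment offset word

def fragment_info(ip_header: bytes) -> dict:
    """Classify one datagram from its Flags and Fragment offset fields."""
    ihl = (ip_header[0] & 0x0F) * 4
    total_len, _ident, word = struct.unpack_from("!HHH", ip_header, 2)
    offset_units = word & 0x1FFF             # low 13 bits, counted in 8-byte units
    more = bool(word & MF)
    if offset_units == 0:
        kind = "first" if more else "unfragmented"
    else:
        kind = "intermediate" if more else "last"
    start = offset_units * 8
    return {"kind": kind, "df": bool(word & DF),
            "start": start, "end": start + total_len - ihl}   # data byte range

def reassembly_status(fragments: list) -> str:
    """Report whether the fragments form one gap-free, overlap-free datagram."""
    frags = sorted(fragments, key=lambda f: f["start"])
    expected = 0
    for f in frags:
        if f["start"] > expected:
            return "incomplete: gap at byte %d" % expected
        if f["start"] < expected:
            return "malformed: overlap at byte %d" % f["start"]
        expected = f["end"]
    if frags and frags[-1]["kind"] in ("last", "unfragmented"):
        return "complete"
    return "incomplete: last fragment missing"

def header(total_len: int, word: int) -> bytes:
    # Constructed 20-byte header; checksum and addresses are left zero here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x0001, word,
                       64, 17, 0, bytes(4), bytes(4))

# The answer's packet: 1500-byte datagram, offset 0, MF = 1 -> 1480 data bytes.
FIRST = fragment_info(header(1500, MF | 0))
# Constructed follow-up: offset 185 units (185 * 8 = 1480), MF = 0, 500 data bytes.
LAST = fragment_info(header(520, 185))
```
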