The Building Block Every Network Engineer Must Understand
Every file download, every video stream, every DNS query, every SSH session—all of it moves across the internet as a sequence of discrete, self-contained units called IP packets. They are not streams, not circuits, and not continuous flows. Each packet is an independent datagram carrying just enough information in its header to be routed from source to destination without any persistent connection state in the routers along the path.
This design choice, made in the early ARPANET era, is what gives the internet its fault tolerance and scalability. A router failure midway through a file download does not terminate the transfer; subsequent packets simply take a different path. Understanding how a packet is structured, how it travels, and what happens when it is lost or delayed gives you the foundation to diagnose nearly any network problem you will ever encounter.
The Anatomy of an IPv4 Packet Header
An IPv4 header is a minimum of 20 bytes long. Each field has a specific purpose, and understanding them is not optional knowledge for anyone doing real network work:
- Version (4 bits): Set to 4 for IPv4. Routers check this first to know which header format follows.
- IHL — Internet Header Length (4 bits): Specifies the header length in 32-bit words. A value of 5 means the header is 20 bytes (no options). A value of 15 means 60 bytes of header including options.
- DSCP — Differentiated Services Code Point (6 bits): Used by QoS systems to classify traffic. A packet with DSCP EF (Expedited Forwarding, decimal 46) gets prioritized over best-effort traffic in queues.
- Total Length (16 bits): The total size of the packet in bytes, including header and payload. Maximum value is 65,535 bytes, though most practical packets stay below the path MTU.
- Identification (16 bits): A value assigned by the sender, used to group fragments belonging to the same original datagram during reassembly.
- Flags (3 bits): Bit 1 is the Don't Fragment (DF) flag. When set, routers must drop the packet and send an ICMP Type 3 Code 4 message if the packet is too large for the next link. Bit 2 is the More Fragments (MF) flag, indicating that more fragments follow.
- Fragment Offset (13 bits): The position of this fragment's data within the original unfragmented packet, expressed in units of 8 bytes.
- TTL — Time to Live (8 bits): Decremented by 1 at each router hop. When it reaches zero, the router drops the packet and sends an ICMP Time Exceeded message back to the source. Traceroute exploits this behavior to map network paths.
- Protocol (8 bits): Identifies the transport layer protocol in the payload. TCP is 6, UDP is 17, ICMP is 1, IP-in-IP encapsulation is 4.
- Header Checksum (16 bits): A one's complement checksum of the header only (not the payload). Recalculated at each hop because the TTL field changes.
- Source IP Address (32 bits): The IPv4 address of the originating host.
- Destination IP Address (32 bits): The IPv4 address of the intended recipient.
After the header comes the payload: the actual data being transported. For a TCP segment, the payload is the TCP header plus application data. For a UDP datagram, it is the UDP header plus application data. The IP layer does not interpret the payload—it delivers it to the protocol identified in the Protocol field.
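The header layout above, as an added Python example (not from the original article): it parses and validates the fixed fields, verifies the Header Checksum, and performs the per-hop TTL decrement with checksum recalculation. The function names and the sample packet (documentation addresses 192.0.2.1 and 198.51.100.7) are constructed for illustration.

```python
import struct

def checksum(header: bytes) -> int:
    """One's complement of the one's complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hdr_len = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    if ver_ihl >> 4 != 4:
        raise ValueError("Version is not 4")
    if hdr_len < 20 or hdr_len > len(packet):
        raise ValueError("IHL out of range for this buffer")
    if not hdr_len <= total_len <= len(packet):
        raise ValueError("Total Length inconsistent with header or buffer")
    if checksum(packet[:hdr_len]) != 0:       # a valid header checks to zero
        raise ValueError("Header Checksum mismatch")
    return {
        "hdr_len": hdr_len, "dscp": tos >> 2, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[hdr_len:total_len],
    }

def forward_hop(packet: bytes) -> bytes:
    """Per-hop header rewrite: decrement TTL, then recompute the checksum."""
    hdr_len = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:hdr_len])
    if hdr[8] <= 1:
        raise ValueError("TTL expired: drop, send ICMP Time Exceeded")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                  # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[hdr_len:]

# Constructed sample: 192.0.2.1 -> 198.51.100.7, UDP, DSCP EF (46), DF set, TTL 64.
_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 46 << 2, 24, 0x1234, 0x4000,
                             64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
_hdr[10:12] = struct.pack("!H", checksum(bytes(_hdr)))
SAMPLE = bytes(_hdr) + b"data"
```

Rejecting a packet whose IHL or Total Length disagrees with the bytes actually received is the check that keeps a parser from reading past the buffer.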
How Packet Switching Works
The internet is a packet-switched network. This is fundamentally different from the traditional telephone network (a circuit-switched network), where a dedicated physical path was reserved for the duration of a call. In packet switching:
- The sender breaks the data into packets, each sized to fit within the path MTU.
- Each packet is independently routed. Different packets from the same file can travel through entirely different physical paths across the network.
- Intermediate routers examine only the destination IP address and forward the packet toward the destination using their routing tables. They maintain no state about the flow.
- The receiving end reassembles the packets in the correct order using sequence numbers (at the TCP layer) or the IP fragment identification and offset fields (at the IP layer).
This model allows thousands of simultaneous flows to share the same physical links without requiring pre-allocated capacity for each one. The tradeoff is that delivery is best-effort—IP itself guarantees nothing about delivery, ordering, or timing.
Fragmentation and Reassembly
When a packet is too large to fit within the MTU of a network link along its path, the router at that point has two choices depending on the DF flag:
- If the DF flag is clear, the router fragments the packet into smaller pieces, each with a new header preserving the original Identification field and setting appropriate Fragment Offset and MF flag values.
- If the DF flag is set, the router drops the packet and sends an ICMP Destination Unreachable (Type 3, Code 4) message back to the source, indicating the MTU of the outgoing link. The source should then reduce its packet size accordingly. This is the mechanism behind Path MTU Discovery (PMTUD).
Reassembly happens at the final destination only—not at intermediate routers. This is an important IPv4 design decision. The destination collects all fragments with the same Identification value and source IP, sorts them by Fragment Offset, and reconstructs the original datagram. If any fragment is lost, the entire original datagram is discarded and the transport protocol must retransmit.
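The two sides of this section, as an added Python example that is not part of the original article: a router-side split that honours the DF flag, and a destination-side reassembly that discards the datagram when a fragment is missing. Function names and the tuple layout are hypothetical, and treating any overlap between fragments as grounds to discard is a strict policy assumed here, not something the article specifies.

```python
def fragment(payload: bytes, mtu: int, df: bool = False, hdr_len: int = 20) -> list:
    """Router-side split; returns (offset_in_8_byte_units, mf, data) tuples."""
    if hdr_len + len(payload) <= mtu:
        return [(0, False, payload)]
    if df:
        raise ValueError(f"DF set: drop, send ICMP Type 3 Code 4 (MTU {mtu})")
    chunk = (mtu - hdr_len) // 8 * 8          # every fragment but the last is a multiple of 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return [(i * chunk // 8, i < len(pieces) - 1, p) for i, p in enumerate(pieces)]

def reassemble(fragments: list):
    """Destination-side reassembly for fragments sharing one source and Identification.
    Returns the datagram, or None when it must be discarded."""
    ordered = sorted(fragments, key=lambda f: f[0])   # arrival order is not guaranteed
    if not ordered or ordered[-1][1]:         # final fragment (MF clear) never arrived
        return None
    out = bytearray()
    for i, (offset_units, mf, data) in enumerate(ordered):
        if offset_units * 8 != len(out):      # gap from a lost fragment, or an overlap
            return None
        if mf != (i < len(ordered) - 1):      # MF must be set on all but the last
            return None
        out += data
    return bytes(out)

# Constructed input: a 4000-byte payload crossing a link with a 1500-byte MTU.
PAYLOAD = bytes(range(250)) * 16
FRAGS = fragment(PAYLOAD, 1500)
```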
Real-World Implications
Buffering in video streaming: A streaming server sends video data as a continuous sequence of UDP or TCP packets. When a packet is lost (dropped by a congested router or a wireless link with errors), the player has to wait. If using TCP, it waits for the retransmission before it can deliver data to the decoder. If using UDP (as with most modern streaming over QUIC), the protocol has its own loss recovery. The buffer you see on your screen is designed to absorb this variation.
Latency and jitter in VoIP: Real-time audio is especially sensitive to packet loss and jitter (variation in arrival time). VoIP codecs encode audio into small UDP packets every 20ms. A single lost packet causes a brief audio dropout. Jitter buffers at the receiver compensate for variable arrival times by holding packets briefly before playback, at the cost of added delay.
Traceroute and network diagnostics: Traceroute works by sending packets with incrementing TTL values, starting from 1. Each router that drops a packet due to TTL expiry sends back an ICMP Time Exceeded message revealing its IP address. By collecting these responses, traceroute maps the path a packet takes through the network. The TTL field in the IP header makes this entire diagnostic technique possible.
IPv4 vs IPv6 Packet Structure Comparison
| Field | IPv4 | IPv6 |
|---|---|---|
| Header size (minimum) | 20 bytes | 40 bytes |
| Address size | 32 bits | 128 bits |
| Header checksum | Yes (per-hop recalculation) | No (removed to improve forwarding speed) |
| Fragmentation | By routers and endpoints | By endpoints only (via extension header) |
| Options | Variable-length options field | Extension headers (chained) |
| Flow label | No | Yes (20 bits, for QoS) |
| TTL equivalent | TTL field | Hop Limit field (same function) |
Common Misconceptions
Packets always take the same path
They do not. Each packet is routed independently based on the current state of routing tables at each intermediate router. Equal-Cost Multi-Path (ECMP) routing actively distributes flows across multiple parallel paths. This is one reason why out-of-order packet arrival is a normal condition that TCP is designed to handle.
A larger packet is always faster
Larger packets reduce per-packet header overhead but increase serialization delay on slow links and increase the retransmission cost when a packet is lost. The optimal packet size depends on the link characteristics. On a lossy wireless network, smaller packets can improve throughput because each retransmission carries less wasted data.
The IP layer handles reliability
IP is explicitly a best-effort, unreliable protocol. It makes no delivery guarantees. Reliability—acknowledgment, retransmission, ordering—is the responsibility of the transport layer. TCP provides these guarantees; UDP does not.
Packet loss only happens on bad connections
Packet loss is a normal part of congestion control. TCP deliberately interprets packet loss as a signal to reduce its sending rate. On a healthy, well-provisioned network, you will see occasional packet loss during peak load periods as a feature, not a bug—it is the network's way of telling senders to slow down.
Pro Tips for Working With IP Packets
- Always check your path MTU before blaming the application. Many mysterious TCP connection hangs and black-hole routes are caused by PMTUD failures due to ICMP being filtered. Test with `ping -M do -s 1472` (Linux) or `ping -f -l 1472` (Windows) to probe the path MTU manually.
- Use Wireshark display filters to isolate specific flows. The filter `ip.addr == x.x.x.x` shows all packets involving a specific address. Combine with `tcp.analysis.retransmission` to immediately surface retransmissions and diagnose loss events.
- Watch the TTL field to detect asymmetric routing. If packets arriving from a remote host have widely varying TTL values, they are taking different paths through the network. This can cause reordering and performance issues for TCP flows.
- Understand DSCP markings before tuning QoS. Re-marking DSCP at the network boundary is standard practice, but marking traffic CS6 or EF without understanding queue configurations can cause unexpected drops. Know what each DSCP value means for your specific equipment.
- Enable selective acknowledgment (SACK) on all servers. SACK allows TCP receivers to acknowledge non-contiguous data, meaning a sender does not have to retransmit everything after a lost packet—only the missing pieces. It is enabled by default on most modern operating systems but verify it is not disabled by policy.
- Use packet captures at both endpoints when debugging. A single-sided capture can mislead you. A packet might appear to leave one endpoint cleanly but arrive corrupted or reordered. Simultaneous captures at source and destination reveal exactly where the problem occurs in the path.
Every problem you will ever debug on a network ultimately comes back to packets—their structure, their path, and whether they arrive intact and in sequence. Building a precise mental model of the IP header fields and the packet-switching process is foundational knowledge that pays dividends across every specialization in networking.