How does the network layer deal with headers

7 IP protocols of the network and transport layer

IP packets and packet headers

In TCP/IP, OSI layer 3 (the network layer) is implemented by the protocol IP (Internet Protocol). As usual, an IP packet consists of packet-specific information in the packet header and the user data. The packet header has the following structure:

The header of an IP packet consists of the fields

  • Version: version of the IP protocol (currently version 4; version 6 is being standardized)
  • IHL: length of the header
  • Type of service: desired service, reliability, speed
  • Total Length: Length of header and data, maximum 65535 bytes
  • Identification: Identifier for fragments, all fragments have the same identifier
  • Flags DF and MF: fragmentation flags. DF (Don't Fragment) requests that the datagram is not fragmented, MF (More Fragments) signals that more fragments of a fragmented datagram are coming.
  • Fragment Offset: Offset of the fragment in the datagram
  • Time To Live: maximum lifetime of the packet in seconds (max. 255 seconds)
  • Protocol: type of transport protocol (e.g. TCP, UDP etc.)
  • Header Checksum: checksum of the header
  • Source Address: IP address of the sender
  • Destination Address: IP address of the recipient
  • Options: possible options are:
    • Security: indicates how secret the datagram is
    • Strict Source Routing: Strict source routing, defines the complete path exactly
    • Loose Source Routing: Loose source routing, specifies a list of routers that must not be bypassed
    • Record Route: Route recording, causes every router to append its IP address
    • Time Stamp: Time stamp, causes every router to append its address and a time stamp
    If necessary, the option field is filled with filler characters

In terms of user data, an IP packet can contain a maximum of a little less than 64 kB of data. The exact number of maximum usable bytes of an IP packet is calculated from the maximum length of an IP packet of 65535 bytes minus the length of the IP header, which depends dynamically on the size of the option field.
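The field layout above can be checked mechanically. The following parser is an added example, not part of the original lecture notes: it decodes the fixed header, derives the usable payload length from Total Length minus IHL, and rejects packets whose length fields contradict the data actually received. The sample packet and its addresses (documentation range 192.0.2.0/24) are constructed.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header fields and reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4    # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 20 or ihl > len(packet) or total_len < ihl or total_len > len(packet):
        raise ValueError("IHL / Total Length inconsistent with the data received")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,      # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl],
        "payload_length": total_len - ihl,
        # A header carrying a correct checksum sums to zero.
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,
    }

def build_sample() -> bytes:
    """Constructed packet: 24-byte header (4 option bytes used as filler), 8 data bytes."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x46, 0, 32, 1234, 0x2000 | 13,
                                64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 33])))
    hdr += b"\x01\x01\x01\x00"                             # NOP, NOP, NOP, End of Option List
    struct.pack_into("!H", hdr, 10, internet_checksum(bytes(hdr)))
    return bytes(hdr) + b"A" * 8

if __name__ == "__main__":
    print(parse_ipv4_header(build_sample()))
```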

IP addresses

IP addresses (version 4) are 32 bits or 4 bytes long. A distinction is made between 5 address types: The important addresses of classes A, B and C as well as the experimental class D for multicasting and the reserved class E. IP addresses are usually written in the so-called dotted decimal notation, e.g. This means that each byte of the 4 byte long address is noted in decimal notation and the individual bytes of the address are separated from one another by periods.

IP addresses consist of 1 or more bits that identify the address type and, for the addresses of classes A, B and C, of a network component (7, 14 or 21 bits) and a host component (24, 16 or 8 bits). The network part indicates the address of the company or institution network, the host part the address of the node within the company or institution network. Class A addresses are therefore intended for large networks (many nodes), and class C addresses for small networks (a few nodes, max. 255). However, due to the expansion of the Internet, the address space is so scarce that almost only class C addresses are assigned. Larger networks must therefore be set up with class C address blocks. For example, the Fulda University of Applied Sciences has the worldwide unique addresses to, i.e. 7 networks of class C. Since 7 networks are not sufficient for structuring the LAN of the Fulda University of Applied Sciences, the 8-bit host part of the class C addresses was subdivided into a 3-bit subnet part and a host part that is only 5 bits wide. This means that a maximum of 32 nodes can be addressed per segment.

In addition to the IP address, the following are also important:

  • Net mask: masks the network part in the IP address, i.e. all bits in the IP address that represent the network part (and, if applicable, the subnet part) are set, all bits that represent the pure host part are not set
  • Broadcast address: for broadcast messages in the network segment. The broadcast address thus consists of the network part of the segment and the host part with all bits set.


Computer:
---------------------------------------
IP address
Net mask         11100000 (binary)
                    ===== host part
Broadcast        10011111 (binary)
                    ===== host part
Subnet address   10000000 (binary)


IP addresses are purely logical addresses on layer 3, the network layer. These addresses are unknown or incomprehensible on the layers below. There, so-called MAC addresses apply, e.g. physical Ethernet addresses (48 bits wide), which are usually defined in the hardware of the Ethernet controller. In order to send a data packet to a recipient with an IP address, an address translation is first necessary.

The task of the ARP (Address Resolution Protocol) is to implement this conversion of the logical addresses of layer 3 (IP address) into MAC addresses of layer 2 (Ethernet address). This information is usually kept in cache tables. Example: ARP table of the computer

ulme) arp -a
Net to Media Table
Device   IP Address             Mask      Flags   Phys Addr
------   --------------------   --------  -----   -----------------
hme0     cedar                                    08:00:20:20:b5:50
hme0     poplar                                   08:00:20:20:bf:71
hme0     ficus                                    08:00:20:12:5a:be
hme0     zirpe                                    08:00:20:18:d9:5a
hme0     kiefer                                   08:00:20:19:2a:c1
hme0     pasture                                  08:00:20:20:af:02
hme0     cisco                                    00:60:83:7b:66:f0

The table shows that the hosts cedar, poplar etc. can be reached via the network interface hme0 under the MAC addresses given in the right column.

Conversely, it may be necessary to determine the IP address from the MAC address. That is the job of the RARP (Reverse Address Resolution Protocol).

IP routing

The routing of IP packets takes place in the IP layer of the computer according to the simple algorithm

IF recipient address local THEN send datagram ELSE datagram to default router

The basis is the routing table of the IP layer with the entries

  • Recipient address: network or host (specified by flag)
  • IP address of the next-hop router or the directly connected network (flag)
  • Specification of the network interface for transmission

This means that the IP routing is based on the principle

  1. look for a match with the complete IP address
    => send the datagram to the recipient
  2. search for a match only for the network address => send the datagram on (note the possible subnet mask)
  3. send the datagram to the default router (default gateway)

Routing information is kept in internal tables. Example: configuration and routing table of the computer

ulme) ifconfig hme0
hme0: flags=863

The host ulme with the IP address sends all packets to its own loopback address ( via the interface lo0. The flags UH indicate that the loopback address is activated (U) and is a host (H). Packets to the subnet in which ulme also resides are delivered directly via the hme0 interface; packets to other recipients go to the router that is configured as the default gateway.

Multitasking systems (e.g. Unix systems or Novell servers) have the special feature that the IP layer of the computer can also act as a router / gateway.

Examples of IP routing

A distinction must be made between sending packets to a computer in your own subnet and via a gateway to a computer outside your own subnet:

  1. Sending within the subnet (A -> B)
    • By masking it with the subnetwork address, the sender A determines that the receiver B is in its own subnetwork
    • the sender uses an ARP call to determine the MAC address of the recipient and enters it in the frame of the underlying network layer (e.g. Ethernet)
    • the sender A sends the packet addressed in this way to the recipient B.
  2. Sending within the LAN (B -> U)
    • By masking it with the subnetwork address, the sender B determines that the receiver U is outside its own subnet, that is, the packet is to be sent to the default gateway X for forwarding
    • the sender uses an ARP call to determine the MAC address of the default gateway and enters it in the frame of the underlying network layer (e.g. Ethernet)
    • the sender B sends the packet addressed in this way to the default gateway X,
    • the gateway X, e.g. a router, examines the packet, especially the recipient address of U
    • if it can send the packet directly to the recipient U itself, it determines the MAC address, enters it in the network frame and sends the packet on to U
  3. Sending out to the WAN (V -> WAN)
    • by masking it with the subnet address, the sender V determines that the recipient is outside its own subnet, that is, the packet is to be sent to the default gateway X for forwarding
    • the sender uses an ARP call to determine the MAC address of the default gateway and enters it in the frame of the network layer below (e.g. Ethernet)
    • the sender V sends the packet addressed in this way to the default gateway X,
    • the gateway X, e.g. a router, examines the packet, especially the recipient address
    • if it cannot send the packet to the recipient in the WAN, it uses its algorithms and tables to determine the appropriate route and sends it to the next hop on the way to the recipient, which in turn forwards or delivers it
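The subnet masking and the three-step table lookup described above can be combined into one decision: which address does the sender resolve with ARP, and on which interface? The following is an added example, not part of the original notes. The routing table is constructed and uses addresses from the documentation range 192.0.2.0/24 with the 3-bit subnet / 5-bit host split (/27) from the subnetting section; the names `ROUTES`, `subnet_facts` and `next_hop` are hypothetical.

```python
import ipaddress

# Constructed routing table of a host in subnet 192.0.2.128/27 (assumed addresses,
# not the page's own). /27 corresponds to net mask 255.255.255.224.
ROUTES = [
    # (destination,                          next hop,      interface)
    (ipaddress.ip_network("127.0.0.1/32"),   None,          "lo0"),   # host route (flag H)
    (ipaddress.ip_network("192.0.2.128/27"), None,          "hme0"),  # own subnet
    (ipaddress.ip_network("0.0.0.0/0"),      "192.0.2.129", "hme0"),  # default gateway X
]

def subnet_facts(addr_with_prefix: str) -> dict:
    """Net mask, subnet address and broadcast address for an interface address."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return {
        "netmask": str(iface.netmask),
        "subnet": str(iface.network.network_address),       # host bits all 0
        "broadcast": str(iface.network.broadcast_address),  # host bits all 1
        "last_byte_mask": format(int(iface.netmask) & 0xFF, "08b"),
    }

def next_hop(dst: str, routes=ROUTES):
    """Return (address to resolve with ARP, interface) for a destination.

    Order follows the text: complete host address first, then network
    address, then the default route. Sorting by prefix length (32 > 27 > 0)
    yields exactly that order.
    """
    dst_ip = ipaddress.ip_address(dst)
    for net, gateway, ifname in sorted(routes, key=lambda r: r[0].prefixlen,
                                       reverse=True):
        if dst_ip in net:
            # Direct delivery: ARP for the recipient itself. Otherwise ARP for
            # the gateway; the destination IP in the packet stays unchanged.
            return (gateway or dst, ifname)
    raise LookupError("no route to host")

if __name__ == "__main__":
    print(subnet_facts("192.0.2.140/27"))
    for target in ("192.0.2.150", "192.0.2.200", "198.51.100.7", "127.0.0.1"):
        print(target, "->", next_hop(target))
```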


The different methods and protocols of OSI layers 1 and 2 also define different frame or cell sizes depending on the method. Examples:

  • Ethernet: 1536 bytes maximum frame size
  • X.25: 128 bytes packet size
  • ATM: 53 byte cell size

This means that data to be transported are chopped up into correspondingly smaller packets with the respective maximum size and sent, regardless of their length or the length of the packets of the network layer. The data packets must therefore be fragmented by the sender and reassembled by the receiver in order to ensure adaptation to the respective network.

Example: Transport of an IP packet of 300 bytes over X.25 (packet length 128 bytes). It should be noted that the fragment offset is in units of 8 bytes, i.e. all fragmented packets (with the exception of the last one) must be divisible by 8 without a remainder. With a length of the IP header of 20 bytes, 104 bytes remain per fragment of user data (104 + 20 = 124 < 128).

Fragment no.   Length   Offset             MF bit   ID
---------------------------------------------------------
1              124      0                  1        1234
2              124      13 (13x8 = 104)    1        1234
3              112      26                 0        1234

When the first fragment arrives at the recipient, a timer is started that monitors the assembly of the fragments. In order not to load the network buffers unnecessarily with incomplete packets, these are discarded after the timer has expired. Under Unix, the timer is usually set to 30 seconds.
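The fragmentation table and the reassembly timer can be reproduced in a few lines. This is an added example, not part of the original notes: `fragment` generates the rows of the table for 300 bytes of user data and a 128-byte packet size, and `reassemble` rebuilds the datagram only if the fragments are complete, contiguous and non-overlapping and the 30-second timer has not expired. Function names and the dict layout are hypothetical.

```python
HEADER_LEN = 20   # IP header without options, as in the example above

def fragment(payload: bytes, mtu: int, ident: int):
    """Split user data into fragments carrying the columns of the table above."""
    # Data per fragment must be a multiple of 8: the offset counts 8-byte units.
    chunk = (mtu - HEADER_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("packet size too small for any user data")
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        frags.append({"id": ident, "offset": start // 8,
                      "mf": int(start + chunk < len(payload)),
                      "length": HEADER_LEN + len(data), "data": data})
    return frags

def reassemble(frags, first_seen: float, now: float, timeout: float = 30.0):
    """Return the datagram, or None if it cannot (yet) be assembled safely."""
    if now - first_seen > timeout:
        return None                        # timer expired: discard the fragments
    if not frags or len({f["id"] for f in frags}) != 1:
        return None                        # fragments of different datagrams
    ordered = sorted(frags, key=lambda f: f["offset"])
    if ordered[-1]["mf"] != 0 or any(f["mf"] == 0 for f in ordered[:-1]):
        return None                        # last fragment missing or misplaced
    out, expected = b"", 0
    for f in ordered:
        if f["offset"] * 8 != expected:    # hole or overlapping fragment
            return None
        out += f["data"]
        expected += len(f["data"])
    return out

if __name__ == "__main__":
    sample = bytes(range(256)) + bytes(44)            # constructed 300 bytes
    for f in fragment(sample, 128, 1234):
        print(f["length"], f["offset"], f["mf"], f["id"])
```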


The ICMP protocol (Internet Control Message Protocol) defines control operations, e.g. the ICMP ECHO tests a connection.

ICMP knows the following types:

  • Destination unreachable: destination cannot be reached
  • Time exceeded: Time exceeded
  • Parameter Problem: Header contains invalid data
  • Source quench: stop host
  • Redirect: redirect packets
  • Echo request and echo reply: target reachable and alive (ping)
  • Time stamp request and time stamp reply: connection test with time measurement

Ports and port numbers

The services of the higher layers of the TCP/IP protocol are addressed via so-called ports and the associated port number. Ports are used to address the end points of a TCP/IP connection. The port numbers are 16 bits wide, so that theoretically a maximum of 65536 simultaneous connections are possible. The transport protocols TCP and UDP of OSI layer 4 each have their own address space for ports, i.e. TCP port 7 is not the same as UDP port 7. The meaning of the port number is analogous to the telephone number:

Internet socket     Telephone
-------------------------------------
Network number      Area code
Host ID             Subscriber number
Port number         Extension

Ports with numbers less than 1024 are reserved and can only be used by the superuser (under Unix). Fixed port numbers are reserved for some well-known services such as ECHO, TELNET, FTP etc. and are listed in a service table. Some services and their port numbers (from the Unix file /etc/services):

#
# Network services, Internet style
#
tcpmux      1/tcp
echo        7/tcp
echo        7/udp
discard     9/tcp     sink null
discard     9/udp     sink null
systat      11/tcp    users
...
ftp-data    20/tcp
ftp         21/tcp
telnet      23/tcp
smtp        25/tcp    mail


TCP (Transmission Control Protocol), the protocol of OSI layer 4, is a connection-oriented transport protocol. Features of a TCP connection include:

  • full-duplex-capable bidirectional virtual connection
  • From the user's point of view, there is only one data stream, no packets
  • Securing the transmission through
    • Sequence numbers
    • Checksums and receipts
    • Acknowledgment with time monitoring and sequence repetition after the acknowledgment has timed out
    • Urgent data, i.e. data with high priority possible
    • regulated connection establishment
    • Transport user addressing through 16-bit port numbers

The TCP header is structured as follows:

The fields mean:

  • Sender and receiver port numbers: identify the endpoints of the connection
  • Sequence and acknowledgment number: identify the position of the data within the data stream
  • Data offset: length of the protocol header, used to determine the start of the data
  • Flags: trigger actions in the TCP protocol
    • URG: Urgent data, urgent pointer is valid
    • ACK: Acknowledgment number is valid
    • PSH: Data should be transferred to the application immediately
    • RST: Reset the connection or answer to un
    • SYN: Request to establish a connection, must be acknowledged
    • FIN: Unilateral connection disconnection request, must be acknowledged
  • Window size: contains the number of bytes that the receiver can currently hold in its data buffers for this connection. This means that the receiving TCP can control the flow of data; a window size of 0 would stop the sending TCP immediately
  • Checksum: computed over the protocol header, the data and the pseudo header
  • Urgent pointer: together with the sequence number, results in a pointer to a data byte that defines the end of a message section. Subsequent data are thus marked as particularly important, and the receiver can extract this data from the normal data stream and process it
  • Options: TCP only knows the 3 options End of Option List, No Operation and Maximum Segment Size


The UDP protocol is a connectionless transport protocol with the following features:

  • connectionless
  • Addressing through port numbers
  • Checksum of the data
  • extremely simple
  • Delivery according to the best effort principle

The fields of the UDP protocol header are:

  • Sender and receiver port numbers: mark the endpoints of the transport
  • Length: contains the length of the entire datagram including the header
  • Checksum: contains the checksum of the data, the header and the pseudo header


June 30, 1998, Peter Klingebiel, DVZ