IPv4 is one of the core protocols used in standards based internetworking on the Internet and other packet-switched networks. It is succeeded by IPv6.


IP packets are between 20 and 2^16 bytes in size, comprised of a header and a payload.

IPv4 packet structure

The header comprises:

  • Version specifies the protocol version (always 4).
  • IHL specifies the total length of the header section, or the offset to reach the data.
  • DSCP specifies the type of service for packet classification, determining QoS.
  • ECN optionally allows end-to-end notification of traffic congestion without dropping packets.
  • Total Length defines the size of the entire packet, both header and data.
  • Identification uniquely identifies a group of fragments in a single datagram.
  • Flags specifies fragmentation control:
    • 0: reserved; must be 0.
    • 1: DF will cause the packet to be dropped rather than fragmented if fragmentation is required for transmission.
    • 2: MF indicates that additional fragments are to be transmitted, and is cleared for non-fragmented packets.
  • Fragment Offset specifies the offset of the fragment relative to the first (0) fragment of the datagram.
  • Time To Live determines how many routers can be traversed before giving up, to prevent loops.
  • Protocol defines the protocol used in the data section of datagram.
  • Header Checksum enables CRC against fragment headers.
  • Source IP Address defines the IP address of the source.
  • Destination IP Address defines the IP address of the destination.
  • Options is often unused, but allows setting options, provided the IHL value is large enough to accommodate it:
    • The Copied bit determines whether the options should be copied into all fragments of a fragmented packet.
    • Option Class sets a general category:
      • 0: "control".
      • 1: reserved.
      • 2: "debugging and measurement".
      • 3: reserved.
    • Option Number is a 5-bit number indicating the option.
    • Option Length is an 8 bit value indicating the length of the option value.
    • Option Data is a variable length, option-specific value.


The Address Resolution Protocol is used for the discovery of the link layer address (layer 2; e.g. MAC address) for a given network layer (layer 3; IPv4) address. It works by broadcasting "who has" messages to connected hosts, which can then respond with "I have".

Because the protocol is stateless, all nodes on the network are responsible for maintaining their own cache of protocol address to MAC address. On switches these are referred to as MAC Address Tables, and other hosts have an ARP Cache.

ARP packet structure

ARP packets comprise the following fields:

  • Hardware Type specifies the type of the hardware address.
    • 0 Reserved
    • 1: Ethernet (10Mb)
    • 2 Experimental Ethernet
    • 20 Serial Line
    • 31 IPsec tunnel
    • 32 InfiniBand
    • 258-65534 Unassigned
    • 65535 Reserved
  • Protocol Type specifies the internetwork protocol, using a number space shared with EtherType.
  • Hardware Address Length specifies the length, in octets, of the hardware address.
  • Protocol Address Length specifies the length, in octets, of the protocol address.
  • Operation specifies the type of request/reply:
    • 0: Reserved
    • 1 REQUEST
    • 2 REPLY
    • 26-65534 Unassigned
    • 65535 Reserved
  • Sender Hardware Address specifies the hardware address of the sender in a request (the hardware address of the requested host in the response).
  • Sender Protocol Address contains the internetwork address of the sender.
  • Target Hardware Address contains the hardware address of the intended receiver. Ignored during requests, indicates the address of the originating host of a request during a reply.
  • Target Protocol Address contains the


ICMP is the protocol used by network devices, e.g. routers, for diagnostics and error reporting. It's rarely used directly by user-facing applications, with the notable exceptions of ping and traceroute.


IPv4 addresses are 32-bit numbers, usually represented as a string of 4 decimal numbers representing 8-bit Binary octets.

IP addressOctet 1Octet 2Octet 3Octet 4 00001010 10000000 00010100 0000 11111111 11111111 11110000 0000

There are three types of IP addresses in each IP network:

  • An address with all binary zeroes in its host portion is a network address.
  • An address with all binary ones in its host portion is a broadcast address.
  • Anything else is a host address.


Classful addressing was used up until ~1995, and defined the first 3 octets of the address as the Network Portion, and the final octet as the Host Portion. It segmented the address space into a number defined ranges:

ClassUsageRoutable on public internet?Range startRange endNetwork PortionHost Portion
AUnicast0.0.0.0127.0.0.0Octet 1Octets 2-4
BUnicast128.0.0.0191.0.0.0Octets 1 and 2Octets 3 and 4
CUnicast192.0.0.0223.0.0.0Octets 1-3Octet 4
DMulticast224.0.0.0239.0.0.0Octets 1-4None


In classless routing, the Host and Network Portions of the address are defined by the subnet mask.

IP addressSubnet maskHost PortionNetwork Portion (1100 0000 1010 1000 0000 0001)64 (0100 0000)

CIDR allows us to express the subnet mask as a prefix with the starting address of the network:

IP addressSubnet maskNetwork address


Variable-Length Subnet Mask is a type of subnet design which uses more than one length of subnet mask. Whilst more complex, it allows engineers to make more effective use of the available address space by saving on wasted address space caused by a fixed design.


Network Address Translation lets us segregate private networks from the public Internet and allows routers to translate route packets between devices on either side.

RFC1918 nameClassful descriptionNetwork address
24-bit blockSingle class A network10.0.0.0/8
20-bit block16 contiguous class B networks172.16.0.0/12
16-bit block256 contiguous class C networks192.168.0.0/16

Carrier-grade NAT

CGNAT, also known as large-scale NAT, is an approach to IPv4 network design in which end sites are configured with private network address that are translated to public IPv4 addresses by middlebox NAt devices in the operator's network. It allows for reuse of the limited IPv4 address space, extending the lifespan of IPv4.


APIPA is a "helpful" Windows feature designed to automatically assign IP addresses to nodes in the absence of a functioning DHCP server. It provisions addresses in the network The presence of an address in this range on a NIC configuration is usually indicative of a connectivity issue.


IP routing allows packets to traverse network boundaries. The route that a packet follows is determined by the routing table on each host or gateway (router). The default gateway on each host or gateway is a catch-all for things not matching specific rules in the routing table.

At each hop, the router:

  • Extracts the message from the frame
  • Reads the destination address
  • Looks at its routing table for a matching route
  • When found, creates a new frame with that

Dynamic routing

Dynamic (or adaptive) routing allows a set of routers to adjust their routing rules to allow for optimal performance and availability, responding in real-time to changes to the network's logical layout.

They can be grouped into two broad categories based on the data transferred between neighbouring routers:

  • Distance vector protocols exchange vectors of all known networks and the transmitter's relative distance from them.
  • Link state protocols have routers describe themselves and their interfaces to their neighbours. Routers relay all of these messages to neighbouring routers to give a complete picture of the network to all routers.
RIPDistance vectorold and unused
EIGRPDistance vector
OSPFLink state
BGPHybridexterior gateway protocol based on autonomous systems


traceroute (or tracert on Windows) allows tracing the gateway traversals packets make between our host and a destination.

Transmission modes


Unicast transmissions take place between exactly one transmitter and exactly one receiver, sent directly to the receiver's IP address.


Broadcast transmissions are between exactly one transmitter and all recipients:

  • Limited broadcasts are sent to all devices within the network, not forwarded.
  • Directed broadcasts can be sent to an individual IP network's broadcast address, allowing transmission to all clients within a specific subnet.


Multicast transmissions are sent between at least one client and zero or more receivers. Multicast groups receive an address in the multicast (class D) address space.

Group membership is managed by the clients, using IGMP. Routers use IGMP to determine which subnets should receive the packets, but don't maintain lists of hosts: they'll be broadcasted to all hosts in these subnets.

Multicast is commonly used for video streaming, where volumes of data make it impractical to unicast to larger numbers of clients.