Quick Overview of TCP/IP Protocol Header Structures

ARP — Address Resolution Protocol

Full details: RFC 826.

          Ethernet header                     28-octet ARP request/reply
                  |                                        |
      /-----------+----------\ /---------------------------+------------------------------\
      |                       |                                                           |
width in
 octets:    6           6       2   2   2  1 1  2       6         4           6       4
      +-----------+-----------+---+---+---+-+-+---+-----------+-------+-----------+-------+
      | Ethernet  | Ethernet  |   |   |   |H|P|   |  Sender   | Sender|  Target   |Target |
      |destination|  source   |FT |HT |PT |S|S|OP | Ethernet  |  IP   | Ethernet  |  IP   |
      |  address  | address   |   |   |   | | |   |  Address  |Address|  Address  |Address|
      +-----------+-----------+---+---+---+-+-+---+-----------+-------+-----------+-------+
                                ^   ^   ^  ^ ^  ^
                                |   |   |  | |  |
                                |   |   |  | |  +-- Operation: 1 =  ARP request, 2 =  ARP reply
                                |   |   |  | |                 3 = RARP request, 4 = RARP reply
                                |   |   |  | |
                                |   |   |  | +-- Protocol Size, number of octets
                                |   |   |  |     in the requested network address.
                                |   |   |  |     IP has 4-octet addresses, so 0x04.
                                |   |   |  |
                                |   |   |  +-- Hardware Size, number of octets in
                                |   |   |      the specified hardware address.
                                |   |   |      Ethernet has 6-octet addresses, so 0x06.
                                |   |   |
                                |   |   +-- Protocol Type, 0x0800 = IP.
                                |   |
                                |   +-- Hardware Type, Ethernet = 0x0001.
                                |
                                +-- Frame Type, 0x0806 = ARP Request or ARP Reply.
                                    This answers "What's inside?" for the encapsulated
                                    data within the Ethernet frame


	Firefox users may find that "monospace" isn't really a constant-width
	font, and Courier works much better for ASCII art.
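
An added example, not part of the original page: a parser for the 42-octet Ethernet + ARP layout drawn above that checks each field against the values the diagram gives. The names (parse_arp, SAMPLE, the result keys) and the sample frame are constructed for illustration, and the comparison of the Ethernet source with the ARP sender address is an extra sanity check, not something the page states.

```python
import struct

# Layout from the diagram: 14-octet Ethernet header + 28-octet ARP body.
FRAME = struct.Struct("!6s6sH HHBBH 6s4s6s4s")
OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> dict:
    """Decode the fields and list every value that disagrees with the diagram."""
    if len(frame) < FRAME.size:
        raise ValueError(f"need {FRAME.size} octets, got {len(frame)}")
    dst, src, ft, ht, pt, hs, ps, op, sha, spa, tha, tpa = FRAME.unpack_from(frame)
    problems = []
    if ft != 0x0806:
        problems.append(f"frame type 0x{ft:04x}, expected 0x0806")
    if ht != 0x0001 or hs != 6:
        # With any other size the fixed offsets used below no longer apply.
        problems.append(f"hardware type/size {ht}/{hs}, expected 1/6")
    if pt != 0x0800 or ps != 4:
        problems.append(f"protocol type/size 0x{pt:04x}/{ps}, expected 0x0800/4")
    if op not in OPS:
        problems.append(f"unknown operation {op}")
    if src != sha:
        # Added sanity check (assumption, not from the page): the two copies
        # of the sender's hardware address normally match.
        problems.append("Ethernet source differs from ARP sender address")
    return {"op": OPS.get(op, str(op)), "eth_dst": mac(dst), "eth_src": mac(src),
            "sender": (mac(sha), ip(spa)), "target": (mac(tha), ip(tpa)),
            "problems": problems}

# Constructed sample: broadcast request from 192.0.2.10 asking for 192.0.2.1.
SAMPLE = bytes.fromhex(
    "ffffffffffff" "020000000001" "0806"   # Ethernet destination, source, FT
    "0001" "0800" "06" "04" "0001"         # HT, PT, HS, PS, OP
    "020000000001" "c000020a"              # sender Ethernet, sender IP
    "000000000000" "c0000201")             # target Ethernet, target IP

if __name__ == "__main__":
    print(parse_arp(SAMPLE))
```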

IP / IPv4 — Internet Protocol, version 4

Full details: RFC 791, updated by RFC 1349.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type of service
If using "classic" TOS, use and interpret the TOS field as "PreDTRCx", where:

Pre = Precedence = 000 through 111 (with DOD interpretations if desired)
D   = Delay (1 = minimize delay)
T   = Throughput (1 = maximize throughput)
R   = Reliability (1 = maximize reliability)
C   = Cost (1 = minimize cost)
x   = reserved, set to "0"

If using Differentiated Services (DiffServ), use and interpret as "000000xy", where:

x:  "1" = "ECN capable"
y:  "1" = "congestion experienced"

Flags
Three bits, use and interpret as "0DM", where:

0 = Use a "0" here!
D = Don't Fragment
M = More Fragments
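
An added example, not part of the original page: decoding the fixed 20-octet IPv4 header with both readings of the TOS octet and the "0DM" flag bits as described above, then verifying the Header Checksum. Function names, result keys and the sample header are constructed for illustration.

```python
import struct

FMT = "!BBHHHBBH4s4s"  # the five fixed 32-bit rows of the diagram (20 octets)

def checksum(header: bytes) -> int:
    """One's complement of the one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum 20-octet header")
    vihl, tos, length, ident, ff, ttl, proto, _, src, dst = struct.unpack_from(FMT, pkt)
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError(f"bad Version/IHL: {version}/{ihl}")
    flags = ff >> 13                      # the three bits "0DM"
    return {
        "header_octets": ihl * 4,         # IHL counts 32-bit words
        "options": pkt[20:ihl * 4],       # empty when IHL == 5
        "total_length": length, "id": ident, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # "PreDTRCx" reading of the TOS octet
        "tos_classic": {"Pre": tos >> 5, "D": bool(tos & 0x10), "T": bool(tos & 0x08),
                        "R": bool(tos & 0x04), "C": bool(tos & 0x02)},
        # "000000xy" reading of the same octet
        "tos_ecn": {"ecn_capable": bool(tos & 0x02),
                    "congestion_experienced": bool(tos & 0x01)},
        "reserved_flag_clear": not flags & 0b100,
        "DF": bool(flags & 0b010), "MF": bool(flags & 0b001),
        "fragment_offset_octets": (ff & 0x1FFF) * 8,   # field is in 8-octet units
        "checksum_ok": checksum(pkt[:ihl * 4]) == 0,   # covers the header only
    }

def build_sample() -> bytes:
    """Constructed header: TOS D bit set, DF set, TTL 64, protocol 1, no options."""
    hdr = bytearray(struct.pack(FMT, 0x45, 0x10, 84, 0x1C46, 0x4000, 64, 1, 0,
                                bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])))
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))  # fill in the checksum
    return bytes(hdr)

if __name__ == "__main__":
    print(parse_ipv4(build_sample()))
```

A header whose checksum does not verify, or whose reserved flag bit is set, should be treated as damaged before any other field is trusted.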

IP / IPv6 — Internet Protocol, version 6

The IPv6 header is simpler but larger than the IPv4 header: simpler to speed processing, larger to accommodate the 128-bit addresses.

Full details: RFC 2460.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |             Flow Label                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Payload Length         |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                            Source                             |
|                           Address                             |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Destination                           |
|                           Address                             |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ICMP — Internet Control Message Protocol

Full details: RFC 792.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
The Type field identifies the message; for some types the Code field gives the specific reason:

 0 = Echo reply
 3 = Destination unreachable
     Code
      0	Net unreachable
      1	Host unreachable
      2	Protocol unreachable
      3	Port unreachable
      4	Fragmentation needed but DF set
      5	Source route failed
      6	Destination network unknown
      7	Destination host unknown
      8	Source host isolated
      9	Network administratively prohibited
     10	Host administratively prohibited
     11	Network unreachable for requested TOS
     12	Host unreachable for requested TOS
     13	Communication administratively prohibited
 4 = Source quench
 5 = Redirect
     Code
      0	Redirect datagram for the network
      1	Redirect datagram for the host
      2	Redirect datagram for the TOS and network
      3	Redirect datagram for the TOS and host
 8 = Echo request
 9 = Router advertisement
10 = Router selection
11 = Time exceeded
     Code
      0	Time to live exceeded in transit
      1	Fragment reassembly time exceeded
12 = Parameter problem
     Code
      0	Pointer indicates the error
      1	Missing a required option
      2	Bad length
13 = Timestamp
14 = Timestamp reply
15 = Information request
16 = Information reply
17 = Address mask request
18 = Address mask reply
30 = Traceroute (probably just Microsoft hosts, traceroute
     should be done via UDP)
ICMPv6 — Internet Control Message Protocol for IPv6

Full details: RFC 4443.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

ICMPv6 error messages
  1  Destination Unreachable
  2  Packet Too Big
  3  Time Exceeded
  4  Parameter Problem
100  Private experimentation
101  Private experimentation
127  Reserved for expansion

ICMPv6 informational messages
128  Echo Request
129  Echo Reply
130  Multicast Listener Query
131  Multicast Listener Report
132  Multicast Listener Done
133  Router Solicitation     (NDP)
134  Router Advertisement    (NDP)
135  Neighbor Solicitation   (NDP)
136  Neighbor Advertisement  (NDP)
137  Redirect Message        (NDP)
138  Router Renumbering
139  ICMP Node Information Query
140  ICMP Node Information Response
141  Inverse Neighbor Discovery Solicitation Message    (NDP)
142  Inverse Neighbor Discovery Advertisement Message   (NDP)
143  Version 2 Multicast Listener Report
144  Home Agent Address Discovery Request Message
145  Home Agent Address Discovery Reply Message
146  Mobile Prefix Solicitation
147  Mobile Prefix Advertisement
148  Certification Path Solicitation   (SEND)
149  Certification Path Advertisement  (SEND)
150  used by experimental mobility protocols such as Seamoby
151  Multicast Router Advertisement  (MRD)
152  Multicast Router Solicitation   (MRD)
153  Multicast Router Termination    (MRD)
154  FMIPv6 Messages
155  RPL Control Message
200  Private experimentation
201  Private experimentation
255  Reserved for expansion

DNS — Domain Name System

Full details: RFC 1034 and RFC 1035 with many updates.

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |             Flags             |  \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |
|     Number of questions       |      Number of answer RRs     |  + 12 bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |
|    Number of authority RRs    |    Number of additional RRs   |  /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |  \
/                           Questions                           /  |
|                                                               |  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |
|                                                               |  |
/         Answers (variable number of resource records)         /  |   These
|                                                               |  |   fields
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  +-- are of
|                                                               |  |   variable
/        Authority (variable number of resource records)        /  |   length.
|                                                               |  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |
|                                                               |  |
/  Additional information (variable number of resource records) /  |
|                                                               |  /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Flags are a 16-bit field:

                    1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |       | | | | |     |       | <-- 4-bit return code:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+       0000 = no error
 ^    ^    ^ ^ ^ ^   ^                  0011 = name error
 |    |    | | | |   |
 |    |    | | | |   +-- 3-bit field that must contain 000.
 |    |    | | | |
 |    |    | | | +-- RA, 1-bit field for "Recursion Available".  Set
 |    |    | | |     in the response if the server supports recursion.
 |    |    | | |
 |    |    | | +-- RD, 1-bit field for "Recursion Desired".
 |    |    | |     Set in the query, returned in the response.
 |    |    | |
 |    |    | +-- TC, set to 1 in the response if the answer
 |    |    |     was truncated to 512 bytes.
 |    |    |
 |    |    +-- AA, 1-bit flag meaning "Authoritative Answer"
 |    |        if set to 1 in the response.
 |    |
 |    +-- opcode, 4-bit field:   0000 = standard query
 |                               0001 = inverse query
 |                               0010 = server status request
 |
 +-- QR, 1 bit field for Query (0) versus Response (1).
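
An added example, not part of the original page: decoding the 12-byte DNS header and the 16-bit Flags field bit by bit as laid out above, and noting header values that disagree with the field descriptions. Function names, result keys, the note wording and the three sample headers are constructed for illustration.

```python
import struct

OPCODES = {0: "standard query", 1: "inverse query", 2: "server status request"}
RCODES = {0: "no error", 3: "name error"}

def decode_flags(flags: int) -> dict:
    """Split the 16-bit Flags word, most significant bit (QR) first."""
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {
        "QR": "response" if flags & 0x8000 else "query",
        "opcode": OPCODES.get(opcode, f"not listed ({opcode})"),
        "AA": bool(flags & 0x0400), "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100), "RA": bool(flags & 0x0080),
        "zero_bits": (flags >> 4) & 0x7,
        "rcode": RCODES.get(rcode, f"not listed ({rcode})"),
    }

def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    out = decode_flags(flags)
    out.update(id=ident, questions=qd, answers=an, authority=ns, additional=ar)
    notes = []
    if out["zero_bits"]:
        # Not from the page: later DNSSEC RFCs assign two of these bits
        # (AD, CD), so a non-zero value is worth noting, not always malformed.
        notes.append("3-bit field is not 000")
    if out["QR"] == "query" and (out["AA"] or out["TC"] or out["RA"] or flags & 0xF):
        notes.append("query carries fields that are set only in responses")
    if out["TC"]:
        notes.append("answer was truncated to 512 bytes")
    out["notes"] = notes
    return out

# Constructed samples (header only, no question or answer sections).
QUERY = bytes.fromhex("1a2b 0100 0001 0000 0000 0000")      # RD set
RESPONSE = bytes.fromhex("1a2b 8183 0001 0000 0001 0000")   # RD, RA, name error
ODD = bytes.fromhex("1a2b 02b0 0001 0000 0000 0000")        # query with TC, RA, 011

if __name__ == "__main__":
    for sample in (QUERY, RESPONSE, ODD):
        print(parse_header(sample))
```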

TCP — Transmission Control Protocol

Full details: RFC 793, updated by RFC 1122 and RFC 3168.

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   .... data ....                                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

UDP — User Datagram Protocol

Full details: RFC 768.

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   .... data ....                                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
