Tuesday, 19 November 2013

Looking at Packets



Cisco Networking: Looking at Packets

Data containers are dubbed frames in the data link layer (Layer 2) and packets in the network layer (Layer 3). In the network layer, you look only at the section of the frame that was referred to as data in the Ethernet frame. As the Ethernet frame moves up from the data link layer to the network layer, the data link header is removed.
Removing the data link information removes destination and source address fields (which store the MAC addresses of the network devices), and the type field.
Because the preamble and FCS information was removed when the Ethernet frame was sent from the physical layer to the data link layer, this now leaves just the data. The data is not just a blob though. At the network layer, this information is referred to as a packet, and it has its own address data and fields; but when you look at it from the Ethernet frame level, you do not care what that data is.

Looking at packets

After you strip off the Ethernet or data link layer structures, you look at what the data link layer considered to be data, which is a packet. The packet’s structure is based on the network layer protocol; with IP as that protocol, it is reasonable to call the packet an IP packet.
Just like the Ethernet frame had an Ethernet header and a data section, the IP packet has an IP header and a data section. The following figure shows the contents of an IP packet contained within the Ethernet frame. Notice that the entire IP packet is found in the data field.

Viewing packet structure

The IP packet is defined by its header, and that header contains many fields. The key elements in the header are:
• Version: This is used to identify the IP version being used. There are really only two choices, either version 4 (the first production version of IP that was implemented), or version 6 (which is currently in the process of being implemented over the Internet). The example shows the IPv4 header here because it is likely the one you will encounter most over the next decade.
• Time to Live (TTL): The length of time this packet can remain on the network. Each router that handles this packet decrements (reduces) this counter by at least one.
• Protocol: The transport layer protocol where the data portion of the IP packet is to be delivered. This will be either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
• Header checksum: The verification calculation covers only the header data, and the result of that calculation is stored in the header checksum field. If the header is intact, IP considers the packet good.
• Source address: The IP address of the device that sends the packet onto the network. This is also where any network-level error messages are sent, including Internet Control Message Protocol (ICMP) delivery failures or control messages.
• Destination address: The address the packet is sent to.
• Data: As with the Ethernet frame, the data portion is sent to the transport layer, to either TCP or UDP. IP does not care what is found here; it is merely the delivery means.
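
The fields listed above can be read straight out of a captured frame. The following Python sketch is an added example, not part of the original article: it strips the 14-byte Ethernet header, decodes the IPv4 header fields, and verifies the header checksum. The frame bytes, MAC addresses, and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_HEADER_LEN = 14                  # destination MAC (6) + source MAC (6) + type (2)
ETHERTYPE_IPV4 = 0x0800
PROTOCOLS = {6: "TCP", 17: "UDP"}    # the two transport protocols the text names

# Constructed sample: made-up MACs, a 20-byte IPv4 header, and 95 zero bytes of data.
SAMPLE_FRAME = (
    bytes.fromhex("020000000002" "020000000001" "0800")
    + bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
    + bytes(95)
)

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over the given header bytes."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_frame(frame: bytes) -> dict:
    """Strip the data link header, then decode the IPv4 header that follows."""
    if len(frame) < ETH_HEADER_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    # These three fields are what is removed on the way up to Layer 3.
    _dst_mac, _src_mac, eth_type = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    if eth_type != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 packet (type 0x{eth_type:04x})")
    packet = frame[ETH_HEADER_LEN:]  # what Layer 2 called "data"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    (total_len,) = struct.unpack("!H", packet[2:4])
    ttl, proto, checksum = struct.unpack("!BBH", packet[8:12])
    return {
        "version": version,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "header_checksum": checksum,
        # Summing the header including its checksum field yields 0xFFFF when intact.
        "checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "source": str(IPv4Address(packet[12:16])),
        "destination": str(IPv4Address(packet[16:20])),
        "data": packet[ihl:total_len],
    }

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

Because the checksum covers the TTL field, a device that decrements the TTL must also rewrite the checksum; a header whose TTL changed without that update fails the check.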
