How to Decode an IP Header
When data is sent over the Internet, it is encapsulated in packets that direct it to its final destination. Each packet begins with a header that contains a minimum of 20 bytes of data. The Internet Protocol (IP) header appears as a series of seemingly random number and letter combinations, such as:
45 00 00 2c
00 01 00 00
1f 06 e4 04
202 54 139 83
194 61 67 181
However, this header can be broken down to explain the source and destination of the data.
Instructions
1. Look at the first line of the IP header; in this case, 45 00 00 2c. The first pair of numbers indicates the IP version and the number of 32-bit "words" in the header. The "4" represents the IP version, and "5" means the header contains five 32-bit "words" -- the five lines in our example. The header can contain anywhere from five to 15 words.
The next two sets of numbers represent the differentiated services code point, which tells a router what to do with the packet before sending it to the next router. The last pair of numbers/letters gives the total length of the data and header being sent, in bytes. This number is presented in hexadecimal code -- a letter/number combination.
2. Examine the second line of the IP header, 00 01 00 00 in this example. The first two pairs of numbers/letters uniquely identify the data being sent. Typically, the number increases by one each time the data is sent to another router. The last two pairs indicate the fragmentation offset of that data, meaning they tell a router whether or not the data is fragmented and, if so, how many fragments it contains. If the data is fragmented, the identification numbers -- 00 01, in this example -- tell a router which fragments belong with this particular data set because they all have the same identification numbers.
3. Take a look at the third line of the header, 1f 06 e4 04. The first pair of characters refers to "time to live," or the number of links through which the data has to travel. This is listed in hexadecimal code. The second pair of numbers is the protocol to which the data is going. The "06" in this example means the data is being sent to Transmission Control Protocol, or TCP. A number 17 would indicate that the data was going to User Datagram Protocol, or UDP. The last four numbers are the header checksum, which verifies the accuracy of the other header information. Typically, the sender of the data calculates the header checksum by adding all the 16-bit values of the header together and converting the total to hex code. When the packet arrives at a router, the router calculates the checksum to confirm the validity of the data being sent as a security feature.
4. View the fourth line of the IP header. This lists the source address, or IP address, from which the data originated. In this example, this line would point to IP address 202.54.139.83. The origination is also referred to as the encapsulator.
5. Locate the fifth line of the IP header. This is the final destination address, or the decapsulator. In this example, the data is being sent to IP address 194.61.67.181.
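The five steps above, as an added Python example that is not part of the original article: it decodes the sample header using the standard IPv4 field boundaries (one byte of DSCP/ECN, two bytes of total length) and recomputes the checksum as RFC 1071 defines it, which shows that the sample's e404 value does not verify. The function and dictionary key names are assumptions chosen for this example.

```python
import ipaddress
import struct

# The article's sample header (constructed here from its five rows): three
# hex rows, then the two address rows, which the article prints in decimal.
SAMPLE = bytes.fromhex("4500002c" "00010000" "1f06e404") + bytes(
    [202, 54, 139, 83, 194, 61, 67, 181])
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(header: bytes) -> int:
    """RFC 1071: one's-complement sum of the 16-bit words, then inverted."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag, ttl, proto,
     stored, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not a valid IPv4 header: version={version} ihl={ihl}")
    header = packet[:ihl * 4]  # IHL counts 32-bit words, options included
    if len(header) < ihl * 4:
        raise ValueError("packet ends before the header length it declares")
    # Recompute over the header with the checksum field (bytes 10-11) zeroed.
    computed = internet_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": version, "ihl_words": ihl, "dscp": dscp_ecn >> 2,
        "total_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "checksum_stored": stored, "checksum_computed": computed,
        "checksum_ok": stored == computed,
    }


if __name__ == "__main__":
    for field, value in decode_ipv4_header(SAMPLE).items():
        print(f"{field:18} {value}")
```

A receiver that finds `checksum_ok` false would normally drop the packet, so a capture tool showing such a header usually points to a corrupted or hand-written sample.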