What Is a Packet Header and How Does It Work?

A packet header is a small block of structured information attached to the front of every piece of data sent across a network. It works like the addressing label on a shipping envelope: the contents inside are your actual data, and the header tells every device along the route where that data needs to go, where it came from, and how to handle it. Without headers, routers and switches would have no way to move your data from point A to point B.

How Headers Work as Digital Envelopes

When you send anything over the internet, your data doesn’t travel as one continuous stream. It gets broken into smaller chunks called packets, each typically a few hundred to a few thousand bytes. Every one of those packets gets its own header, and every header carries enough information for any device on the network to forward that packet closer to its destination.

Think of it like mailing a letter. Your message goes inside the envelope, and the outside of the envelope has a destination address, a return address, and a stamp. A packet header serves the same purpose. Routers along the path read the header, figure out where the packet should go next, and pass it along. They never need to open the “envelope” and look at the data inside to do their job.

What’s Inside an IP Header

The most common type of packet header you’ll encounter is the IP (Internet Protocol) header. In IPv4, which still carries the majority of internet traffic, this header is at least 20 bytes long and can stretch up to 60 bytes if optional fields are included. It contains several fields, but a few are especially important:

  • Source and destination IP addresses: These are the 32-bit addresses that identify the sender and the intended recipient. They’re the core reason the header exists.
  • Time to Live (TTL): A counter that starts at a set value and drops by 1 every time the packet passes through a router. If it hits zero, the router discards the packet. This prevents data from circling the network forever if there’s a routing error.
  • Total Length: Tells every device how large the entire packet is, header and data combined. The maximum is 65,535 bytes.
  • Header Checksum: A quick math check that lets each router verify the header wasn’t corrupted in transit. If the numbers don’t add up, the packet is dropped on the spot.
  • Version: Identifies whether the packet uses IPv4 or IPv6 formatting, so the receiving device knows how to read the rest of the header.

The original IPv4 standard was published in 1981 as RFC 791 and remains the foundation for how IP packets work today. It was designed with a key philosophy: every packet is treated as an independent unit with no built-in guarantees of delivery, no automatic retransmission, and no error correction for the data itself. The header checksum only protects the header, not the payload. Reliability is left to higher layers of the networking stack.

IPv4 vs. IPv6 Headers

IPv6, the newer version of the Internet Protocol, takes a different approach to header design. Its header is a fixed 40 bytes with no variable-length options. That’s actually larger than the minimum IPv4 header (20 bytes), but the trade-off is simplicity. Routers don’t need to calculate how long the header is before they start reading it, which speeds up processing. IPv6 also drops the header checksum entirely, relying on other layers to catch errors, and uses 128-bit addresses instead of 32-bit ones to support a vastly larger number of devices.

Layers of Headers Stack on Top of Each Other

A single packet doesn’t carry just one header. As your data moves down the networking stack before it leaves your device, each layer wraps the data in its own header through a process called encapsulation.

It starts at the transport layer. If your data uses TCP (the protocol behind web browsing, email, and file transfers), TCP breaks the data into segments and attaches a TCP header to each one. That header includes sequence numbers so the receiving device can reassemble segments in the correct order, acknowledgment numbers to confirm what’s been received, and control flags that manage the connection (like SYN to start a connection and FIN to close it).

Next, the internet layer wraps that entire segment, TCP header and all, inside an IP header. This is where the source and destination IP addresses get added. Finally, the data-link layer adds yet another header (and a footer) to create a frame that can travel across a physical network like Ethernet or Wi-Fi. This frame header includes MAC addresses, which are hardware-level identifiers specific to each network device.

The result is a nesting-doll structure: a frame header surrounds an IP header, which surrounds a TCP header, which surrounds your actual data. Each layer only reads and acts on its own header, then passes the rest up or down the stack.
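The nesting described above can be undone one layer at a time, with each header saying where the next one begins. The following is an added example, not part of the original article: it peels a constructed Ethernet/IPv4/TCP frame (MAC addresses, IP addresses and function names are illustrative) and decodes the TCP control flags.

```python
import struct

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def decapsulate(frame: bytes) -> dict:
    """Peel Ethernet II -> IPv4 -> TCP, reading only each layer's own header."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("frame does not carry IPv4")
    ip = frame[14:]
    ip_hlen = (ip[0] & 0x0F) * 4                 # IPv4 header is 20-60 bytes
    ip_total = struct.unpack("!H", ip[2:4])[0]   # header + data, excludes frame padding
    if ip[9] != 6 or ip_hlen < 20 or not ip_hlen + 20 <= ip_total <= len(ip):
        raise ValueError("not a well-formed IPv4/TCP packet")
    tcp = ip[ip_hlen:ip_total]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hlen = (off_flags >> 12) * 4             # TCP header is 20-60 bytes
    if not 20 <= tcp_hlen <= len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload": tcp[tcp_hlen:],
    }

def sample_frame(payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Constructed frame; checksums are left at zero because nothing here checks them."""
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0) + payload   # PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("02000000000b"),
                      bytes.fromhex("02000000000a"), 0x0800)
    return eth + ip

if __name__ == "__main__":
    print(decapsulate(sample_frame()))
```

Slicing by the IP Total Length rather than the frame length keeps any Ethernet padding out of the recovered payload.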

How Routers Use Headers to Move Data

When a packet arrives at a router, the router reads the destination IP address in the header and compares it against its routing table to determine the next hop, meaning the next device the packet should be sent to. Once the router knows the next hop’s IP address, it needs to translate that into a physical hardware (MAC) address so the packet can actually travel across the local network segment.

This translation happens through ARP (Address Resolution Protocol). The router checks a local cache of recently resolved addresses first. If the address is already cached, the packet gets forwarded immediately. If not, the router sends out an ARP request to find the right hardware address, and the packet waits in a queue until the response comes back or the request times out. This entire process happens in milliseconds, repeated at every hop between you and the destination.

Headers and Network Security

Because headers contain structured, predictable information, they’re a natural target for both security tools and attackers. Firewalls and intrusion detection systems routinely inspect header fields to filter traffic. They can block packets based on source or destination addresses, flag unusual TCP control flags, or detect patterns like an abnormal number of outgoing connections that might indicate malware trying to spread.

Some security tools go further with deep packet inspection, examining both the header and the payload. But header-only analysis is faster and often sufficient to catch common threats. One well-known detection method watches for hosts that have a suspiciously low ratio of successful connection attempts to total attempts, a pattern typical of network scanners probing for vulnerable machines. Another approach models the first 48 bytes of each packet starting from the IP header, which captures the full header stack plus a small slice of the payload, to build a profile of normal traffic and flag anything that deviates.
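The success-ratio method mentioned above needs nothing beyond addresses, ports and TCP flags. The following is an added example, not part of the original article: it counts each host's initial SYNs and the SYN-ACKs that answer them over constructed traffic records; the thresholds, record format and function names are assumptions chosen for illustration.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

def connection_success_ratios(packets):
    """packets: iterable of (src, sport, dst, dport, tcp_flags) taken from headers.
    Returns {initiator: (attempts, successes)}."""
    attempts = defaultdict(set)    # initiator -> {(sport, dst, dport)}
    successes = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:        # initial SYN: a new attempt
            attempts[src].add((sport, dst, dport))
        elif flags & SYN and flags & ACK:          # SYN-ACK: the responder accepted
            key = (dport, src, sport)              # same tuple from the initiator's side
            if key in attempts.get(dst, ()):
                successes[dst].add(key)
    return {h: (len(a), len(successes[h])) for h, a in attempts.items()}

def flag_scanners(packets, min_attempts=10, max_ratio=0.2):
    """Flag hosts with enough attempts and a low success ratio (assumed thresholds)."""
    flagged = {}
    for host, (n, ok) in connection_success_ratios(packets).items():
        if n >= min_attempts and ok / n <= max_ratio:
            flagged[host] = round(ok / n, 2)
    return flagged

def sample_traffic():
    """Constructed records: one host probing port 22 on 20 addresses, one normal client."""
    pkts = []
    for i in range(1, 21):
        target = f"192.0.2.{i}"
        pkts.append(("203.0.113.5", 40000 + i, target, 22, SYN))
        if i == 7:                                 # a single host accepts
            pkts.append((target, 22, "203.0.113.5", 40000 + i, SYN | ACK))
        elif i % 2:                                # some refuse, the rest stay silent
            pkts.append((target, 22, "203.0.113.5", 40000 + i, RST | ACK))
    for p in range(12):
        pkts.append(("192.0.2.50", 50000 + p, "198.51.100.7", 443, SYN))
        pkts.append(("198.51.100.7", 443, "192.0.2.50", 50000 + p, SYN | ACK))
    return pkts

if __name__ == "__main__":
    print(connection_success_ratios(sample_traffic()))
    print(flag_scanners(sample_traffic()))
```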

On the attacker side, IP spoofing involves forging the source address in a packet header to disguise where traffic is really coming from. This is why many security systems don’t trust header information at face value and use additional verification methods to confirm a packet’s legitimacy.