Packet
When you send a file or load a web page, the data does not travel as one big chunk. It is broken into small pieces called packets, each stamped with the destination address and a sequence number. These packets may take different routes through the network and arrive out of order, but the receiving device reassembles them correctly. It is like sending a book one page at a time through the mail: each envelope has the page number and the address, so the recipient can put it all back together.
A packet is a formatted unit of data carried over a network. At Layer 3 (Network), data is specifically called a “packet”; at Layer 2 it is a “frame,” and at Layer 4 it is a “segment” (TCP) or “datagram” (UDP). In casual usage, “packet” refers to any network data unit.
IPv4 packet structure:
| Field | Size | Purpose |
|---|---|---|
| Version | 4 bits | IP version (4) |
| Header Length | 4 bits | Header size in 32-bit words |
| Total Length | 16 bits | Entire packet size (max 65,535 bytes) |
| TTL | 8 bits | Hop limit (decremented by each router) |
| Protocol | 8 bits | Upper-layer protocol (6=TCP, 17=UDP, 1=ICMP) |
| Source IP | 32 bits | Sender’s IP address |
| Destination IP | 32 bits | Receiver’s IP address |
| Payload | Variable | The actual data (TCP segment, UDP datagram, etc.) |
MTU (Maximum Transmission Unit): the largest packet size a link can carry. Standard Ethernet MTU is 1500 bytes. Jumbo frames support 9000 bytes for high-throughput LAN traffic.
Fragmentation: if a packet exceeds the MTU of a link, it is either fragmented (split into smaller packets) or dropped with an ICMP “Packet Too Big” message (if the Don’t Fragment flag is set). Fragmentation is avoided when possible because it increases overhead and reassembly complexity.
Packet loss: when packets are dropped due to congestion, corruption, or routing issues. TCP retransmits lost packets; UDP does not. Measured as a percentage; even 1% packet loss severely degrades TCP throughput.
Capturing and analyzing packets
# Capture packets on an interface
$ sudo tcpdump -i eth0 -c 5 -n
12:00:01 IP 192.168.1.10.54312 > 93.184.216.34.443: Flags [P.], seq 1:100, length 99
12:00:01 IP 93.184.216.34.443 > 192.168.1.10.54312: Flags [.], ack 100, length 0
# Capture and save to file for Wireshark analysis
$ sudo tcpdump -i eth0 -w capture.pcap -c 1000
# Filter specific traffic
$ sudo tcpdump -i eth0 'tcp port 443 and host 10.0.0.5' -n
# Check packet statistics on an interface
$ ip -s link show eth0
RX: bytes packets errors dropped
1.2G 890234 0 12
TX: bytes packets errors dropped
245M 312456 0 0
# Check for packet loss with ping
$ ping -c 100 8.8.8.8 | tail -2
100 packets transmitted, 99 received, 1% packet loss
round-trip min/avg/max = 11.2/12.8/15.1 msPackets are the fundamental unit of all network communication. Wireshark and tcpdump are the standard tools for packet capture and analysis, used daily by network engineers and security analysts. Packet captures (pcap files) are the gold standard of network forensics: they contain the complete record of what traveled across the wire. In troubleshooting, packet captures reveal issues invisible to higher-level tools: retransmissions, window scaling problems, TLS handshake failures, and malformed requests. DDoS attacks are measured in packets per second (pps) as well as bits per second (bps). Cloud providers often limit packet rates per instance, which can become a bottleneck before bandwidth limits are reached.