1. IPv4 Header: Forensic Bitmasking
An IPv4 packet starts with a 20-byte minimum header. Every bit is a functional decision point. The first 4 bits define the **Version** (0100 for IPv4), followed by the **IHL (Internet Header Length)**, which specifies the header length (in 32-bit words) and therefore the offset to the payload.
The Identification & Flags Field
To handle **Fragmentation**, IPv4 uses a 16-bit **Identification** field, coupled with 3 status flags. Forensics teams look for ID-field patterns; sequential IDs can reveal internal subnet sizes or even the Operating System family (e.g., Windows vs. Linux).
DF (Don't Fragment) Bit
If a packet is larger than the MTU and the DF bit is set, the router MUST drop it and send an ICMP "Fragmentation Needed" message. This is the mechanism for **PMTUD (Path MTU Discovery)**.
MF (More Fragments) Bit
A value of 1 indicates that the current packet is NOT the end of the data. The reassembling host waits for the fragment with MF=0 before completing the reassembly buffer.
TTL Decay: The Loop Killswitch
The **Time to Live (TTL)** field is an 8-bit counter that prevents packets from looping infinitely. Every L3 hop decrements the TTL. When it hits 0, the router discards the packet and sends an **ICMP Time Exceeded (Type 11)** message.
Forensic analysts use TTL to estimate the number of hops between the source and the capture point. If you receive a packet with a TTL of 126, and the default for the OS is 128, you are likely 2 hops away. Discrepancies in TTL for a single flow are a high-fidelity indicator of **BGP Route Flapping** or **Load Balancer Asymmetry**.
2. Fragmentation Offset: The 8-Byte Block Math
The **Fragment Offset** is a 13-bit field. Because the field is only 13 bits, it cannot address individual bytes of a 65,535-byte datagram. Therefore, it measures in **8-byte blocks** ($2^3$).
The Offset Calculation
In a forensic trace, if you see a fragment offset of 185, the fragment's data starts at byte 1,480 (185 × 8). If the previous fragment ended at 1,479, the reassembly is contiguous. If it ended earlier, there is a "Frag Gap" (Data Loss). If it ended later, there is a **Frag Overlap**.
3. CIDR & VLSM: Aggregate Route Forensics
In 1993, **CIDR (Classless Inter-Domain Routing)** replaced the wasteful A/B/C class system. **VLSM (Variable Length Subnet Masking)** allows us to subdivide a block (like a /24) into smaller chunks (/27, /30) to save IP space for point-to-point links.
Subnet Boundary Math
The mask defines the split between the **Network ID** and the **Host ID**. In a /27 network, we have $2^5 = 32$ total addresses, with $32-2 = 30$ usable hosts.
Routing forensics relies on the **Longest Prefix Match (LPM)**. If a router has a route for 10.0.0.0/8 and another for 10.1.2.0/24, it will ALWAYS choose the /24 for traffic to 10.1.2.55. Attackers use 'Specific-Route Injections' to redirect traffic even if a less-specific legitimate route exists.
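The Longest Prefix Match and the /27 host math above, as an added example that is not part of the original page. The route table is constructed, and the audit helper (which lists routes nested inside a trusted aggregate that point elsewhere) is an assumption about what a reviewer would check, not a standard tool.

```python
import ipaddress

# Constructed routing table: (prefix, next_hop). The /8 is the aggregate;
# the /24 is the more-specific route from the text's 10.1.2.55 example.
ROUTES = [
    ("10.0.0.0/8", "192.0.2.1"),
    ("10.1.2.0/24", "192.0.2.2"),
    ("0.0.0.0/0", "192.0.2.254"),
]

def longest_prefix_match(dst: str, routes=ROUTES):
    """Return (prefix, next_hop) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None

def more_specific_than(trusted_prefix: str, routes=ROUTES):
    """Audit helper (assumed): routes nested inside a trusted aggregate whose
    next hop differs from the aggregate's. These win LPM and deserve review."""
    agg = ipaddress.ip_network(trusted_prefix)
    agg_nh = dict(routes).get(trusted_prefix)
    return [(p, nh) for p, nh in routes
            if ipaddress.ip_network(p) != agg
            and ipaddress.ip_network(p).subnet_of(agg)
            and nh != agg_nh]

def usable_hosts(prefix: str) -> int:
    """2^(32-len) addresses minus the network and broadcast addresses."""
    net = ipaddress.ip_network(prefix)
    return max(net.num_addresses - 2, 0)
```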
4. Checksum Math: The 1's Complement Guard
The IPv4 header checksum only protects the header, not the data. This keeps the per-hop processing footprint small. The math is simple but elegant:
Algorithm: RFC 1071
- Adjacent 8-bit bytes are paired into 16-bit integers.
- The 1's complement sum of these integers is calculated.
- The result is bitwise negated to form the final Checksum.
Hardware Offload Forensics: If a packet capture shows 'Invalid Checksum' but the application is working, the NIC is likely performing **TCP/IP Checksum Offload**, meaning the kernel is not calculating the sum, leaving it to the hardware at the very moment of transmission.
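Sections 1, 2 and 4 above describe the same 20-byte header from three angles: flag and offset bitmasking, the 8-byte offset math and the RFC 1071 checksum. The following added example (not code from the original page) decodes a constructed header, verifies its checksum, converts the offset to bytes, estimates hop distance from common initial TTLs (64/128/255 are an assumption about stock defaults) and applies the gap/overlap rule to a fragment list.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """RFC 1071: pair bytes into 16-bit words, one's-complement sum, negate."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(ident, flags_frag, ttl, src, dst, total_len=1500, proto=6):
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode version, IHL, ID, DF/MF, offset (x8), TTL; verify the checksum."""
    ver_ihl, _tos, _tl, ident, flags_frag, ttl, _proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    hdr_len = (ver_ihl & 0x0F) * 4           # IHL counts 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_bytes": hdr_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,   # 13-bit field, 8-byte units
        "ttl": ttl,
        # A valid header summed with its own checksum gives 0xFFFF, so ~sum == 0
        "checksum_ok": rfc1071_checksum(pkt[:hdr_len]) == 0,
    }

def estimate_hops(ttl: int, defaults=(64, 128, 255)) -> int:
    """Hops from the nearest common initial TTL (assumes stock OS defaults)."""
    return min(d for d in defaults if d >= ttl) - ttl

def check_reassembly(frags):
    """frags: (offset_bytes, payload_len). Returns 'gap', 'overlap' or 'contiguous'."""
    expected = 0
    for off, length in sorted(frags):
        if off > expected:
            return "gap"
        if off < expected:
            return "overlap"
        expected = off + length
    return "contiguous"

# Constructed sample: ID 0x1234, MF set, offset 185 (=1480 bytes), TTL 126
SAMPLE = build_header(0x1234, 0x2000 | 185, 126, bytes([10, 0, 0, 5]), bytes([10, 1, 2, 55]))
```

A capture showing "checksum_ok" false on every outbound packet while sessions work normally is the offload symptom described above, not corruption.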
5. NAT, PAT & Traversal: The 32-bit Lifeline
NAT (Network Address Translation) is the primary reason IPv4 still exists. **PAT (Port Address Translation)** allows 65,535 concurrent connections from a single public IP.
STUN (RFC 5389)
The client asks an external STUN server: "What is my public IP and port?" This works for cone NATs but fails for **Symmetric NAT**, where the public port changes based on the destination IP.
TURN (RFC 5766)
When STUN fails, traffic is relayed through a TURN server. This is the expensive fallback for VoIP and WebRTC. Forensic analysts monitor **STUN Binding Requests** to map the NAT topology of a remote network.
6. IP Options: Strict vs Loose Source Routing
The IPv4 header can be extended up to 60 bytes using the **Options** field. Historically, this included **Source Routing**, allowing a sender to specify the exact path a packet should take.
Security Deprecation
Source routing was a massive security hole; attackers could force a packet to transit a malicious node to bypass firewalls. In 2026, **Loose Source Routing (LSRR)** and **Strict Source Routing (SSRR)** are administratively disabled on 99.9% of production routers. Forensically, any packet with these options set is treated as an active exploit attempt.
7. ICMP & PMTUD: The MTU Black Hole Forensics
IPv4 is not a "fire and forget" protocol. It relies on **ICMP (Internet Control Message Protocol)** to provide feedback loops. The most critical feedback in modern high-speed networking is **PMTUD (Path MTU Discovery)**.
The "Destination Unreachable" Packet
When a router encounters a packet larger than its egress interface MTU, and the **DF (Don't Fragment)** bit is set, it MUST send an **ICMP Type 3 Code 4** message back to the source. This message contains the MTU of the next hop, allowing the source to adjust its **MSS (Maximum Segment Size)**.
Forensic Note: **MTU Black Holes** occur when firewalls block all ICMP traffic. The source never receives the 'too big' message and continues to send large packets that are silently dropped. This manifests as a connection that can 'ping' (small packets) but cannot transfer data (large packets).
ICMP Redirect (Type 5) Forensics
Routers use ICMP Type 5 to inform a host that there is a better first-hop router on the same local subnet. While efficient for routing optimization, it is a high-fidelity **Man-in-the-Middle (MitM)** vector. Modern security posture requires disabling ICMP redirects to prevent 'Route Hijacking' on the local segment.
8. QoS & DiffServ: The TOS Field Evolution
The 8-bit **Type of Service (TOS)** field has undergone multiple architectural revisions. Originally defined as 3 bits for Precedence and 4 for service types, it has evolved into the **DS (Differentiated Services)** field.
DSCP (6 bits)
The **Differentiated Services Code Point** defines the Per-Hop Behavior (PHB). Values like **EF (Expedited Forwarding - 46)** are used for VoIP to ensure low-latency queue priority, while **AF (Assured Forwarding)** classes provide tiered bandwidth guarantees.
ECN (2 bits)
The **Explicit Congestion Notification** bits allow routers to mark packets as "Congestion Experienced" (11) rather than dropping them. This prevents TCP global synchronization and is a cornerstone of modern **AI Fabric** flow control.
9. Multicast Forensics: The 224.0.0.0/4 Block
Class D addresses (224.0.0.0 to 239.255.255.255) are reserved for Multicast. Unlike unicast, there is no ARP for multicast. Instead, the L3 address is mathematically mapped to a specific L2 MAC address range (**01-00-5E**).
The 32-to-1 Aliasing Problem
Because only 23 bits of the Multicast IP are mapped to the MAC address, multiple Multicast IPs can share the same MAC. Specifically, 32 different IPs alias to the same L2 address.
Forensic Insight: If you see high CPU utilization on a NIC, it may be due to **Multicast Aliasing**. The NIC hardware passes all packets matching the MAC to the OS kernel, which must then perform a 'Software Filter' to discard packets for multicast groups the host hasn't actually joined.
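The 01-00-5E mapping, the 32-to-1 aliasing and the host-side software filter described above, as an added example that is not part of the original page. The joined-group and arriving-frame lists are constructed sample data.

```python
def multicast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its 01-00-5E MAC: the low 23 bits of the
    IP are copied; the 5 variable bits above them (bits 23-27) are dropped."""
    o = [int(x) for x in ip.split(".")]
    if not 224 <= o[0] <= 239:
        raise ValueError("not a class D address: " + ip)
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])

def aliasing_groups(ip: str):
    """The 32 groups sharing a MAC with `ip`: 16 first octets (224-239) times
    the high bit of the second octet (0 or 128), none of which reach the MAC."""
    o = [int(x) for x in ip.split(".")]
    return ["%d.%d.%d.%d" % (first, (o[1] & 0x7F) | hi, o[2], o[3])
            for first in range(224, 240) for hi in (0, 128)]

def nic_and_kernel_filter(joined, arriving):
    """NIC passes frames whose MAC matches a joined group's MAC; the kernel then
    discards those whose IP group was never joined (the software-filter CPU
    cost the text attributes to aliasing). Returns (delivered, discarded)."""
    macs = {multicast_mac(g) for g in joined}
    delivered = discarded = 0
    for dst in arriving:
        if multicast_mac(dst) in macs:        # frame reached the kernel
            if dst in joined:
                delivered += 1
            else:
                discarded += 1
    return delivered, discarded
```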
IGMP Snooping & Querier Logic
Switches use **IGMP Snooping** to listen to the "Join" and "Leave" messages of hosts. This prevents multicast from behaving like a broadcast (flooding all ports). Forensics involves auditing the **IGMP Querier**—the device responsible for asking "Who is still listening?". If no querier exists, snooping switches will eventually time out and either flood or prune all multicast traffic.
10. The Economics of the Final /8
The IANA (Internet Assigned Numbers Authority) exhausted the global pool of IPv4 addresses in 2011. This created a secondary market where a single /24 (256 addresses) can trade for upwards of **$15,000 to $25,000 USD**.
Carrier-Grade NAT (CGNAT) Forensics
To cope with address exhaustion, ISPs use **CGNAT (RFC 6598)**, utilizing the 100.64.0.0/10 shared address space. This creates a "Double NAT" scenario.
NAT64 / DNS64
A transition mechanism that allows IPv6-only clients to talk to IPv4-only servers by synthesizing an IPv6 address that embeds the IPv4 destination.
464XLAT
The dominant standard for mobile networks, providing IPv4 connectivity over an IPv6-only core without requiring the application to be IPv6-aware.