# CHAPTER 3
Understanding Network Packets
1. Introduction
When you open Wireshark and start a capture, you will immediately be hit by a wall of terrifying hexadecimal numbers and complex acronyms. If you do not understand how a network packet is constructed, Wireshark will be completely illegible. In this chapter, we are going back to the absolute fundamentals. We will dissect the anatomy of digital communication. We will explore the difference between a Frame and a Packet, demystify the concept of Data Encapsulation, and build the mental model you need to read Wireshark's output like a native language.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define what a Network Packet is in plain English.
- Explain the concept of Data Encapsulation (The Matryoshka Doll model).
- Differentiate between a Layer 2 Frame and a Layer 3 Packet.
- Identify the standard components of a packet (Header, Payload, Trailer).
- Understand how Wireshark dissects and displays these layers.
3. Beginner-friendly Explanations
The Russian Nesting Doll (Encapsulation): Imagine you are sending a birthday present.
- 1. The Gift (Data): This is the actual thing you care about (e.g., an HTML webpage).
- 2. The Bubble Wrap (TCP/UDP Layer): You wrap the gift to ensure it doesn't break in transit, and you add a note saying "Handle with Care" (TCP ensures reliable delivery).
- 3. The Cardboard Box (IP Layer): You place the bubble-wrapped gift into a box and write the exact Destination Address on the outside (The IP Address).
- 4. The Delivery Truck (Ethernet Layer): You hand the box to the local postman, who puts it in his physical truck to drive it down the physical street (The MAC Address).
When a packet leaves your computer, it goes through Encapsulation (putting the doll inside the larger doll). When the server receives it, it performs De-encapsulation (opening the dolls until it finds the gift). Wireshark's entire job is to show you every single doll at the exact same time.
4. Frames vs. Packets
Networking professionals are very pedantic about vocabulary based on the OSI Model.
- Data (Layer 7): The raw application data (e.g., an HTTP GET request).
- Segment (Layer 4): The Data wrapped in a TCP or UDP header.
- Packet (Layer 3): The Segment wrapped in an IP header (contains Source/Dest IP Addresses).
- Frame (Layer 2): The Packet wrapped in an Ethernet header (contains Source/Dest MAC Addresses).
When Wireshark captures traffic off your network card, it is technically capturing Frames. However, in casual conversation, everyone just calls them "Packets."
5. Anatomy of a Packet
If we slice a standard internet packet open, it looks like this:

| Ethernet Header (Layer 2) | IP Header (Layer 3) | TCP Header (Layer 4) | Payload / Data (Layer 7) |
|---|---|---|---|
| Dest MAC, Source MAC | Source IP, Dest IP | Source Port, Dest Port | HTTP "GET /index.html" |
Wireshark reads this raw stream of 1s and 0s and perfectly separates it into these distinct blocks so a human can read it.
6. The TCP/IP Overview
Wireshark is dominated by a few major protocols. If you know these four, you can survive 90% of packet analysis:
- 1. Ethernet (Layer 2): Moves the data across the local physical room.
- 2. IPv4 / IPv6 (Layer 3): Moves the data across the global internet to the correct city.
- 3. TCP / UDP (Layer 4): Ensures the data arrives intact (TCP) or fast (UDP), and delivers it to the correct application (e.g., Port 443 for Web).
- 4. HTTP / DNS / TLS (Layer 7): The actual application conversation (e.g., asking for a website name).
7. Packet Anatomy Diagrams
*Visual Concept: The Protocol Stack*
Draw a horizontal block. Slice it into 4 colored sections.
- Red Section (Left): "Ethernet II (MAC Addresses)"
- Blue Section: "IPv4 (IP Addresses)"
- Green Section: "TCP (Ports)"
- Yellow Section (Right): "HTTP (Application Data)"
8. Best Practices
- Focus on the Layer of the Problem: When troubleshooting in Wireshark, if two computers cannot ping each other at all, stop looking at the Application Layer (HTTP); the problem is at Layer 2 (MAC/ARP) or Layer 3 (IP Routing). Always start your analysis at the bottom of the stack and work your way up.
9. Common Mistakes
- Confusing Headers with Payload: A beginner looks at a packet that is 1500 bytes large. They see the HTTP data is only 50 bytes. They ask, "Where did the other 1450 bytes go?" They forget that the Ethernet, IP, and TCP headers all consume physical space (bytes) in the packet. This "protocol overhead" is entirely normal.
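As an added example (not part of the original chapter), the Python script below builds a constructed Ethernet II / IPv4 / TCP / HTTP frame with only the standard library, then dissects it back into the four blocks of the table in section 5 and reports each layer's byte count, so the "protocol overhead" described above is visible in numbers. The helper names `build_frame`, `dissect` and `overhead`, the MAC and IP addresses (locally administered MACs, private and documentation IP ranges) and the request text are all made up; it assumes a plain Ethernet II frame with no VLAN tag and leaves the checksums at zero.

```python
import struct

# Constructed sample values (private/documentation address ranges, locally administered MACs), not a real capture
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SRC_IP, DST_IP = bytes([192, 168, 1, 10]), bytes([192, 0, 2, 80])
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

def build_frame(payload: bytes) -> bytes:
    """Encapsulate outward: Data -> TCP Segment -> IP Packet -> Ethernet Frame."""
    # 20-byte TCP header: src/dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum 0, urgent
    segment = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # 20-byte IPv4 header: version 4 / IHL 5, DSCP, total length, id, flag DF, TTL, protocol 6 = TCP, checksum 0
    packet = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0x4000,
                         64, 6, 0, SRC_IP, DST_IP) + segment
    # 14-byte Ethernet II header: dst MAC, src MAC, EtherType 0x0800 = IPv4
    frame = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800) + packet
    # NICs pad short frames to the 60-byte minimum (FCS excluded); emulate it so the dissector has to cope
    return frame.ljust(60, b"\x00")

def dissect(frame: bytes) -> list:
    """Peel the layers back off (de-encapsulation), recording each layer's size the way Wireshark shows it."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"only IPv4 frames handled, got EtherType {ethertype:#06x}")
    ihl = (frame[14] & 0x0F) * 4                      # IHL is counted in 32-bit words
    total_len = struct.unpack("!H", frame[16:18])[0]  # IP length excludes the Ethernet header and any padding
    if frame[23] != 6:                                # IP protocol field
        raise ValueError(f"only TCP handled, got IP protocol {frame[23]}")
    src_ip, dst_ip = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4             # TCP header length, also in 32-bit words
    payload = frame[tcp + data_off:14 + total_len]    # stop at the IP total length, not at the end of the frame
    return [
        ("Ethernet II", 14, f"{src.hex(':')} -> {dst.hex(':')}"),
        ("IPv4", ihl, f"{src_ip} -> {dst_ip}"),
        ("TCP", data_off, f"port {sport} -> {dport}"),
        ("HTTP", len(payload), payload.split(b"\r\n")[0].decode()),
    ]

def overhead(layers: list) -> int:
    """Bytes consumed by headers, i.e. everything on the wire that is not application data."""
    return sum(size for name, size, _ in layers if name != "HTTP")

if __name__ == "__main__":
    frame = build_frame(HTTP_GET)
    for name, size, summary in dissect(frame):
        print(f"{name:<12}{size:>4} bytes  {summary}")
    print(f"header overhead: {overhead(dissect(frame))} of {len(frame)} bytes on the wire")
```

Running it lists 14 + 20 + 20 = 54 bytes of headers in front of the 48-byte GET request; dissecting a frame built from an empty payload shows why the payload must be cut at the IP total length rather than the frame length, since the NIC padding would otherwise be mistaken for data.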
10. Mini Project: Map the Encapsulation
Write out the encapsulation journey of an email on a piece of paper.
- 1. The user types the email (Data).
- 2. The email app adds a port number to ensure it goes to a mail server (TCP Segment).
- 3. The Operating System adds the server's public IP address (IP Packet).
- 4. The Wi-Fi card adds the MAC address of the home router (Ethernet Frame).
- 5. The frame is blasted out as radio waves.
11. Practice Exercises
- 1. Explain the "Russian Nesting Doll" concept of Data Encapsulation. Why do we wrap data in multiple different protocol headers?
- 2. Differentiate between a Layer 2 Frame and a Layer 3 Packet regarding the specific type of addressing they use.
12. MCQs with Answers
In the context of data encapsulation, what specific protocol header is wrapped directly around the application payload to create a "Segment" and ensure reliable delivery?
When a network card transmits data onto a physical local cable, the final, fully-encapsulated data unit (containing Source and Destination MAC addresses) is formally called a:
13. Interview Questions
- Q: Walk me through the exact encapsulation process of an HTTP GET request, from Layer 7 down to Layer 2. What specific headers are added at each step?
- Q: Explain the difference between a MAC Address and an IP Address. At which layers of the OSI model do they operate?
- Q: Why does Wireshark display multiple layers of protocols for a single captured line of traffic?