Crux Read real packet dumps, route tables, and traceroute output; decode the header, predict the forwarding decision, and pick the highest-leverage fix.
Packet dumps, route tables, and traceroute output are where IP-layer problems are actually diagnosed. Read each one, work out what the bytes and columns mean, then choose the call a senior engineer would make first.
Goal
Practise the loop you run in every routing or path-MTU incident: decode the header or table in front of you, predict the behaviour, and reach for the fix that does not depend on a signal you cannot guarantee.
Snippet 1 — decode the IPv4 header
A tcpdump -X capture shows the first 20 bytes of an IPv4 packet:
From this header, what is the L4 protocol, what is the TTL, and what does the TTL value 40 most likely tell you about the packet's journey so far?
Heads-up Protocol 6 is TCP (17 is UDP), and TTL is a hop count, not a time value despite the name — each router decrements it by one.
Heads-up ICMP is protocol 1; 6 is TCP. TTL caps the maximum remaining hops but guarantees nothing about the path length ahead.
Heads-up IHL counts 32-bit words: 5 words = 20 bytes, the minimum header. A 60-byte header would need IHL 15.
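The decoding step above, as an added example in Python (not code from the original page): a parser that takes tcpdump -X text, strips the offset and ASCII columns, pulls out version, IHL, TTL, protocol and addresses, and verifies the header checksum so a mangled or hand-edited dump is caught rather than silently mis-read. The sample dump is constructed for this example, not the page's capture; the hop estimate assumes the sender started from one of the usual OS default TTLs (64, 128 or 255), which is a guess, not something the header proves.

```python
import re
import struct
from ipaddress import IPv4Address

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed tcpdump -X excerpt, not the page's capture: a 20-byte IPv4 header
# (IHL 5, DF set, TTL 40, protocol 6) from 198.51.100.10 to 203.0.113.5, with
# the checksum field filled in so the header verifies.
SAMPLE_DUMP = """\
\t0x0000:  4500 003c 1c46 4000 2806 d032 c633 640a  E..<.F@.(.2.3d.
\t0x0010:  cb00 7105                                ..q.
"""

# offset column, then hex groups; the ASCII column is separated by two spaces
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}\s?)+)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from tcpdump -X output, dropping offsets and ASCII."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, checksum zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte fields, validate IHL, and verify the checksum."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    version, ihl = raw[0] >> 4, raw[0] & 0x0F    # two nibbles of byte 0
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                          # IHL counts 32-bit words
    if header_len < 20 or len(raw) < header_len:
        raise ValueError(f"bad IHL {ihl}: header length {header_len}")
    total_len, ident, flags_frag = struct.unpack("!HHH", raw[2:8])
    ttl, proto, cksum = struct.unpack("!BBH", raw[8:12])   # bytes 8, 9, 10-11
    return {
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
        "checksum_ok": ipv4_checksum(raw[:header_len]) == cksum,
        "src": str(IPv4Address(raw[12:16])),
        "dst": str(IPv4Address(raw[16:20])),
        "options": raw[20:header_len],
    }


def estimate_hops_travelled(ttl: int, initial_ttls=(64, 128, 255)) -> tuple:
    """Assumption: the sender used one of the common default initial TTLs.
    Returns (assumed initial TTL, routers crossed so far)."""
    initial = min(t for t in initial_ttls if t >= ttl)
    return initial, initial - ttl


if __name__ == "__main__":
    fields = decode_ipv4_header(hexdump_to_bytes(SAMPLE_DUMP))
    for key, value in fields.items():
        print(f"{key:>14}: {value}")
    print("hops so far:", estimate_hops_travelled(fields["ttl"]))
```

The checksum check is the part worth keeping: a decoder that reports TTL 40 from a header whose checksum does not verify is reporting on a corrupted or truncated dump, and the hop estimate is only as good as the guess about the sender's initial TTL.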
Snippet 2 — the route table
$ ip route show
default via 203.0.113.1 dev eth0
10.0.0.0/8 via 10.4.0.1 dev eth1
10.4.0.0/16 via 10.4.0.1 dev eth1
10.4.2.0/24 dev eth2 scope link
A packet for 10.4.2.9 arrives. Which line forwards it, and which line would handle a packet for 8.8.8.8?
Heads-up Order in the table does not decide forwarding — longest-prefix match picks the /24. And 8.8.8.8 is not dropped: the default route matches everything as a last resort.
Heads-up The /24 is more specific than the /16, so it wins for 10.4.2.9. And 8.8.8.8 is outside 10.0.0.0/8, so it uses the default route, not the /8.
Heads-up The default (0.0.0.0/0) is the least specific prefix; it is used only when no longer prefix matches. 10.4.2.9 has three more specific matches available.
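Longest-prefix match over the table above, as an added Python example (not code from the original page): it parses `ip route show` lines, picks the most specific containing prefix regardless of table order, and reports the next hop or on-link delivery. The parser assumes the keyword/value layout shown in the snippet (via, dev, scope); lone flags such as `linkdown` that real tables can print are not handled.

```python
from ipaddress import ip_address, ip_network

# The table from the snippet above, as `ip route show` prints it.
ROUTE_TABLE = """\
default via 203.0.113.1 dev eth0
10.0.0.0/8 via 10.4.0.1 dev eth1
10.4.0.0/16 via 10.4.0.1 dev eth1
10.4.2.0/24 dev eth2 scope link
"""


def parse_routes(text: str) -> list:
    """Turn `ip route show` lines into dicts with a parsed prefix."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"prefix": ip_network(prefix, strict=False),
                 "via": None, "dev": None, "scope": None}
        # assumption: the rest of the line is keyword/value pairs (via X, dev Y, scope Z)
        for key, value in zip(fields[1::2], fields[2::2]):
            if key in ("via", "dev", "scope"):
                route[key] = value
        routes.append(route)
    return routes


def lookup(routes: list, dst: str):
    """Longest-prefix match: the most specific prefix containing dst wins,
    default (/0) only when nothing else does. Table order is irrelevant."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r["prefix"]]
    if not matches:
        return None            # no default route: destination unreachable
    return max(matches, key=lambda r: r["prefix"].prefixlen)


def forwarding_decision(routes: list, dst: str):
    """(matched prefix, next hop or 'on-link', egress interface) for dst."""
    r = lookup(routes, dst)
    if r is None:
        return None
    # no 'via' means the destination is directly reachable on that interface
    return str(r["prefix"]), r["via"] or "on-link", r["dev"]


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("10.4.2.9", "10.4.7.1", "10.9.0.1", "8.8.8.8"):
        print(dst, "->", forwarding_decision(table, dst))
```

Reversing the table gives the same answers, which is the point the heads-ups make: only prefix length decides. Dropping the default line is the quickest way to see what "no match" looks like for 8.8.8.8.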
Snippet 3 — the traceroute
$ traceroute -n example.com
 1  192.168.1.1  0.9 ms
 2  203.0.113.1  8.4 ms
 3  * * *
 4  198.51.100.7  24.1 ms
 5  93.184.216.34  71.2 ms
Hop 3 shows three asterisks but hops 4 and 5 reply normally. What is happening at hop 3, and is the path broken?
Heads-up If hop 3 dropped data-plane traffic, hops 4 and 5 could not reply. Asterisks mean only that the ICMP TTL-exceeded reply is missing, not that forwarding failed.
Heads-up A loop would never let the trace progress to hops 4 and 5. The asterisks are a missing/rate-limited ICMP response, a common and benign configuration.
Heads-up Routers do not encrypt forwarded IP packets. The missing line is purely about that router not returning an ICMP time-exceeded message.
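The reasoning in the three heads-ups, as an added Python example (not code from the original page): a traceroute parser plus a classifier that treats a silent hop followed by answering hops as "forwards fine, withholds ICMP" and silence that continues to the end of the trace as inconclusive. The first trace is the page's; the second is a constructed contrast case in which replies stop after hop 2 and the target never answers.

```python
import re

# The trace from the snippet above (one probe per hop, as the page shows it).
TRACE_OK = """\
$ traceroute -n example.com
 1  192.168.1.1  0.9 ms
 2  203.0.113.1  8.4 ms
 3  * * *
 4  198.51.100.7  24.1 ms
 5  93.184.216.34  71.2 ms
"""

# Constructed contrast case, not from the page: nothing answers after hop 2.
TRACE_DEAD = """\
$ traceroute -n example.com
 1  192.168.1.1  0.9 ms
 2  203.0.113.1  8.4 ms
 3  * * *
 4  * * *
 5  * * *
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_traceroute(text: str) -> list:
    """One dict per hop: number, responding addresses, RTTs, probe timeouts."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                # command line or banner, not a hop
        tokens = m.group(2).split()
        rtts = [float(tokens[i]) for i in range(len(tokens) - 1) if tokens[i + 1] == "ms"]
        hops.append({
            "hop": int(m.group(1)),
            "addrs": sorted({t for t in tokens if IPV4.match(t)}),
            "rtts_ms": rtts,
            "timeouts": tokens.count("*"),
        })
    return hops


def assess_path(hops: list, target: str) -> dict:
    """Classify silent hops by what the hops after them say. A silent hop with
    answering hops behind it is forwarding traffic and merely withholding ICMP
    time-exceeded; silence that runs to the end of the trace proves nothing
    either way and needs a data-plane test."""
    last_answered = max((h["hop"] for h in hops if h["addrs"]), default=0)
    reached = any(target in h["addrs"] for h in hops)
    findings = []
    for h in hops:
        if h["addrs"]:
            continue
        if h["hop"] < last_answered:
            findings.append((h["hop"], "silent",
                             "forwards traffic; withholds or rate-limits ICMP time-exceeded"))
        else:
            findings.append((h["hop"], "unresolved",
                             "no replies from here on: ICMP filtered downstream or a real break"))
    return {"reached": reached, "last_answered": last_answered, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("dead", TRACE_DEAD)):
        print(name, assess_path(parse_traceroute(trace), "93.184.216.34"))
```

The classifier deliberately refuses to call the second trace "broken": a trailing run of asterisks is equally consistent with a firewall that drops ICMP from hop 3 onward while forwarding TCP normally, which is why the next step after such a trace is a TCP-level test (for example `traceroute -T` or a plain connection attempt), not a ticket about hop 3.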
Snippet 4 — MSS clamping on the gateway
# VPN/PPPoE gateway, packets stalling on large transfers
# iptables rule under consideration:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  -j TCPMSS --clamp-mss-to-pmtu
Large transfers through this gateway stall while small ones work. What does this rule do, and why is it preferred over just unblocking ICMP?
Heads-up The rule edits the MSS option inside the SYN; it does not block SYNs. It prevents oversized packets by lowering the negotiated segment size, not by dropping connections.
Heads-up MSS clamping avoids fragmentation entirely by keeping segments small at negotiation time. It edits the handshake, it does not split packets.
Heads-up Unblocking ICMP only helps if every middlebox on the path passes ICMP. MSS clamping works regardless of ICMP filtering, which is exactly why it is the pragmatic fix. It covers TCP only: UDP and other protocols still depend on path-MTU discovery, so the ICMP problem is worth fixing as well, not instead.
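What the TCPMSS target actually changes in the SYN, as an added Python example (not code from the original page or from netfilter): a walker over TCP option bytes and a clamp that lowers the advertised MSS to the path MTU minus 40 (20 bytes IPv4 header plus 20 bytes TCP header, the figure the `--clamp-mss-to-pmtu` documentation gives for IPv4). The SYN option bytes are constructed for this example from a typical Linux client SYN; the TCP checksum fix-up that a real rewrite needs, and the kernel's handling of a SYN with no MSS option, are not modelled.

```python
import struct

IPV4_HEADER = 20
TCP_HEADER = 20
MSS_KIND, NOP, EOL = 2, 1, 0

# Constructed option bytes in the shape of a typical Linux SYN (not a capture
# from the page): MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"                                        # MSS = 1460
    + b"\x04\x02"                                              # SACK permitted
    + b"\x08\x0a" + b"\x00\x01\x02\x03" + b"\x00\x00\x00\x00"  # timestamps
    + b"\x01"                                                  # NOP (padding)
    + b"\x03\x03\x07"                                          # window scale 7
)


def mss_for_pmtu(pmtu: int, ip_header: int = IPV4_HEADER) -> int:
    """Largest TCP segment that fits one unfragmented packet of size pmtu:
    pmtu - 40 for IPv4 (pmtu - 60 for IPv6, not handled here)."""
    return pmtu - ip_header - TCP_HEADER


def walk_tcp_options(opts: bytes):
    """Yield (offset, kind, length) per option, honouring EOL and NOP."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            return
        if kind == NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"malformed TCP option kind {kind} length {length}")
        yield i, kind, length
        i += length


def get_mss(opts: bytes):
    """The MSS the SYN advertises, or None when no MSS option is present."""
    for off, kind, length in walk_tcp_options(opts):
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", opts[off + 2:off + 4])[0]
    return None


def clamp_mss(opts: bytes, pmtu: int) -> bytes:
    """Lower the MSS option to fit pmtu, as the TCPMSS target does on a SYN.
    Only lowers, never raises, and leaves a SYN without an MSS option as-is.
    A real rewrite must also recompute the TCP checksum (netfilter does)."""
    limit = mss_for_pmtu(pmtu)
    out = bytearray(opts)
    for off, kind, length in walk_tcp_options(opts):
        if kind == MSS_KIND and length == 4:
            current = struct.unpack("!H", opts[off + 2:off + 4])[0]
            if current > limit:
                struct.pack_into("!H", out, off + 2, limit)
    return bytes(out)


if __name__ == "__main__":
    for pmtu in (1500, 1492, 1400):
        clamped = clamp_mss(SYN_OPTIONS, pmtu)
        print(f"PMTU {pmtu}: MSS {get_mss(SYN_OPTIONS)} -> {get_mss(clamped)}")
```

With a PPPoE path MTU of 1492 the 1460 in the SYN becomes 1452; with a 1500-byte path the option is left untouched, which is why the rule is safe to leave in place on links that do not need it. The rule in the snippet matches `--tcp-flags SYN,RST SYN` so only handshake packets are touched, and because the peer sizes every later segment from the MSS it learned there, no later packet needs rewriting.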
Recap
Every IP-layer incident is read in bytes and columns: the first byte of an IPv4 header holds the version in its high nibble and the header length (IHL, in 32-bit words) in its low nibble, byte 8 (counting from 0) is TTL (a hop counter, not a clock) and byte 9 is the L4 protocol; a route table is resolved by longest-prefix match with the default route as the last resort; traceroute asterisks usually mean a hop that withholds ICMP, not a broken path; and an MSS-clamp rule fixes path-MTU stalls for TCP without depending on ICMP. Decode what is in front of you, predict the behaviour, then fix the cause — not the symptom.