How a Packet Travels Through a Network

1. The Big Picture – What Actually Happens When You Send Data

When an application on your computer sends data to a server on the other side of the network, that data does not travel as a raw stream of bytes. It is wrapped in a precise series of headers at each layer of the OSI model, forwarded hop by hop through switches and routers, and then unwrapped layer by layer when it arrives at the destination. Understanding this journey in detail is one of the most fundamental skills a network engineer can have — it underlies every troubleshooting scenario you will ever face.

This page walks through the complete end-to-end journey of a single packet using a concrete example: a PC on one network sending an HTTP request to a web server on a different network, separated by two routers. Every step — ARP resolution, frame construction, routing table lookup, MAC address replacement, and final decapsulation — is covered in sequence.

OSI Layer Protocol Data Unit (PDU) Key Device What Changes Hop to Hop
Layer 7–5 (Application–Session) Data Host (application) Nothing — application data is untouched end-to-end
Layer 4 (Transport) Segment Host Nothing — source/destination ports stay the same end-to-end
Layer 3 (Network) Packet Router Nothing — source/destination IP addresses stay the same end-to-end (except with NAT)
Layer 2 (Data Link) Frame Switch, Router Source and destination MAC addresses are replaced at every router hop
Layer 1 (Physical) Bits NIC, Cable, Switch Signal encoding changes per medium

The single most important concept to internalise from this table: the IP addresses never change (end-to-end), but the MAC addresses change at every router hop (local link only).

Related pages: OSI Layer Functions | OSI vs TCP/IP Model | Layer Functions | MAC Addresses | IP Interface Brief | Frame Forwarding / MAC Table

2. The Lab Topology Used in This Walkthrough

All examples in this page use the following topology. Keep it in mind as you read each step — every device and address referenced below maps back to this diagram. 


  PC-A                  Router R1               Router R2                Server
192.168.1.10       Gi0/0        Gi0/1       Gi0/0        Gi0/1        10.0.3.100
MAC: AA:AA        192.168.1.1  10.0.1.1   10.0.1.2    10.0.3.1      MAC: FF:FF
    |                  |            |           |            |              |
    +--[Switch SW1]----+            +-----------+            +--[Switch SW2]+

  Network:           Network:                              Network:
  192.168.1.0/24     10.0.1.0/30                           10.0.3.0/24

The scenario: PC-A (192.168.1.10) sends an HTTP GET request to the web server at 10.0.3.100. The two networks are separated by R1 and R2. PC-A's default gateway is R1 Gi0/0 (192.168.1.1). R1 has a route to 10.0.3.0/24 via R2 (10.0.1.2). R2 is directly connected to 10.0.3.0/24.

3. Step 1 – The Application Creates Data and the Transport Layer Adds a Segment Header

The browser on PC-A initiates an HTTP GET to 10.0.3.100 on TCP port 80. The OS TCP/IP stack performs the following at Layers 7–4:

Layer Action Header Added
Layer 7 – Application HTTP generates the GET request text HTTP data payload
Layer 4 – Transport TCP encapsulates the HTTP data; performs the 3-way handshake before data flows; assigns a random ephemeral source port (e.g. 52341) and destination port 80 TCP header: Src port 52341, Dst port 80, sequence number, flags

The result so far is a TCP segment: TCP header + HTTP payload. This segment is then passed down to Layer 3.

Related pages: HTTP & HTTPS | Ports & Protocols | Common Port Numbers

4. Step 2 – Layer 3 Encapsulation: Building the IP Packet

The OS network layer (Layer 3) wraps the TCP segment in an IP header, creating an IP packet. The source and destination IP addresses are set here and will not change for the entire journey across the network (assuming no NAT).

IP Header Field Value at This Point Changes?
Source IP 192.168.1.10 (PC-A) No — stays the same end-to-end
Destination IP 10.0.3.100 (Server) No — stays the same end-to-end
TTL (Time to Live) 128 (Windows default) or 64 (Linux default) Yes — decremented by 1 at each router
Protocol 6 (TCP) No
Header Checksum Calculated over the IP header Yes — recalculated at each router (TTL change invalidates it)

The result is now an IP packet: IP header + TCP header + HTTP payload. This packet is passed down to Layer 2, but before a Layer 2 frame can be built, PC-A must determine the correct destination MAC address for the first hop.

Related pages: IP Interface Brief

5. Step 3 – Routing Decision on PC-A: Is the Destination Local or Remote?

Before PC-A can build a Layer 2 frame, it must decide who to send the frame to. It does this by comparing the destination IP address against its own subnet mask: 

PC-A IP:            192.168.1.10
PC-A Subnet Mask:   255.255.255.0  (/24)
PC-A Network:       192.168.1.0/24

Destination IP:     10.0.3.100
Destination Network (applying /24): 10.0.3.0

Are they in the same subnet? 192.168.1.0 ≠ 10.0.3.0  → NO

Because the destination is on a different subnet, PC-A cannot deliver the frame directly. It must send the frame to its default gateway — R1's Gi0/0 interface at 192.168.1.1. The IP packet's destination IP remains 10.0.3.100, but the Layer 2 frame's destination MAC will be R1's MAC address, not the server's.

This is the core reason why IP addresses and MAC addresses serve different purposes: IP addresses identify the end-to-end source and destination; MAC addresses identify the next hop on each local link.

Related pages: Default Routes | show ip route | Wildcard Masks

6. Step 4 – ARP: Resolving the Default Gateway's MAC Address

PC-A now knows it needs to send the frame to 192.168.1.1 (R1), but it does not know R1's MAC address. It checks its ARP cache first. If no entry exists for 192.168.1.1, PC-A broadcasts an ARP Request.

6.1 ARP Request (Broadcast)

ARP Request (broadcast — sent to FF:FF:FF:FF:FF:FF on SW1)
┌─────────────────────────────────────────────────────────┐
│ Sender MAC:    AA:AA (PC-A)                             │
│ Sender IP:     192.168.1.10                             │
│ Target MAC:    00:00:00:00:00:00 (unknown — asking)     │
│ Target IP:     192.168.1.1                              │
│ Dst MAC Frame: FF:FF:FF:FF:FF:FF (broadcast)            │
└─────────────────────────────────────────────────────────┘

SW1 floods this broadcast out all ports except the one it arrived on. Every device on 192.168.1.0/24 receives it, but only R1 (owner of 192.168.1.1) responds.

6.2 ARP Reply (Unicast)

ARP Reply (unicast — sent directly back to PC-A)
┌─────────────────────────────────────────────────────────┐
│ Sender MAC:    BB:BB (R1 Gi0/0)                         │
│ Sender IP:     192.168.1.1                              │
│ Target MAC:    AA:AA (PC-A)                             │
│ Target IP:     192.168.1.10                             │
│ Dst MAC Frame: AA:AA (unicast to PC-A)                  │
└─────────────────────────────────────────────────────────┘

PC-A receives the ARP Reply and stores the mapping 192.168.1.1 → BB:BB in its ARP cache. This entry will be reused for subsequent packets until it expires (typically 2–4 hours on Windows, 20 minutes on Cisco IOS).

Related pages: ARP & MAC Addresses | MAC Address Table | MAC Address Table | DHCP Snooping | Dynamic ARP Inspection Lab

7. Step 5 – Layer 2 Encapsulation on PC-A: Building the Ethernet Frame

With R1's MAC address now known, PC-A can construct the Ethernet frame that will carry the IP packet across the first hop (the 192.168.1.0/24 LAN segment). 

Ethernet Frame — PC-A to R1 (Hop 1)
┌───────────────────────────────────────────────────────────────────────┐
│ Dst MAC:  BB:BB  (R1 Gi0/0)   ← Layer 2 destination = next hop       │
│ Src MAC:  AA:AA  (PC-A NIC)                                           │
│ EtherType: 0x0800 (IPv4)                                              │
├───────────────────────────────────────────────────────────────────────┤
│  IP Header                                                            │
│    Src IP:  192.168.1.10   ← Layer 3 source = PC-A (unchanged)       │
│    Dst IP:  10.0.3.100     ← Layer 3 destination = Server (unchanged) │
│    TTL:     128                                                       │
├───────────────────────────────────────────────────────────────────────┤
│  TCP Header  (Src: 52341, Dst: 80)                                    │
├───────────────────────────────────────────────────────────────────────┤
│  HTTP Payload  (GET / HTTP/1.1 ...)                                   │
├───────────────────────────────────────────────────────────────────────┤
│ FCS (Frame Check Sequence — CRC32 trailer)                            │
└───────────────────────────────────────────────────────────────────────┘

PC-A passes this frame down to Layer 1 — it is converted to electrical signals (or light pulses) and transmitted on the wire to SW1.

Related pages: Ethernet Standards | MAC Addresses | Frame Forwarding / MAC Table

8. Step 6 – The Switch Forwards the Frame (Layer 2 Only)

SW1 receives the frame on the port connected to PC-A. As a Layer 2 device, a switch reads only the Ethernet header — it does not examine the IP header at all. SW1 performs the following:

SW1 Action Detail
Learn source MAC Records AA:AA → Port 1 in its MAC address table (if not already present)
Look up destination MAC Searches CAM table for BB:BB (R1 Gi0/0)
Forward frame If BB:BB is in the CAM table, forwards out the associated port only. If not found, SW1 floods out all ports except the incoming port
FCS check Verifies the CRC; discards the frame if it fails

The switch does not modify the frame in any way (MAC addresses, IP addresses, TTL, or payload are all untouched). It simply forwards bits from one port to another at wire speed.

Related pages: How a Switch Works | MAC Address Table | MAC Address Table | VLANs | show mac address-table

9. Step 7 – Router R1: Decapsulation, Routing Decision, and Re-encapsulation

R1's Gi0/0 interface receives the frame from SW1. This is where the most important per-hop processing occurs. A router performs three distinct operations for every packet it forwards:

9.1 Layer 2 Decapsulation

R1 strips the entire Ethernet frame header and trailer (Dst MAC, Src MAC, EtherType, FCS). It verifies the FCS, then discards the Layer 2 wrapper entirely. It now holds only the raw IP packet. 

R1 receives on Gi0/0:
  Dst MAC: BB:BB ✓ (that's me) → accept and decapsulate
  Strip Ethernet header and FCS
  Now examining IP packet:
    Src IP:  192.168.1.10
    Dst IP:  10.0.3.100
    TTL:     128

9.2 Routing Table Lookup

R1 consults its routing table for the best match for destination 10.0.3.100 using the longest prefix match rule: 

R1# show ip route
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
C    10.0.1.0/30    is directly connected, GigabitEthernet0/1
S    10.0.3.0/24 [1/0] via 10.0.1.2          ← best match for 10.0.3.100

Result: Forward to next-hop 10.0.1.2 (R2 Gi0/0) via Gi0/1

R1 also decrements the TTL by 1 (128 → 127) and recalculates the IP header checksum. If the TTL reaches 0, R1 discards the packet and sends an ICMP Time Exceeded message back to the source — this is how traceroute works.

9.3 ARP for the Next Hop and Layer 2 Re-encapsulation

R1 now needs to forward the packet to 10.0.1.2 (R2). It checks its ARP cache for 10.0.1.2. If no entry exists, R1 ARPs on its Gi0/1 interface. Once R2's MAC (CC:CC) is resolved, R1 builds a brand new Ethernet frame with completely new MAC addresses: 

New Ethernet Frame — R1 to R2 (Hop 2)
┌───────────────────────────────────────────────────────────────────────┐
│ Dst MAC:  CC:CC  (R2 Gi0/0)   ← NEW Layer 2 destination              │
│ Src MAC:  DD:DD  (R1 Gi0/1)   ← NEW Layer 2 source                   │
│ EtherType: 0x0800 (IPv4)                                              │
├───────────────────────────────────────────────────────────────────────┤
│  IP Header                                                            │
│    Src IP:  192.168.1.10   ← UNCHANGED                                │
│    Dst IP:  10.0.3.100     ← UNCHANGED                                │
│    TTL:     127            ← decremented from 128                     │
├───────────────────────────────────────────────────────────────────────┤
│  TCP Header  (Src: 52341, Dst: 80)  ← UNCHANGED                      │
├───────────────────────────────────────────────────────────────────────┤
│  HTTP Payload  ← UNCHANGED                                            │
├───────────────────────────────────────────────────────────────────────┤
│ FCS (recalculated for this new frame)                                 │
└───────────────────────────────────────────────────────────────────────┘

This is the definitive illustration of the golden rule: MAC addresses change at every router hop; IP addresses do not.

Related pages: show ip route | How a Router Works | Administrative Distance

10. Step 8 – Router R2: Second Hop Processing

R2's Gi0/0 receives the frame from R1. R2 performs the same three-step process as R1:

R2 Action Detail
Decapsulate Layer 2 Strips the Ethernet frame (Dst CC:CC — that's R2's Gi0/0 ✓). Discards the old frame header and FCS
Read IP header Dst IP: 10.0.3.100 — check routing table
Routing table lookup 10.0.3.0/24 is directly connected, GigabitEthernet0/1 — the destination is on R2's directly connected network. No further routing hops needed
Decrement TTL TTL: 127 → 126. Recalculate IP checksum
ARP for destination host R2 needs the MAC address of 10.0.3.100 (the server). It ARPs on Gi0/1 (10.0.3.0/24 segment)
Re-encapsulate in new frame Builds a new Ethernet frame with R2 Gi0/1 as source MAC and the server's MAC (FF:FF) as destination MAC 
New Ethernet Frame — R2 to Server (Hop 3 / Final hop)
┌───────────────────────────────────────────────────────────────────────┐
│ Dst MAC:  FF:FF  (Server NIC)  ← NEW Layer 2 destination             │
│ Src MAC:  EE:EE  (R2 Gi0/1)   ← NEW Layer 2 source                   │
│ EtherType: 0x0800 (IPv4)                                              │
├───────────────────────────────────────────────────────────────────────┤
│  IP Header                                                            │
│    Src IP:  192.168.1.10   ← UNCHANGED throughout entire journey      │
│    Dst IP:  10.0.3.100     ← UNCHANGED throughout entire journey      │
│    TTL:     126            ← decremented again                        │
├───────────────────────────────────────────────────────────────────────┤
│  TCP Header  (Src: 52341, Dst: 80)  ← UNCHANGED                      │
├───────────────────────────────────────────────────────────────────────┤
│  HTTP Payload  ← UNCHANGED                                            │
├───────────────────────────────────────────────────────────────────────┤
│ FCS (recalculated again for this new frame)                           │
└───────────────────────────────────────────────────────────────────────┘

11. Step 9 – The Server Receives and Decapsulates the Frame

SW2 receives the frame from R2 and forwards it to the server's port based on its CAM table (same process as SW1 in Step 6). The server's NIC receives the frame and performs decapsulation from the bottom up:

Layer Server Action
Layer 1 – Physical NIC converts electrical/optical signal to bits
Layer 2 – Data Link Verifies FCS (CRC check). Checks destination MAC — FF:FF matches the server's own MAC ✓. Strips the Ethernet header and passes the IP packet up
Layer 3 – Network Checks destination IP — 10.0.3.100 matches the server's own IP ✓. Checks TTL (126 — still valid). Strips IP header and passes TCP segment up
Layer 4 – Transport Reads destination port 80 — hands data to the HTTP service listening on port 80. Checks sequence number and ACKs receipt
Layer 7 – Application HTTP server processes the GET request and prepares a response (200 OK + HTML body)

At this point, the original HTTP GET has successfully travelled from PC-A across two router hops to the web server. The server will now generate an HTTP response and send it back — following the exact same process in reverse, with PC-A's IP (192.168.1.10) as the destination.

12. Complete Hop-by-Hop Summary Table

The table below captures every change in the frame's headers at each point along the path. Study this table closely — exam questions frequently ask what the source/destination MAC or IP is at a specific hop.

Location Src MAC Dst MAC Src IP Dst IP TTL
PC-A → SW1 → R1 Gi0/0 AA:AA (PC-A) BB:BB (R1 Gi0/0) 192.168.1.10 10.0.3.100 128
R1 Gi0/1 → R2 Gi0/0 DD:DD (R1 Gi0/1) CC:CC (R2 Gi0/0) 192.168.1.10 10.0.3.100 127
R2 Gi0/1 → SW2 → Server EE:EE (R2 Gi0/1) FF:FF (Server) 192.168.1.10 10.0.3.100 126

Key observations from this table: the source and destination IP addresses are identical in every row. The MAC addresses are entirely different in every row. The TTL decrements by exactly 1 at each router. The TCP port numbers and HTTP payload are also identical in every row (not shown, but unchanged throughout).

13. Special Cases That Modify This Flow

13.1 NAT (Network Address Translation)

When a packet passes through a router performing NAT, the source IP address is changed — typically from a private RFC 1918 address to a public routable address. PAT (Port Address Translation) also modifies the source TCP/UDP port. This is the notable exception to the "IP addresses never change" rule.

13.2 VLANs and Inter-VLAN Routing

When traffic crosses VLANs via a Router-on-a-Stick / Inter-VLAN or a Layer 3 switch, the same MAC replacement process occurs at the routing boundary. The 802.1Q VLAN tag is added by the sending switch and stripped by the receiving switch or router sub-interface — it is not part of the original Ethernet frame structure.

13.3 ARP Proxy

In some configurations a router answers ARP requests on behalf of hosts in a remote subnet (Proxy ARP). The sending host believes the remote host is local and sends the frame directly to the router's MAC, which then routes it normally. Proxy ARP is enabled by default on Cisco IOS interfaces.

13.4 TTL Expiry and ICMP Time Exceeded

If a routing loop exists and a packet circulates indefinitely, the TTL counter will eventually reach 0 at some router. That router drops the packet and sends an ICMP Type 11 (Time Exceeded) message back to the original source IP. Traceroute exploits this behaviour deliberately — sending packets with TTL=1, then TTL=2, and so on — to map each hop's identity by collecting the ICMP Time Exceeded replies.

13.5 Fragmentation

If an IP packet is larger than the MTU of an outgoing interface (default 1500 bytes for Ethernet), the router fragments the packet into multiple smaller IP packets, each with its own IP header. Each fragment carries the same source/destination IP but includes fragmentation offset fields. The destination host (not intermediate routers) is responsible for reassembly. Path MTU Discovery (PMTUD) uses ICMP Type 3 Code 4 (Fragmentation Needed) messages to allow the source to reduce its packet size and avoid fragmentation altogether.

Related pages: NAT Overview | Static NAT | Dynamic NAT | PAT Lab | Inter-VLAN Routing | Router-on-a-Stick / Inter-VLAN | 802.1Q VLAN Tagging

14. Quick Reference – Packet Flow Rules

Rule Detail
IP addresses end-to-end Source and destination IP addresses do not change at any hop (unless NAT is in use)
MAC addresses local only Source and destination MAC addresses are replaced with new values at every router
TTL decrements at routers Each router decrements TTL by 1; drops packet and sends ICMP Time Exceeded when TTL = 0
ARP is always local ARP broadcasts never cross a router; ARP only resolves addresses on the local subnet
Switches are transparent A switch forwards frames without modifying any header field
Routers decapsulate and re-encapsulate At every router: strip old Layer 2 header → routing decision → build new Layer 2 header with new MACs
Default gateway for remote traffic If destination is not in the local subnet, the host always sends the frame to its default gateway's MAC address
Longest prefix match Routers always select the most specific matching route entry for the destination IP
FCS is per-link Each frame has its own FCS; it is recalculated for every new frame a router creates
TCP/UDP ports unchanged Source and destination ports in the Layer 4 header are not touched by routers or switches (unless PAT modifies the source port)

Related pages: OSI Layer Functions | TCP/IP Port Numbers | How a Router Works | How a Switch Works | Frame Forwarding / MAC Table | show ip route | show ip interface brief | End-to-End Troubleshooting Lab

Practice Quiz – How a Packet Travels Through a Network

1. PC-A (192.168.1.10/24) sends a packet to Server (10.0.3.100). What destination MAC address does PC-A place in the Ethernet frame?

Correct answer is B. When PC-A determines that the destination IP (10.0.3.100) is not on its local subnet (192.168.1.0/24), it sends the frame to its default gateway. The IP packet's destination IP remains 10.0.3.100 throughout the journey, but the Ethernet frame's destination MAC is set to the gateway's MAC address (R1 Gi0/0). This is why hosts must be configured with a default gateway — without one, they can only communicate within their own subnet.

2. A packet travels from PC-A through R1 and R2 to a server. Which header fields remain identical in every frame along the entire path?

Correct answer is C. The Layer 3 source and destination IP addresses, the Layer 4 TCP/UDP port numbers, and the application data payload are all unchanged from source to destination (assuming no NAT). MAC addresses change at every router hop. TTL decrements by 1 at each router (and the IP checksum is recalculated accordingly). The FCS is also recalculated for each new frame. Only Layers 3, 4, and above remain constant end-to-end.

3. Router R1 receives a frame, strips the Ethernet header, looks up the destination IP in its routing table, decrements the TTL, and then builds a new Ethernet frame. What MAC addresses does R1 use in the new frame?

Correct answer is A. When a router builds a new Ethernet frame for the outgoing segment, the source MAC is the router's own outgoing interface MAC address, and the destination MAC is the MAC of the next-hop device (resolved by ARP if not already in the ARP cache). The original sending host's MAC address is gone from this point forward — it only existed on the first hop. This MAC replacement at every router is the fundamental mechanism that allows Layer 2 frames to traverse different physical media types between hops while Layer 3 routing maintains end-to-end addressing.

4. Why does ARP use a broadcast for the request but a unicast for the reply?

Correct answer is D. An ARP request must be sent as a Layer 2 broadcast (FF:FF:FF:FF:FF:FF) because the sender does not know the MAC address of the target — that is precisely what it is asking for. Every device on the LAN segment receives the broadcast, but only the target (the device that owns the requested IP) responds. The target already knows the requester's MAC (it was included in the ARP request packet), so it can send the ARP reply directly as a unicast frame — no broadcast needed for the reply.

5. A packet arrives at R1 with TTL = 1. What does R1 do?

Correct answer is B. A router always decrements TTL by 1 before forwarding. If the result is 0, the router discards the packet and sends an ICMP Type 11 (Time Exceeded) message to the original source IP address. This mechanism prevents packets from circulating forever in a routing loop. It is also the mechanism traceroute relies on: by sending packets with TTL=1, 2, 3... each successive router sends back an ICMP Time Exceeded, revealing its IP address and RTT at that hop.

6. How does a switch differ from a router in how it processes a received frame?

Correct answer is C. A Layer 2 switch operates exclusively at the Data Link layer. It reads only the destination MAC address, looks it up in the CAM table, and forwards the frame out the appropriate port — without touching any header field. A router operates at Layer 3: it strips the entire Layer 2 frame, reads the Layer 3 IP header to make a routing decision, decrements the TTL, and then builds a completely new Layer 2 frame with new source and destination MAC addresses appropriate to the outgoing link.

7. PC-A sends a packet to Server at 10.0.3.100. The packet passes through R1 and R2. At which point does the destination MAC address in the frame equal the server's actual MAC address?

Correct answer is A. The server's MAC address only appears as the destination MAC in the very last frame — the one built by R2 and sent on the 10.0.3.0/24 network segment. R2 ARPs for the server's MAC on its directly connected segment (Gi0/1) and uses it as the destination MAC only for that final hop. On all previous hops, the destination MAC is the next router's interface MAC. PC-A never knows, and never needs to know, the server's MAC address.

8. Which of the following is the correct sequence of events when PC-A sends the very first packet to a server on a remote network, assuming all ARP caches are empty?

Correct answer is D. The complete sequence is: (1) Layer 3 builds the IP packet with the correct source and destination IPs. (2) Layer 3 compares the destination IP to the local subnet — determines it is remote. (3) PC-A ARPs for its default gateway's MAC (broadcast on local segment). (4) Layer 2 builds the Ethernet frame using the gateway's MAC as destination. (5) The frame is forwarded through the local switch to R1. (6) R1 decapsulates, looks up the route, ARPs for the next hop if needed, and re-encapsulates with new MACs. (7) This repeats at each router. (8) The final router ARPs for the server's MAC and delivers the frame. (9) The server decapsulates from Layer 2 upward.

← Back to Home