Encapsulation: Headers, Payloads, and Protocol Stacks
What This Concept Is
Encapsulation is how the layered model is realized on the wire.
When data goes down the stack, each layer:
- takes the message from the layer above as an opaque payload
- adds its own header (and sometimes trailer) of metadata
- hands the result to the layer below
When data goes up the stack at the receiver, each layer strips its own header, inspects it, and passes the remaining payload up.
The header contains everything that layer needs to do its job: addresses, length, flags, checksums, sequence numbers, type-of-next-header hints. The payload is none of its business.
Why It Matters Here
Encapsulation explains why a single Ethernet frame on your NIC contains, in order: an Ethernet header, an IP header, a TCP header, a TLS record, an HTTP request. It also explains why tcpdump output looks the way it does: you are watching bytes that carry five layers of structure at once.
Every protocol decision downstream -- MTU, fragmentation, checksums, offload -- is an encapsulation decision.
Concrete Example
A TCP segment carrying 100 bytes of HTTP sent over Ethernet looks roughly like:
+----------------+----------------+----------------+-------------+-------------+--------+
| Ethernet hdr | IP hdr | TCP hdr | HTTP req | ... | FCS |
| 14 bytes | 20 bytes | 20 bytes | 100 bytes | | 4 bytes|
| src/dst MAC | src/dst IP | src/dst port | "GET / ..." | | |
| type=0x0800 | proto=6 (TCP) | seq, ack, flags| | | |
+----------------+----------------+----------------+-------------+-------------+--------+
^ ^
| frame on the wire (~158 bytes total) |
The type field in the Ethernet header says "next is IP." The proto field in the IP header says "next is TCP." Each header points to the one above it.
Common Confusion / Misconception
"The payload is just the user's message." No. From the perspective of the IP layer, the entire TCP segment -- TCP header plus HTTP bytes -- is payload. From the perspective of the link layer, the entire IP packet is payload. Payloads nest.
Related trap: MTU is a link-layer property, but it constrains all the upper layers because they all have to fit inside one frame (or fragment).
How To Use It��
For any packet you see or design:
- Identify the outermost header.
- Read its "next protocol" indicator.
- Move the cursor past it to the next header.
- Repeat until you hit an application payload.
This is exactly what tcpdump, wireshark, and every NIC driver do.
Check Yourself
- If a TCP segment has a 20-byte header and the TCP payload is 1460 bytes, and the IP header is 20 bytes, how big is the IP packet?
- Why does the IP header need a
protocolfield at all? - What would happen if the link layer lost the Ethernet header's type field?
- Why does every layer have its own checksum instead of one checksum for the whole frame?
- Why are MTU-related problems a cross-layer concern even though MTU is a link-layer property?
Mini Drill or Application
Draw a boxed encapsulation diagram for each:
- A DNS query over UDP/IPv4/Ethernet.
- A TCP SYN over IPv4/Ethernet (no application payload).
- An HTTPS GET: Ethernet / IPv4 / TCP / TLS record / HTTP.
Label at least the source/destination fields at each layer.
Related Gotchas
Two encapsulation pitfalls worth remembering before you hit them in production:
- MTU and fragmentation. Every link has a maximum frame size (1500 bytes is typical Ethernet MTU). If an IP packet is larger, either IP fragments it (IPv4) or the sender is told to do "path MTU discovery" (IPv6). When this breaks -- often because a firewall drops the needed ICMP -- connections stall after the handshake. This is one of the most common "mysterious" bugs on the Internet.
- Tunneling and double headers. VPNs and overlays (VXLAN, WireGuard, GRE) wrap an entire packet as the payload of another. The inner IP header and outer IP header both exist, and each encapsulation costs MTU budget. Ignoring this is why "the VPN works for small requests and breaks on big uploads."