The value in the upper layer protocol field is 01 (ICMP)
The IP header length is 20. The total length of the datagram is 84, meaning the payload is 64 bytes.
This IP datagram has not been fragmented. We can tell because all flags, as well as the fragmentation offset, are 0.
The identification and checksum fields always change from one datagram to the next.
The other fields, except for the TTL field, stay constant. The protocol, source, and destination fields must stay constant. The identification and checksum (because it is a function in part of the identification field) must change.
The identification field appears to be incremented by 1 for each datagram sent.
The value of the identification field of the first ICMP TTL-exceeded reply is 36949. The TTL value is 64.
The identification value changes for each reply. The TTL value stays the same.
The first UDP message of packet size 2000 has been fragmented across two IP datagrams.
The first fragment has the “More fragments” flag set. It has a fragmentation offset of 0. It has a total length of 1500 (the length of an Ethernet frame):
The second fragment indicates that it is not the first fragment by having a “Fragment offset” value greater than 0. There are no more fragments, as indicated by the “More fragments” bit being set to 0:
The fields that change between the first and second fragments are: total length, flags (more fragments), and fragment offset.
The UDP message of 3500 bytes is split into three fragments.
The first fragment has a total length of 1500, the “More fragments” flag set, and a fragment offset of 0. The second has a total length of 1500, the “More fragments” flag set, and a fragment offset of 1480. The third has a total length of 540, the “More fragments” flag not set, and a fragment offset of 2960 (2960 + 540 = 3500).