IP packet header

IP uses 32 bit words, aka 4 octect (byte) words.
IP headers are usually 20 bytes, or 5 words.
tcpdump -x displays four words on a line. This is an ICMP echo:

        4500 0054 162f 4000 ff01 2e3f a0a0 a0a0
        a0a0 a0a1

IP Version
4 bits
(usually 4)

Header Len
4 bits
(in 32 bit words)
(usually 5)

TOS (Type of Service)
8 bits (3,1,1,1,2)

Precedence
0=normal, 7=network control

D
low delay

T
high thru

R
high reli

Unused
proposed: ECN

Total Length
16 bits
(in octets) including header and data

Identification
16 bits

Flags
3 bits

Fragment Offset
13 bits
(in 32 bit words)

Time to live
8 bits
(in hops)

Protocol
8 bits
(01=ICMP, 06=TCP, 0x11=UDP)

Header checksum
16 bits

Source IP address 10.10.10.10
32 bits

Destination IP address 10.10.10.11
32 bits

IP options (if any)
variable length
Since the Header length (5 means no options, or 20 bytes) is specified in 32 bit words, the options and padding fields need to end on a word boundary

Padding
(if needed)

ICMP Packets

Each ICMP message has its own format but they all start with the same word: type (8 bits), code (8 bits), and checksum (16 bits)

09:22:30.840043 10.10.10.10 > 10.10.10.11: icmp: echo request (DF)

   4500 0054 162f 4000 ff01 2e3f 0a0a 0a0a first 20 bytes = IP header
   0a0a 0a0b 0800 c5ca 2bdf 0000 3ac2 0fc6 next 4+ bytes = ICMP header
   1415 1617 1819

IP Version Header Len Service type Total Length
Identification Frag flags & offset
Time to live Protocol 01 Header checksum
Source IP address
Destination IP address
Type
8 bits Code
8 bits Checksum
Identifier
16 bits Seq number
16 bits
...data...

UDP Datagrams

UDP datagram headers are eight bytes

IP Version	Header Len	Service type	Total Length
Identification			Frag flags & offset
Time to live		Protocol 0x11	Header checksum
Source IP address
Destination IP address
UDP Source Port 16 bits			UDP Destination Port 16 bits
UDP Message length 16 bits			UDP checksum 16 bits
...Data... (if any)

TCP packets

TCP headers are usually 20 bytes

23:06:01.790441 10.10.10.10.32934 > 10.10.10.11.23: . ack 79 win 8760 (DF)

   4500 0028 39ef 4000 ff06 5874 0a0a 0a0a first 20 bytes = IP header
   0a0a 0a0b 80a6 0017 9c71 8519 c511 9503 next 20 bytes = TCP header
   5010 2238 a7d2 0000

IP Version Header Len Service type Total Length
Identification Frag flags & offset
0x4000 means DF
Time to live Protocol 06 Header checksum
Source IP address 10.10.10.10
Destination IP address 10.10.10.11
Source Port 32934
16 bits Destination Port 23
16 bits
Sequence number
32 bits
Acknowledgement number
32 bits
Header length
4 bits Reserved
6 bits 6 Code bits

URG
20 ACK
10 PSH
08 RST
04 SYN
02 FIN
01
Windows size
16 bits
Checksum
16 bits Urgent Pointer
16 bits
Options (if any)
Since the Header length (5 means no options, or 20 bytes) is specified in 32 bit words, the options and padding fields need to end on a word boundary Padding
(if needed)

...Data... (if any)

Example

display all but the TCP data stream packets

    sudo tcpdump -i eth-s2p2c0 'tcp[13] & 0x18 == 0' or not tcp

display interesting packets, TCP (non-payload), not IPSEC, others

    sudo tcpdump -n -i xl0 'ip[9]!=50 and (tcp[13] & 0x18 == 0 or not tcp )'

4500	0054	162f	4000	ff01	2e3f	0a0a	0a0a	first 20 bytes = IP header
0a0a	0a0b	0800	c5ca	2bdf	0000	3ac2	0fc6	next 4+ bytes = ICMP header
1415	1617	1819

4500	0028	39ef	4000	ff06	5874	0a0a	0a0a	first 20 bytes = IP header
0a0a	0a0b	80a6	0017	9c71	8519	c511	9503	next 20 bytes = TCP header
5010	2238	a7d2	0000