If you’ve ever opened Wireshark and thought, “Why does one tiny web request explode into so many headers?”, you’re already staring at encapsulation in action.
Encapsulation is the networking equivalent of packing a fragile item for shipping: the same payload gets wrapped multiple times – each wrap adds exactly the information needed for the next stage of delivery. The application cares about meaning (an HTTP request). TCP cares about reliability and ordering. IP cares about routing across networks. Ethernet (or Wi-Fi) cares about moving frames across a local link. None of those layers needs to understand the entire message – each one adds a small, structured header so its peer on the other side can do its job.
In this article, we’ll walk through encapsulation in computer networks step by step, using real packet-style examples (with fields you’ll actually see in captures). By the end, you’ll be able to look at any packet and confidently answer: What’s the payload here? Which layer added this header? And what problem is that header solving?
In this article:
- Why encapsulation exists (and what it is)
- The mechanics: headers, payloads, and peer-to-peer control
- Encapsulation in computer networks step by step (the full journey)
- Real packet example #1: “One HTTP GET” broken into layers
- Real packet example #2: Encapsulation changes per hop (re-encapsulation)
- Encapsulation edge cases you actually meet
- How to learn this fast with Wireshark (mini-lab)
- Summary + “mental checklist”
1. Why encapsulation exists (and what it is)
At its core, encapsulation is the mechanism that allows complex networks to work without becoming unmanageable.
Modern computer networks are built as layered systems. Each layer solves a specific problem—application semantics, reliability, routing, or local delivery—without needing to understand how the other layers are implemented. Encapsulation is what makes this separation possible.
Encapsulation is the process by which:
- A layer receives data from the layer above,
- Treats that data as an opaque payload,
- Adds its own control information (a header, and sometimes a trailer),
- Passes the resulting data unit down to the next layer.
This happens repeatedly until the data is transmitted as bits over a physical medium. On the receiving side, the process is reversed through decapsulation, where each layer removes and interprets its own header before passing the remaining payload upward.
A crucial point often missed by beginners—but emphasized in the literature—is this:
Each layer communicates logically with its peer layer on the remote host, even though data physically travels through all layers.
Encapsulation enables this illusion. The TCP header added on the sender is interpreted only by TCP on the receiver. IP headers are read by routers along the path. Ethernet headers are relevant only on the local link. Each layer adds just enough information to solve its problem, and nothing more.
Without encapsulation, every network component would need to understand the entire application data structure. Scalability, interoperability, and innovation would collapse.
2. The mechanics: headers, payloads, and peer-to-peer control
To understand encapsulation properly, you need to be precise about three terms: payload, header, and protocol data unit (PDU).
Payload
A payload is the data a layer carries on behalf of the layer above.
From TCP’s perspective, an HTTP request is just a sequence of bytes. TCP does not care whether those bytes represent HTML, JSON, or an image.
This abstraction is fundamental:
- TCP does not parse HTTP.
- IP does not understand TCP semantics.
- Ethernet does not know what an IP address means.
Each layer treats the payload as opaque.
Header
A header is structured control information added by a layer so that its peer layer can correctly interpret the payload.
Examples:
- TCP headers enable reliability (sequence numbers, acknowledgments).
- IP headers enable routing (source/destination IP, TTL).
- Ethernet headers enable local delivery (MAC addresses).
Headers are not for the layer above or below—they are for the same layer at the destination (or, in IP’s case, also for routers).
Some layers also add a trailer, most commonly at the link layer, where integrity checks such as a Frame Check Sequence (FCS) are appended.
Protocol Data Units (PDUs)
As encapsulation progresses, the same data is referred to by different names:
- Message (Application layer)
- Segment (Transport layer, e.g. TCP)
- Packet / Datagram (Network layer, IP)
- Frame (Link layer)
These are not different “things”—they are the same data, wrapped in different headers as it moves down the stack.
3. Encapsulation in computer networks step by step (the full journey)
Let’s now walk through encapsulation in computer networks step by step, using a concrete and realistic example:
A web browser requests a page from a server.
Step 1 — Application Layer: Creating the Message
The process starts at the application layer.
The browser generates an HTTP request, such as:
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
At this point:
- This is an application message
- There are no transport, network, or link headers
- The data has meaning only to HTTP-aware applications
The application layer does not know—or care—how this message will reach the server.
Step 2 — Transport Layer: TCP Encapsulation
The HTTP message is passed to the transport layer, typically TCP.
TCP encapsulates the application message by adding a TCP header containing:
- Source and destination ports
- Sequence and acknowledgment numbers
- Flags (SYN, ACK, PSH, FIN, etc.)
- Flow control information (window size)
After encapsulation, we now have:
[TCP Header][HTTP Message]
This unit is called a TCP segment.
Why this matters:
- TCP enables reliable, ordered delivery
- Retransmissions and congestion control happen here
- TCP still does not care what the payload means
Step 3 — Network Layer: IP Encapsulation
The TCP segment is then passed to the network layer.
IP adds its own IP header, which includes:
- Source and destination IP addresses
- Time To Live (TTL)
- Protocol identifier (e.g. “this payload is TCP”)
The result becomes:
[IP Header][TCP Header][HTTP Message]
This is an IP packet (or datagram).
Why this matters:
- IP enables routing across multiple networks
- Routers forward packets based on the IP header
- IP does not guarantee delivery or order
Step 4 — Link Layer: Frame Encapsulation
Finally, the IP packet is passed to the link layer (e.g. Ethernet or Wi-Fi).
The link layer adds:
- Source and destination MAC addresses
- A type field (e.g. IPv4)
- A trailer for error detection (conceptually)
Now we have:
[Ethernet Header][IP Header][TCP Header][HTTP Message][Trailer]
This is a frame, ready to be transmitted as bits.
Each hop along the path will:
- Remove the link-layer header
- Forward the IP packet
- Re-encapsulate it in a new link-layer frame
At the destination, the process runs in reverse—decapsulation—until the original HTTP message is delivered to the application.
At this point, encapsulation has done its job:
every layer solved its problem independently, yet the system worked as a coherent whole.
4. Real packet example #1: “One HTTP GET” broken into layers
Theory really clicks when you can map it to a single, concrete packet. In this section, we’ll take one realistic HTTP request and walk through how it appears after full encapsulation, exactly as you would see it in a packet capture.
Scenario:
A client with IP192.168.1.10requests/index.htmlfrom a web server at93.184.216.34(example.com) over HTTP.
4.1 Application Layer: HTTP Message (Payload)
The browser generates the following HTTP request:
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
At this point:
- This is pure application data
- No addressing, no reliability, no routing information
- Meaning exists only at the application layer
From now on, every lower layer will treat this entire block as opaque bytes.
4.2 Transport Layer: TCP Segment
TCP encapsulates the HTTP message by prepending a TCP header.
TCP Header (key fields):
Source Port: 51514
Destination Port: 80
Sequence Number: 123456789
Acknowledgment: 987654321
Flags: PSH, ACK
Window Size: 64240
Resulting structure:
[TCP Header]
[HTTP Message]
What TCP contributes:
- Identifies the application via ports
- Ensures ordered and reliable delivery
- Allows the receiver to reassemble the byte stream
Important detail:
- TCP does not know this is HTTP
- The HTTP request is simply the TCP payload
At this stage, the data unit is a TCP segment.
4.3 Network Layer: IP Packet
The TCP segment is passed down to IP, which adds its own header.
IP Header (key fields):
Version: IPv4
Source IP: 192.168.1.10
Destination IP: 93.184.216.34
TTL: 64
Protocol: 6 (TCP)
Total Length: 1500 (example)
Resulting structure:
[IP Header]
[TCP Header]
[HTTP Message]
What IP contributes:
- End-to-end logical addressing (IP addresses)
- Routing across multiple networks
- Hop limitation via TTL
Critical insight:
- Routers inspect only the IP header
- The TCP segment and HTTP data are not modified by routers
This data unit is now an IP packet (or datagram).
4.4 Link Layer: Ethernet Frame
The IP packet is delivered to the link layer for local transmission.
Ethernet Header (key fields):
Destination MAC: 00:1A:2B:3C:4D:5E
Source MAC: 00:11:22:33:44:55
EtherType: 0x0800 (IPv4)
Ethernet Trailer (conceptual):
Frame Check Sequence (FCS)
Final on-the-wire structure:
[Ethernet Header]
[IP Header]
[TCP Header]
[HTTP Message]
[Ethernet Trailer]
What Ethernet contributes:
- Local delivery on the current network
- MAC addressing valid only for this link
- Error detection via FCS
Key practical point:
- Ethernet headers change at every hop
- The IP packet inside remains logically the same end-to-end
At this moment, encapsulation is complete. The frame is converted into bits and transmitted.
(see article: What is a Network Frame?)
4.5 Seeing This in Wireshark (How to Read It)
When you open this packet in Wireshark, you will see the exact same layering:
- Frame
- Capture metadata (length, arrival time)
- Ethernet II
- Source MAC, Destination MAC
- Internet Protocol Version 4
- Source IP, Destination IP, TTL
- Transmission Control Protocol
- Ports, sequence numbers, flags
- Hypertext Transfer Protocol
GET /index.html HTTP/1.1
A powerful mental check:
- The payload of each layer is the entire data unit of the layer above
- Remove one header at a time, and you climb the stack
4.6 Why This Example Matters
This single packet illustrates the essence of encapsulation:
- The same HTTP request is carried unchanged
- Each layer adds just enough information to solve its problem
- No layer needs to understand the internals of the others
Once you can mentally decompose a packet like this, packet captures stop looking chaotic—and start telling a very precise story.
5. Real packet example #2: Encapsulation changes per hop (re-encapsulation)
A very common misunderstanding is to imagine a packet travelling across the Internet unchanged from source to destination. In reality, only part of the packet remains stable end-to-end. Other parts are replaced at every hop. Understanding this distinction is essential to truly grasp encapsulation.
This section explains re-encapsulation—what changes at each hop, what does not, and why this design is fundamental to how the Internet scales.
(see article: What is a Network Hop?)
5.1 End-to-End vs. Hop-by-Hop Responsibilities
Each layer in the network stack operates over a different scope:
- Application and Transport layers operate end-to-end (host to host)
- Network layer (IP) operates end-to-end, but is visible to routers
- Link layer operates hop-by-hop
Encapsulation reflects this division of responsibility.
When a frame arrives at a router:
- The link-layer header and trailer are removed
- The IP packet is inspected
- A new link-layer header and trailer are added
- The frame is forwarded on the next link
This repeated process is called re-encapsulation.
5.2 What Stays the Same Across the Network
Despite passing through many routers, some parts of the packet are intentionally preserved.
Application data
The original HTTP request or response remains unchanged. Intermediate devices do not inspect or modify application payloads.
TCP header (mostly)
- Source and destination ports stay the same
- Sequence and acknowledgment numbers remain valid
- TCP state is maintained only by the endpoints
Routers do not interpret TCP semantics.
IP source and destination addresses
- These identify the end hosts
- They remain constant from sender to receiver
This end-to-end stability is what allows transport protocols like TCP to function correctly across heterogeneous networks.
5.3 What Changes at Every Hop
Now to the crucial part: what changes on each link.
Link-layer headers and trailers
Every physical or logical link has its own addressing and framing:
- Ethernet uses MAC addresses
- Wi-Fi uses different frame formats
- Point-to-point links use yet another format
As a result:
- Source and destination MAC addresses are rewritten at every hop
- A new trailer (e.g. FCS) is calculated for each link
Each frame is valid only for the current link.
IP Time To Live (TTL)
One IP field is deliberately modified by routers:
- The TTL value is decremented by 1 at each hop
- When TTL reaches zero, the packet is discarded
TTL prevents routing loops from circulating packets indefinitely. (see what is Time To Live)
5.4 A Concrete Hop-by-Hop Example
Consider a simple path:
Client → Router A → Router B → Server
On the first link (Client → Router A):
Ethernet:
Src MAC: Client MAC
Dst MAC: Router A MAC
IP:
Src IP: 192.168.1.10
Dst IP: 93.184.216.34
TTL: 64
On the second link (Router A → Router B):
Ethernet:
Src MAC: Router A MAC
Dst MAC: Router B MAC
IP:
Src IP: 192.168.1.10
Dst IP: 93.184.216.34
TTL: 63
On the final link (Router B → Server):
Ethernet:
Src MAC: Router B MAC
Dst MAC: Server MAC
IP:
Src IP: 192.168.1.10
Dst IP: 93.184.216.34
TTL: 62
Notice the pattern:
- MAC addresses change every hop
- IP addresses remain constant
- TTL decreases
- TCP and application data are untouched
This is re-encapsulation in action.
5.5 Why the Internet Is Designed This Way
This design is not accidental—it is what makes the Internet scalable and robust.
If routers had to:
- Understand application data, or
- Maintain transport-layer state,
the network would:
- Become slower
- Lose interoperability
- Fail under scale
Instead:
- Routers make fast, local decisions
- End systems handle complex logic
- Encapsulation cleanly separates concerns
This separation is one of the core architectural principles highlighted in both classic and modern networking literature.
5.6 A Key Takeaway for Packet Analysis
When analysing packets in Wireshark, always ask:
- Is this field end-to-end or hop-by-hop?
- Which layer added this header?
- Could this value change at the next hop?
Once you internalise re-encapsulation, you stop thinking in “packets moving” and start thinking in layers cooperating—which is the mental shift that marks real understanding of computer networks.
6. Encapsulation edge cases you actually meet
Encapsulation works cleanly in the “happy path”, but real networks introduce constraints and design patterns that slightly bend the model. Two edge cases come up frequently in practice—and are worth understanding early.
MTU and Fragmentation: Why Size Matters
Every link has a Maximum Transmission Unit (MTU), which limits how large a frame can be. If an IP packet is larger than the MTU of the next link, it cannot be sent as-is.
In IPv4, this may lead to IP fragmentation:
- The original IP packet is split into multiple fragments
- Each fragment becomes its own IP datagram
- Each fragment is independently encapsulated at the link layer
- Reassembly happens only at the final destination
This means fragmentation multiplies packets, increases overhead, and raises loss sensitivity—one lost fragment invalidates the whole packet. Modern networks try to avoid this via Path MTU Discovery.
Tunneling and Overlays: Encapsulation Inside Encapsulation
In tunneling, an entire packet is treated as payload and wrapped inside another packet:
[Outer IP][Outer Transport][Inner IP][Inner TCP][Data]
Intermediate routers see only the outer headers; the inner packet is invisible to them. This is foundational to VPNs, overlays, and modern data-center networking.
A Modern Note: VLANs and VXLAN
Technologies like VLAN and VXLAN extend this idea further by adding extra “wrapping” layers, allowing logical networks to exist independently of the physical infrastructure.
Encapsulation isn’t just theory—it’s a tool networks use constantly to adapt, scale, and evolve.
(see article: What is a VLAN?)
7. How to learn this fast with Wireshark (mini-lab)
Encapsulation becomes intuitive once you see it. This short Wireshark mini-lab is enough to lock the concept in permanently.
To download Wireshark click here.
Step 1 — Capture a Simple Request
Start a capture on your active interface and generate traffic:
- Visit an HTTP site (for clear text), or
- Visit an HTTPS site and focus on the TCP/TLS handshake (still useful for headers).
Stop the capture once you see a few packets.
Step 2 — Expand the Layers
Click on a packet and expand the protocol tree, one layer at a time:
- Frame
- Ethernet
- Internet Protocol (IP)
- Transmission Control Protocol (TCP)
- HTTP (if visible) or TLS
This vertical expansion is literally the encapsulation stack. You are seeing headers added layer by layer.
Step 3 — Identify Payload Boundaries
At each layer, observe:
- Where the header ends
- Where the payload begins
Key insight:
- The payload of Ethernet is the entire IP packet
- The payload of IP is the TCP segment
- The payload of TCP is application data (HTTP, TLS records, etc.)
Wireshark highlights this perfectly once you know where to look.
Step 4 — Follow the Conversation
Right-click a TCP packet and choose “Follow → TCP Stream”.
This reconstructs the application-layer byte stream and strips away all lower-layer headers—showing you exactly what TCP was carrying.
Step 5 — Export and Inspect
For deeper learning:
- Use “Export Packet Bytes”
- Compare raw bytes with decoded fields
Once you do this a few times, encapsulation stops being abstract.
You’ll start reading packets by layer, automatically—and that’s the real goal.
8. Summary + “mental checklist”
Encapsulation is not just a technical detail—it is the organizing principle that allows computer networks to scale, evolve, and remain interoperable.
Throughout this article, we followed encapsulation in computer networks step by step, starting with an application message and watching it be wrapped—layer by layer—until it became bits on the wire. Each layer added a header with a clear purpose, solved its own problem, and passed the result downward without needing to understand the layers above or below.
When analysing packets, troubleshooting issues, or studying protocol behaviour, use this simple mental checklist:
- What layer am I looking at?
(Application, Transport, Network, or Link?) - What’s the payload right now?
(Which upper-layer data is being carried?) - Which header was added here, and what problem does it solve?
(Reliability, routing, local delivery, or application semantics?)
If you can answer these three questions, packet captures stop being overwhelming and start making sense. Encapsulation turns a complex system into a set of small, cooperating mechanisms—and once you see that, computer networking becomes far more approachable and logical.