How the Linux Kernel Processes Packets

Posted on June 17, 2026 by ron
Category: Networking

Introduction

Every time a Linux system loads a web page, sends an email, streams a video, or connects to a remote server, network packets travel through the Linux kernel. While applications such as web browsers and SSH clients generate and consume data, it is the kernel that performs the actual work of moving packets between hardware, network protocols, and user-space applications.

The Linux networking stack is one of the most sophisticated components of the operating system. It handles packet reception, routing, firewall filtering, protocol processing, traffic shaping, and delivery to applications. Understanding how packets move through the kernel provides valuable insight into networking, security, performance tuning, and operating system design.

What Is a Packet?

A packet is a unit of data transmitted across a network.

When an application sends information, the data is divided into smaller pieces called packets. Each packet contains:

  • Payload data
  • Source address
  • Destination address
  • Protocol information
  • Error-checking information

Packets allow large amounts of data to be transmitted efficiently and reassembled at the destination.

The Journey Begins: Receiving a Packet

When a packet arrives at a Linux system, it first reaches the network interface card (NIC).

Examples of network interfaces include:

  • Ethernet adapters
  • Wi-Fi adapters
  • Virtual network interfaces
  • VPN interfaces

The NIC receives electrical, optical, or radio signals and converts them into digital data that the operating system can process.

Once the NIC receives a packet, it generates an interrupt to notify the CPU that new data has arrived.

Interrupt Handling

An interrupt is a signal sent to the CPU indicating that immediate attention is required.

Without interrupts, the CPU would need to constantly check network devices for incoming traffic, wasting valuable processing time.

When a packet arrives:

  1. The NIC raises an interrupt.
  2. The CPU pauses its current task.
  3. The kernel executes the network driver’s interrupt handler.
  4. The packet is transferred into kernel memory.

Modern Linux systems often use interrupt mitigation and polling techniques such as NAPI (New API) to improve performance under heavy network loads.

Network Device Drivers

Every network adapter requires a device driver.

The driver acts as a translator between the hardware and the kernel networking subsystem.

Responsibilities include:

  • Receiving packets
  • Transmitting packets
  • Managing hardware buffers
  • Handling interrupts
  • Configuring network hardware

The driver delivers received packets to the Linux networking stack for further processing.

The sk_buff Structure

Inside the Linux kernel, packets are represented by a structure called sk_buff, commonly referred to as an skb.

The sk_buff structure contains:

  • Packet data
  • Protocol information
  • Routing information
  • Interface information
  • Metadata used throughout packet processing

Nearly every networking subsystem within Linux interacts with sk_buff structures.

Many Linux networking developers consider the skb to be the fundamental object of the networking stack.

Entering the Network Stack

After the packet is received by the driver and stored in an sk_buff structure, it enters the kernel networking stack.

The kernel examines the packet headers to determine:

  • Protocol type
  • Source address
  • Destination address
  • Network interface
  • Processing requirements

The packet then moves through multiple layers of protocol processing.

Layer 2 Processing

At Layer 2, Linux processes Ethernet frames.

The kernel examines:

  • Source MAC address
  • Destination MAC address
  • EtherType field

The EtherType identifies the payload protocol.

Common examples include:

  • IPv4
  • IPv6
  • ARP

If the frame is invalid, the kernel discards it immediately.

Valid frames continue into higher protocol layers.

ARP Processing

If the packet contains an Address Resolution Protocol (ARP) request, Linux processes it separately from IP traffic.

ARP is used to map IP addresses to MAC addresses.

For example:

A computer wants to communicate with 192.168.1.20 but only knows its IP address.

The system sends an ARP request asking:

“Who owns 192.168.1.20?”

The target system responds with its MAC address.

Linux maintains an ARP cache to avoid repeating these lookups unnecessarily.

Layer 3 Processing: IP

Most packets eventually reach the Internet Protocol layer.

The kernel validates:

  • Source IP address
  • Destination IP address
  • Header integrity
  • Packet length
  • Fragmentation information

The kernel then determines whether the packet is:

  • Intended for the local machine
  • Intended for forwarding
  • Invalid and should be dropped

This decision is critical because Linux often acts as both a host and a router.
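
The Layer 2 and Layer 3 checks described above, as an added user-space example (not kernel code and not from the original post): it reads the EtherType, validates the IPv4 header fields the list names, and returns a deliver, forward, or drop verdict. The sample frame, the verdict names, and the `classify` function are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { DROP, NOT_IPV4, LOCAL_DELIVER, LOCAL_REASSEMBLE, FORWARD };

/* Constructed sample: Ethernet II + IPv4 (192.168.1.10 -> 192.168.1.20) + UDP header.
   Non-const so a caller can corrupt bytes and watch the verdict change. */
uint8_t sample_frame[42] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,               /* dst MAC, src MAC, EtherType */
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0xf7,0x61, /* version/IHL .. checksum */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,                      /* source, destination */
    0x30,0x39,0x00,0x35, 0x00,0x08,0x00,0x00 };                    /* UDP 12345 -> 53, len 8 */

/* One's-complement sum of 16-bit words; a header with a correct checksum sums to 0xffff. */
static uint16_t ones_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)p[i] << 8 | p[i + 1];
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* local_ip is this host's address in host byte order; forwarding models routing on/off. */
enum verdict classify(const uint8_t *f, size_t len, uint32_t local_ip, int forwarding) {
    if (len < 14) return DROP;                               /* truncated Ethernet header */
    if ((f[12] << 8 | f[13]) != 0x0800) return NOT_IPV4;     /* ARP, IPv6: other handlers */
    const uint8_t *ip = f + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return DROP;        /* too short or wrong version */
    size_t ihl = (ip[0] & 0x0f) * 4u, tot = (size_t)ip[2] << 8 | ip[3];
    if (ihl < 20 || ihl > avail) return DROP;                /* header length out of range */
    if (tot < ihl || tot > avail) return DROP;               /* length field exceeds frame */
    if (ones_sum(ip, ihl) != 0xffff) return DROP;            /* header checksum mismatch */
    uint32_t dst = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | (uint32_t)ip[18] << 8 | ip[19];
    int frag = (ip[6] & 0x20) || (ip[6] & 0x1f) || ip[7];    /* MF set or offset != 0 */
    if (dst == local_ip) return frag ? LOCAL_REASSEMBLE : LOCAL_DELIVER;
    if (!forwarding || ip[8] <= 1) return DROP;              /* not a router, or TTL expired */
    return FORWARD;
}

int main(void) {
    static const char *name[] = { "DROP", "NOT_IPV4", "LOCAL_DELIVER", "LOCAL_REASSEMBLE", "FORWARD" };
    puts(name[classify(sample_frame, sizeof sample_frame, 0xC0A80114u, 0)]);
    return 0;
}
```

Every length check runs before the field it guards is read, so a frame whose header claims more data than actually arrived is dropped instead of being parsed past the end of the buffer.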

Routing Decisions

The Linux routing subsystem determines where packets should go next.

The kernel consults its routing table.

Administrators can view routing information using:

ip route

The routing table contains information about:

  • Directly connected networks
  • Gateway routes
  • Default routes
  • Static routes
  • Dynamic routes

Based on this information, Linux decides how to forward or deliver the packet.

Netfilter and Firewall Processing

One of the most important packet-processing stages is Netfilter.

Netfilter provides the framework used by:

  • nftables
  • iptables
  • connection tracking
  • network address translation (NAT)

As packets move through the kernel, they pass through various hooks where firewall rules can inspect them.

The kernel may:

  • Accept packets
  • Reject packets
  • Drop packets
  • Modify packets
  • Redirect packets

This framework provides the foundation for Linux firewalls.

Connection Tracking

Linux maintains a connection tracking table for stateful firewalling.

The kernel records information about active connections such as:

  • Source addresses
  • Destination addresses
  • Protocols
  • Connection states

Examples of connection states include:

  • NEW
  • ESTABLISHED
  • RELATED
  • INVALID

Stateful filtering allows firewalls to make intelligent decisions about traffic.
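
A simplified model of how a tracking table yields the NEW, ESTABLISHED, and INVALID states for TCP, as an added example (not the kernel's nf_conntrack code and not from the original post). It assumes only a bare SYN may open a flow, ignores TCP sequence checks and timeouts, and omits RELATED, which needs protocol-specific knowledge; the tuples, the table size, and `ct_track` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_INVALID };
enum { TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };

struct tuple { uint32_t src, dst; uint16_t sport, dport; };
struct conn  { struct tuple orig; int used, seen_reply; };

static struct conn table[64];            /* toy table; the kernel hashes tuples instead */

/* Constructed sample flows (documentation addresses, hypothetical ports). */
const struct tuple client_out = { 0xC0000205, 0xC6336407, 40000, 443 }; /* 192.0.2.5 -> 198.51.100.7 */
const struct tuple server_in  = { 0xC6336407, 0xC0000205, 443, 40000 }; /* its reply direction */
const struct tuple stranger   = { 0xCB007109, 0xC0000205, 443, 40001 }; /* 203.0.113.9, no flow */

static int same(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport;
}

/* Classify one TCP segment by its addresses, ports and flags, updating the table. */
enum ct_state ct_track(struct tuple t, uint8_t flags) {
    struct tuple rev = { t.dst, t.src, t.dport, t.sport };
    struct conn *slot = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        struct conn *c = &table[i];
        if (!c->used) { if (!slot) slot = c; continue; }
        if (same(&c->orig, &rev)) { c->seen_reply = 1; return CT_ESTABLISHED; }
        if (same(&c->orig, &t)) return c->seen_reply ? CT_ESTABLISHED : CT_NEW;
    }
    /* Untracked flow: only a bare SYN creates an entry; a full toy table refuses it too. */
    if ((flags & (TCP_SYN | TCP_ACK | TCP_RST)) != TCP_SYN || !slot) return CT_INVALID;
    slot->orig = t; slot->used = 1; slot->seen_reply = 0;
    return CT_NEW;
}

int main(void) {
    static const char *name[] = { "NEW", "ESTABLISHED", "INVALID" };
    printf("%s\n", name[ct_track(client_out, TCP_SYN)]);
    printf("%s\n", name[ct_track(server_in, TCP_SYN | TCP_ACK)]);
    printf("%s\n", name[ct_track(stranger, TCP_ACK)]);
    return 0;
}
```

A ruleset that accepts ESTABLISHED traffic and drops INVALID traffic lets the server's reply through while rejecting the unsolicited ACK, even though both arrive from port 443.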

Transport Layer Processing

After IP processing, packets move to the transport layer.

The kernel examines the protocol field to determine whether the packet uses:

  • TCP
  • UDP
  • ICMP

Each protocol has its own processing path.

TCP Processing

TCP packets undergo extensive processing.

The kernel manages:

  • Sequence numbers
  • Acknowledgments
  • Retransmissions
  • Flow control
  • Congestion control

TCP provides reliable communication by ensuring packets arrive correctly and in order.

UDP Processing

UDP processing is simpler.

Linux verifies the packet and delivers it to the appropriate application.

Unlike TCP, UDP provides no guarantee of delivery or ordering.

This simplicity makes UDP suitable for applications that prioritize speed over reliability.

Socket Lookup

Once protocol processing is complete, Linux must determine which application should receive the packet.

The kernel performs a socket lookup using:

  • Destination IP address
  • Destination port
  • Protocol type

For example:

Port 22 → SSH server

Port 80 → Web server

Port 443 → HTTPS server

The kernel locates the appropriate socket and queues the packet for delivery.

Delivering Data to User Space

When data is available, the application is notified.

The application retrieves data through system calls such as:

  • recv()
  • read()
  • recvfrom()

At this point, the packet has completed its journey from the network interface to user space.

The application can now process the received information.

Sending Packets

Outbound packets follow a similar process in reverse.

When an application sends data:

  1. The application writes data to a socket.
  2. The kernel creates packet structures.
  3. TCP or UDP headers are added.
  4. IP headers are added.
  5. Routing decisions are made.
  6. Firewall rules are applied.
  7. Ethernet frames are created.
  8. The NIC transmits the packet onto the network.

This process is known as encapsulation.

Performance Optimizations

Linux includes numerous networking optimizations.

Examples include:

  • NAPI polling
  • Receive Side Scaling (RSS)
  • Generic Segmentation Offload (GSO)
  • Generic Receive Offload (GRO)
  • TCP window scaling
  • Zero-copy networking

These technologies allow Linux servers to handle millions of packets per second.

Modern cloud infrastructure depends heavily on these optimizations.

Packet Drops

Not every packet successfully reaches an application.

Linux may drop packets due to:

  • Firewall rules
  • Invalid headers
  • Routing failures
  • Memory shortages
  • Interface errors
  • Security policies

Administrators often use the following tools to diagnose packet loss and networking problems:

  • tcpdump
  • Wireshark
  • ss
  • nft
  • ip

Why Understanding Packet Processing Matters

Understanding packet processing helps explain how Linux networking actually works. It provides insight into firewall behavior, routing decisions, performance bottlenecks, and network troubleshooting. Whether managing servers, developing network applications, building firewalls, or studying operating systems, packet flow through the kernel is one of the most important concepts in Linux networking.

Conclusion

The Linux kernel performs a remarkable amount of work whenever a packet enters or leaves a system. From hardware interrupts and device drivers to routing, firewall inspection, protocol processing, and socket delivery, every packet travels through multiple subsystems before reaching its destination. By understanding this journey, administrators and developers gain a deeper appreciation for the networking stack that powers modern Linux systems and much of the Internet itself.
