Wireshark is a nice tool for keeping your packet dissecting knowledge fresh and finding things you didn't know were there...you can play with the colorization settings and click through the fields in the packet dump and see which fields in the header and payloads they correspond to. Below I have the start of the IP header selected, which shows us the first nibble is the IP version field, and the other half of the first byte is the header length. We see the IP version is 4. Whatever is in the second nibble, the IP Header Length, multiply it by four to get the bytes in the header. So the value five means the header is twenty bytes, the minimum length of an IP header, which also means there are no IP options. IP options are (relatively) rare and almost always suspicious if not malicious, whereas TCP options are common, with things like padding, selective acknowledgment, etc being represented.
Note: In my haste, I switched the value and multiplier in the second nibble when I originally posted this. Sorry..
