02
17 min read · 6 briefings

The OSI & TCP/IP Models

Two maps of the same territory — learn the layers and you can find any bug and any attack.

01 Two maps of the same territory

Networking is layered on purpose. Each layer handles one concern and hands the rest to its neighbor, so you can swap out Wi-Fi for Ethernet without rewriting your web browser. There are two famous models describing this.

The OSI model is a 7-layer teaching framework. The TCP/IP model is the 4-layer model the real internet actually runs on. They map onto each other cleanly.

OSI (7)TCP/IP (4)Example
7 Application / 6 Presentation / 5 SessionApplicationHTTP, DNS, TLS
4 TransportTransportTCP, UDP
3 NetworkInternetIP, ICMP
2 Data Link / 1 PhysicalLinkEthernet, Wi-Fi

Memorize the OSI order — "Please Do Not Throw Sausage Pizza Away" (Physical, Data Link, Network, Transport, Session, Presentation, Application). The point isn't trivia: when something breaks or an attack lands, naming the layer tells you which tools and which fixes apply.

02 Encapsulation: nesting dolls of networking

As your data travels down the stack on the sending machine, each layer wraps it in its own header — like stuffing an envelope inside a bigger envelope at every step. This is encapsulation, and each layer even has its own name for the resulting unit (its PDU, protocol data unit):

  • Application data (your HTTP request) becomes...
  • a segment at the Transport layer once TCP adds ports and sequence numbers, which becomes...
  • a packet (or datagram) at the Network layer once IP adds source/destination IP addresses, which becomes...
  • a frame at the Data Link layer once Ethernet adds MAC addresses and a checksum, which finally becomes...
  • bits on the wire at the Physical layer.

On the receiving machine the process runs in reverse — decapsulation — each layer stripping its own header and handing the payload up. A router only unwraps down to the Network layer (it cares about IP); a switch only to the Data Link layer (it cares about MAC).

Insight Every header is overhead. This is why tiny payloads are inefficient: a 1-byte message can still drag dozens of bytes of TCP/IP/Ethernet headers behind it.

03 MAC vs. IP: two kinds of address

Devices actually have two addresses, working at two different layers, and confusing them is a classic beginner trap.

A MAC address is a 48-bit hardware address burned into (or assigned to) a network interface, written like 3c:5a:b4:1f:07:9e. It is used at the Data Link layer and only has meaning on the local network segment. The first half identifies the manufacturer (the OUI).

An IP address is a logical, routable address at the Network layer — 32 bits for IPv4 (192.0.2.15) or 128 bits for IPv6 (2001:db8::1). IP addresses are how packets find their way across the whole internet.

The glue between them is ARP (Address Resolution Protocol): when your device knows the destination IP is on the local network, it broadcasts "who has 192.0.2.15?" and the owner replies with its MAC. The analogy: the IP address is the recipient's full mailing address across the country; the MAC address is which mailbox on this street the letter drops into for the next leg.

Watch out ARP has no authentication. In ARP spoofing, an attacker on your local network replies to ARP requests with their own MAC, silently inserting themselves as a man-in-the-middle between you and the gateway.

04 Ports and the transport layer

Your laptop runs dozens of network programs at once — a browser, a mail client, a chat app. IP gets a packet to the right machine; ports get it to the right program on that machine. A port is a 16-bit number (0–65535), and the combination of IP address plus port plus protocol identifies one end of a connection.

  • Well-known ports (0–1023): reserved for standard services — 80 HTTP, 443 HTTPS, 22 SSH, 53 DNS, 25 SMTP.
  • Registered ports (1024–49151): assigned to specific applications.
  • Ephemeral ports (49152–65535): temporary ports your OS assigns to your side of an outbound connection.

A full connection is defined by a 4-tuple: source IP, source port, destination IP, destination port. That's how your machine keeps ten browser tabs to the same server straight — each uses a different source port.

Pro tip Attackers port scan to find which services are listening. Every open port is potential attack surface — the defensive instinct is to close or firewall anything you don't explicitly need exposed.

05 TCP handshake vs. UDP

The transport layer offers two very different deals.

TCP (Transmission Control Protocol) is reliable and ordered. Before any data flows, it performs the three-way handshake:

  1. Client sends SYN (synchronize) with an initial sequence number.
  2. Server replies SYN-ACK — acknowledging the client's number and sending its own.
  3. Client sends ACK, and the connection is established.

From then on, TCP numbers every byte, acknowledges receipt, retransmits losses, and controls its sending rate (congestion control). You get a clean, in-order stream — at the cost of setup time and overhead.

UDP (User Datagram Protocol) is fire-and-forget: no handshake, no acknowledgments, no reordering, no guarantees. It just fires datagrams. That sounds worse, but for live video, voice, DNS lookups, and gaming, a slightly-lost-but-fast packet beats a perfectly-retransmitted-but-late one.

Watch out The handshake itself is attackable. A SYN flood sends floods of SYN packets and never completes the handshake, exhausting the server's table of half-open connections — an early and still-relevant denial-of-service technique.

06 The troubleshooting mindset

Layers aren't just theory — they are a debugging algorithm. When "the internet is broken," professionals climb the stack from the bottom, ruling out each layer in turn:

  1. Physical: Is the cable plugged in? Is Wi-Fi associated? Are the link lights on?
  2. Data Link: Do you have a MAC-level connection to the local switch/AP? Any interface errors?
  3. Network: Do you have an IP address? Can you ping your gateway? Can you ping 8.8.8.8 (a raw IP)?
  4. Transport/Application: Can you resolve DNS? Does ping 8.8.8.8 work but names fail (a DNS problem, not connectivity)? Is the specific port open?

The classic tell: if you can ping an IP address but cannot load websites by name, the network is fine — DNS is the culprit (the next module's subject). Layered thinking turns a vague "it's slow" into a specific, testable question.

It's always DNS. And when it isn't DNS, it's BGP.

Field Glossary

OSI model
A 7-layer conceptual framework (Physical, Data Link, Network, Transport, Session, Presentation, Application) used to reason about networking responsibilities.
TCP/IP model
The 4-layer model the real internet runs on: Link, Internet, Transport, and Application. It maps directly onto the OSI layers.
Encapsulation
The process by which each layer wraps the data from the layer above in its own header, producing segments, packets, frames, and finally bits.
MAC address
A 48-bit hardware address used at the Data Link layer, meaningful only on the local network segment. Its first half identifies the manufacturer (OUI).
ARP
Address Resolution Protocol — resolves a local IP address to its MAC address via broadcast. It has no authentication, enabling ARP spoofing attacks.
Port
A 16-bit number (0–65535) identifying a specific program or service on a machine. Combined with an IP and protocol, it identifies one end of a connection.
TCP three-way handshake
The SYN, SYN-ACK, ACK exchange that establishes a reliable TCP connection before any application data is sent.

Knowledge Check

Field Assessment

0 / 3

01 On which OSI layer does a router primarily operate when forwarding traffic across networks?

02 You can ping 8.8.8.8 successfully but no website will load by name. What is the most likely problem?

03 Why might a developer choose UDP over TCP for a live voice call?

ESC
↑↓ navigate jack in