CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

OSI Model vs TCP-IP Model

Chapter 1: The OSI Model vs TCP IP Models

Compare the layers of the OSI vs TCP/IP models. The first chapter in the Networking Concepts section proposes an analysis of the OSI and TCP/IP models, taking into account the particularities of each of the seven OSI layers and the four TCP/IP layers. The information presented in this chapter will help students understand the logical process that happens when network devices communicate with each other.

The OSI and TCP/IP models were defined in order to understand and structure the processes that make a network function. While the OSI (Open System Interconnection) reference model can help in understanding how network communications occur, it represents more of a theoretical approach, unlike the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite used in production. TCP/IP is considered a set of protocols (or a protocol stack) that operate together to accomplish various tasks that allow inter-communication among network devices.

Learn more in the CompTIA Network+ course.

Back to book index.

Contents hide
Chapter 1: The OSI Model vs TCP IP Models
The OSI Reference Model
Protocols
OSI Application Layer
OSI Presentation Layer
OSI Session Layer
OSI Transport Layer
OSI Network Layer
OSI Data Link Layer
OSI Physical Layer
Encapsulation
TCP/IP Protocol Suite
TCP/IP Application Layer
TCP/IP Transport Layer
TCP/IP Internet Layer
TCP/IP Network Access Layer
Traffic Analysis
Traffic Analysis – Physical Layer
Traffic Analysis – Data Link Layer
Traffic Analysis – Network Access Layer
Traffic Analysis – Transport Layer
Traffic Analysis – Application Layer
Summary

The OSI Reference Model

The OSI reference model was defined in ISO/IEC 7498-1. It is a seven-layer model used in networking, a layered mechanism that describes how information from an application on a network device (e.g., computer, router, etc.) moves from the source to the destination using the physical medium, and then interacts with the software application on that specific network device, as illustrated in Figure 1.1 below:

OSI Reference Model

Figure 1.1 – OSI Reference Model

OSI was developed by the International Organization for Standardization (ISO) in 1984. The OSI mechanism involves two concepts:

  • The OSI reference model, which has seven layers
  • The OSI protocols that map to each of the seven layers

In other words, the OSI model defines the network functions required for sending data and divides them into seven categories. The seven layers of the OSI reference model, starting from the top (i.e., Layer 7), are shown in Table 1.1 below:

Table 1.1 – The OSI Reference Model

OSI Layers
Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport
Layer 3 Network
Layer 2 Data Link
Layer 1 Physical

The upper layers involve application issues, such as interfacing with the user or formatting data. The lower layers relate to transport issues, such as data routing and the physical characteristics of the network.

When a network device (source) communicates with another network device (destination), the information flows as presented in Figure 1.1 above, starting from the source device’s Application Layer, going down to its Physical Layer, arriving at the destination device’s Physical Layer, and going up to its Application Layer. The response from the destination device to the source device follows the reverse order: Layer 7 to Layer 1 and then Layer 1 to Layer 7.

It is really essential to understand the OSI reference model from a design standpoint because of its modular architecture. The OSI model divides the specific tasks that are involved in moving information from one networking device to another into seven smaller and more manageable groups of tasks/actions. The overall goal of the OSI model is to enhance interoperability and functionality between different applications and vendors, as well as to make it easier for network administration to focus on the design of particular layers of the model. For example, applications can be designed without having to worry about the lower OSI layers, so a certain level of trust is present if the packet has already been analyzed by the lower layers. The same rule applies in the other direction: the Application Layer trusts that the lower layers will successfully process and send the packet over the wire.

The OSI reference model is a key concept in the networking industry and it plays an important role in the design phase of a network using a modular (layered) approach.

Note:     The OSI reference model represents everything that must happen in order to send data, but it does not specify how these things are done. Different protocols implement these functions differently at various layers and the OSI model provides a framework for these communication protocols to be used between devices.

Protocols

A protocol is a set of rules. Network devices need to agree on a set of rules in order to communicate and they must use the same protocol to understand each other. A wide variety of network protocols exist at different OSI layers. For example, at the lower OSI layers, LAN and WAN protocols are used. Going up the reference model, routed and routing protocols are found at Layer 3. Each layer and its associated protocols will be covered in detail in the following sections.

Protocols can be organized in protocol suites or stacks. TCP/IP is the most commonly used network protocol suite, named after the two protocols in the stack. The TCP/IP protocol suite can be found in almost all modern networks, and it is a core feature not only of the Internet but also within organizations’ networks. Other examples of protocol suites are AppleTalk and Novell NetWare.

OSI Application Layer

The Application Layer (Layer 7) is the layer closest to the end-user, who utilizes the network services available. For example, to transmit information such as data requests, pictures, and document files, the end-user interacts directly with an application in the Application Layer, which manages software applications that have communication-over-internetwork functionality.

Depending on the information the user wants to send over the network, a specific protocol is used at the Application Layer. A few examples include the following:

  • SMTP, POP3: used to send/receive an e-mail message
  • FTP: used to transmit a file over the network
  • Telnet: used to control a remote device

OSI Presentation Layer

The Presentation Layer is Layer 6 and it makes sure that the data is understandable to the end-system. In other words, the data must be converted and formatted in such a way that the system recognizes it and knows how to treat it. This includes the translation and conversion of details like formatting, compression schemes, encryption schemes, and character representation formats (e.g., ASCII to Unicode).

Most often, the Presentation Layer will handle conversion schemes and video and audio compression (e.g., MPEG, AVI, JPEG, GIF, and TIF files). If the packets from the Application Layer are sent unformatted, the Presentation Layer translates them and then passes them to the Session Layer.

Layer 6 specifies the format, data structure, coding, compression, and other ways to represent the data to ensure that information sent by a host at the Application Layer can be properly interpreted by the destination host.

OSI Session Layer

From a technical standpoint, communications systems are made up of different service requests and service responses between applications located on different networking devices. The Session Layer (Layer 5), establishes, manages, and terminates these communication sessions and connects the lower layers with the Presentation and Application Layers. It negotiates these connections, makes sure that the device is willing to talk to the other party, and tracks the conversation using port numbers.

OSI Transport Layer

The middle stack layer, the Transport Layer (Layer 4), accepts data from the Session Layer and breaks it up into transport segments. The Transport Layer is responsible for the information reaching the destination device in an error-free fashion and in the proper order (i.e., the correct sequence of packets), utilizing the following features to accomplish this task:

  • Reliability
  • Transmission error checking
  • Error correction
  • Data retransmission
  • Flow control
  • Sequencing
  • Data multiplexing

From a technical standpoint, all of these features are implemented by establishing a virtual circuit between the sender and receiver devices. The Transport Layer initiates, maintains, and terminates these virtual circuits at OSI Layer 4 and uses segments as the protocol data units (PDUs). Segments are defined sets of data that include control information and they are sent between the Transport Layers of the endpoints.

The following two protocols in the Transport Layer are used on the Internet:

  • Transmission Control Protocol (TCP): a reliable, connection-oriented protocol
  • User Datagram Protocol (UDP): an unreliable, low overhead, connectionless protocol

Connection-oriented protocols establish a logical connection and use sequence numbers to ensure that all the data is received at the destination. Connectionless protocols only send the data, relying on the upper-layer protocols to handle error detection and correct possible problems.

Note:     The process of segmenting the data is transparent to the upper layers, as the Transport Layer at the other end will re-assemble everything before passing the data over to the Session Layer.

OSI Network Layer

Layer 3, also known as the Network Layer, is responsible for identifying the internetwork path (routing) from the sender device to the receiver device. Considering this aspect, Layer 3 is responsible for the logical addressing schemes (e.g., IP, IPX, and AppleTalk) that assign logical addresses to the network hosts on both sides of the communication path.

The Network Layer sends datagrams (or packets), which are a defined set of data that includes addressing and control information. Datagrams are routed between source and destination devices. If a datagram needs to be sent across a network that can handle only a certain amount of data at a time, it can be fragmented into multiple packets and reassembled by the receiving device. In other words, a datagram is considered a unit of data and a packet is what physically goes on the network. If no fragmentation occurs, a datagram is a single packet.

In addition to logical addressing schemes, the Network Layer is also responsible for route selection and packet forwarding, and it deals with two types of protocols:

  • Routed protocols: IP, IPX/SPX, AppleTalk, and DECnet
  • Routing protocols: RIP, EIGRP, OSPF, IS-IS, and BGP

Routed protocols are responsible for the actual rules and processes involved in the encapsulation of the data packets that are ultimately routed over the internetwork. Routing protocols find available routes that exist on the network, build routing tables, and make routing decisions. Network devices that operate at Layer 3 are called routers.

OSI Data Link Layer

Layer 2 (Data Link Layer) defines the format of data that is transmitted across the physical network and encapsulates it based on the media type. A frame represents the organization of data in a specific fashion so that both parties can understand it, and the Data Link Layer chooses the proper frame type based on the link in use. The Data Link Layer has two sublayers: the Logical Link Control (LLC) sublayer and the Media Access Control (MAC) sublayer. The LLC sublayer deals with the Network Layer, while the MAC sublayer has access to physical media in the Physical Layer (Layer 1). These sublayers are shown in Figure 1.2 below:

Data Link Sublayers

Figure 1.2 – Data Link Sublayers

The LLC sublayer (IEEE 802.2) allows multiple Network Layer 3 protocols to communicate over the same physical link by allowing those protocols to be specified in the LLC fields. The MAC sublayer (IEEE 802.3) specifies the physical MAC address that identifies a device on a network. Each frame sent over the wire contains a MAC Address field and only those devices with that specific MAC address will process the frame. A Source MAC Address field is also included in the frame.

The Data Link Layer offers reliable transmission of data across a physical network link and allows different Data Link Layer specifications that provide different network and protocol characteristics. This includes physical addressing, different network topologies, error notifications, frame (Layer 2 data units) sequences, and frame flow control.

Layer 2 manages physical addressing, while Layer 3 handles logical addressing. Physical addressing is generally in the form of MAC addresses (burned into a computer network interface card (NIC) or in the interfaces of network devices). MAC addresses are 48 bits long and the standard format contains six groups of two hexadecimal digits separated by hyphens (-) or colons (:), for example, aa:bb:12:34:56:67 or aa-bb-12-34-56-67. Every device on the network has a unique physical address that has to be included in the message so it can be delivered to the proper device. If the physical address of the destination is not known, the packet will be forwarded to all the devices on that segment. Network devices that operate at Layer 2 are called switches.

Note:     MAC addresses are also called burned-in addresses (BIAs) or hardware addresses.

OSI Physical Layer

The Physical Layer is placed at the bottom of the OSI protocol stack and it represents the actual physical medium on which the information is traveling between network devices. Layer 1 interconnects with the Data Link Layer through the Layer 2 MAC sublayer and sends the physical signals that encode 0 and 1 bits, or “binary digits” (i.e., electrical signals over copper links, fiber-optic light beams, and radio frequencies for wireless transmissions).

The protocols that operate at the Physical Layer include the following:

  • Local Area Network (LAN) protocols: Ethernet,* IEEE 802.3, 100BaseT, Token Ring/IEEE 802.5, and FDDI
  • Wide Area Network (WAN) protocols: EIA/TIA-232, EIA/TIA-449, V.35, and EIA-530

Layer 1 defines physical media procedures, electrical or mechanical aspects, encoding, and modulation (voltage) on the line, and the electrical signal generated either will be a 0 or a 1 bit or will be placed into a transition state. The Physical Layer also activates, maintains, and deactivates the actual physical links between multiple systems in LAN and WAN networks.

*Ethernet actually operates at both Layer 1 and Layer 2 of the OSI reference model.

Note:     Every process and function within Layers 2 to 7 of the OSI reference model (or Layers 2 to 4 of the TCP/IP protocol suite) happens logically inside the network device, whereas Physical Layer (TCP/IP Network Access Layer) functionality transmits bits as electrical signals on the wire, light beams on fiber-optic links, or radio frequencies in Wi-Fi networks.

Encapsulation

In both LANs and WANs, packet transmission can be analyzed using the seven-layer OSI reference model. When data is transmitted by the source toward a specific destination, it passes through the Application, Presentation, and Session Layers and the PDU arrives at Layer 4 (Transport Layer).

The process of sending data down the protocol stack (from the Application Layer to the Physical Layer) is called encapsulation. The upper layer sends data down to the next level, which adds its own specific information (using a header and a trailer) before sending it down to the next layer where the process is repeated, making the message bigger at each layer. The opposite process is called decapsulation, in which the destination device receives the message and moves it up the protocol stack to the Application Layer. As the message travels through the layers, each layer removes the lower layer’s additional information (i.e., header and trailer), making the message smaller as it goes up the protocol stack.

As illustrated in Figure 1.3 below, the Transport Layer (Layer 4) places a 20-byte header in front of the data. Regardless of the protocol used (i.e., TCP or UDP), the Layer 4 header and the data form a segment that is passed down to Layer 3 (Network Layer).

The Network Layer places its header in front of the segment received and this group becomes a packet (or a datagram). The Layer 3 header contains very important fields that include the logical address (IP address) of both the source and destination device.

The newly formed packet is passed down to Layer 2 (Data Link Layer), which creates a new data unit (i.e., a frame) by adding the Layer 2 frame header and trailer. The frame is then passed down to the Physical Layer (Layer 1), which converts the information into 0 and 1 bits that are sent over physical media using, for example, electrical signals (for a copper link). Finally, the data is sent over the wire using a wide variety of methods, such as Ethernet, Token Ring, or other technologies.

The headers and trailers used in the encapsulation process contain specific control information that allows the data to go through the network properly. Thus, the data at each layer is encapsulated by information appropriate for that specific layer, including addressing and error checking.

Packet Encapsulation

Figure 1.3 – Packet Encapsulation

A protocol data unit (PDU) is a group of data used to exchange information at a particular OSI layer. The Layer 1 to Layer 4 PDU types, signifying the group of data and the specific headers and trailers, are summarized in Table 1.2 below:

Table 1.2 – PDU Types

Layer PDU Types
Layer 1 Bit
Layer 2 Frame
Layer 3 Packet (Datagram)
Layer 4 Segment

To summarize, referring to Figure 1.3, with encapsulation the amount of information increases as the data travels down through the lower layers to the Physical Layer (as shown on the left). With decapsulation the destination device receives the data and this additional information is analyzed and then removed as the data is passed up through the higher layers to the Application Layer (as shown on the right).

In addition to the Layer 3 logical addressing fields in the header, an addressing structure is also applied in the Layer 2 header (i.e., the MAC address). Every network device has a physical BIA located in a special field in the Data Link Layer header. This address changes as the packet passes from one device to another (e.g., from the source PC to the switch to the router to another switch and, finally, to the destination PC), but the original IP source and destination addresses do not change when transiting the network because the packet is stripped of its Layer 3 header once it goes beyond a router. When a packet stays within the same LAN, it passes through switches only and is decapsulated until it reaches the Layer 2 header, which contains the MAC address. This header changes as the packet is re-encapsulated, as do the MAC address fields.

Finally, different protocols are available at each layer. For example, IP packets are different from IPX packets. Proper network operation implies that both the source and the destination endpoints are communicating using the same protocol. 

TCP/IP Protocol Suite

Although the OSI model does a great job of describing in detail how the network operates, it is actually considered a reference model. To ensure proper communication between network devices, the TCP/IP protocol suite is used instead.

Note:     The OSI reference model was created by the International Organization for Standardization (ISO), while the TCP/IP protocol suite was created and first implemented by the Internet Engineering Task Force (IETF).

The TCP/IP protocol suite is a modern adaptation of the OSI reference model and it contains five layers:

  • Application Layer
  • Transport Layer
  • Internet Layer
  • Data Link Layer
  • Physical Layer

In some documentation, the Data Link Layer and the Physical Layer are combined into a single layer called the Network Access Layer or the Network Interface Layer. Figure 1.4 below shows the TCP/IP protocol suite next to the OSI reference model:

TCP/IP Protocol Suite

Figure 1.4 – TCP/IP Protocol Suite

TCP/IP Application Layer

The Application Layer in the TCP/IP protocol suite covers the functionality of the Session, Presentation, and Application Layers in the OSI reference model. Various protocols can be used at this layer, among which include the following:

  • SMTP, POP3: used to provide e-mail services
  • HTTP: World Wide Web browser content delivery protocol
  • FTP: used in file transfers
  • DNS: used in domain name translation
  • SNMP: network management protocol
  • DHCP: used to automatically assign IP addresses to network devices
  • Telnet: used to manage and control network devices

TCP/IP Transport Layer

Both the TCP/IP Transport Layer and the Internet Layer display considerable differences when compared with the corresponding OSI layers. The Transport Layer is based on two protocols:

  • Transmission Control Protocol (TCP): This protocol provides a connection-oriented transmission. This means that the path the data travels on through the network is reliable, as the endpoints establish a synchronized connection before sending the data. Every data packet is acknowledged by the receiving host. File Transfer Protocol (FTP) is an example of a protocol that uses TCP.
  • User Datagram Protocol (UDP): This protocol provides an unreliable, connectionless transmission between hosts. Unlike TCP, UDP does not check the segments that arrive at the destination to make sure that they are valid and in the proper order. This means that integrity verifications and the error correction process will occur at the Application Layer. On the other hand, UDP has a smaller overhead compared with TCP because the UDP header is much smaller. Trivial File Transfer Protocol (TFTP) is an example of a protocol that uses UDP.

The TCP and UDP protocol data units are segments, and each segment contains a number of fields that carry different information about the data, as shown in Figure 1.5 below:

UDP and TCP Segment Fields

Figure 1.5 – UDP and TCP Segment Fields

The UDP fields are described in Table 1.3 below: 

Table 1.3 – UDP Fields

Field Size Description
Source Port Number 16 bits Identifies the application used by the sender
Destination Port Number 16 bits Identifies the application used by the receiver
Length 16 bits The size of the header and the data
Checksum 16 bits The checksum of the header and the data, used to verify integrity of the segment
Data Variable Application data

The TCP fields are described in Table 1.4 below:

Table 1.4 – TCP Fields

Field Size Description
Source Port Number 16 bits Identifies the application used by the sender
Destination Port Number 16 bits Identifies the application used by the receiver
Sequence Number 32 bits Verifies the correct order of segments received
Acknowledgement Number 32 bits Verifies the correct order of segments received
Header Length 4 bits The size of the header
Reserved 6 bits Unused field
Code Bits 6 bits Indicates the segment type
Window Size 16 bits The number of bytes received before sending an acknowledgement
Checksum 16 bits The checksum of the header and the data, used to verify integrity of the segment
Urgent 16 bits Marks the end of urgent data
Option 0 to 32 bits Defines the maximum TCP segment size
Data Variable Application data

The TCP header is larger than the UDP header because extra fields are needed to ensure a reliable connection.

Port numbers can have values up to 65535. Most of the common applications are assigned well-known port numbers, which are 0 to 1023. Port numbers 1024 through 49151 are registered port numbers, and the range of 49152 to 65535 defines dynamic port numbers (automatically assigned by network devices). Port numbers are used to distinguish applications running on the same device. Examples of well-known port numbers include the following:

  • HTTP: TCP port 80
  • FTP: TCP port 20 (data) and port 21 (control)
  • TFPT: UDP port 69
  • POP3: TCP port 110
  • SMTP: TCP port 25
  • DNS: TCP and UDP port 53
  • SNMP: UDP ports 161/162
  • Telnet: TCP port 23

When a TCP connection is established, it follows a process called a three-way handshake. This process uses a TCP segment with SYN and ACK bits, and this segment includes the Code Bits, Sequence Number, and Acknowledgement Number fields. The three-way handshake process is illustrated in Figure 1.6 below:

TCP Three-Way Handshake Process

Figure 1.6 – TCP Three-Way Handshake Process

In Figure 1.6 above, Host A tries to establish a TCP connection with Host B. Host A sends a segment with a SYN bit set, letting the other device know that it wants to synchronize, and this segment includes the initial sequence number that Host A is using, which is 5. Host B accepts synchronization with Host A and sends back a segment with a SYN bit set and an ACK bit set to acknowledge that it has received the initial segment sent by Host A. The acknowledgement number sent by Host B represents the next segment it expects to receive, which is 6 (this is also called an expectational acknowledgment). The new segment also includes the initial sequence number that Host B is using, which is 14. Host A replies with an ACK segment that contains a sequence number of 6 (because that is what Host B is expecting) and an acknowledgement number of 15, informing Host B that it can send the next segment. This concludes the TCP session establishment phase.

During the window size negotiation phase, the remote host learns the number of bytes a device will accept before it must send an ACK. The window sizes of the two endpoints may not match, so negotiation must take place. In Figure 1.6, Host A has a window size of 2 and Host B has a window size of 3. When Host A sends data, it can send 3 bytes before waiting for an ACK, while Host B can send only 2 bytes before receiving an ACK.

Note:     The Window Size field specifies the number of bytes (octets) a device will accept, not the number of segments.

After all the data has been sent between the two hosts during the data transmission phase, the session closing phase begins. Host A sends a segment with a FIN bit set, letting Host B know that it wants to end the TCP session. This segment includes the sequence number Host B is using at that specific moment, which is 341. Host B acknowledges the request and sends an ACK bit set with an acknowledgement number of 342 to confirm that it received acknowledgement number 341. This segment also includes the current sequence number of Host B, which is 125. Host B sends a new segment with a FIN bit set, announcing that the application it is running also requests an end to the session. In the last step before the session is closed, Host A sends an ACK segment with the number 126 to confirm that it received number 125 from Host B.

TCP/IP Internet Layer

The Internet Layer in the TCP/IP protocol suite corresponds to OSI Layer 3 (Network Layer) and includes the following protocols:

  • Internet Protocol (IP): This protocol is a connectionless protocol that offers best-effort delivery of packets in the network. It relies on Transport Layer protocols such as TCP to ensure a reliable connection. IP addresses are assigned to each network device or interface in the network. The IP protocol comes in two flavors: IPv4 and IPv6. These aspects will be covered in detail later in this book.
  • Internet Control Message Protocol (ICMP): This protocol sends messages and error reports through the network. The most commonly used application that relies on ICMP is ping. The ping application sends an ICMP Echo Request message to the destination and expects an ICMP Echo Reply back to test that the destination can be reached and to get information about any delays between the two endpoints.

TCP/IP Network Access Layer

The Network Access Layer is comprised of the Data Link Layer and the Physical Layer and has the same functionality as the same two layers in the OSI reference model.

A common protocol used at the Data Link Layer is the Address Resolution Protocol (ARP), which requests the MAC addresses of a host with a known IP address. Once the MAC address is known, it is used as a destination address in the frames sent in that specific direction.

Traffic Analysis

In this section we will analyze a specific example that involves a communication flow (i.e., an FTP Request) between two network devices, specifically an FTP client and an FTP server, as depicted in Figure 1.7 below:

Traffic Flow Example

Figure 1.7 – Traffic Flow Example 

Note:     This example presents an FTP Request packet but the specific Application Layer information is not relevant in analyzing the overall layer structure in a generic packet.

Traffic flow in this example will be analyzed from the perspective of the TCP/IP layers, as inspected by traffic analyzer software (Wireshark in this case) that captures packets as they are transmitted over the wire between the two devices.

Traffic Analysis of the Overall Layer Structure

Figure 1.8 – Traffic Analysis of the Overall Layer Structure

Figure 1.8 above shows the overall TCP/IP layers as presented by the traffic analyzer, with the Network Access Layer divided into the Physical Layer and the Data Link Layer. Each line in the output above represents a specific TCP/IP layer, as follows:

  • First line: Physical Layer
  • Second line: Data Link Layer
  • Third line: Network Access Layer
  • Fourth line: Transport Layer
  • Fifth line: Application Layer

Next, each layer will be described in detail as it is presented by the traffic analyzer, starting with the Physical Layer.

Traffic Analysis – Physical Layer

Traffic Analysis of the Physical Layer

Figure 1.9 – Traffic Analysis of the Physical Layer

The Physical Layer fields in Figure 1.9 above contain information about the actual packet signaling and bits as they are passed over the wire. Of particular importance is the total number of bits included on the first line, which is 576 bits. The remaining output in Figure 1.9 is not relevant at the moment.

Traffic Analysis – Data Link Layer

Traffic Analysis of the Data Link Layer

Figure 1.10 – Traffic Analysis of the Data Link Layer

The Data Link Layer presented in Figure 1.10 above shows the following important Layer 2 (Ethernet in this case) information:

  • Destination device MAC address (Layer 2 address): 00:ff:58:fd:fa:0b (FTP server)
  • Source device MAC address (Layer 2 address): 00:ff:57:fd:fa:0b (FTP client)
  • EtherType: 0x0800, indicates which protocol is encapsulated in the payload of the Ethernet Frame (IPv4 in this case)

Traffic Analysis – Network Access Layer

Traffic Analysis of the Network Access Layer

Figure 1.11 – Traffic Analysis of the Network Access Layer

 As shown in Figure 1.11 above, Layer 3 contains relevant information about the Network Access Layer protocol used, which is IPv4 in this case. The information structure of Layer 3 correlates with the IPv4 packet structure that will be presented in subsequent sections. This includes IP addressing information and other Layer 3 overhead:

  • Internet protocol version: 4 (identifying IPv4)
  • Header length
  • Differentiated Services field (QoS marking)
  • Total packet length
  • Identification, flags, and fragment offset
  • TTL (Time To Live) information
  • Transport Layer protocol: TCP in this case
  • Header checksum
  • Source IP address: 10.7.0.6 (FTP client)
  • Destination IP address: 192.168.1.250 (FTP server)

Traffic Analysis – Transport Layer

Traffic Analysis of the Transport Layer

Figure 1.12 – Traffic Analysis of the Transport Layer

As shown in Figure 1.12 above, the Transport Layer contains information about the Layer 4 protocol in use: TCP in this case. Because TCP is a reliable protocol, it uses the overhead of sending sequence numbers and acknowledgements. The tracking information includes the following fields:

  • Source Port Number (random high port number)
  • Destination Port Number (FTP port 21)
  • Sequence Number
  • Acknowledgement Number
  • Window Size
  • Flags
  • Checksum
Note:     Port numbers are assigned by the Session Layer when the transmission parameters are negotiated to ensure that the data goes to the proper application on the destination device.

Traffic Analysis – Application Layer

Traffic Analysis of the Application Layer

Figure 1.13 – Traffic Analysis of the Application Layer

The Application Layer contains relevant information related to the specific application used (i.e., service provided for the user) and the specific packet type, which is an FTP Request in this case.

Summary

The OSI reference model and the TCP/IP protocol suite were defined in order to understand the structure and the processes that make a network function. While the OSI reference model is beneficial for describing how network communications occur, it represents more of a theoretical approach, unlike the TCP/IP protocol suite used in production. The TCP/IP approach to network communications is comprised of a set of protocols that operate together to accomplish various tasks that allow network devices to communicate with each other.

The seven layers of the OSI reference model and the corresponding five layers of the TCP/IP protocol suite, starting from the top, are shown in Table 1.5 below:

Table 1.5 – TCP/IP Layers Mapped to the OSI Layers

OSI Layers TCP/IP Layers
(7) Application Application
(6) Presentation
(5) Session
(4) Transport Transport
(3) Network Internet
(2) Data Link Data Link
(1) Physical Physical

The OSI model is a key concept in the networking industry and it plays an important role in the design phase of a network using a modular (layered) approach.

A protocol is a set of rules. Network devices need to agree on a set of rules in order to communicate and they must use the same protocol to understand each other. A wide variety of network protocols exist at different OSI layers. For example, at the lower OSI layers, LAN and WAN protocols are used. Going up the reference model, routed and routing protocols are found at Layer 3.

The process of sending data down the protocol stack is called encapsulation. Data sent by the upper layer is received by each subsequent layer, which adds its own specific information. The opposite process is called decapsulation; after the destination device receives the message, it analyzes and removes information as it moves up through the protocol stack.

A PDU is a group of data used to exchange information at a particular OSI layer. The Layer 1 to Layer 4 PDU types, signifying the group of data and the specific headers and trailers, are summarized in Table 1.6 below:

Table 1.6 – PDU Types

Layer PDU Types
Layer 1 Bit
Layer 2 Frame
Layer 3 Packet (Datagram)
Layer 4 Segment

OSI model on Wikipedia.

content-filler