OSI and TCP/IP Model
The OSI model is a 7-layer conceptual framework for networking. The TCP/IP model is what the internet actually uses — 4 layers that map roughly onto OSI. Both describe how data moves from an application on one machine to an application on another.
Why It Matters
Networking bugs live at specific layers. If DNS resolves but TCP connects time out, the problem is layer 3/4, not layer 7. Understanding the layer model lets you reason about where packets fail, which tools to use, and how protocols compose.
OSI vs TCP/IP
| OSI Layer | Name | TCP/IP Layer | Protocols | PDU |
|---|---|---|---|---|
| 7 | Application | Application | HTTP, DNS, SMTP, SSH | Data |
| 6 | Presentation | ↑ | TLS, compression | Data |
| 5 | Session | ↑ | (connection management) | Data |
| 4 | Transport | Transport | TCP, UDP, QUIC | Segment/Datagram |
| 3 | Network | Internet | IP, ICMP, ARP | Packet |
| 2 | Data Link | Link | Ethernet, WiFi (802.11) | Frame |
| 1 | Physical | ↑ | Copper, fiber, radio | Bits |
In practice, the 4-layer TCP/IP model is what matters. OSI layers 5-7 collapse into “Application.”
Encapsulation
Each layer wraps the previous layer’s data with its own header:
Application: [HTTP request data ]
↓
Transport: [TCP hdr][HTTP request data ] = segment
↓
Internet: [IP hdr][TCP hdr][HTTP data ] = packet
↓
Link: [Eth hdr][IP hdr][TCP hdr][HTTP data ][FCS] = frame
↓
Physical: 10110010 01101... (bits on the wire)
Receiving host strips headers in reverse order (decapsulation).
What Happens When You Visit a Website
Walking through all layers for http://example.com/page:
1. Application: browser constructs HTTP GET request
2. DNS lookup: resolve "example.com" → 93.184.216.34 (UDP port 53)
3. Transport: TCP 3-way handshake to port 80 (SYN → SYN-ACK → ACK)
4. Transport: HTTP data split into TCP segments with sequence numbers
5. Internet: each segment wrapped in IP packet (src IP, dst 93.184.216.34)
6. Internet: routing table lookup → next hop → ARP for MAC address
7. Link: IP packet wrapped in Ethernet frame (src MAC, dst MAC)
8. Physical: frame sent as electrical/optical/radio signals
On the way back, the response traverses the same layers in reverse.
Key Concepts Per Layer
Link Layer
- MAC address: 48-bit hardware address (unique per NIC), e.g.,
aa:bb:cc:dd:ee:ff - Ethernet frame: dst MAC + src MAC + type + payload + FCS (checksum)
- ARP: maps IP → MAC on local network (“who has 192.168.1.1?“)
- MTU: maximum frame payload, typically 1500 bytes for Ethernet
Internet Layer
- IP: addressing (src/dst IP), routing (hop-by-hop forwarding), TTL
- ICMP: error messages and diagnostics (
ping,traceroute) - Fragmentation: splitting packets larger than path MTU (avoided when possible)
Transport Layer
- TCP: reliable ordered stream — handshake, sequence numbers, retransmission
- UDP: unreliable datagrams — no connection, no guarantees, minimal overhead
- Ports: 16-bit numbers multiplexing connections (0-1023 well-known, 1024-65535 ephemeral)
Application Layer
Everything above transport: HTTP, DNS, SMTP, SSH, TLS, MQTT, gRPC…
Debugging by Layer
| Symptom | Likely Layer | Tool |
|---|---|---|
| No link light | 1 (Physical) | Cable, ip link show |
| No ARP response | 2 (Link) | arping, tcpdump -e |
| Can’t ping | 3 (Internet) | ping, traceroute, ip route |
| Connection refused/timeout | 4 (Transport) | ss -tlnp, nc -zv host port |
| HTTP 500, bad response | 7 (Application) | curl -v, openssl s_client |
tcpdump -i eth0 -n port 80 # capture packets on wire (layers 2-7)
wireshark # GUI packet analysis
ss -tlnp # list listening TCP sockets
ip route # routing table
ip neigh # ARP cacheRelated
- TCP Protocol — transport layer deep dive
- UDP Protocol — connectionless transport
- IP and Routing — internet layer addressing and forwarding
- DNS Protocol — application layer name resolution
- TLS and Encryption — security between transport and application