Networks pass data through seven conceptual layers. Each layer adds its own envelope on the way out and strips that envelope on the way in. Watch Alice's message "Hello, Bob!" get wrapped, transmitted, and unwrapped, one layer at a time, from chat window to chat window.
The Open Systems Interconnection (OSI) reference model splits the work of moving data across a network into seven distinct layers. Each layer has one job. The application layer worries about what the data means. The physical layer worries about voltages on copper or photons in fiber. The layers in between handle everything that has to happen so the bytes typed on Alice's keyboard reach Bob's screen intact.
When data leaves Alice's computer it travels down her stack. At each layer a header is added that lets that layer's counterpart on the other side do its job. This is called encapsulation. When data arrives at Bob's computer it travels up his stack. At each layer the corresponding header is read and stripped. This is called decapsulation. The packet that crosses the wire carries every header from every layer it passed through, nested like envelopes inside envelopes.
Every attack you will study lives at a specific layer. ARP poisoning is layer 2. IP spoofing is layer 3. SYN floods are layer 4. SQL injection and phishing are layer 7. Firewalls and intrusion detection systems each operate at one or more specific layers. If you cannot say what layer an attack lives at, you cannot pick the right defense.
Old standard for memorizing layer 7 down to layer 1:
All People Seem To Need Data Processing
Bottom up, often used to remember the order data is encapsulated:
Please Do Not Throw Sausage Pizza Away
Alice sends Bob a one-line message from her chat client. Step through each state to watch the message grow as it descends Alice's stack, fly across the network, and shrink as it ascends Bob's stack. Click any layer card to see the protocol description.
Alice has typed her message but has not pressed send. The OSI stack is idle.
No active layer
Select a state or press Play to begin the walkthrough.
Each card below describes one OSI layer, the kind of data unit it works with (its PDU, or Protocol Data Unit), what protocols ride at that layer, and the typical header fields you will see in a packet capture.
The layer the user actually touches. It defines the rules of the conversation the application is having: how to ask for a webpage, how to send an email, how to look up a domain. The application does not concern itself with how the bytes get delivered, only with what they should say.
Translates between the application's view of the data and what is actually sent on the wire. Character encoding (UTF-8, ASCII), compression, and most importantly the cryptographic envelope (TLS) live here. By the time the bytes leave this layer they should look like noise to anyone watching the cable.
Opens, manages, and closes the long-running conversation between two endpoints. Tracks dialogues, synchronizes checkpoints, and decides who can speak next. In modern TCP/IP stacks this responsibility is often blended into the application and transport layers, but the OSI model gives it its own seat at the table.
End-to-end delivery between two specific processes on two specific hosts. TCP guarantees the bytes arrive in order with no duplicates or losses by using sequence numbers, acknowledgments, and retransmissions. UDP does no such thing and gets out of the way for speed. Port numbers identify the application on each side.
Moves packets between networks. Provides the logical addressing (IP) that lets a packet starting in Columbus reach a server in Chicago by hopping through routers that have never met either endpoint. Each router reads the destination IP, picks the next hop, decrements the TTL, and forwards.
Moves a frame across one physical link, from one network interface to the next directly connected interface. Uses MAC addresses, which are local to that link only, and verifies the frame survived transit with a Frame Check Sequence (CRC32). Routers strip and rebuild this header at every hop.
The bytes from layer 2 become electrical voltages on copper, light pulses in fiber, or radio waves in the air. Defines the cable type, connector, signaling scheme, and bit rate. The physical layer has no idea what the bits mean. It just transports them faithfully.
Every OSI layer adds something useful, and every OSI layer therefore adds something to attack. The card for each layer below names the kinds of threats that live there and the controls a defender can stand up to mitigate them. As you progress through the rest of Rolling Thunder Security you will go deeper into many of these.
Going down the stack means adding a header. Going up the stack means stripping that same header. Headers are not magic, they are bytes.
Each layer reads only its own header. Layer 3 does not care what is inside the layer 4 segment, and layer 4 does not care what is in the application data.
MAC addresses are good for one hop. IP addresses cross routers. Ports identify processes. Application data is only meaningful to the two endpoints.
Every router along the path strips the layer 2 frame, looks at the layer 3 destination, and rewraps the packet in a fresh layer 2 frame for the next link.
When troubleshooting or investigating an attack, the first question is always: at what layer is this happening? The answer narrows the suspect list dramatically.
Real-world TCP/IP stacks combine layers 5, 6, and 7 into a single Application layer. The OSI model still gives you sharper vocabulary when describing what is happening.