Every layer explained — what it does, the protocols at it, how attackers abuse it
What is the OSI Model (and why does it survive)?
The OSI model is the most-taught and least-used reference framework in computing. It's in every networking textbook, asked in every interview, and yet nothing actually implements it. Real networks run TCP/IP, which collapses several OSI layers into one. So why bother?
Because the OSI model gives us shared vocabulary. When a senior engineer says "this is a Layer 7 problem", everyone instantly knows the issue is in the application — not in the cabling or the routing. It's the mental tool that turns "the website is down" into a structured diagnosis: "the TCP connection is up (L4), TLS handshake completes (L6), but the HTTP response is 500 (L7) — let's check the app logs."
Where it came from
The International Organization for Standardization (ISO) proposed OSI in 1984 — at a time when networking was being invented in many places at once and standards were a mess. OSI was supposed to be THE network stack of the future. It lost. TCP/IP, the messier, simpler, free Pentagon-funded protocol, took over.
But OSI's teaching value survived. Anyone explaining networking still falls back on the 7-layer cake.
The 7 layers, top to bottom
| # | Layer | What it does |
|---|---|---|
| 7 | Application | HTTP, SSH, DNS, SMTP — what your apps actually speak |
| 6 | Presentation | Encoding, encryption, compression — TLS lives here-ish |
| 5 | Session | Session setup/teardown — mostly absorbed into apps today |
| 4 | Transport | TCP / UDP — process-to-process delivery |
| 3 | Network | IP — host-to-host routing across the globe |
| 2 | Data Link | Ethernet / Wi-Fi — single-hop frames + MAC addresses |
| 1 | Physical | Signals on actual cables, fibre, radio |
Mnemonics to remember the order
| Direction | Mnemonic |
|---|---|
| Top-down (L7 → L1) | All People Seem To Need Data Processing |
| Bottom-up (L1 → L7) | Please Do Not Throw Sausage Pizza Away |
| Bottom-up (alt) | Physical Data-link Network Transport Session Presentation Application |
The 7 layers — quick tour
Watch the whole stack light up layer by layer:
Why the layered approach matters
| Win | Why it matters in practice |
|---|---|
| Separation of concerns | Each layer solves one problem. L1 worries about signals; L7 worries about HTTP. You can replace Wi-Fi with fibre without touching L3 onwards. |
| Interoperability | Vendor A's switch (L2) talks to vendor B's router (L3) talks to vendor C's server (L7) — as long as they follow the same protocols at each layer. |
| Encapsulation | Each layer wraps the layer above in its own header. Routers in the middle look only at L3 (IP) — they don't even know what's inside. |
| Debugging structure | When something breaks, you have a clear procedure: start at L1, work up. Cable plugged in? IP route correct? TCP connection ESTABLISHED? TLS handshake clean? App returning 200? |
Top to bottom — each layer in detail
We'll go through each layer top-to-bottom — the way the data actually flows from your app to the wire.
L7 — Application
The closest layer to you, the human. This is where browsers, web servers, mail clients, SSH clients, DNS resolvers — all the things you actually interact with — live.
| Protocols | HTTP, HTTPS, SSH, FTP, SMTP, IMAP, POP3, DNS, BGP, gRPC, MQTT, AMQP, … |
| PDU | Data (or "Message") |
| Devices | Application code, libraries (curl, OpenSSL, browsers). Sometimes "L7 load balancers" / WAFs — they inspect HTTP. |
| Where bugs live | OWASP Top 10 lives here. XSS, SQL injection, broken auth, SSRF — every web vuln class. |
L6 — Presentation
How data is REPRESENTED. Character encoding (UTF-8, ASCII), compression (gzip, brotli), encryption (TLS — debatable which layer, depends who you ask), media formats (JPEG, MPEG). Translates between app data and "bytes for the network".
| Protocols | TLS, SSL, JPEG, GIF, PNG, ASCII, UTF-8, MIME, JSON, Protobuf |
| PDU | Data |
| Devices | OpenSSL, libsodium, image/video codecs |
L5 — Session
The most-debated layer. Originally meant: managing the conversation between two endpoints — dialog control, session checkpointing, restart after disconnect. In modern TCP/IP, most 'session' work happens in applications (cookies, JWTs, app-level reconnect logic) or in TLS.
| Protocols | NetBIOS, RPC, SOCKS (vaguely), SQL session, NFS session |
| PDU | Data |
| Devices | Mostly app-layer state managers; SOCKS proxies operate here-ish |
L4 — Transport
Where TCP and UDP live. Adds the concept of ports — multiple processes on the same machine multiplex over one IP. Adds reliability (TCP) or doesn't (UDP). Adds flow + congestion control (TCP only).
| Protocols | TCP, UDP, QUIC, SCTP, DCCP |
| PDU | Segment (TCP) / Datagram (UDP) |
| Devices | L4 load balancers (HAProxy in TCP mode, AWS NLB), stateful firewalls |
L3 — Network
IP and routing. Takes a data chunk and figures out how to deliver it to any host on the planet by destination IP. Hops through routers. Best-effort: no reliability, may drop / dup / reorder.
| Protocols | IPv4, IPv6, ICMP, IGMP, IPsec, OSPF (routing), BGP (routing) |
| PDU | Packet |
| Devices | Routers, L3 switches, L3 firewalls |
# See L3 in action — show a packet's journey traceroute google.com # Each line = one router hop = one L3 forwarding decision
L2 — Data Link
Single-hop delivery between physically-connected devices on the same network. Uses MAC addresses (48-bit unique-per-NIC identifiers). Switches do their work here. Wi-Fi, Ethernet, PPP, MPLS — all L2 protocols.
| Protocols | Ethernet (IEEE 802.3), Wi-Fi (802.11), PPP, ARP, VLAN (802.1Q), MPLS |
| PDU | Frame |
| Devices | Switches, bridges, wireless APs, NICs (the actual ethernet card) |
L1 — Physical
Bits as actual signals — electrical pulses on copper, photons in fibre, radio waves through the air. Defines voltage levels, timing, connector pinouts, modulation schemes. The hardware layer.
| Standards | 1000BASE-T (gigabit ethernet), 10G-BASE-SR (10G fibre), 802.11ax (Wi-Fi 6), DOCSIS (cable), DWDM (fibre) |
| PDU | Bits / Symbols |
| Devices | Hubs (obsolete), repeaters, cables, fibre transceivers, antennas, modems |
Encapsulation — how data gets layered
This is THE concept you have to internalise. When data leaves your application, every layer wraps it in its own header (and sometimes a trailer). On the receiving side, every layer strips its header off before passing the payload up.
What's actually on the wire
On the wire (for an HTTPS GET): |--Ethernet Header--|--IP Header--|--TCP Header--|--TLS Record--|--HTTP Request--|--Ethernet FCS--| 14 bytes 20 bytes 20 bytes 5+ bytes body 4 bytes # Bandwidth overhead: # - Ethernet: 14 + 4 = 18 bytes per frame # - IPv4: 20 bytes (or 40+ for IPv6) # - TCP: 20 bytes # - TLS: 5 bytes minimum # = at least ~67 bytes of overhead before your HTTP byte 1
Every layer adds bytes. For tiny HTTP requests (a 50-byte GET), the overhead is bigger than the payload. This is why HTTP/2 compresses headers and HTTP/3 / QUIC consolidates layers.
PDU naming — small but useful
| Layer | Name for the unit at this layer |
|---|---|
| L7 / L6 / L5 | Data / Message |
| L4 | Segment (TCP) / Datagram (UDP) |
| L3 | Packet |
| L2 | Frame |
| L1 | Bit / Symbol |
Which devices live at which layer
Different network devices "live" at different layers — they only look at the headers up to that layer. Knowing this is critical for designing networks and debugging.
| Device | Operates at | Job |
|---|---|---|
| Hub | L1 | Dumb repeater. Receives bits on one port, blasts them out every other port. Half-duplex, collision-prone. Obsolete since the late 1990s. |
| Switch | L2 | Looks at MAC addresses. Learns which MAC is on which port. Forwards frames intelligently. The basic building block of every LAN. |
| L3 Switch | L2+L3 | A switch with IP routing capability. Common in enterprise / data centres for VLAN-to-VLAN routing at wire speed. |
| Router | L3 | Looks at IP. Forwards packets between different networks. Runs routing protocols (OSPF, BGP). Your home gateway is a router. |
| Firewall (stateless) | L3+L4 | Allows/blocks based on src IP, dst IP, port, protocol. Simple ACL-based. |
| Firewall (stateful) | L3+L4 (with state) | Tracks connection state. Allows reply traffic automatically. iptables, pf, AWS Security Groups. |
| NAT gateway | L3+L4 | Rewrites src IP + port on outbound, reverses on inbound. Your home router is doing this. |
| L4 load balancer | L4 | Distributes connections across backends by IP+port — doesn't inspect content. AWS NLB, HAProxy in TCP mode. |
| L7 load balancer / WAF | L7 | Inspects HTTP, can route by URL/header, terminate TLS, block malicious requests. nginx, Cloudflare, AWS ALB. |
| Reverse proxy | L7 | Terminates incoming connections, makes new ones to backends. Nginx, Apache, HAProxy in HTTP mode. |
OSI vs TCP/IP — head to head
The OSI model is theoretical. TCP/IP is what actually runs. Here's how they map.
| OSI (7 layers, theory) | TCP/IP (4 layers, practice) | Examples |
|---|---|---|
| L7 — Application | Application | HTTP, SSH, DNS — apps + libraries |
| L6 — Presentation | (folded into App) | TLS, encoding |
| L5 — Session | (folded into App) | Session cookies, JWT — app-managed |
| L4 — Transport | Transport | TCP, UDP, QUIC |
| L3 — Network | Internet | IP, ICMP, IPsec |
| L2 — Data Link | Link (combined L1+L2) | Ethernet, Wi-Fi, ARP |
| L1 — Physical | Link (combined L1+L2) | Cables, signals |
Why TCP/IP "wins" in reality
TCP/IP was already widely deployed when OSI was finalised. It was free, well-documented, and ran on every Unix. OSI was complex, slow to standardise, and required licensed implementations. By the time OSI was finished, TCP/IP had already won the internet.
Today, you'll see real-world reference material use a 4 or 5-layer model: Application / Transport / Network / Link [/ Physical]. The OSI 7-layer model survives mostly in textbooks and certifications.
Where do TLS and others fit?
Strict OSI would put TLS at L6 (presentation). Pragmatic engineers call it L4.5, or "between Transport and Application". Doesn't matter for day-to-day work — you just need to know that TLS wraps TCP and is wrapped by application data.
Attacks at every layer
Every layer has its famous attacks. Learning them in layer order is how every networking-security course is structured — and it's a great map of the whole offensive landscape.
Why this mapping matters
When you're investigating an incident or designing defences, knowing which layer the attack operates at tells you which controls can stop it. Anti-XSS rules at the firewall (L3/L4) are useless — XSS lives at L7. A VLAN segmentation strategy (L2) does nothing against an attacker who's already on the same VLAN spoofing ARP.
Match the defence layer to the attack layer.
Troubleshooting — layer-by-layer diagnosis
When things break — and they always break — having a layered model lets you eliminate layers one at a time, starting from the bottom. This is the troubleshooting muscle that separates senior engineers from juniors.
The bottom-up checklist
| Layer | Diagnostic questions |
|---|---|
| L1 Physical | Cable plugged in? LED on the NIC blinking? ethtool eth0 shows link up? Wi-Fi signal strong? |
| L2 Data Link | ARP table populated? ip neigh shows the gateway? On Wi-Fi, associated to the AP? |
| L3 Network | Can you ping your gateway? Your DNS server? An external IP (ping 1.1.1.1)? traceroute shows the path? |
| L4 Transport | Is the target port reachable? nc -zv host port. Firewall blocking? Service actually listening? |
| L5/L6 | TLS handshake completes? openssl s_client -connect host:443. Cert valid? |
| L7 Application | HTTP returning expected status? curl -v. App logs? Auth? |
Tools by layer
| Layer | Tools |
|---|---|
| L1 | ethtool, iwconfig, blinking LEDs, cable tester |
| L2 | arp -a, ip neigh, tcpdump -i eth0 -nn arp, wireshark with ARP filter |
| L3 | ping, traceroute, mtr, ip route |
| L4 | nc, ss -tnp, nmap, iperf3 |
| L5/L6 | openssl s_client, testssl.sh, nmap --script ssl-enum-ciphers |
| L7 | curl -v, httpie, browser DevTools, Burp Suite, wireshark HTTP filter |
Quick Reference Cheat Sheet
References that come up daily.
Layer → PDU → Device cheat sheet
| # | Name | PDU | Devices |
|---|---|---|---|
| L7 | Application | Data | Apps, WAFs, L7 LBs |
| L6 | Presentation | Data | OpenSSL, codecs |
| L5 | Session | Data | App session managers |
| L4 | Transport | Segment | L4 LBs, stateful firewalls |
| L3 | Network | Packet | Routers, L3 switches |
| L2 | Data Link | Frame | Switches, bridges, APs |
| L1 | Physical | Bit | Hubs, cables, NICs |
Headers / overhead summary
| Protocol | Layer | Header bytes |
|---|---|---|
| Ethernet | L2 | 14 bytes header + 4 byte FCS = 18 bytes overhead per frame |
| IPv4 | L3 | 20 bytes minimum (no options) |
| IPv6 | L3 | 40 bytes fixed (no options in main header) |
| TCP | L4 | 20 bytes minimum (no options) |
| UDP | L4 | 8 bytes — that's it |
| TLS record | ~L6 | 5 bytes per record + AEAD overhead |
Famous protocols → layer mapping
| Protocol | OSI layer (approx) |
|---|---|
| ARP | 2.5 (between L2 and L3) |
| ICMP | L3 (technically rides on IP, used for diagnostics) |
| DHCP | L7 (uses UDP at L4) |
| VPN — IPsec | L3 (or L4 with NAT-T) |
| VPN — OpenVPN | L7 (uses TLS at L6, TCP/UDP at L4) |
| VPN — WireGuard | L3 (kernel-level, runs over UDP) |
| QUIC | L4 (replacing TCP — built-in TLS = L6 baked in) |
| MPLS | L2.5 (between L2 and L3 — labels) |
Mnemonic refresher
Top-down (L7 → L1): A P S T N D P
All People Seem To Need Data Processing
Bottom-up (L1 → L7): P D N T S P A
Please Do Not Throw Sausage Pizza AwayClosing Thoughts
Here's the truth about the OSI model: nobody implements it, but everyone uses it as a mental map. Once you can think in layers, every network problem becomes diagnosable. Every attack has a defence at the same layer. Every load balancer / firewall / proxy slots into a place on the cake.
Memorise the seven layers. Burn the mnemonic. Practise narrating problems in layer terms — 'this is an L4 issue', 'wait, that's actually L7'. The first time someone in a meeting describes a bug and you instinctively know which layer to investigate, you'll feel why this 40-year-old theoretical model refuses to die.
Then go run tcpdump on your own laptop. Watch the Ethernet frames containing IP packets containing TCP segments containing TLS records containing HTTP. The cake is real.