OSI Model — The 7 Layers, Deep Dive

The reference model every networking interview asks about. All 7 layers explained with the actual protocols, devices, and PDUs at each. Animated encapsulation walkthrough. Real-world attacks at every layer. The mental tool that turns "the network is down" into a layer-by-layer diagnosis.

Every layer explained — what it does, the protocols at it, how attackers abuse it

What is the OSI Model (and why does it survive)?

The OSI model is the most-taught and least-used reference framework in computing. It's in every networking textbook, asked in every interview, and yet nothing actually implements it. Real networks run TCP/IP, which collapses several OSI layers into one. So why bother?

Because the OSI model gives us shared vocabulary. When a senior engineer says "this is a Layer 7 problem", everyone instantly knows the issue is in the application — not in the cabling or the routing. It's the mental tool that turns "the website is down" into a structured diagnosis: "the TCP connection is up (L4), TLS handshake completes (L6), but the HTTP response is 500 (L7) — let's check the app logs."

Where it came from

The International Organization for Standardization (ISO) proposed OSI in 1984 — at a time when networking was being invented in many places at once and standards were a mess. OSI was supposed to be THE network stack of the future. It lost. TCP/IP, the messier, simpler, free Pentagon-funded protocol, took over.

But OSI's teaching value survived. Anyone explaining networking still falls back on the 7-layer cake.

The 7 layers, top to bottom

#LayerWhat it does
7ApplicationHTTP, SSH, DNS, SMTP — what your apps actually speak
6PresentationEncoding, encryption, compression — TLS lives here-ish
5SessionSession setup/teardown — mostly absorbed into apps today
4TransportTCP / UDP — process-to-process delivery
3NetworkIP — host-to-host routing across the globe
2Data LinkEthernet / Wi-Fi — single-hop frames + MAC addresses
1PhysicalSignals on actual cables, fibre, radio

Mnemonics to remember the order

DirectionMnemonic
Top-down (L7 → L1)All People Seem To Need Data Processing
Bottom-up (L1 → L7)Please Do Not Throw Sausage Pizza Away
Bottom-up (alt)Physical Data-link Network Transport Session Presentation Application
💡 Pro tip: Most interview questions assume you remember the order. Pick one mnemonic and burn it in. "Please Do Not Throw Sausage Pizza Away" is the one I drilled into my head 20 years ago and still use.

The 7 layers — quick tour

Watch the whole stack light up layer by layer:

Why the layered approach matters

WinWhy it matters in practice
Separation of concernsEach layer solves one problem. L1 worries about signals; L7 worries about HTTP. You can replace Wi-Fi with fibre without touching L3 onwards.
InteroperabilityVendor A's switch (L2) talks to vendor B's router (L3) talks to vendor C's server (L7) — as long as they follow the same protocols at each layer.
EncapsulationEach layer wraps the layer above in its own header. Routers in the middle look only at L3 (IP) — they don't even know what's inside.
Debugging structureWhen something breaks, you have a clear procedure: start at L1, work up. Cable plugged in? IP route correct? TCP connection ESTABLISHED? TLS handshake clean? App returning 200?

Top to bottom — each layer in detail

We'll go through each layer top-to-bottom — the way the data actually flows from your app to the wire.

L7 — Application

The closest layer to you, the human. This is where browsers, web servers, mail clients, SSH clients, DNS resolvers — all the things you actually interact with — live.

ProtocolsHTTP, HTTPS, SSH, FTP, SMTP, IMAP, POP3, DNS, BGP, gRPC, MQTT, AMQP, …
PDUData (or "Message")
DevicesApplication code, libraries (curl, OpenSSL, browsers). Sometimes "L7 load balancers" / WAFs — they inspect HTTP.
Where bugs liveOWASP Top 10 lives here. XSS, SQL injection, broken auth, SSRF — every web vuln class.

L6 — Presentation

How data is REPRESENTED. Character encoding (UTF-8, ASCII), compression (gzip, brotli), encryption (TLS — debatable which layer, depends who you ask), media formats (JPEG, MPEG). Translates between app data and "bytes for the network".

The pedantic "TLS is L6 or L5 or L4-ish" argument has raged since 2000. Practically: TLS adds an encryption layer between TCP and HTTP. Call it L6, call it L4.5, call it "presentation-ish" — everyone understands.
ProtocolsTLS, SSL, JPEG, GIF, PNG, ASCII, UTF-8, MIME, JSON, Protobuf
PDUData
DevicesOpenSSL, libsodium, image/video codecs

L5 — Session

The most-debated layer. Originally meant: managing the conversation between two endpoints — dialog control, session checkpointing, restart after disconnect. In modern TCP/IP, most 'session' work happens in applications (cookies, JWTs, app-level reconnect logic) or in TLS.

ProtocolsNetBIOS, RPC, SOCKS (vaguely), SQL session, NFS session
PDUData
DevicesMostly app-layer state managers; SOCKS proxies operate here-ish
💡 Pro tip: Fun trivia: when something says 'L5 load balancer', usually it just means 'reads enough to route by hostname / session ID without going full L7 inspection'. Marketing layer talk.

L4 — Transport

Where TCP and UDP live. Adds the concept of ports — multiple processes on the same machine multiplex over one IP. Adds reliability (TCP) or doesn't (UDP). Adds flow + congestion control (TCP only).

ProtocolsTCP, UDP, QUIC, SCTP, DCCP
PDUSegment (TCP) / Datagram (UDP)
DevicesL4 load balancers (HAProxy in TCP mode, AWS NLB), stateful firewalls

L3 — Network

IP and routing. Takes a data chunk and figures out how to deliver it to any host on the planet by destination IP. Hops through routers. Best-effort: no reliability, may drop / dup / reorder.

ProtocolsIPv4, IPv6, ICMP, IGMP, IPsec, OSPF (routing), BGP (routing)
PDUPacket
DevicesRouters, L3 switches, L3 firewalls
shell
# See L3 in action — show a packet's journey
traceroute google.com
# Each line = one router hop = one L3 forwarding decision

L2 — Data Link

Single-hop delivery between physically-connected devices on the same network. Uses MAC addresses (48-bit unique-per-NIC identifiers). Switches do their work here. Wi-Fi, Ethernet, PPP, MPLS — all L2 protocols.

ProtocolsEthernet (IEEE 802.3), Wi-Fi (802.11), PPP, ARP, VLAN (802.1Q), MPLS
PDUFrame
DevicesSwitches, bridges, wireless APs, NICs (the actual ethernet card)
ARP (Address Resolution Protocol) sits weirdly between L2 and L3. It maps L3 (IP) addresses to L2 (MAC) addresses on a LAN. Without ARP, you couldn't actually send your IP packet onto Ethernet — you need to know what MAC to put in the frame header.

L1 — Physical

Bits as actual signals — electrical pulses on copper, photons in fibre, radio waves through the air. Defines voltage levels, timing, connector pinouts, modulation schemes. The hardware layer.

Standards1000BASE-T (gigabit ethernet), 10G-BASE-SR (10G fibre), 802.11ax (Wi-Fi 6), DOCSIS (cable), DWDM (fibre)
PDUBits / Symbols
DevicesHubs (obsolete), repeaters, cables, fibre transceivers, antennas, modems

Encapsulation — how data gets layered

This is THE concept you have to internalise. When data leaves your application, every layer wraps it in its own header (and sometimes a trailer). On the receiving side, every layer strips its header off before passing the payload up.

What's actually on the wire

shell
On the wire (for an HTTPS GET):

|--Ethernet Header--|--IP Header--|--TCP Header--|--TLS Record--|--HTTP Request--|--Ethernet FCS--|
   14 bytes            20 bytes      20 bytes      5+ bytes        body            4 bytes

# Bandwidth overhead:
# - Ethernet: 14 + 4 = 18 bytes per frame
# - IPv4:    20 bytes (or 40+ for IPv6)
# - TCP:     20 bytes
# - TLS:     5 bytes minimum
# = at least ~67 bytes of overhead before your HTTP byte 1

Every layer adds bytes. For tiny HTTP requests (a 50-byte GET), the overhead is bigger than the payload. This is why HTTP/2 compresses headers and HTTP/3 / QUIC consolidates layers.

PDU naming — small but useful

LayerName for the unit at this layer
L7 / L6 / L5Data / Message
L4Segment (TCP) / Datagram (UDP)
L3Packet
L2Frame
L1Bit / Symbol
💡 Pro tip: 'Frame' and 'packet' are NOT interchangeable in conversation with networking people. Saying 'tcp packet' is a giveaway you're not L4-trained — say 'tcp segment'. Saying 'ethernet packet' should be 'ethernet frame'.

Which devices live at which layer

Different network devices "live" at different layers — they only look at the headers up to that layer. Knowing this is critical for designing networks and debugging.

DeviceOperates atJob
HubL1Dumb repeater. Receives bits on one port, blasts them out every other port. Half-duplex, collision-prone. Obsolete since the late 1990s.
SwitchL2Looks at MAC addresses. Learns which MAC is on which port. Forwards frames intelligently. The basic building block of every LAN.
L3 SwitchL2+L3A switch with IP routing capability. Common in enterprise / data centres for VLAN-to-VLAN routing at wire speed.
RouterL3Looks at IP. Forwards packets between different networks. Runs routing protocols (OSPF, BGP). Your home gateway is a router.
Firewall (stateless)L3+L4Allows/blocks based on src IP, dst IP, port, protocol. Simple ACL-based.
Firewall (stateful)L3+L4 (with state)Tracks connection state. Allows reply traffic automatically. iptables, pf, AWS Security Groups.
NAT gatewayL3+L4Rewrites src IP + port on outbound, reverses on inbound. Your home router is doing this.
L4 load balancerL4Distributes connections across backends by IP+port — doesn't inspect content. AWS NLB, HAProxy in TCP mode.
L7 load balancer / WAFL7Inspects HTTP, can route by URL/header, terminate TLS, block malicious requests. nginx, Cloudflare, AWS ALB.
Reverse proxyL7Terminates incoming connections, makes new ones to backends. Nginx, Apache, HAProxy in HTTP mode.

OSI vs TCP/IP — head to head

The OSI model is theoretical. TCP/IP is what actually runs. Here's how they map.

OSI (7 layers, theory)TCP/IP (4 layers, practice)Examples
L7 — ApplicationApplicationHTTP, SSH, DNS — apps + libraries
L6 — Presentation(folded into App)TLS, encoding
L5 — Session(folded into App)Session cookies, JWT — app-managed
L4 — TransportTransportTCP, UDP, QUIC
L3 — NetworkInternetIP, ICMP, IPsec
L2 — Data LinkLink (combined L1+L2)Ethernet, Wi-Fi, ARP
L1 — PhysicalLink (combined L1+L2)Cables, signals

Why TCP/IP "wins" in reality

TCP/IP was already widely deployed when OSI was finalised. It was free, well-documented, and ran on every Unix. OSI was complex, slow to standardise, and required licensed implementations. By the time OSI was finished, TCP/IP had already won the internet.

Today, you'll see real-world reference material use a 4 or 5-layer model: Application / Transport / Network / Link [/ Physical]. The OSI 7-layer model survives mostly in textbooks and certifications.

Where do TLS and others fit?

Strict OSI would put TLS at L6 (presentation). Pragmatic engineers call it L4.5, or "between Transport and Application". Doesn't matter for day-to-day work — you just need to know that TLS wraps TCP and is wrapped by application data.

Attacks at every layer

Every layer has its famous attacks. Learning them in layer order is how every networking-security course is structured — and it's a great map of the whole offensive landscape.

Why this mapping matters

When you're investigating an incident or designing defences, knowing which layer the attack operates at tells you which controls can stop it. Anti-XSS rules at the firewall (L3/L4) are useless — XSS lives at L7. A VLAN segmentation strategy (L2) does nothing against an attacker who's already on the same VLAN spoofing ARP.

Match the defence layer to the attack layer.

Troubleshooting — layer-by-layer diagnosis

When things break — and they always break — having a layered model lets you eliminate layers one at a time, starting from the bottom. This is the troubleshooting muscle that separates senior engineers from juniors.

The bottom-up checklist

LayerDiagnostic questions
L1 PhysicalCable plugged in? LED on the NIC blinking? ethtool eth0 shows link up? Wi-Fi signal strong?
L2 Data LinkARP table populated? ip neigh shows the gateway? On Wi-Fi, associated to the AP?
L3 NetworkCan you ping your gateway? Your DNS server? An external IP (ping 1.1.1.1)? traceroute shows the path?
L4 TransportIs the target port reachable? nc -zv host port. Firewall blocking? Service actually listening?
L5/L6TLS handshake completes? openssl s_client -connect host:443. Cert valid?
L7 ApplicationHTTP returning expected status? curl -v. App logs? Auth?

Tools by layer

LayerTools
L1ethtool, iwconfig, blinking LEDs, cable tester
L2arp -a, ip neigh, tcpdump -i eth0 -nn arp, wireshark with ARP filter
L3ping, traceroute, mtr, ip route
L4nc, ss -tnp, nmap, iperf3
L5/L6openssl s_client, testssl.sh, nmap --script ssl-enum-ciphers
L7curl -v, httpie, browser DevTools, Burp Suite, wireshark HTTP filter
💡 Pro tip: My personal rule when something\'s broken: 'always start at L1 and work up'. 80% of 'network problems' are actually app problems at L7. But the 20% that aren't will eat your day if you don't check the lower layers first.

Quick Reference Cheat Sheet

References that come up daily.

Layer → PDU → Device cheat sheet

#NamePDUDevices
L7ApplicationDataApps, WAFs, L7 LBs
L6PresentationDataOpenSSL, codecs
L5SessionDataApp session managers
L4TransportSegmentL4 LBs, stateful firewalls
L3NetworkPacketRouters, L3 switches
L2Data LinkFrameSwitches, bridges, APs
L1PhysicalBitHubs, cables, NICs

Headers / overhead summary

ProtocolLayerHeader bytes
EthernetL214 bytes header + 4 byte FCS = 18 bytes overhead per frame
IPv4L320 bytes minimum (no options)
IPv6L340 bytes fixed (no options in main header)
TCPL420 bytes minimum (no options)
UDPL48 bytes — that's it
TLS record~L65 bytes per record + AEAD overhead

Famous protocols → layer mapping

ProtocolOSI layer (approx)
ARP2.5 (between L2 and L3)
ICMPL3 (technically rides on IP, used for diagnostics)
DHCPL7 (uses UDP at L4)
VPN — IPsecL3 (or L4 with NAT-T)
VPN — OpenVPNL7 (uses TLS at L6, TCP/UDP at L4)
VPN — WireGuardL3 (kernel-level, runs over UDP)
QUICL4 (replacing TCP — built-in TLS = L6 baked in)
MPLSL2.5 (between L2 and L3 — labels)

Mnemonic refresher

shell
Top-down (L7 → L1):     A P S T N D P
                        All People Seem To Need Data Processing

Bottom-up (L1 → L7):    P D N T S P A
                        Please Do Not Throw Sausage Pizza Away

Closing Thoughts

Here's the truth about the OSI model: nobody implements it, but everyone uses it as a mental map. Once you can think in layers, every network problem becomes diagnosable. Every attack has a defence at the same layer. Every load balancer / firewall / proxy slots into a place on the cake.

Memorise the seven layers. Burn the mnemonic. Practise narrating problems in layer terms — 'this is an L4 issue', 'wait, that's actually L7'. The first time someone in a meeting describes a bug and you instinctively know which layer to investigate, you'll feel why this 40-year-old theoretical model refuses to die.

Then go run tcpdump on your own laptop. Watch the Ethernet frames containing IP packets containing TCP segments containing TLS records containing HTTP. The cake is real.

Reactions

Related Articles