Networking can seem inscrutable with its jargon, acronyms, and technical details. However, understanding network communication becomes easier with two key conceptual models: the OSI and TCP/IP models. These models provide abstract representations of how data is transmitted over a network through a stack of layers, each dependent on its adjacent layers.
The OSI Model
The Open Systems Interconnection (OSI) model, developed by ISO from the late 1970s and published as a standard in 1984, divides networking functions into layers and encourages interoperability between systems from different vendors. It has seven layers, commonly grouped into the "media" layers (1 to 3, which move bits and packets between machines) and the "host" layers (4 to 7, which are implemented in the end systems):
- Physical (Layer 1): Transmits raw data over physical media like cables or radio waves. It involves electrical signals and low-level data units (bits and symbols).
- Data Link (Layer 2): Transmits data between nodes on a local network using MAC addresses. Switches operate at this layer.
- Network (Layer 3): Manages data transmission between different networks using IP addresses. Routers operate at this layer.
- Transport (Layer 4): Provides end-to-end data transfer between processes on two hosts, using port numbers to identify them. TCP sets up a connection and delivers data in order, retransmitting what is lost (reliable); UDP is connectionless and delivers datagrams with no ordering or delivery guarantee, which makes it lighter and lower-latency. TCP also breaks large transfers into segments.
- Session (Layer 5): Manages communication sessions between applications, including setup, maintenance, and teardown (dialog control). Course material often also places authentication and session re-establishment here; in the TCP/IP world those jobs are done by application-layer protocols.
- Presentation (Layer 6): Formats and presents data, handling encryption, compression, and encoding to ensure data is in a usable format.
- Application (Layer 7): Provides network services to end-user programs such as web browsers and email clients (HTTP, SMTP, DNS and so on). It is the layer a program talks to, not the program itself.
Mnemonics for OSI Layers
L7-L1: "All People Seem To Need Data Processing"
L1-L7: "Please Do Not Throw Sausage Pizza Away"
The TCP/IP Model
The TCP/IP model is the four-layer model that the Internet protocol suite is actually built around. Compared with OSI it merges several layers:
- Network Access (Layer 1): Combines OSI's Physical and Data Link layers.
- Internet (Layer 2): Equivalent to OSI's Network layer, handling IP routing.
- Transport (Layer 3): Similar to OSI's Transport layer, managing end-to-end data transfer using TCP and UDP.
- Application (Layer 4): Combines OSI's Application, Presentation, and Session layers, handling high-level protocols like HTTP, FTP, and SMTP.
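The encapsulation and decapsulation that both models describe becomes concrete when you build a frame and parse it again. The Python below is an added example written for this page, not code from the lab: it constructs an Ethernet/IPv4/TCP frame carrying an HTTP request (the MAC addresses, the client address 10.50.0.2 and the port numbers are assumed; only the server address and port mirror the guided-exercise answers) and then walks back up the TCP/IP stack, checking the demultiplexing field at each layer (EtherType, IP protocol, IHL and Total Length, TCP Data Offset) the way a real receiver does.

```python
"""Encapsulate an HTTP request down the TCP/IP stack and decapsulate it again.
All addresses and headers are constructed for this example, not taken from a capture."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header whose checksum is valid it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Sending: wrap the Application payload in TCP, then IPv4, then Ethernet (down the stack)."""
    # TCP header: seq/ack 1, Data Offset 5 words, flags PSH|ACK; TCP checksum left at 0
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]  # fill checksum
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + tcp


def parse_ethernet(frame: bytes) -> dict:
    """Network Access layer: 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {"dst_mac": fmt(dst), "src_mac": fmt(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """Internet layer: honour IHL (options) and Total Length (trailing padding), verify the checksum."""
    if len(packet) < 20:
        raise ValueError("packet too short for IPv4")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "protocol": proto, "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Transport layer: ports identify the endpoints; Data Offset gives the header length."""
    if len(segment) < 20:
        raise ValueError("segment too short for TCP")
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("malformed TCP header")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": segment[data_offset:]}


def parse_http_request(data: bytes) -> dict:
    """Application layer: request line and headers of an HTTP/1.x request."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def decapsulate(frame: bytes) -> dict:
    """Receiving: peel Ethernet, IPv4, TCP and finally HTTP (up the stack), checking each demux field."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{eth['ethertype']:04x}")
    ip = parse_ipv4(eth["payload"])
    if ip["protocol"] != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip['protocol']}")
    tcp = parse_tcp(ip["payload"])
    layers = {"network_access": eth, "internet": ip, "transport": tcp}
    if tcp["payload"][:4] in (b"GET ", b"POST", b"HEAD"):
        layers["application"] = parse_http_request(tcp["payload"])
    return layers


# Constructed sample: an assumed client 10.50.0.2 sending GET to the lab's server address and port.
SAMPLE_FRAME = encapsulate("02:00:00:00:00:01", "02:00:00:00:00:02", "10.50.0.2", "10.50.0.254",
                           51000, 8080, b"GET /flag HTTP/1.1\r\nHost: 10.50.0.254:8080\r\n\r\n")

if __name__ == "__main__":
    for layer, fields in decapsulate(SAMPLE_FRAME).items():
        print(layer, {k: v for k, v in fields.items() if k != "payload"})
```

Each parser returns a `payload` that becomes the next layer's input, which is exactly what Wireshark's packet-details tree shows top to bottom; the IHL/Total Length and Data Offset checks are the places where hand-rolled parsers (and some real stacks) have historically gone wrong, so the example refuses malformed headers instead of guessing.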
Lab Questions and Answers: 1.1 Core Concepts
1. The OSI and TCP/IP models can best be defined as which of the following:
A. Useful abstractions for describing the interoperation of network protocols.
B. Database models that describe the interactions between services in a web application.
C. Exact representations of how the network stack can be organized.
D. Outdated representations of networks in the past.
Answer: A
2. In terms of the OSI and TCP/IP network models, sending data from an application entails traveling ______ the stack in a process known as ________; receiving data from an application entails traveling _______ the stack in a process known as ______.
A. up, decapsulation; down, encapsulation
B. up, encapsulation; down, decapsulation
C. down, encapsulation; up, decapsulation
D. down, decapsulation; up, encapsulation
Answer: C
3. What layer of the TCP/IP model corresponds to the Physical and Data Link layers of the OSI model?
A. Network Access
B. Web Access
C. Application
D. Transport
Answer: A
4. A colleague has just informed you they are encountering issues with their Layer 3 Switch. Which layer of the OSI model does this switch operate at?
A. Physical
B. Application
C. Network
D. Data Link
Answer: C
5. A simple firewall has been set up that merely allows or drops packets that it receives, with no knowledge of TCP connections. Which layer of the OSI model does this firewall operate at?
A. Layer 3
B. Layer 4
C. Layer 7
D. None of the above
Answer: A
Lab Questions and Answers: 1.2 Guided Exercise
1. You’ve just sent an HTTP request to a website. List the order in which your request will traverse the layers of the TCP/IP model.
A. Application, Session, Presentation, Media, Transport
B. Application, Transport, Network Access, Data Link, Physical
C. Presentation, Session, Application, Internet Access, Physical
D. Application, Transport, Internet, Network Access
Answer: D
2. What is the MAC address of the WAP’s transmitter, as indicated in the Data Link layer of the Beacon packets?
Answer: 00:02:00:00:00:10
Hint: Apply the display filter wlan.fc.type_subtype == 0x08 to list only Beacon frames, then expand the IEEE 802.11 Beacon frame row; the Transmitter address field (which for an access point matches the BSS Id) is the MAC you want.

3. What are the IP address and port of the destination web server seen in this capture? This information is in the Internet/Network and Transport layers of the request, and may also appear at the Application layer (for example in the HTTP Host header).
Answer: 10.50.0.254:8080
Hint: Apply the http display filter to show only web traffic. In a request the server is the destination, so read the Destination address in the Internet Protocol row and the Destination Port in the Transmission Control Protocol row (in a response the same values appear as the source). To show the port as a column, open Edit > Preferences > Appearance > Columns and add a column of type "Dest port (unresolved)".
4. What is the flag discovered in the Application layer data returned by the web server?
Answer: {CLAB-Practicum}
Hint: Apply the http.response display filter to list only the server's responses, then expand the "Line-based text data" row in the packet details.
Lab Questions and Answers: 1.3 Challenge Exercise
It's time to go it alone! You will find another packet capture, Prove.pcapng, on your desktop. Open it in Wireshark and use it to answer the questions in the Tasks pane.
1. What channel is the Wireless Access Point broadcasting on in this capture? You can find this information in the Physical Layer of the Beacon packets.
Answer: 36
Hint: Apply the display filter wlan.fc.type_subtype == 0x08 to list only beacon frames, then expand the Radiotap Header row; its Channel frequency field gives the centre frequency, and channel 36 sits at 5180 MHz in the 5 GHz band.
2. What TCP port is the web server listening on (the receiver of the HTTP request) in this capture?
Answer: 1337
Hint: Apply the http display filter and read the Destination Port of the request, or right-click a packet and choose Follow > HTTP Stream to see both sides of the exchange.
3. What is the Network/Internet Layer address of the machine making an HTTP request?
Answer: 10.45.0.2
Hint: Apply the http display filter and read the Source address of the request; the client is the source of the request and the destination of the response.
4. What is the flag discovered in the Application layer data returned by the web server?
Answer: {CLAB_C3RT}
Hint: Right-click any http packet, choose Follow > HTTP Stream, and read the response body.
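Question 2 of the guided exercise and question 1 of the challenge both come down to reading fields from the radiotap header and the 802.11 management header of a beacon. The Python below is an added example, not part of the lab: it constructs one monitor-mode capture record (radiotap header followed by a beacon frame; the SSID "ClabNet", the beacon interval and the capability bits are assumed, and the transmitter MAC and channel are chosen to mirror the answers above rather than read from the captures) and parses it into the same fields Wireshark shows: frequency and channel from radiotap, transmitter address and BSSID from the 802.11 header, and the SSID and DS Parameter Set channel from the tagged parameters.

```python
"""Parse a radiotap + IEEE 802.11 beacon record the way Wireshark's packet tree presents it.
The record is constructed for this example; it is not taken from the lab captures."""
import struct

RT_TSFT, RT_FLAGS, RT_RATE, RT_CHANNEL, RT_EXT = 1 << 0, 1 << 1, 1 << 2, 1 << 3, 1 << 31
FLAG_FCS = 0x10    # radiotap Flags bit: the frame ends with a 4-byte FCS
BEACON = 0x08      # Wireshark's wlan.fc.type_subtype value for a beacon


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frequency_to_channel(freq_mhz: int) -> int:
    """Map an 802.11 centre frequency in MHz to its channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5895:
        return (freq_mhz - 5000) // 5
    raise ValueError(f"unknown frequency {freq_mhz} MHz")


def parse_radiotap(buf: bytes) -> dict:
    """Physical-layer metadata the capture driver prepends; it is never sent over the air."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or length < 8 or length > len(buf):
        raise ValueError("bad radiotap header")
    offset, ext = 8, present
    while ext & RT_EXT:                       # skip any extended presence words
        ext = struct.unpack_from("<I", buf, offset)[0]
        offset += 4
    info = {}
    if present & RT_TSFT:                     # u64, naturally aligned
        offset = (offset + 7) & ~7
        info["tsft_us"] = struct.unpack_from("<Q", buf, offset)[0]
        offset += 8
    if present & RT_FLAGS:
        info["flags"] = buf[offset]
        offset += 1
    if present & RT_RATE:                     # units of 500 kbps
        info["rate_mbps"] = buf[offset] / 2
        offset += 1
    if present & RT_CHANNEL:                  # u16 frequency + u16 flags, 2-byte aligned
        offset = (offset + 1) & ~1
        freq, chan_flags = struct.unpack_from("<HH", buf, offset)
        offset += 4
        info.update(frequency_mhz=freq, channel_flags=chan_flags, channel=frequency_to_channel(freq))
    if offset > length:
        raise ValueError("radiotap fields overrun the declared length")
    info["payload"] = buf[length:]            # the 802.11 frame starts here
    return info


def parse_80211_beacon(frame: bytes) -> dict:
    """Data Link layer: 24-byte management header, fixed beacon fields, then tagged parameters."""
    fc, _dur, addr1, addr2, addr3, _seq = struct.unpack_from("<H2s6s6s6sH", frame, 0)
    type_subtype = (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)
    if type_subtype != BEACON:
        raise ValueError(f"not a beacon: type_subtype 0x{type_subtype:02x}")
    body = frame[24:]
    _timestamp, interval, _cap = struct.unpack_from("<QHH", body, 0)
    info = {"receiver": mac_str(addr1), "transmitter": mac_str(addr2), "bssid": mac_str(addr3),
            "beacon_interval_tu": interval, "tags": {}}
    offset = 12
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        info["tags"][tag] = value
        offset += 2 + length
    info["ssid"] = info["tags"].get(0, b"").decode("utf-8", errors="replace")
    if 3 in info["tags"]:                     # DS Parameter Set carries the channel as well
        info["ds_channel"] = info["tags"][3][0]
    return info


def parse_capture_record(record: bytes) -> dict:
    """One record from a monitor-mode capture: radiotap header, then the 802.11 frame."""
    rt = parse_radiotap(record)
    frame = rt["payload"]
    if rt.get("flags", 0) & FLAG_FCS:
        frame = frame[:-4]                    # drop the FCS so it is not misread as a tag
    return {"radiotap": rt, "wlan": parse_80211_beacon(frame)}


# Constructed sample: radiotap (Flags, Rate 6 Mbps, Channel 5180 MHz) + beacon from 00:02:00:00:00:10
SSID = b"ClabNet"
SAMPLE_RECORD = (
    struct.pack("<BBHI", 0, 0, 14, RT_FLAGS | RT_RATE | RT_CHANNEL) + b"\x00\x0c"
    + struct.pack("<HH", 5180, 0x0140)                                  # channel flags: OFDM, 5 GHz
    + struct.pack("<H2s6s6s6sH", 0x0080, b"\x00\x00", b"\xff" * 6,
                  bytes.fromhex("000200000010"), bytes.fromhex("000200000010"), 0)
    + struct.pack("<QHH", 0, 100, 0x0011)                               # timestamp, interval, capability
    + bytes([0, len(SSID)]) + SSID + bytes([3, 1, 36])                  # SSID tag, DS Parameter Set tag
)

if __name__ == "__main__":
    rec = parse_capture_record(SAMPLE_RECORD)
    print("channel", rec["radiotap"]["channel"], "transmitter", rec["wlan"]["transmitter"],
          "ssid", rec["wlan"]["ssid"])
```

The radiotap header is why the channel is found in the "Physical layer" of the capture even though nothing physical is on the wire: the driver records frequency, rate and signal data in front of each frame. Note the FCS handling: when the capture includes the frame check sequence, Wireshark and this parser must strip it before walking the tagged parameters, otherwise the last four bytes get interpreted as a bogus tag.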
Conclusion
In this article, we explored the essential elements of analyzing network traffic captured using Wireshark, focusing on identifying critical information from different layers of the OSI model. By inspecting the Data Link layer, we discovered the MAC address of the WAP's transmitter, providing a unique identifier for the device in the wireless network. The examination of the Transport and Internet/Network layers revealed the destination IP address and TCP port of a web server, crucial for understanding the communication endpoints in the network. Finally, the inspection of the Application layer data provided insights into the data exchanged between the client and the server, highlighting potential flags or key pieces of information.