OSI Model vs TCP/IP — 7 Layers Explained for Beginners
What Is the OSI Model vs TCP/IP Model and Why Does It Matter?
The OSI (Open Systems Interconnection) model, defined in ISO/IEC 7498-1, is the international standard reference framework for network communication, dividing it into seven layers. The TCP/IP model, specified across IETF RFCs including RFC 1122, is the four-layer practical model that powers the internet. Both are tested on CompTIA Network+ (N10-009) and CompTIA Security+ (SY0-701).
The OSI model vs TCP/IP model comparison is the single most foundational concept in cybersecurity networking. Every packet you capture in Wireshark, every firewall rule you write, every attack you investigate — all of it maps back to these two models. If you understand the layers, you understand where attacks happen, what defenses apply, and how data actually moves between systems.
The OSI (Open Systems Interconnection) model has seven layers. It is the theoretical reference framework — the way security professionals talk about network communication. The TCP/IP model has four layers. It is the practical model — the way the internet actually works. Both describe the same process: getting data from one application on one computer to another application on another computer. They just divide that process differently.
If you are preparing for CompTIA Security+ (SY0-701), CompTIA Network+ (N10-009), or the Certified Ethical Hacker (CEH) exam, both models will be tested. SOC analysts reference them daily when investigating incidents.
When I first encountered the OSI model during my self-study, I thought it was an abstract academic concept that had nothing to do with real work. Seven layers with names like “Presentation” and “Session” felt disconnected from anything practical. Then I started my home lab, ran Wireshark, and watched an actual HTTPS request. I could see the TCP handshake at Layer 4, the IP addresses at Layer 3, and the Ethernet frames at Layer 2 — all in the same packet capture. Suddenly the OSI model was not an abstract chart. It was a map that told me exactly where to look when something went wrong. That shift from memorisation to understanding changed everything for me. I wrote about it in more detail in OSI Model: 7 Layers Explained for Beginners.
What Do Real-World OSI and TCP/IP Attacks Look Like?
Understanding network layers is not an academic exercise. It directly affects how security teams work every day.
| Scenario | Why Layers Matter |
|---|---|
| A SOC analyst sees suspicious DNS traffic in SIEM logs | DNS operates at Layer 7 (Application). Knowing this helps you isolate the relevant logs and understand what type of exfiltration might be happening |
| A penetration tester performs ARP spoofing | ARP operates at Layer 2 (Data Link). Understanding this tells you the attack only works on the local network segment |
| A firewall engineer writes rules to block specific traffic | Firewall rules reference Layer 3 (IP addresses), Layer 4 (ports), and sometimes Layer 7 (application protocols) |
| A security engineer investigates a SYN flood attack | SYN floods target Layer 4 (Transport). Knowing this points you toward TCP-specific mitigations |
| An incident responder traces a phishing attack | The malicious link uses HTTP (Layer 7), DNS (Layer 7 for resolution), TCP (Layer 4 for transport), and IP (Layer 3 for routing) |
| A compliance auditor reviews network segmentation | Segmentation operates at Layer 2 (VLANs) and Layer 3 (subnets and routing) |
Every security investigation involves asking “at which layer did this happen?” The models give you the vocabulary and framework to answer that question precisely.
How Does the OSI Model Work?
According to ISO/IEC 7498-1, the OSI model partitions network communication into seven hierarchical layers, each providing services to the layer above and consuming services from the layer below. The TCP/IP model (IETF RFC 1122) condenses this into four functional layers that map directly to real protocol implementations.
Before diving into the layers, think of network communication like sending a physical letter through a postal system.
When you write a letter, you do not think about all the steps between your pen and the recipient’s mailbox. You write the content (the message), put it in an envelope (addressing), hand it to the postal service (transport), which loads it onto trucks and planes (physical delivery). Each step adds its own wrapper and handling.
Network communication works the same way. Your web browser creates an HTTP request (the message). TCP wraps it with port numbers and sequence data (reliable delivery). IP adds source and destination addresses (routing). Ethernet frames the whole thing for the local network (physical delivery). Each layer adds a header — a wrapper with information that layer needs — in a process called encapsulation. The receiving computer reverses the process, stripping headers layer by layer in decapsulation, until the original message reaches the application.
The OSI model divides this process into seven steps. The TCP/IP model simplifies it to four. Both describe the same journey — they just draw the boundaries between steps differently.
Certification objective: CompTIA Security+ SY0-701 tests networking models and protocols. CompTIA Network+ N10-009 tests them in significant depth. CEH v13 maps specific attacks to OSI layers.
The 7 Layers of the OSI Model — Step by Step
Each layer has a specific job. Data passes through every layer when it is sent and received. Here is what each layer does, starting from the top where you interact with applications, down to the bottom where electrical signals travel through cables.
Layer 7 — Application
The Application layer is where users interact with the network. It provides network services directly to applications — your web browser, email client, or file transfer tool.
Protocols: HTTP, HTTPS, DNS, FTP, SMTP, POP3, IMAP, SSH, SNMP, Telnet
Security relevance: Most application-level attacks happen here. SQL injection, cross-site scripting (XSS), phishing, and DNS poisoning all target Layer 7. Web Application Firewalls (WAFs) operate at this layer.
Layer 6 — Presentation
The Presentation layer translates data between the application format and the network format. It handles encryption, compression, and data formatting.
Functions: TLS/SSL encryption, data compression, character encoding (ASCII, Unicode), image formatting (JPEG, PNG)
Security relevance: TLS/SSL encryption happens at this layer. Certificate validation, encryption negotiation, and data format vulnerabilities are Layer 6 concerns.
Layer 5 — Session
The Session layer establishes, manages, and terminates connections between applications. It keeps track of which conversation belongs to which application.
Protocols: NetBIOS, RPC, PPTP, session management in SMB
Security relevance: Session hijacking attacks target this layer. If an attacker steals a session token, they can take over an authenticated connection without knowing the user’s credentials.
Layer 4 — Transport
The Transport layer ensures reliable (or fast) data delivery between endpoints. It segments data into manageable pieces, handles flow control, and manages error correction.
Protocols: TCP (reliable, connection-oriented), UDP (fast, connectionless)
Security relevance: SYN flood attacks exploit TCP’s three-way handshake at this layer. Port scanning (what Nmap does) operates here. Firewalls use Layer 4 information (port numbers) to allow or block traffic.
Key concept: TCP uses a three-way handshake to establish connections: SYN → SYN-ACK → ACK. This handshake is fundamental to understanding many network attacks.
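To make the handshake concrete, here is a small Python tracker, added as an illustration and not part of the original article, that walks a list of constructed TCP control packets through the SYN → SYN-ACK → ACK states and counts the connections that never complete. Many half-open connections piling up on one service is the defender-side signature of a SYN flood. Counting per destination rather than per source is deliberate, because flood sources are usually spoofed. The packet tuples, the 10.0.0.0/8 and 203.0.113.0/24 addresses and the threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of TCP control packets as
# (src_ip, src_port, dst_ip, dst_port, flags), in arrival order.
SAMPLE_EVENTS = [
    # One normal handshake: SYN -> SYN-ACK -> ACK
    ("10.0.0.5", 49152, "10.0.0.10", 443, "SYN"),
    ("10.0.0.10", 443, "10.0.0.5", 49152, "SYN-ACK"),
    ("10.0.0.5", 49152, "10.0.0.10", 443, "ACK"),
]
# Five more SYNs to the same service whose SYN-ACKs are never acknowledged
for i in range(1, 6):
    SAMPLE_EVENTS.append(("203.0.113.%d" % i, 40000 + i, "10.0.0.10", 443, "SYN"))
    SAMPLE_EVENTS.append(("10.0.0.10", 443, "203.0.113.%d" % i, 40000 + i, "SYN-ACK"))


def track_handshakes(events):
    """Walk each connection through the three-way handshake.
    Returns {(client_ip, client_port, server_ip, server_port): state}."""
    state = {}
    for src, sport, dst, dport, flags in events:
        if flags == "SYN":                       # step 1, client -> server
            state[(src, sport, dst, dport)] = "SYN_SENT"
        elif flags == "SYN-ACK":                 # step 2, server -> client
            key = (dst, dport, src, sport)       # re-key from the client's side
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECEIVED"
        elif flags == "ACK":                     # step 3, client -> server
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "ESTABLISHED"       # later ACKs on the open connection are ignored
    return state


def half_open_per_service(events):
    """Count connections that never completed, keyed by the service holding them open.
    Counting per destination is deliberate: SYN-flood sources are usually spoofed."""
    per_service = defaultdict(int)
    for (_, _, dst, dport), st in track_handshakes(events).items():
        if st != "ESTABLISHED":
            per_service[(dst, dport)] += 1
    return dict(per_service)


def suspected_syn_flood_targets(events, threshold=5):
    """Services with at least `threshold` half-open connections (threshold is an assumed tuning value)."""
    return sorted(svc for svc, n in half_open_per_service(events).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_per_service(SAMPLE_EVENTS))
    print(suspected_syn_flood_targets(SAMPLE_EVENTS))
```

In a real capture the threshold would be far higher and the window time-bounded; the point is the state machine, and that the mitigation the article names later (SYN cookies) works precisely by refusing to hold state in the SYN_RECEIVED step.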
Layer 3 — Network
The Network layer handles logical addressing and routing. It determines the best path for data to travel from source to destination across multiple networks.
Protocols: IP (IPv4, IPv6), ICMP (ping, traceroute), IPsec
Security relevance: IP spoofing attacks forge source addresses at this layer. DDoS amplification attacks exploit Layer 3 protocols. Routers and Layer 3 firewalls filter traffic based on IP addresses.
Layer 2 — Data Link
The Data Link layer handles node-to-node delivery on the local network segment. It uses physical (MAC) addresses to identify devices and organises data into frames.
Protocols: Ethernet (802.3), Wi-Fi (802.11), ARP, VLANs (802.1Q), PPP
Security relevance: ARP spoofing (also called ARP poisoning) is the primary Layer 2 attack. Because ARP has no built-in authentication, an attacker on the same network segment can redirect traffic to themselves. MAC flooding attacks can overwhelm switches to force them into hub mode, exposing all traffic. VLAN hopping can bypass network segmentation.
Layer 1 — Physical
The Physical layer deals with the actual transmission of raw bits over a physical medium — electrical signals through copper cables, light pulses through fiber optic, or radio waves through wireless.
Components: Ethernet cables (CAT5e, CAT6), fiber optic cables, wireless radio frequencies, network interface cards, hubs, repeaters
Security relevance: Physical layer security includes preventing unauthorized cable access, securing server rooms, detecting rogue wireless access points, and protecting against electromagnetic eavesdropping. Physical security is often overlooked but is the foundation everything else rests on.
The 7 OSI Model Layers
Figure: The 7 Layers of the OSI Model. Data travels down through the layers when sending (encapsulation) and up when receiving (decapsulation).
Memory aid: Remember the layers from top to bottom with “All People Seem To Need Data Processing” (Application, Presentation, Session, Transport, Network, Data Link, Physical). From bottom to top: “Please Do Not Throw Sausage Pizza Away.”
The 4 Layers of the TCP/IP Model
While the OSI model is the theoretical reference, the TCP/IP model is what the internet actually uses. It was developed by the US Department of Defense in the 1970s and became the foundation of the modern internet. It combines several OSI layers into four practical layers.
Layer 4 — Application
The TCP/IP Application layer combines OSI Layers 5, 6, and 7 into one layer. It handles everything from session management through data formatting to end-user application protocols.
Protocols: HTTP, HTTPS, DNS, FTP, SSH, SMTP, SNMP, Telnet, DHCP
Layer 3 — Transport
Identical to OSI Layer 4. Handles end-to-end communication and data delivery.
Protocols: TCP, UDP
Layer 2 — Internet
Corresponds to OSI Layer 3. Handles logical addressing and routing across networks.
Protocols: IP (IPv4, IPv6), ICMP, ARP (sometimes placed at Network Access layer), IGMP
Layer 1 — Network Access
Combines OSI Layers 1 and 2. Handles everything related to the local network — from physical transmission to framing and MAC addressing.
Protocols/technologies: Ethernet, Wi-Fi, PPP, DSL, fiber optic
The TCP/IP Model Layers
Figure: The 4 Layers of the TCP/IP Model. The practical model that powers the internet: simpler than OSI, but it maps directly to real protocols.
OSI Model vs TCP/IP Model — Complete Comparison
This is the comparison that matters most. Understanding how the two models map to each other — and when to use which framework — is a core networking skill tested on every major cybersecurity certification.
Layer Mapping Table
| OSI Layer | OSI Name | TCP/IP Layer | TCP/IP Name | Key Protocols | PDU (Data Unit) |
|---|---|---|---|---|---|
| 7 | Application | 4 | Application | HTTP, DNS, FTP, SSH, SMTP | Data |
| 6 | Presentation | 4 | Application | TLS/SSL, JPEG, ASCII | Data |
| 5 | Session | 4 | Application | NetBIOS, RPC | Data |
| 4 | Transport | 3 | Transport | TCP, UDP | Segment (TCP) / Datagram (UDP) |
| 3 | Network | 2 | Internet | IP, ICMP, ARP | Packet |
| 2 | Data Link | 1 | Network Access | Ethernet, Wi-Fi, ARP | Frame |
| 1 | Physical | 1 | Network Access | CAT6, fiber, radio | Bits |
Key takeaway: The TCP/IP model is not “simpler” in a bad way — it is simpler because the real internet does not need the Presentation and Session layers as separate concepts. Most modern protocols handle session management and data formatting within the application itself.
OSI vs TCP/IP Side by Side
Figure: OSI Model vs TCP/IP Model
OSI model:
- 7 distinct layers — Granular separation of concerns
- Session and Presentation layers — Dedicated layers for session management and encryption
- Vendor-neutral reference — Used to describe any networking technology
- Theoretical model — Does not directly correspond to real protocol stacks
- More complex to learn — Seven layers require more memorisation
- Industry standard for discussion — Security professionals reference OSI layers daily
TCP/IP model:
- 4 practical layers — Maps directly to real internet protocols
- Battle-tested — The actual model the internet has run on since the 1970s
- Simpler to understand — Fewer layers, more intuitive for beginners
- Less granular — Combines 3 OSI layers into one Application layer
- Harder to pinpoint attacks — “Application layer attack” in TCP/IP is less specific than “Layer 7 attack” in OSI
- Foundation of all networking — Every device on the internet uses TCP/IP
When to Use Which Model
- Use OSI when: describing where an attack occurs (“Layer 2 ARP spoofing”), writing incident reports, discussing security controls, preparing for certification exams, or communicating with other security professionals.
- Use TCP/IP when: configuring network devices, analyzing packet captures in Wireshark, troubleshooting connectivity issues, or working with actual protocol stacks.
- In practice: most security professionals reference OSI layer numbers in conversation (“this is a Layer 7 attack”) while using TCP/IP concepts when working hands-on with tools and configurations.
Encapsulation and Decapsulation — How Data Flows
When you click a link in your browser, here is what actually happens, layer by layer:
Encapsulation (sending data — top to bottom):
- Application layer — Your browser creates an HTTP GET request: GET /index.html HTTP/1.1
- Presentation layer — If using HTTPS, TLS encrypts the request
- Session layer — A session is established or maintained with the server
- Transport layer — TCP wraps the data in a segment, adding source port (e.g., 49152) and destination port (80 or 443). TCP’s three-way handshake (SYN → SYN-ACK → ACK) establishes the connection
- Network layer — IP wraps the segment in a packet, adding source IP (e.g., 192.168.1.100) and destination IP (e.g., 93.184.216.34)
- Data Link layer — Ethernet wraps the packet in a frame, adding source MAC and destination MAC addresses. ARP resolves the next-hop MAC address
- Physical layer — The frame is converted to electrical signals (copper), light pulses (fiber), or radio waves (Wi-Fi) and sent
At each layer, a header is added. This wrapping process is encapsulation. The data unit gets a new name at each layer: Data → Segment → Packet → Frame → Bits.
Decapsulation (receiving data — bottom to top):
The receiving computer reverses the process. The Physical layer receives bits, the Data Link layer reads the frame header and strips it, the Network layer reads the IP header, the Transport layer reads the TCP header, and eventually the Application layer receives the original HTTP request.
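The same journey in code: the following Python block is an added example, not from the article, that builds the frame for the HTTP request above with real header layouts (a 20-byte TCP header, a 20-byte IPv4 header with its RFC 1071 checksum, and a 14-byte Ethernet II header) and then decapsulates it layer by layer, verifying the IPv4 and TCP checksums on the way back up. The IP addresses and ports are the ones used in the walkthrough; the MAC addresses, sequence numbers and Host header are constructed values, and the Ethernet FCS is left to the network card, as it is in practice.

```python
import struct
from socket import inet_aton, inet_ntoa


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 header and (with a pseudo-header) by TCP.
    Run over data that already carries a valid checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def encapsulate(http_request: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                src_mac: str, dst_mac: str) -> bytes:
    """Wrap an HTTP request (Layer 7) in TCP (4), IPv4 (3) and Ethernet II (2) headers."""
    # Layer 4: 20-byte TCP header. Seq/ack numbers are constructed; flags 0x18 = PSH|ACK;
    # data offset 5 (x4 = 20 bytes). The checksum covers a pseudo-header plus the segment.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + http_request
    pseudo = inet_aton(src_ip) + inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    segment = segment[:16] + struct.pack("!H", ones_complement_checksum(pseudo + segment)) + segment[18:]
    # Layer 3: 20-byte IPv4 header (version 4, IHL 5, DF set, TTL 64, protocol 6 = TCP).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    # Layer 2: 14-byte Ethernet II header, EtherType 0x0800 = IPv4. The trailing FCS is
    # appended by the network card, so it is not built here.
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + segment


def decapsulate(frame: bytes) -> dict:
    """Strip the headers back off, verifying checksums, and return what each layer saw."""
    layers = {}
    # Layer 2: Ethernet II
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    layers["data_link"] = {"dst_mac": bytes_to_mac(frame[:6]), "src_mac": bytes_to_mac(frame[6:12])}
    packet = frame[14:]
    # Layer 3: IPv4 (header length comes from the IHL nibble)
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    protocol = packet[9]
    layers["network"] = {"src_ip": inet_ntoa(packet[12:16]), "dst_ip": inet_ntoa(packet[16:20]),
                         "protocol": protocol}
    if protocol != 6:
        raise ValueError("not TCP: protocol %d" % protocol)
    segment = packet[ihl:total_len]
    # Layer 4: TCP (checksum verified with the same pseudo-header the sender used)
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    if ones_complement_checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    src_port, dst_port, seq, ack, offset_byte, flags = struct.unpack("!HHIIBB", segment[:14])
    layers["transport"] = {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
                           "flags": flags}
    # Layer 7: whatever follows the TCP header is the application data
    layers["application"] = segment[(offset_byte >> 4) * 4:]
    return layers


# Constructed request; addresses match the walkthrough above, the MACs are made up.
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
FRAME = encapsulate(SAMPLE_REQUEST, "192.168.1.100", "93.184.216.34", 49152, 80,
                    "aa:bb:cc:dd:ee:ff", "00:1a:2b:3c:4d:5e")

if __name__ == "__main__":
    for layer, fields in decapsulate(FRAME).items():
        print(layer, fields)
```

Flip a single byte of FRAME before calling decapsulate and one of the checksum checks raises, which is exactly how a receiving stack discards a corrupted packet at Layer 3 or Layer 4 before the application ever sees it.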
```text
Sending (encapsulation):
┌────────────────────────────────────────────────┐
│ HTTP Data                                      │ Layer 7 - Data
├──────┬─────────────────────────────────────────┤
│ TCP  │ HTTP Data                               │ Layer 4 - Segment
├──────┼──────┬──────────────────────────────────┤
│ IP   │ TCP  │ HTTP Data                        │ Layer 3 - Packet
├──────┼──────┼──────┬───────────────────────────┤
│ ETH  │ IP   │ TCP  │ HTTP Data           │ FCS │ Layer 2 - Frame
└──────┴──────┴──────┴───────────────────────────┘
        ↓ Converted to electrical/light/radio signals   Layer 1 - Bits

Receiving (decapsulation):
Layer 1: Bits received → converted to frame
Layer 2: Ethernet header read → MAC verified → stripped
Layer 3: IP header read → destination IP verified → stripped
Layer 4: TCP header read → port/sequence verified → stripped
Layer 7: HTTP data delivered to the application
```
How Does the OSI Model Fit Into a Security Architecture?
According to the NIST Cybersecurity Framework and CompTIA Security+ SY0-701, security controls must be deployed at every layer of the network stack to achieve defence in depth. Each OSI layer presents distinct attack vectors and requires layer-specific mitigations.
This is where the OSI model becomes a practical security tool. Every layer has specific attacks and corresponding defenses. As a security professional, knowing which layer an attack targets tells you where to look for evidence and what controls to deploy.
| OSI Layer | Common Attacks | Defense Measures | Example Tools |
|---|---|---|---|
| 7 - Application | SQL injection, XSS, phishing, DNS poisoning, buffer overflow | WAF, input validation, secure coding, email filtering, DNSSEC | Burp Suite, OWASP ZAP |
| 6 - Presentation | SSL stripping, weak encryption, certificate spoofing | Enforce TLS 1.2+, certificate pinning, HSTS | SSLyze, testssl.sh |
| 5 - Session | Session hijacking, session fixation, cookie theft | Secure session tokens, session timeout, HTTPS everywhere | Browser DevTools |
| 4 - Transport | SYN flood, port scanning, UDP flood, TCP reset attack | SYN cookies, rate limiting, IDS/IPS, firewall rules | Nmap, hping3 |
| 3 - Network | IP spoofing, ICMP flood, route hijacking, DDoS amplification | Ingress/egress filtering, ACLs, anti-spoofing, BGP security | Wireshark, traceroute |
| 2 - Data Link | ARP spoofing, MAC flooding, VLAN hopping, rogue access points | Dynamic ARP Inspection, port security, 802.1X, WIDS | arpwatch, Bettercap |
| 1 - Physical | Cable tapping, device theft, rogue devices, jamming | Physical access controls, locked cabinets, cable management, RF shielding | Physical security audits |
ASD Essential Eight and OSI Layers
For those in Australia or working with Australian organisations, the Australian Signals Directorate (ASD) Essential Eight mitigation strategies map to specific OSI layers:
| Essential Eight Strategy | Primary OSI Layers | Why |
|---|---|---|
| Application control | Layer 7 | Controls which applications can execute |
| Patch applications | Layer 7 | Fixes vulnerabilities in application-layer software |
| Configure Microsoft Office macros | Layer 7 | Restricts application-layer macro execution |
| User application hardening | Layer 7 | Reduces application-layer attack surface |
| Restrict admin privileges | Layers 5-7 | Limits session and application access |
| Patch operating systems | Layers 3-7 | OS vulnerabilities span multiple layers |
| Multi-factor authentication | Layers 5-7 | Strengthens authentication at session/application layers |
| Regular backups | All layers | Recovery from attacks at any layer |
The Essential Eight focuses heavily on Layers 5-7 because that is where the majority of successful attacks against Australian organisations occur. Understanding this mapping helps you explain why these mitigations work, not just what they are.
What Are the Limitations of the OSI and TCP/IP Models?
While ISO/IEC 7498-1 provides a rigorous theoretical framework and IETF RFCs define practical protocol behaviour, neither model perfectly describes the complexity of modern networks. Understanding their limitations prevents false confidence in security design.
Understanding the models is essential, but they have limitations you should be aware of.
The OSI model is not how networks actually work. No real protocol stack has exactly seven cleanly separated layers. TLS spans Layers 5 and 6. DNS is nominally Layer 7 but operates over UDP at Layer 4. The model is a useful abstraction, not a literal description of reality.
The TCP/IP model is too coarse for security work. When you say “Application layer attack,” that could mean SQL injection, session hijacking, or SSL stripping — very different things that require different responses. The OSI model’s granularity is more useful for security classification.
Neither model covers modern complexity well. Encapsulation in real networks can be nested (VPNs, tunnels, containers). A single packet might traverse multiple encapsulation layers that do not map neatly to either model.
Protocol placement is debated. ARP is placed at Layer 2 by some references and Layer 3 by others. TLS is sometimes called Layer 6 and sometimes Layer 5. Do not get caught up in these debates — understand what the protocol does and where in the network stack it operates.
The models do not teach you how to use tools. Knowing that Nmap operates at Layers 3-4 tells you what it does conceptually, but you still need hands-on practice to use it effectively. The models are a framework for understanding, not a substitute for practical skills.
What Interview Questions Should You Expect About the OSI and TCP/IP Models?
Both CompTIA Security+ SY0-701 and the CEH v13 exam test practical understanding of OSI and TCP/IP layers, not rote memorisation. Interviewers for SOC analyst and security engineer roles consistently ask candidates to map attacks and defences to specific layers.
Interviewers use OSI and TCP/IP questions to test whether you actually understand networking or just memorised a table. Here is how to approach the most common questions.
| Question | What They Are Testing | Strong Answer Approach | Weak Answer |
|---|---|---|---|
| Describe the OSI model layers | Whether you understand function, not just names | Describe what each layer does with an example: “Layer 4 is Transport — it handles reliable delivery using TCP or fast delivery using UDP” | Listing all seven names without explaining what they do |
| At which OSI layer does a firewall operate? | Understanding that firewalls span layers | “Traditional firewalls operate at Layers 3-4, filtering by IP and port. Next-generation firewalls also inspect Layer 7 application data.” | “Layer 3” (incomplete — modern firewalls are multi-layer) |
| What happens during a TCP three-way handshake? | Practical Transport layer knowledge | “The client sends SYN, the server responds with SYN-ACK, the client confirms with ACK. This establishes a reliable connection before data transfer.” | “They shake hands three times” |
| What is the difference between OSI and TCP/IP? | Whether you understand both models and when to use each | “OSI has 7 layers and is used as a reference model. TCP/IP has 4 layers and is the actual protocol stack the internet uses. TCP/IP combines OSI Layers 5-7 into one Application layer.” | “TCP/IP is newer” or “OSI is outdated” (both incorrect) |
| How would you investigate a suspected ARP spoofing attack? | Applying layer knowledge to a real scenario | “ARP operates at Layer 2, so I would check ARP tables for duplicate IP-to-MAC mappings, look for gratuitous ARP packets in Wireshark, and verify with arpwatch logs.” | “I would run a virus scan” |
Tip for career changers: When answering layer questions, always connect the layer to a practical example. Interviewers want to see that you can apply the knowledge, not just recite it.
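For the ARP spoofing question specifically, the following Python block is an added example (not part of the article) of the checks in the strong answer. It parses a constructed Linux arp -n table and a constructed sequence of ARP replies, then reports one MAC address claiming several IPs, a gateway entry that no longer matches a recorded baseline, and IP-to-MAC mappings that change between replies (the condition arpwatch logs as a "flip flop"). The table contents, the baseline and the reply list are constructed; 00:1a:2b:3c:4d:5e is the gateway MAC that appears in the article's own ARP example, and the de:ad:be:ef:00:01 address is a made-up offender.

```python
import re
from collections import defaultdict

# Constructed `arp -n` output (Linux net-tools format). 192.168.1.1 is the default
# gateway; 192.168.1.23 is a workstation that now shares the gateway's MAC entry.
ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:01   C                     eth0
192.168.1.23             ether   de:ad:be:ef:00:01   C                     eth0
192.168.1.50             ether   00:11:22:33:44:55   C                     eth0
"""

# Assumed baseline recorded on a known-good day (the gateway MAC from the article's
# own ARP example).
BASELINE = {"192.168.1.1": "00:1a:2b:3c:4d:5e"}

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
ARP_REPLIES = [
    ("192.168.1.1", "00:1a:2b:3c:4d:5e"),
    ("192.168.1.50", "00:11:22:33:44:55"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now advertised by a different MAC
    ("192.168.1.1", "de:ad:be:ef:00:01"),
]

# ip, "ether", mac, flags, interface (the Mask column is empty on Linux)
ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9A-Fa-f:]{17})\s+\S+\s+(\S+)$")


def parse_arp_table(text):
    """Return {ip: mac} from Linux `arp -n` output; the header and non-ether lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).lower()
    return entries


def arp_table_indicators(entries, baseline):
    """Static checks on a snapshot of the ARP table."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    # One MAC answering for several IPs. This is legitimate for a multi-homed host
    # or a router, so it is an indicator to investigate, not proof of spoofing.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("one_mac_many_ips", mac, sorted(ips)))
    # A baselined host (typically the gateway) whose MAC no longer matches the record.
    for ip, expected in baseline.items():
        current = entries.get(ip)
        if current and current != expected:
            findings.append(("baseline_mismatch", ip, expected, current))
    return findings


def flip_flops(replies):
    """IPs whose advertised MAC changed from one reply to the next."""
    last = {}
    changes = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in last and last[ip] != mac:
            changes.append((ip, last[ip], mac))
        last[ip] = mac
    return changes


if __name__ == "__main__":
    table = parse_arp_table(ARP_TABLE)
    print(arp_table_indicators(table, BASELINE))
    print(flip_flops(ARP_REPLIES))
```

The two functions correspond to the two evidence sources in the answer: the table snapshot is what you get from the affected host, and the reply stream is what Wireshark (filter arp) or arpwatch gives you over time. Dynamic ARP Inspection on the switch, listed in the defence table above, prevents the spoofed replies from being forwarded in the first place.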
How Is the OSI Model Used in Real Security Operations?
The Verizon 2024 Data Breach Investigations Report (DBIR) found that over 80% of breaches involved the application layer (Layer 7), underscoring why SOC analysts must map every alert to the correct OSI layer to guide triage and response. In production environments, the OSI model is not theory — it is the daily language of security operations.
In a SOC environment, you will reference the OSI model constantly. Here is what that looks like on day one.
Triaging alerts by layer: When a SIEM alert fires, one of your first questions is “at which layer did this happen?” A Layer 7 alert (suspicious HTTP request) requires different investigation than a Layer 2 alert (unusual ARP activity). The layer tells you which logs to check, which tools to use, and who to escalate to.
Reading Wireshark captures:
Wireshark displays packets with their OSI layer information. You can filter by layer — tcp.port == 443 filters at Layer 4, ip.addr == 10.0.0.1 filters at Layer 3, http.request.method == GET filters at Layer 7. Understanding layers makes Wireshark usable rather than overwhelming.
Writing firewall rules: Firewall rules reference specific layers. A rule that blocks traffic from a specific IP address operates at Layer 3. A rule that blocks traffic on port 22 (SSH) operates at Layer 4. A rule that blocks specific HTTP requests operates at Layer 7. Knowing the layers helps you write precise rules.
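As an added illustration (not from the article), the following Python block models a first-match rule set in which each rule is classified by the deepest layer it has to inspect: a Layer 3 source-network rule, Layer 4 port rules, and a Layer 7 rule on the HTTP method. The packets are plain dictionaries standing in for decoded headers, and every address, port and rule is constructed. It also shows why rule order matters: the Layer 7 TRACE rule only fires because it is listed before the Layer 4 rule that allows port 80 in general, and shadowed_rules() finds the dead rule when that order is reversed.

```python
import ipaddress

# Constructed rule set, evaluated top to bottom; the first match wins.
# Conditions: src/dst (Layer 3, CIDR), proto/sport/dport (Layer 4),
# http_method/http_path (Layer 7, only available after payload inspection).
RULES = [
    {"action": "deny",  "src": "203.0.113.0/24"},                             # Layer 3
    {"action": "deny",  "proto": "tcp", "dport": 22},                          # Layer 4
    {"action": "deny",  "proto": "tcp", "dport": 80, "http_method": "TRACE"},  # Layer 7
    {"action": "allow", "proto": "tcp", "dport": 80},                          # Layer 4
    {"action": "allow", "proto": "tcp", "dport": 443},                         # Layer 4
]
DEFAULT_ACTION = "deny"  # implicit deny when nothing matches

L3_KEYS = {"src", "dst"}
L4_KEYS = {"proto", "sport", "dport"}
L7_KEYS = {"http_method", "http_path"}


def conditions(rule):
    return {k: v for k, v in rule.items() if k != "action"}


def deepest_layer(rule):
    """Highest OSI layer the rule needs to look at: 3, 4 or 7."""
    keys = set(conditions(rule))
    if keys & L7_KEYS:
        return 7
    if keys & L4_KEYS:
        return 4
    return 3


def matches(rule, pkt):
    """pkt is a dict of decoded fields, e.g. {"src": "...", "proto": "tcp", "dport": 80}."""
    for key, wanted in conditions(rule).items():
        have = pkt.get(key)
        if have is None:
            return False                       # field not present at this inspection depth
        if key in L3_KEYS:
            if ipaddress.ip_address(have) not in ipaddress.ip_network(wanted):
                return False
        elif have != wanted:
            return False
    return True


def evaluate(pkt, rules=RULES):
    """Return (action, index of the matching rule or None, layer that decided or None)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], index, deepest_layer(rule)
    return DEFAULT_ACTION, None, None


def _implies(broad, narrow):
    """True if every condition of `broad` holds whenever `narrow` matches."""
    for key, wanted in broad.items():
        if key not in narrow:
            return False
        if key in L3_KEYS:
            if not ipaddress.ip_network(narrow[key]).subnet_of(ipaddress.ip_network(wanted)):
                return False
        elif narrow[key] != wanted:
            return False
    return True


def shadowed_rules(rules=RULES):
    """Indices of rules that can never fire because an earlier, broader rule always matches first."""
    conds = [conditions(r) for r in rules]
    return [i for i in range(len(rules)) if any(_implies(conds[j], conds[i]) for j in range(i))]


if __name__ == "__main__":
    print(evaluate({"src": "198.51.100.4", "proto": "tcp", "dport": 80, "http_method": "TRACE"}))
    print(shadowed_rules())
```

A traditional Layer 3/4 firewall never populates the http_method field, so the TRACE rule can only take effect on a device that decodes the payload (an NGFW or WAF); on a plain packet filter it silently never matches, which is the practical reason the article tells you to know which layer each rule lives at.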
Incident documentation: When writing incident reports, SOC analysts describe attacks using OSI layer terminology: “The attacker conducted ARP spoofing (Layer 2) to perform a man-in-the-middle attack, intercepting HTTP traffic (Layer 7) containing unencrypted credentials.” This precision helps other team members understand exactly what happened.
Australian SOC context: Australian SOCs operating under the ASD Essential Eight framework map their monitoring and controls to specific layers. If your organisation is subject to the Information Security Manual (ISM), understanding which controls apply at which layers is essential for compliance reporting.
What Does the OSI Model Look Like in Practice?
Hands-on exploration of OSI layers requires only built-in operating system tools and is the fastest way to move from theory to practical understanding — a core objective of CompTIA Network+ (N10-009) and CompTIA Security+ (SY0-701) exam preparation.
You can explore OSI layers on your own computer right now.
Example 1: See Layer 3 and Layer 4 in action
```bash
# View active network connections with IP addresses (L3) and ports (L4)
# Windows:
netstat -ano

# Linux:
ss -tulnp
# macOS has no ss command; lsof gives the equivalent view:
lsof -i -P -n

# Sample output (Linux):
# tcp   LISTEN 0   128   0.0.0.0:443   0.0.0.0:*   users:(("nginx",pid=1234))
#                       ↑ L3 addr  ↑ L4 port      ↑ L7 application
```
Example 2: Trace the route through Layer 3
```bash
# See every router (Layer 3 hop) between you and a destination
# Windows:
tracert google.com

# Linux/Mac:
traceroute google.com

# Each line is a Layer 3 router making a forwarding decision
# based on the destination IP address in the packet header
```
Example 3: See Layer 2 addresses
```bash
# View the ARP table — mapping Layer 3 (IP) to Layer 2 (MAC)
# Windows:
arp -a

# Linux (on macOS use: arp -an):
arp -n

# Sample output:
# 192.168.1.1     00:1a:2b:3c:4d:5e     eth0
#  ↑ L3 (IP)        ↑ L2 (MAC)           ↑ L1 (interface)
```
Example 4: DNS resolution at Layer 7
```bash
# Perform a DNS lookup — this is an Application layer (L7) query
# sent over UDP (L4) to a DNS server's IP address (L3)
nslookup mycybersecuritypath.com

# Or with more detail:
dig mycybersecuritypath.com +trace
```
Example 5: Wireshark layer analysis
```text
# In Wireshark, a single captured packet shows all layers:
#
# Frame 1: 342 bytes on wire            ← Layer 1 (Physical)
# Ethernet II, Src: aa:bb:cc:dd:ee:ff   ← Layer 2 (Data Link)
# Internet Protocol, Src: 192.168.1.5   ← Layer 3 (Network)
# TCP, Src Port: 49152, Dst: 443        ← Layer 4 (Transport)
# TLS 1.3 Application Data              ← Layers 5-6 (Session/Presentation)
# HTTP/2 GET /index.html                ← Layer 7 (Application)
#
# The HTTP/2 line only appears when Wireshark can decrypt the TLS session
# (for example with a TLS key log file); otherwise the capture ends at
# "Application Data".
```
Protocol Reference by Layer
This table is a quick reference for the most important protocols at each OSI layer. You do not need to memorise all of them, but the highlighted ones appear on CompTIA Security+ and in daily SOC work.
| Layer | Protocol | Port(s) | Purpose | Security Note |
|---|---|---|---|---|
| 7 | HTTP | 80 | Web browsing (unencrypted) | Cleartext — credentials visible in captures |
| 7 | HTTPS | 443 | Web browsing (encrypted) | TLS-encrypted — standard for all modern sites |
| 7 | DNS | 53 | Domain name resolution | Used for tunneling and exfiltration |
| 7 | FTP | 20, 21 | File transfer (unencrypted) | Cleartext — avoid in production |
| 7 | SSH | 22 | Secure remote access | Encrypted alternative to Telnet |
| 7 | SMTP | 25 | Email sending | Commonly exploited for spam and phishing |
| 7 | DHCP | 67, 68 | Automatic IP assignment | Rogue DHCP servers can redirect traffic |
| 7 | SNMP | 161 | Network device management | v1/v2c use cleartext community strings |
| 7 | Telnet | 23 | Remote access (unencrypted) | Never use — cleartext credentials |
| 4 | TCP | — | Reliable transport | SYN floods exploit the handshake |
| 4 | UDP | — | Fast transport | Amplification attacks exploit connectionless nature |
| 3 | IP | — | Addressing and routing | Spoofing forges source addresses |
| 3 | ICMP | — | Diagnostics (ping) | Used in ping floods and network reconnaissance |
| 2 | ARP | — | IP-to-MAC resolution | No authentication — spoofing is trivial |
| 2 | Ethernet | — | Local network framing | MAC flooding attacks target switches |
Summary and Key Takeaways
The OSI model and TCP/IP model are your roadmap for understanding every network interaction, every attack, and every defense in cybersecurity.
- The OSI model has 7 layers (Application, Presentation, Session, Transport, Network, Data Link, Physical). It is the standard reference for security discussions, incident reports, and certification exams.
- The TCP/IP model has 4 layers (Application, Transport, Internet, Network Access). It is the practical model that powers the actual internet.
- OSI Layers 5-7 map to TCP/IP’s single Application layer. OSI Layer 4 maps to Transport. OSI Layer 3 maps to Internet. OSI Layers 1-2 map to Network Access.
- Every attack targets a specific layer. Knowing the layer tells you what logs to check, what tools to use, and what defenses to deploy.
- Encapsulation adds headers at each layer as data travels down the stack. Decapsulation strips headers as data travels up. The data unit changes name: Data → Segment → Packet → Frame → Bits.
- Use OSI for security discussions and TCP/IP for hands-on work. Most security professionals reference OSI layer numbers in conversation but work with TCP/IP protocols in practice.
- The ASD Essential Eight maps primarily to Layers 5-7 because most successful attacks against Australian organisations target the application and session layers.
Related
- Networking Basics for TCP vs UDP, DNS, IP addressing, and common ports
- Security Concepts for the foundational principles (CIA triad, defense in depth) that apply at every layer
- Threat Landscape for real-world attack examples mapped to the techniques described here
- Wireshark Guide for hands-on packet analysis where you will see these layers in practice
- Nmap Guide for network scanning that operates at Layers 3-4
Frequently Asked Questions
What is the difference between the OSI model and TCP/IP model?
The OSI model has 7 layers and is a theoretical reference framework used for security discussions and certification exams. The TCP/IP model has 4 layers and is the practical model that powers the actual internet. They describe the same networking process but divide it differently — TCP/IP combines OSI Layers 5, 6, and 7 into a single Application layer, and OSI Layers 1 and 2 into a single Network Access layer.
Why do I need to learn the OSI model if TCP/IP is what networks actually use?
Security professionals use OSI layer numbers as a common language. When someone says 'Layer 7 attack' or 'Layer 2 spoofing,' everyone in the industry knows exactly what they mean. The OSI model provides more granularity for classifying attacks, writing incident reports, and discussing defenses. Both models are tested on CompTIA Security+, Network+, and CEH exams.
How many layers does the OSI model have?
The OSI model has 7 layers: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1). A common mnemonic to remember them top to bottom is 'All People Seem To Need Data Processing.' From bottom to top: 'Please Do Not Throw Sausage Pizza Away.'
What is encapsulation in networking?
Encapsulation is the process of adding headers at each layer as data travels down the OSI model. The Application layer creates the data, the Transport layer wraps it in a segment with port numbers, the Network layer wraps it in a packet with IP addresses, and the Data Link layer wraps it in a frame with MAC addresses. The receiving device reverses this process (decapsulation) to extract the original data.
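The encapsulation walk described above (and summarised in the key takeaways as Data → Segment → Packet → Frame) carried out on real header bytes, as an added example that is not part of the original article: Python packs an HTTP request into a TCP segment, an IPv4 packet and an Ethernet frame, then parses the frame back up the stack. The addresses, ports and MACs are constructed sample values.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(data, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Walk the data down the stack: Data -> Segment -> Packet -> Frame."""
    # Layer 4: TCP header (20 bytes: ports, seq, ack, data offset 5, PSH|ACK, window).
    # The TCP checksum needs a pseudo-header and is left zero to keep the example short.
    segment = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
    # Layer 3: IPv4 header (version 4, IHL 5, DF set, TTL 64, protocol 6 = TCP).
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    packet = header + segment
    # Layer 2: Ethernet II header (dst MAC, src MAC, EtherType 0x0800 = IPv4).
    return dst_mac + src_mac + b"\x08\x00" + packet

def decapsulate(frame):
    """Walk the frame back up the stack, peeling one header per layer."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    segment = packet[ihl:]
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
        "protocol": packet[9], "sport": sport, "dport": dport, "data": segment[data_offset:],
    }

# Constructed sample: a LAN client sending an HTTP request to a web server.
SAMPLE_FRAME = encapsulate(b"GET / HTTP/1.1\r\n", 51000, 80, "192.0.2.10", "198.51.100.5",
                           bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
```

Open the resulting bytes in Wireshark (File > Import from Hex Dump) and the dissector shows the same three headers, outermost first, that decapsulate() peels off.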
At which OSI layer do firewalls operate?
Traditional firewalls operate at Layers 3 and 4, filtering traffic based on IP addresses and port numbers. Next-generation firewalls (NGFWs) also inspect Layer 7 application data, allowing them to block specific applications or HTTP requests. Web Application Firewalls (WAFs) operate specifically at Layer 7 to protect web applications from attacks like SQL injection and XSS.
What is ARP spoofing and which OSI layer does it target?
ARP spoofing targets Layer 2 (Data Link). ARP maps IP addresses to MAC addresses on a local network, but it has no built-in authentication. An attacker on the same network segment can send fake ARP replies to associate their MAC address with another device's IP address, redirecting traffic to themselves for a man-in-the-middle attack. Defenses include Dynamic ARP Inspection and 802.1X port-based authentication.
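A minimal monitor of the kind that complements the defenses named above, added here as an example rather than taken from the article: it decodes raw ARP replies and alerts when an IP address that was already learned shows up bound to a different MAC. The IPs, MACs and the 28-byte ARP body format are constructed sample values and an assumption of this example.

```python
import socket
import struct

ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP

def parse_arp(body: bytes) -> dict:
    """Decode the 28-byte Ethernet/IPv4 ARP body that follows the Ethernet header."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}

class ArpWatch:
    """Learn IP -> MAC bindings from replies and report conflicting claims."""
    def __init__(self):
        self.table = {}      # first-seen binding per IP, kept as the trusted baseline
        self.alerts = []

    def observe(self, body: bytes):
        arp = parse_arp(body)
        if arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:                      # a second MAC answering for a learned IP
            alert = f"{ip} claimed by {mac}, baseline is {known}"
            self.alerts.append(alert)
            return alert
        return None

def arp_body(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a constructed ARP body for the sample replay below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac,
                       socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))

# Constructed sample: the gateway answers for 192.0.2.1, then another host answers for the same IP.
GATEWAY_MAC, HOST_MAC, OTHER_MAC = (bytes.fromhex(h) for h in ("020000000001", "020000000010", "020000000099"))
SAMPLE_REPLIES = [
    arp_body(ARP_REPLY, GATEWAY_MAC, "192.0.2.1", HOST_MAC, "192.0.2.10"),
    arp_body(ARP_REPLY, OTHER_MAC, "192.0.2.1", HOST_MAC, "192.0.2.10"),
]

def run_watch(replies):
    watcher = ArpWatch()
    for body in replies:
        watcher.observe(body)
    return watcher
```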
What is a SYN flood attack?
A SYN flood is a Layer 4 (Transport) denial-of-service attack that exploits TCP's three-way handshake. The attacker sends a massive number of SYN packets but never completes the handshake with the final ACK. This fills the target's connection queue with half-open connections, preventing legitimate users from connecting. Defenses include SYN cookies, rate limiting, and IDS/IPS systems.
How do the OSI layers relate to the CompTIA Security+ exam?
CompTIA Security+ SY0-701 tests networking models across multiple domains. You need to understand both OSI and TCP/IP layers, know which protocols operate at each layer, identify which layer common attacks target, and match security controls to specific layers. The exam does not ask you to simply list the layers — it tests whether you can apply layer knowledge to security scenarios.
What is the TCP three-way handshake?
The TCP three-way handshake is a Layer 4 process that establishes a reliable connection. Step 1: the client sends a SYN (synchronise) packet. Step 2: the server responds with SYN-ACK (synchronise-acknowledge). Step 3: the client sends ACK (acknowledge). After these three steps, data can flow. Understanding this handshake is essential because several attacks — including SYN floods and TCP reset attacks — exploit weaknesses in this process.
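The handshake as a state machine, replayed over constructed packet summaries (an added example, not the article's own code), serving both the SYN flood answer above and this one: each flow advances SYN -> SYN-ACK -> ACK, and flows that stall before the final ACK are the half-open connections a SYN flood leaves behind. The addresses, the one-line packet format and the alert threshold are assumptions of this example.

```python
from collections import Counter

# Constructed packet summaries in the form "src:port > dst:port FLAGS" (S, SA, A).
# 192.0.2.10 completes its handshake; 203.0.113.7 sends SYNs and never answers the SYN-ACK.
SAMPLE_PACKETS = """\
192.0.2.10:51000 > 198.51.100.5:443 S
198.51.100.5:443 > 192.0.2.10:51000 SA
192.0.2.10:51000 > 198.51.100.5:443 A
203.0.113.7:40001 > 198.51.100.5:443 S
198.51.100.5:443 > 203.0.113.7:40001 SA
203.0.113.7:40002 > 198.51.100.5:443 S
198.51.100.5:443 > 203.0.113.7:40002 SA
203.0.113.7:40003 > 198.51.100.5:443 S
203.0.113.7:40004 > 198.51.100.5:443 S
""".splitlines()

def track_handshakes(lines):
    """Replay packets; return {(client, server): state} as the server would see it."""
    states = {}
    for line in lines:
        src, _, dst, flags = line.split()
        if flags == "S":                        # step 1: client SYN opens a half-open entry
            states[(src, dst)] = "SYN_RECEIVED"
        elif flags == "SA":                     # step 2: server SYN-ACK (flow keyed by client)
            if states.get((dst, src)) == "SYN_RECEIVED":
                states[(dst, src)] = "SYN_ACK_SENT"
        elif flags == "A":                      # step 3: client ACK completes the handshake
            if states.get((src, dst)) == "SYN_ACK_SENT":
                states[(src, dst)] = "ESTABLISHED"
    return states

def half_open_by_client(states):
    """Count flows per client IP that never reached ESTABLISHED."""
    counts = Counter()
    for (client, _server), state in states.items():
        if state != "ESTABLISHED":
            counts[client.rsplit(":", 1)[0]] += 1
    return counts

def syn_flood_suspects(states, threshold=3):
    """Client IPs holding at least `threshold` half-open connections (threshold is an assumed value)."""
    return sorted(ip for ip, n in half_open_by_client(states).items() if n >= threshold)
```

In a real capture the same logic runs over Wireshark's tcp.flags fields, and a server under SYN cookies would show the stalled flows without holding queue state for them.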
Which OSI layer should I focus on for SOC analyst work?
SOC analysts work across all layers but spend most of their time at Layers 3, 4, and 7. Layer 3 (IP addresses) tells you where traffic is coming from and going to. Layer 4 (ports) tells you what service is being used. Layer 7 (application data) shows you what the traffic is actually doing. Start with these three layers and expand your knowledge to Layers 2, 5, and 6 as you encounter them in real alerts.
More resources
The foundational IETF RFC defining the TCP/IP communication layers and host requirements.
Cisco — OSI Model Reference: Cisco's practical guide to the OSI model layers with networking examples.
ASD Essential Eight Maturity Model: Australian Signals Directorate's Essential Eight mitigation strategies — mapped to network layers in cybersecurity practice.
Network models and protocol implementations evolve. Verify protocol details against current IETF RFCs and vendor documentation. The OSI model is defined in ISO/IEC 7498-1. TCP/IP specifications are maintained by the IETF. Individual results vary based on background, effort, and market conditions.