OSI Model: The Complete Guide

What is the OSI Model?

The OSI (Open Systems Interconnection) model is a conceptual framework that describes how data travels from one computer to another over a network. Think of it as a 7-story building where data travels from the top floor (your application) down to the ground floor (the physical cable), crosses to another building, and travels back up.

The 7 Layers (Remember: “Please Do Not Throw Sausage Pizza Away”)

Layer	Name	Mnemonic	What it Does
7	Application	Away	User interfaces & applications
6	Presentation	Pizza	Data formatting & encryption
5	Session	Sausage	Manages connections
4	Transport	Throw	Reliable data delivery
3	Network	Not	Routing & addressing
2	Data Link	Do	Physical addressing (MAC)
1	Physical	Please	Cables, signals, bits

Real-World Scenario: Sending an Email

Let’s follow what happens when you send an email from your computer to your friend.

YOU: "I want to send an email!"
        ↓
    [Layer 7] - Application Layer
        ↓
    [Layer 6] - Presentation Layer
        ↓
    [Layer 5] - Session Layer
        ↓
    [Layer 4] - Transport Layer
        ↓
    [Layer 3] - Network Layer
        ↓
    [Layer 2] - Data Link Layer
        ↓
    [Layer 1] - Physical Layer
        ↓
    CABLE/WIFI → INTERNET → FRIEND'S COMPUTER
        ↓
    [Goes back up through all 7 layers]
        ↓
    FRIEND: "Got your email!"

Layer 7: Application Layer

What It Does

The interface between the user and the network. This is where applications interact with the network.

Real-World Example

You open Gmail and type “Hey, let’s meet at 3 PM!” and click send.

What Happens

Gmail (the application) uses SMTP (Simple Mail Transfer Protocol) to send email
Your browser uses HTTP/HTTPS to load web pages
WhatsApp uses its own protocol to send messages

Protocols at This Layer

HTTP/HTTPS - Web browsing
SMTP - Sending email
POP3/IMAP - Receiving email
FTP - File transfer
DNS - Domain name resolution
SSH - Secure remote access

Analogy

You’re writing a letter. Layer 7 is you writing the message in English (or any language).

In Linux

# Application layer commands
curl https://google.com           # HTTP
ssh user@server                   # SSH
ftp ftp.example.com               # FTP
nslookup google.com               # DNS
telnet smtp.gmail.com 25          # SMTP

# Check which applications are using the network
sudo netstat -tulnp

Data Unit: Message/Data

Layer 6: Presentation Layer

What It Does

Translates, encrypts, and compresses data so different systems can understand each other.

Real-World Example

Your email “Hey, let’s meet at 3 PM!” needs to be:

Encoded (ASCII, Unicode)
Encrypted (if using HTTPS/TLS)
Compressed (if sending large attachments)

What Happens

Converts data format (e.g., ASCII to binary)
Encrypts data with SSL/TLS for security
Compresses images/videos to save bandwidth

Protocols/Standards at This Layer

SSL/TLS - Encryption
JPEG, PNG, GIF - Image formats
MPEG, MP4 - Video formats
ASCII, Unicode - Character encoding

Analogy

You’re translating your English letter to French, putting it in a locked box (encryption), and compressing it to fit in an envelope.

In Linux

# Check SSL/TLS certificate
openssl s_client -connect google.com:443

# View encoding of a file
file -i document.txt
# Output: text/plain; charset=utf-8

# Compress data
gzip file.txt           # Compression happens here
tar -czf archive.tar.gz files/

Data Unit: Data

Layer 5: Session Layer

What It Does

Establishes, manages, and terminates connections between applications. Keeps track of who’s talking to whom.

Real-World Example

When you login to Gmail:

Session starts - You authenticate (login)
Session maintained - You can send multiple emails
Session ends - You logout or timeout

What Happens

Creates a session between your computer and Gmail server
Keeps the connection alive while you work
Synchronizes data transfer (checkpoints)
Handles reconnection if connection drops

Protocols at This Layer

NetBIOS - Network naming
PPTP - VPN tunneling
RPC - Remote Procedure Call
Session management in HTTP (cookies, tokens)

Analogy

You call someone on the phone:

Session start: “Hello, this is John”
Session active: You have a conversation
Session end: “Goodbye!” (hang up)

In Linux

# View active sessions
who                     # Logged in users
w                       # What users are doing

# SSH session management
screen                  # Create detachable sessions
tmux                    # Terminal multiplexer

# Check application sessions
ss -o                   # Shows socket options with timers

Real Example with SSH

# Start SSH session
ssh user@server
# Session established ✓
# Connection stays alive even if network hiccups briefly
# Session layer maintains it

# Lost connection? Session layer tries to recover
# Or timeout after specified time

Data Unit: Data

Layer 4: Transport Layer

What It Does

Ensures reliable data delivery from source to destination. Breaks data into segments and ensures they arrive correctly.

Real-World Example

Your email is too big to send in one piece, so it’s broken into smaller chunks (segments), each numbered. If any chunk gets lost, it’s resent.

Two Main Protocols

TCP (Transmission Control Protocol) - Reliable

Connection-oriented (handshake first)
Reliable (guarantees delivery)
Ordered (data arrives in correct order)
Error checking (resends lost data)

Used by: Email, Web browsing, File transfer

UDP (User Datagram Protocol) - Fast

Connectionless (no handshake)
Unreliable (no guarantee)
Faster (less overhead)
No error recovery

Used by: Video streaming, Gaming, VoIP, DNS

The TCP 3-Way Handshake

CLIENT                          SERVER
  |                               |
  |-------- SYN (Hello!) -------->|
  |                               |
  |<----- SYN-ACK (Hello back!)--|
  |                               |
  |-------- ACK (Great!) -------->|
  |                               |
  |====== Connection Ready =======|

Like making a phone call:

You: “Hello?” (SYN)
Friend: “Hello! I can hear you” (SYN-ACK)
You: “Great, I can hear you too” (ACK)
Conversation starts

What Happens

Email: "Hey, let's meet at 3 PM!"

Segment 1: "Hey, le"     [Seq: 1]
Segment 2: "t's mee"     [Seq: 2]
Segment 3: "t at 3 PM!"  [Seq: 3]

Each segment includes:
- Source Port (e.g., 54321)
- Destination Port (e.g., 25 for SMTP)
- Sequence Number
- Acknowledgment Number
- Checksum (error detection)

In Linux

# View TCP connections
netstat -tan
ss -tan

# View UDP connections
netstat -uan
ss -uan

# See connection states
ss -tan | grep ESTABLISHED
ss -tan | grep LISTEN

# Watch the 3-way handshake
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'

# Check which ports are listening
sudo lsof -i -P -n | grep LISTEN
# Port 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP), etc.

# Test TCP connection
telnet google.com 80
nc -zv google.com 80

# Test UDP (no handshake)
nc -u server 53           # DNS uses UDP

Port Numbers

Well-Known Ports (0-1023):
- 20, 21: FTP
- 22: SSH
- 23: Telnet
- 25: SMTP (Email)
- 53: DNS
- 80: HTTP
- 443: HTTPS
- 3306: MySQL
- 5432: PostgreSQL

Registered Ports (1024-49151):
- 3000: Node.js apps
- 8080: Alternative HTTP
- 8443: Alternative HTTPS

Dynamic Ports (49152-65535):
- Temporary client ports

Analogy

TCP is like registered mail (guaranteed delivery, you sign for it). UDP is like shouting across a room (fast, but might not be heard).

Data Unit: Segment (TCP) or Datagram (UDP)

Layer 3: Network Layer

What It Does

Routes data between networks using IP addresses. Decides the best path for data to travel.

Real-World Example

Your email segment needs to travel from your home (192.168.1.10) to Gmail’s server (172.217.14.229). The network layer figures out the route, possibly through 10-15 intermediate routers.

What Happens

Your Computer: 192.168.1.10
        ↓
Your Router: 192.168.1.1
        ↓
ISP Router 1: 10.5.23.1
        ↓
ISP Router 2: 10.5.45.1
        ↓
Internet Backbone
        ↓
Google Router: 172.217.0.1
        ↓
Gmail Server: 172.217.14.229

Each Packet Contains

IP Header:
- Source IP: 192.168.1.10
- Destination IP: 172.217.14.229
- TTL (Time To Live): 64
- Protocol: TCP (6) or UDP (17)
- Checksum

IP Addressing

IPv4 (32-bit)

192.168.1.10
- Total: ~4.3 billion addresses
- Format: xxx.xxx.xxx.xxx
- Classes: A, B, C, D, E

IPv6 (128-bit)

2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Total: 340 undecillion addresses
- Solves IPv4 exhaustion

Protocols at This Layer

IP - Internet Protocol
ICMP - Ping, error messages
ARP - Converts IP to MAC address
OSPF, BGP - Routing protocols

In Linux

# View IP address
ip addr show
ifconfig                  # Older command

# View routing table
ip route show
route -n

# Trace route to destination
traceroute google.com
mtr google.com           # Better than traceroute

# Ping (uses ICMP)
ping -c 4 8.8.8.8

# Check if IP forwarding enabled (routers)
cat /proc/sys/net/ipv4/ip_forward

# ARP table (IP to MAC mapping)
arp -a
ip neigh show

# Add static route
sudo ip route add 10.0.0.0/8 via 192.168.1.1

# Capture IP packets
sudo tcpdump -i eth0 'icmp'
sudo tcpdump -i eth0 'ip'

TTL (Time To Live)

# TTL prevents packets from looping forever
# Each router decrements TTL by 1
# When TTL = 0, packet is dropped

ping google.com
# 64 bytes from 142.250.185.46: icmp_seq=1 ttl=116 time=12.3 ms
#                                              ↑
# This packet went through about 12 routers (128 - 116 = 12)

Analogy

Layer 3 is like the postal system. Your letter has an address (IP), and postal workers (routers) decide which route it should take.

Data Unit: Packet

Layer 2: Data Link Layer

What It Does

Transfers data between devices on the same network using MAC addresses. Handles physical addressing and error detection.

Real-World Example

Your packet reaches your router. The router needs to send it to your computer specifically, not to other devices on your WiFi. It uses your computer’s MAC address.

Two Sub-layers

MAC (Media Access Control)

Physical addressing (MAC addresses)
Controls access to transmission medium

LLC (Logical Link Control)

Flow control
Error checking

What Happens

IP Packet arrives at router
        ↓
Router checks: "Who is 192.168.1.10?"
        ↓
ARP: "192.168.1.10 is at MAC: AA:BB:CC:DD:EE:FF"
        ↓
Frame created with MAC address
        ↓
Frame sent to your computer only

Ethernet Frame Structure

Ethernet Frame:
+----------+----------+------+---------+-----+
| Dest MAC | Src MAC  | Type | Payload | FCS |
+----------+----------+------+---------+-----+
  6 bytes    6 bytes  2 bytes  46-1500  4 bytes

Example:
Destination MAC: AA:BB:CC:DD:EE:FF (Your computer)
Source MAC: 11:22:33:44:55:66 (Router)
Type: 0x0800 (IPv4)
Payload: IP Packet
FCS: Frame Check Sequence (error detection)

MAC Address

AA:BB:CC:DD:EE:FF
│  │  └─ Device-specific (assigned by manufacturer)
└─ Manufacturer ID (OUI - Organizationally Unique Identifier)

Examples:
- 00:1A:2B:3C:4D:5E (Wired Ethernet)
- A0:B1:C2:D3:E4:F5 (WiFi)
- FF:FF:FF:FF:FF:FF (Broadcast - everyone)

Switches vs Hubs

Hub (Old Technology)

Sends data to ALL devices
No intelligence
Causes collisions

Switch (Modern)

Sends data to SPECIFIC device
Uses MAC address table
Much more efficient

In Linux

# View MAC address
ip link show
ifconfig eth0

# ARP table (IP to MAC mapping)
arp -a
ip neigh show
# 192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE

# Change MAC address (MAC spoofing)
sudo ip link set dev eth0 down
sudo ip link set dev eth0 address 00:11:22:33:44:55
sudo ip link set dev eth0 up

# View switch MAC address table (on managed switches)
# This is usually done via switch CLI

# Capture data link layer
sudo tcpdump -e -i eth0
# Shows Ethernet headers with MAC addresses

# Monitor WiFi
sudo iwconfig
sudo iw dev wlan0 station dump

VLAN (Virtual LAN)

# VLANs segment networks at Layer 2
# Create VLAN
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip link set dev eth0.10 up
sudo ip addr add 192.168.10.1/24 dev eth0.10

Protocols at This Layer

Ethernet - Wired LANs
WiFi (802.11) - Wireless LANs
PPP - Point-to-Point Protocol
ARP - Address Resolution Protocol
STP - Spanning Tree Protocol (prevents loops)

Analogy

Layer 2 is like apartment numbers in a building. IP address is the building address (Layer 3), MAC address is the apartment number (Layer 2).

Data Unit: Frame

Layer 1: Physical Layer

What It Does

Transmits raw bits (0s and 1s) over physical medium. Deals with electrical signals, light pulses, or radio waves.

Real-World Example

Your data frame is converted to electrical signals (Ethernet cable), light pulses (fiber optic), or radio waves (WiFi) and transmitted.

How It Works

Binary Transmission

Letter "A" = 01000001 (binary)

Ethernet (Electrical):
High voltage = 1
Low voltage = 0

   1
   ___     ___         ___
0_|   |___|   |_______|   |___
  0 1 0 0 0 0 0 1

Fiber Optic (Light)

Light ON = 1
Light OFF = 0

LED/Laser sends pulses of light through glass fiber

WiFi (Radio Waves)

Different frequencies encode 0s and 1s
2.4 GHz or 5 GHz radio waves

Physical Media

Wired

Ethernet Cable (Cat5e, Cat6, Cat7)
- Cat5e: Up to 1 Gbps
- Cat6: Up to 10 Gbps (short distance)
- Cat7: Up to 10 Gbps (longer distance)
Fiber Optic
- Single-mode: Long distance (100+ km)
- Multi-mode: Short distance (2 km)
- Speed: 10 Gbps to 100+ Gbps
Coaxial Cable
- Cable internet
- Up to 1 Gbps

Wireless

WiFi
- 802.11n: 300 Mbps
- 802.11ac: 1.3 Gbps
- 802.11ax (WiFi 6): 9.6 Gbps
Bluetooth
- Short range (10-100 meters)
- 1-3 Mbps
Cellular (4G/5G)
- 4G LTE: 100 Mbps
- 5G: 1-10 Gbps

Hardware at This Layer

Network cables
Network interface cards (NICs)
Hubs (old)
Repeaters (signal boosters)
Modems
WiFi adapters
Fiber optic transceivers

In Linux

# View physical interface status
ip link show
# State: UP or DOWN
# Speed, duplex mode

# Detailed interface info
ethtool eth0
# Speed: 1000Mb/s
# Duplex: Full
# Link detected: yes

# WiFi signal strength
iwconfig wlan0
# Signal level: -45 dBm (strong)
# Link Quality: 70/70

# Check cable connection
sudo mii-tool eth0
# eth0: negotiated 1000baseT-FD flow-control, link ok

# View physical errors
ethtool -S eth0 | grep error
# rx_crc_errors: 0
# tx_errors: 0

# Test cable speed
iperf3 -s    # On server
iperf3 -c server-ip    # On client
# Measures actual throughput

# Enable/Disable interface
sudo ip link set eth0 up
sudo ip link set eth0 down

# Change interface speed (if supported)
sudo ethtool -s eth0 speed 1000 duplex full

Encoding Schemes

Manchester Encoding (Ethernet)
NRZ (Non-Return to Zero) (USB)
4B/5B (Fast Ethernet)
8B/10B (Gigabit Ethernet, Fiber)

Analogy

Layer 1 is the road itself. Whether it’s a highway (fiber optic), paved road (ethernet), or dirt path (slow connection), it’s the physical medium that carries the vehicles (data).

Data Unit: Bits (0s and 1s)

Complete Data Flow: Sending a Web Request

Step-by-Step: You visit https://google.com

=== YOUR COMPUTER ===

[Layer 7 - Application]
You type: "https://google.com"
Browser uses: HTTP GET request

[Layer 6 - Presentation]
- HTTPS encrypts with TLS
- URL encoded
- Data compressed

[Layer 5 - Session]
- Session established with Google
- TCP connection maintained

[Layer 4 - Transport]
- TCP connection initiated (3-way handshake)
- Source Port: 54321
- Destination Port: 443 (HTTPS)
- Data split into segments

[Layer 3 - Network]
- IP Packet created
- Source IP: 192.168.1.10 (You)
- Destination IP: 142.250.185.46 (Google)
- Routing: Check routing table

[Layer 2 - Data Link]
- Ethernet Frame created
- Source MAC: AA:BB:CC:DD:EE:FF (You)
- Destination MAC: 11:22:33:44:55:66 (Router)

[Layer 1 - Physical]
- Bits transmitted over Ethernet cable
- 01001000 01010100 01010100...

=== THROUGH NETWORK ===
→ Your Router
→ ISP Router 1
→ ISP Router 2
→ Internet Backbone
→ Google Router

=== GOOGLE'S SERVER ===

[Layer 1 - Physical]
- Receives electrical signals
- Converts to bits

[Layer 2 - Data Link]
- Reads Ethernet Frame
- Checks MAC address: "This is for me!"
- Removes frame header

[Layer 3 - Network]
- Reads IP Packet
- Checks IP: 142.250.185.46 "This is me!"
- Removes IP header

[Layer 4 - Transport]
- TCP segment processed
- Port 443: "This goes to HTTPS service"
- Sends ACK back to you
- Removes TCP header

[Layer 5 - Session]
- Session maintained
- Keeps track of your request

[Layer 6 - Presentation]
- Decrypts TLS data
- Decompresses

[Layer 7 - Application]
- Web server receives: "GET / HTTP/1.1"
- Processes request
- Generates response (Google homepage)

=== RESPONSE GOES BACK ===
(Goes through all 7 layers again in reverse)

Your Browser: Shows Google homepage!

Troubleshooting by Layer

Layer 1 Issues (Physical)

# Symptoms: Complete loss of connectivity

# Check cable
sudo ethtool eth0 | grep "Link detected"
# Link detected: no ← Cable unplugged!

# Check interface is up
ip link show eth0
# state DOWN

# Fix
sudo ip link set eth0 up

# Check hardware errors
ethtool -S eth0 | grep error

Layer 2 Issues (Data Link)

# Symptoms: Can reach some devices but not others on LAN

# Check MAC address conflicts
arp -a | sort
# Look for duplicate MAC addresses

# Check switch connection
sudo tcpdump -e -i eth0
# See if you're receiving frames

# ARP issues
ping 192.168.1.1
arp -a
# If no ARP entry, Layer 2 problem

Layer 3 Issues (Network)

# Symptoms: Can't reach external networks

# Check IP address
ip addr show
# No IP? DHCP issue

# Check routing
ip route show
# No default gateway? Can't reach internet

# Test gateway
ping 192.168.1.1
# If fails, can't reach router

# Test external
ping 8.8.8.8
# If fails, routing problem

# Traceroute
traceroute google.com
# See where packets stop

Layer 4 Issues (Transport)

# Symptoms: Connection timeouts, port issues

# Check if port is open
nc -zv google.com 443
# Connection refused ← Port closed/filtered

# Check firewall
sudo ufw status
sudo iptables -L

# Check listening services
sudo ss -tulnp
# Is service actually listening?

# TCP connection issues
ss -tan | grep SYN_SENT
# Stuck in SYN_SENT? Server not responding

Layer 5/6/7 Issues (Application)

# Symptoms: Service running but not working correctly

# Check application logs
sudo journalctl -u nginx -n 50

# Test application
curl -v http://localhost
# See detailed HTTP transaction

# DNS issues (Layer 7)
nslookup google.com
# If fails, DNS problem

# SSL/TLS issues (Layer 6)
openssl s_client -connect google.com:443
# Certificate errors?

OSI vs TCP/IP Model

The Two Models

OSI Model (7 Layers)          TCP/IP Model (4 Layers)
┌─────────────────────┐       ┌─────────────────────┐
│  7. Application     │       │                     │
├─────────────────────┤       │   Application       │
│  6. Presentation    │       │                     │
├─────────────────────┤       │                     │
│  5. Session         │       │                     │
├─────────────────────┤       ├─────────────────────┤
│  4. Transport       │       │   Transport         │
├─────────────────────┤       ├─────────────────────┤
│  3. Network         │       │   Internet          │
├─────────────────────┤       ├─────────────────────┤
│  2. Data Link       │       │                     │
├─────────────────────┤       │   Network Access    │
│  1. Physical        │       │                     │
└─────────────────────┘       └─────────────────────┘

OSI: Theoretical model (how it should work) TCP/IP: Practical model (how it actually works)

Practical Commands for Each Layer

Complete Network Diagnostic Script

#!/bin/bash
echo "=== Layer 1: Physical ==="
ethtool eth0 | grep "Link detected"
ip link show | grep "state UP"

echo -e "\n=== Layer 2: Data Link ==="
ip link show | grep "link/ether"
arp -a | head -5

echo -e "\n=== Layer 3: Network ==="
ip addr show | grep "inet "
ip route show
ping -c 2 8.8.8.8

echo -e "\n=== Layer 4: Transport ==="
ss -tulnp | grep LISTEN | head -5

echo -e "\n=== Layer 7: Application ==="
curl -I https://google.com 2>&1 | head -3
nslookup google.com | grep "Address" | tail -1

Summary Table

Layer	Name	Protocol Examples	Data Unit	Device	Command Examples
7	Application	HTTP, SMTP, DNS, SSH	Data	User Apps	`curl`, `ssh`, `nslookup`
6	Presentation	SSL/TLS, JPEG, ASCII	Data	Gateways	`openssl`, `file`
5	Session	NetBIOS, RPC	Data	Gateways	`screen`, `who`
4	Transport	TCP, UDP	Segment	Firewall	`ss`, `netstat`, `nc`
3	Network	IP, ICMP, ARP	Packet	Router	`ping`, `traceroute`, `ip route`
2	Data Link	Ethernet, WiFi	Frame	Switch	`arp`, `ip link`, `ethtool`
1	Physical	Cables, Signals	Bits	Hub, Cable	`ethtool`, `mii-tool`

Key Takeaways

Encapsulation: Each layer adds its header
Decapsulation: Each layer removes its header
Troubleshoot Bottom-Up: Start at Layer 1, work up
Each layer is independent: Changes at one layer don’t affect others
Headers: Each layer adds information for that layer

Application Data
↓ + TCP Header → Segment
↓ + IP Header → Packet
↓ + Ethernet Header → Frame
↓ Converted to Bits

Remember This!

When troubleshooting, ask:

Is cable plugged in? (Layer 1)
Can I see other devices on LAN? (Layer 2)
Do I have an IP? Can I ping gateway? (Layer 3)
Is the port open? (Layer 4)
Is the application working? (Layer 7)

The OSI model is a concept to help you understand networking. In real life, layers sometimes overlap, but the model helps you troubleshoot systematically!

🎯 Master this, and you’ll understand 90% of networking problems!