In the first part of this two part series I gave you an analogy for thinking about networks.
And now we’re going to dive in a little deeper. You’re going to peer into packet captures. You’ll see exactly how the data maps to the TCP/IP layers. I’ll also clarify a few terms like encapsulation. Finally, I’ll share a secret that most people miss when talking about data networks.
Are you ready for this!?
Encapsulate me, then De-encapsulate me
As the data moves down each layer, it gets encapsulated. When it’s received at the destination it moves back up the layers. This is called de-encapsulation. In other words, as the original message is passed along down the stack, new information is tacked on. The message essentially keeps getting bigger and bigger as each layer adds its own data to the message. This is important because it helps the computers know what kind of data is being sent and which application it should go to.
For example, the Network layer adds a header that contains the source and destination IP addresses.
And the Data Link layer adds another header that has the source and destination MAC address.
At the destination, the remote computer discards the headers from each layer as it moves back up the stack. That’s the de-encapsulation part.
Remembering the Layers
So the seven layers we just presented are known as the seven layers of the OSI (Open Systems Interconnect) Model. Here they are again:
- Data Link
You can remember this with this fancy mnemonic:
It’s probably better if you come up with your own. You’ll remember it better. Some people remember it in the reverse order with:
So here’s the deal: I need to tell you a secret: despite what you may have heard, no one actually uses the OSI model. You only need to remember it if you’re taking a class or studying for a certification such as the Network+ exam.
The OSI Model is mainly conceptual. Today, people use the TCP/IP network model. It was designed by the IETF (Internet Engineering Task Force). People started using the TCP/IP network model and so it’s the one we use today. 99% of production networks use the TCP/IP suite.
The TCP/IP Suite
TCP takes the Application, Presentation and Session layer and lumps it into one layer called the Application Layer.
The Transport layer is the same in TCP/IP. Remember the Transport layer decides whether to transmit the message across the network using reliable or unreliable methods. It also segments large messages into parts.
In the TCP/IP protocol stack, the Network Layer maps to the Internet Layer.
And the Data Link Layer and the Physical Layer are lumped into the Network Interface Layer.
Here’s the the layers of the TCP/IP suite.
- Network Interface
Do you want to know a secret?
But I’ve got to tell you anther secret!
No one really talks about the TCP/IP network model like this. In the real world people don’t think about the layers like this. For example, if you take a packet capture and analyze the layers you won’t see the layers listed like this. Instead you’ll see:
- Physical Layer (Ethernet Cables, Hubs, Bits)
- Data Link Layer (Switches, MAC Addresses)
- Network Layer (Routers, Packets, IPv4 and IPv6 addresses)
- Transport Layer
And the next layer is the Application layer but no one calls it Layer 5.
Let me show you a live packet capture so you can see what happens:
Checking out the packet captures
When you type in fixedbyvonnie.com, your computer contacts immediately gets to work finding a DNS to resolve the fixedbyvonnie.com domain name into an IP address. That’s what DNS does. It sends a Standard Query for an A record which means:
Give me the IPv4 address of fixedbyvonnie.com!
Once it gets that, it’s ready to communicate.
It all starts at the Application Layer. Your web browser uses the Hypertext Transfer Protocol (HTTP) to request a particular web document from a web server.
You can actually see the HTTP header and the GET request for a specific file called fixedbyvonnie-ebook-801.png.
At layer 4, you’ll see either a TCP or UDP segment. HTTP uses TCP, so in order to guarantee that the HTTP request will arrive at fixedbyvonnie.com, TCP uses acknowledgements, sequence numbers (so it can sort the segments at the destination) and port numbers (so it can make sure the right data gets to the right application)
In the screenshot below you can see the TCP Segment length is 623 bytes. You can also see the Sequence Numbers and Acknowledgements that TCP used to guarantee fixedbyvonnie.com was returned to my web browser.
Next at Layer 3, you’ll see the IP header added to the TCP segment. The main thing to focus on is the source IP address (street name and house number of your computer) and the destination address. (street name and house number of fixedbyvonnie.com)
You can see my source IP address (the IP address of my computer) is 172.31.77.168 and the IP address of fixedbyvonnie.com (resolved via DNS) is 220.127.116.11.
Next at Layer 2, in the Data Link layer, you’ll see the physical addresses; namely, the MAC address of your computer and the MAC address of your default gateway.
If your computer was sitting on the same street (network) as fixedbyvonnie.com the destination MAC address would be the MAC of the fixedbyvonnie.com web server. But alas! You aren’t on my network so you need to send it to your gateway to the internet first.
In the graphic below you can see the MAC address of my default gateway (the destination) and my source MAC.
And then, finally, at Layer 1, you’ll see all the bits. In WireShark this is basically the summary or snapshot of all the information in the frame.
My favorite section is where it says [Protocols in frame].
It shows you a snapshot of all the protocols in the current frame. You can also see the length of the frame and a bunch of other mouth watering goodies.
Everything is a packet right!?
So what’s the data called? You might hear people erroneously referring to all network data as a Packet. But this is technically incorrect. It’s only a packet at Layer 3.
The general term is for network data is a Protocol Data Unit, (PDU) but when it hits the Transport Layer it becomes a Segment. Then at the Network Layer it becomes a Packet and at the Data Link Layer it becomes a Frame. Incidentally, it’s called a frame because the Data Link layer is the only layer that adds both a header and trailer to the packet.
As long as both the source and destination devices use the same frame format they will understand each other because the bits will be in the expected order.
- Segment (Transport Layer)
- Packet (Network Layer)
- Frame (Data Link Layer)
- Bits (Physical Layer)
So now you know that everything on the network isn’t a packet!
The Bottom Line
Believe it or not, if you can read everything here and can communicate it in your own words (without missing anything) then you truly understand how networks work.
I’ve given you a framework for understanding the entire process!
Please let me know if this helped you. Just shoot me a comment or an email firstname.lastname@example.org.