CyberSchool Module 1 · Networking
Home › Module 1 › The OSI Model
Lesson 2

The OSI Model

The OSI model is the single most useful map in all of networking. It breaks the messy business of “how computers talk” into 7 tidy layers. Once you can picture the layers, you can picture exactly where every attack happens and every defence lives.

Introduction — what is the OSI model?

OSI stands for Open Systems Interconnection. It is a conceptual model (a way of thinking, not a physical thing) that describes the journey your data takes in 7 layers, from the app you're using all the way down to the electrical signals on the wire, and back up again on the other side.

Analogy — Sending a parcel overseas Imagine posting a gift to a friend abroad. You choose the gift (the app). You write a letter (the data). You put it in a box, then that box goes in a bigger shipping crate, then onto a truck, then a ship. At each stage something is wrapped around the previous thing. On the other end, your friend un-wraps it in the reverse order. The OSI model is exactly this — each layer wraps the data in its own “envelope” of information, and the receiver unwraps them one by one.

The 7 layers, top to bottom

A famous memory trick (mnemonic) reads the layers from top (7) to bottom (1): “All People Seem To Need Data Processing.”

#LayerJob (in plain words)Real exampleData is called
7ApplicationThe stuff you actually see and useWeb browser, email, WhatsApp (HTTP, DNS)Data
6PresentationTranslating & encrypting so both sides understandSSL/TLS, JPEG, character encodingData
5SessionStarting, managing and ending conversationsKeeping you logged inData
4TransportReliable delivery & port numbersTCP, UDPSegment
3NetworkAddressing & choosing the route between networksIP addresses, routersPacket
2Data LinkDelivery within one local networkMAC addresses, switchesFrame
1PhysicalThe actual signals: cables, radio, lightEthernet cable, Wi-Fi radioBits

Layer 1 — Physical (the road itself)

The raw, physical connection: copper cables, fibre-optic light, Wi-Fi radio waves. It deals only in bits — 1s and 0s as electricity, light, or radio.

Analogy: the tarmac road the trucks drive on. Security angle: cutting a cable, or someone plugging a rogue device into a wall socket, is a Layer 1 attack.

Layer 2 — Data Link (delivery within the building)

Moves data between two directly-connected devices using MAC addresses. Switches live here. Data is packaged into frames.

Analogy: the mail sorter inside one office building. Security angle: MAC spoofing and ARP poisoning (tricking devices about who's who) are Layer 2 attacks — the classic “man-in-the-middle” starts here.

Layer 3 — Network (choosing the route between cities)

Handles IP addresses and decides the best path across many networks. Routers live here. Data is a packet.

Analogy: the city post office deciding which route a letter takes to another town. Security angle: IP spoofing and many denial-of-service floods target Layer 3.

Layer 4 — Transport (registered vs. ordinary post)

Ensures data arrives correctly and in order, and introduces ports (numbered doors on a computer). Two key protocols:

Security angle: port scanning (which we'll do with Nmap) works at Layer 4. SYN-flood attacks abuse how TCP starts conversations.

Layer 5 — Session (managing the phone call)

Opens, maintains, and closes conversations between two applications. It's why you stay logged in while browsing. Analogy: a receptionist who connects your call, keeps it open, and hangs up at the end.

Layer 6 — Presentation (the translator)

Formats, compresses, and — crucially for security — encrypts data so both sides understand it. TLS/SSL, the technology behind HTTPS, is usually placed here. Analogy: a translator who also seals the letter in a tamper-proof envelope.

Layer 7 — Application (what you actually touch)

The top layer — the software you interact with and the protocols it speaks: HTTP/HTTPS (web), DNS (name lookups), SMTP (email). Security angle: most modern attacks — phishing, SQL injection, cross-site scripting — happen up here at Layer 7.

Encapsulation — the big idea As your data travels down the layers on the sending side, each layer wraps it in its own header (this wrapping is called encapsulation). On the receiving side it travels up and each layer unwraps its header (de-encapsulation). Same parcel, wrapped and unwrapped.

Where every attack lives (the security map)

LayerExample threatExample defence
7 ApplicationPhishing, SQL injection, XSS, malwareInput validation, WAF, user training
6 PresentationWeak/broken encryption, SSL strippingStrong TLS, certificate checks
5 SessionSession hijacking, stolen cookiesSecure tokens, session timeouts
4 TransportPort scanning, SYN floodsFirewalls, rate limiting
3 NetworkIP spoofing, ICMP floodsRouter ACLs, anti-spoofing filters
2 Data LinkARP poisoning, MAC spoofingDynamic ARP inspection, port security
1 PhysicalCable tapping, rogue devicesLocked rooms, disabled unused ports

Command demo: see the layers in action

You don't just have to trust the theory — you can watch different layers work.

$ ip neigh # Layer 2: shows the ARP table — which MAC address goes with which IP on your LAN. $ ping -c 2 8.8.8.8 # Layer 3: ICMP packets test reachability using IP addresses. $ ss -tuln # Layer 4: lists open TCP/UDP ports (the "doors") on your machine. $ curl -I https://example.com # Layer 7: speaks HTTP to fetch just the headers of a web page.
Try It Yourself (practice terminal)

Type one of: ip neigh, ss -tuln, or curl -I https://example.com and notice which OSI layer each one lives on.

kali@lab: ~
Watch the layers. Try a command below.
kali@lab:~$
Practical Exercise 2.1 — Label the layers of a real connection
  1. Run curl -v https://example.com 2>&1 | head -n 20.
    The -v (verbose) flag prints the connection story.
  2. Find and label these lines with their OSI layer:
    • “Trying 93.184.x.x” → Layer 3 (IP address).
    • “Connected to ... port 443” → Layer 4 (port).
    • “TLS handshake / SSL certificate” → Layer 6 (encryption).
    • “GET / HTTP/2” → Layer 7 (application).
  3. Write one sentence for each layer explaining what it did. You now understand a real HTTPS request the way a security analyst does.
Quick check: At which layer do IP addresses and routing decisions happen?
Layer 2 — Data Link
Layer 3 — Network
Layer 4 — Transport
Layer 7 — Application
IP addressing and routing between networks is the job of Layer 3, the Network layer. MAC addresses are Layer 2; ports are Layer 4.
Why does this matter for your career? Security teams speak in layers every single day: “that's a Layer 7 attack,” “block it at Layer 3.” When you troubleshoot an incident, the OSI model tells you exactly where to look. It appears on the CompTIA Network+, Security+, and Cisco CCNA exams, and interviewers love to ask about it because it instantly reveals whether you truly understand networking.

Key takeaways

  • The OSI model splits networking into 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
  • Remember it with “All People Seem To Need Data Processing.”
  • Each layer wraps the data in its own header (encapsulation) going down, and unwraps it going up.
  • Every attack and defence maps to a layer — knowing which one tells you where to act.
CyberSchool · Module 1, Lesson 2.