Application Layer

Application Layer Overview

The Application Layer is the layer closest to the end user. When you are using a program that is going to send something or contact someone over the internet you are using a network application that operates at the Application Layer. Each program/application that sends data over a network is identified by a particular protocol, at Layer 4 this protocol is associated with a port number. For example a web browser like Internet Explorer requests and receives pages from web servers its protocol is HTTP the hyper text transfer protocol and its correlative port number is port 80.

The applications that we use at Layer 7, the Application Layer are web browsers (HTTP) like Internet Explorer, a file transfer programs (FTP) like Filezilla, email clients (SMTP) like Microsoft Outlook Express and all flavors of Instant Messaging programs and P2P applications. There are also processes that run in the background that run at Layer 7, like DHCP which automates the process of requesting and receiving an IP address from a DHCP server. If you want to see these protocols in action all you need to do is use Wireshark. For instance, if we use the example of DHCP we learn that initiating DHCP involves a DHCP client talking to a DHCP server. The process is: 1. Client sends a DHCP DISCOVER 2. Server responds with a DHCP OFFER 3. Client sends a DHCP REQUEST 4. Server responds with a DHCP ACKnowledgement You can see the process of a client obtaining an IP address with DHCP in Wireshark (see video tutorial below).

This is a diagram of the OSI and TCP/IP Models and how they correspond to PDUs, Protocols and Devices 

This is a visual diagram of the process data goes through when sent over a network in a layered architecture


Video Tutorials – Wireshark, nslookup, Telnet

In this video I show the process of DHCP address acquisition by analyzing the PDUs using Wireshark

In this video, I use nslookup to resolve domain name servers to their ip addresses

Data Link Layer

Data Link Layer Overview

The data link layer provides the upper layers access to the network media. It is responsible for controlling access to the media, encapsulating packets into appropriately sized frames for the media used, physical addressing, the exchange of frames between nodes on the local network, and error detection.

Media Access Control

Layer 2, Local Area Network Technologies
and their Media Access Control Characteristics

Wireless Ethernet
Token Ring
Contention Based
(first come first serve)
Control Based
Collisions No Collisions
Send anytime
Wait for your turn
Physical Star Topology

Logical Multi-Access
or Bus Topology

Token Ring = Physical Star, Logical Ring Topology
FDDI = Physical Dual Ring, Logical Ring
efficient use of bandwidth
(send anytime)
Inefficient use of bandwidth
(you have to wait your turn)
CSMA/CD (ethernet)
CSMA/CA (wireless ethernet)
Token Passing

Control Based Access – Controlled access means that devices or nodes take turns in sequence. It is deterministic in that there is scheduled access of the medium. If one device is putting data on the network then no other device can. Well ordered and predictable throughput, can be an inefficient use of bandwidth, as a device has to wait it’s turn.

{loadposition adposition5}Contention Based Access – Contention based access is also called non-deterministic. This means that the devices on the network don’t need to take turns using shared media. However, to avoid total chaos, a Carrier Sense Multiple Access (CSMA) process is used to make sure the media is not in use before a device begins to transmit. Though devices attempt to make sure the media is not busy, data collisions still occur with contention based access. Also, as more nodes are added to the network, the probability of collisions increases.

CSMA-CD (Carrier Sense Multi-Access with Collision Detection) is a media access method in which an ethernet host detects if a signal is being transmitted. If no signal is detected on the wire, then the host will transmit. There does exist the possibility that two or more hosts may sense the absence of a signal and transmit at the same time. If this happens, there is a collision of signals.

CSMA-CA (Carrier Sense Multi-Access with Collision Avoidance) stands for Collision Sense Multiple Access with Collision Avoidance. This is used for wireless media access control. It uses a send and reply like the TCP three way hand shake, in this way it reserves the right to send before sending. After each message is sent the hosts associated to the wireless access point run a randomization algorithm which sets a random priority on who gets to send next. That along with many control fields help to mitigate some of the interferences and other radio related wireless problems.


Network Topologies

Physical Topology versus Logical Topology – The physical topology is the arrangement of devices (nodes) and how they are physically connected to the network. The logical topology is the way data is transferred from one device (node) to another regardless of how the devices are physically connected. It is also related to how each host sees other hosts on the network and how each host accesses the media. A network’s logical topology is not necessarily the same as its physical topology. For instance, in an Ethernet network, computers are often connected to a switch or hub forming a physical star topology, but logically the way the data travels is a bus or multi-access topology. In a Token Ring network, computers are connected to a MAU multistation access unit, forming a physical star, but logically information travels clockwise from host to host in a ring topology. In FDDI, the physical topology is a dual ring (expensive) and logically it is also a ring. For additional information see:

Bus or Multi-Access
Ring or Dual Ring
Full Mesh

Point to Point Topology – directly connects two nodes. All frames are placed on the media by one node and taken off by the other. It can be both a physical and logical topology. Physically it is two nodes directly connected. Logically it is two nodes virtually connected directly, but passing through a network. It does not include the other devices in separate locations, that the data travels through. In this way it forms a virtual circuit between the two nodes. A virtual Circuit is a logical connection between two nodes and end users do not notice the intermedate devices.

Multi Access Topology – means that the nodes are communicating on the same shared media. Only one node can use the media at a time, and every node sees every frame on the medium. Of course, only the node to which the frame is addressed actually processes the frame. When sharing media, CSMA/CD and token passing are used to reduce collisions.

Ring Topology – In a physical ring topology each device is connected to two neighboring devices creating a physical ring almost like a physical bus. In a logical ring topology each node receives a frame in turn, and if the frame is not addressed to that node, it passes it on. In a Token Ring network, a node cannot send data on the network unless it has the token, the token is then passed to the next node and so on in a logical ring. For more information see:

Data Link Layer Sub Layers

LLC – Logical Link Control sub layer – Helps interface with the upper layers meaning the Network layer. Logical Link Control (LLC) places information in the frame that identifies which Network layer protocol is being used. This information allows multiple Layer 3 protocols, such as IP, IPX, Apple Talk, and DECNet, to utilize the different types of local media and interfaces, like Ethernet, Token Ring, different WAN serial protocols and interfaces such as PPP, HDLC, etc. .

MAC – Media Access Control sub layer – Media Access Control provides data link layer addressing with source and destination MAC addresses. These addresses are 48 bit physical addresses, usually written in hexadecimal format and burned into the NIC. Media Access Control is also responsible for marking the beginning and the ending of a frame with a start-of-frame and an end-of-frame delimiter. For more information see: 

Layer 2 Frames

Layer 2 frame characteristics are similar to other layers. There is a header, the data payload, and the trailer. The specifics of the frame differ in regards to the type of frame in question. There are LAN layer 2 technology frames (Ethernet, Token Ring) and WAN layer 2 technology frames (PPP, HDLC). One of the main differences is that ethernet frames have source and destination MAC addresses in their frame headers and serial technologies like PPP and HDLC do not.

Communicating on a Network – Page 3

OSI Model Overview

As the individual packets are encapsulated from the segmented data each layer adds information to the packet in whats called a header. This header is called a PDU or Protocol Data Unit. The header or PDU has important information that is needed to get the packet from point A to point B. One important piece of information that is contained in the PDU headers is the source and destination addresses.


OSI Layer TCP/IP Layer PDU
7 Application Application Data
6. Presentation Data
5. Session Data
4. Transport Transport Segment
3. Network Internet Packet
2. Data Link Network Access Frame
1. Physical Bits

The addressing that is put into the header of the packets is very important because as the packets travel across the network and encounter networking devices, the devices will strip off the different header addresses which helps send the data to the proper destination.

Layer 7 – Application – Application Data
Layer 6 – Presentation – Formatting Data
Layer 5 – Session – Control Data
Layer 4 – Transport – Source and Destination Service – Port Numbers
Layer 3 – Network – Source and Destination Logical Addresses – IP addresses
Layer 2 – Data Link – Source and Destination Physical Addresses – MAC addresses
Layer 1 – Physical – Encoding, Timing and Bit Sequence

Source and destination MAC addresses handle the delivery of packets to hosts on a local area network. Every NIC or network interface card has a unique MAC address and using Ethernet, packets are delivered at the Network Access layer of the TCP/IP model. At this layer the PDU is called a frame and the source and destination addresses identify a single host. The Frame is stripped off and the packet is moves to the Network or Internet Layer. The MAC address is often called the physical address because it is burned into the NIC and not normally configured through software.

Source and destination IP addresses handle the delivery of packets to the correct network host. For TCP/IP networking every host must have an IP address which correctly identifies the network they are on and the host number they occupy in that network. Routers are able to read the source and destination addresses in the layer 3 packet header and forward the packet to the correct network. Later a switch will facilitate the delivery of the packet to the correct host NIC by means of the Layer 2 MAC address.

Source and destination ports identify the correct application or service that has made the request. For instance a port 80 request would mean that a web page is requested as opposed to an email which would be port 25.

The layered protocols, addresses, and source and destination addresses are very abstract because when we request a web page with a web browser we do not see all the protocols and network layers at work. We do not see individual packets just a finished web page in our browser. To help make these protocols and layers more concrete you can capture the packets as they arrive at your computer and look inside the different layer headers. To do this you need to use a program called Wireshark. Wireshark is very handy ‘packet sniffer,’ and is a free program to download. See my short video tutorial for a quick intro on how to use it.

Physical Layer

Physical Layer Overview

The purpose of the Physical layer is to put digital bits on the media as encoded signals and to also receive encoded signals and turn them back into binary digits. Media at the Physical layer refers to either copper cables, fiber optic cables or wireless radio waves. Along with all the different types of cables the Physical layer also refers to the different connectors like RJ-45 connectors and ST/SC fiber optic connectors.

The Physical layer takes place in hardware as opposed to software, so instead of protocols and addressing the Physical layer is comprised of engineering standards defined by organizations like the IEEE, the ITU and the ISO.


Signaling is changing bits in to a form that can be transmitted over distances and read by connectors on each end. In general terms, 1’s and 0’s are represented on the medium as variations in voltage, the presence or absence of light and changes in radio waves. In this way, 1’s and 0’s are signaled by changes in amplitude, frequency, and phase.

Two early signaling standards were Manchester Encoding (Ethernet) and Non-Return Zero (NRZ). NRZ uses the voltage on the wire as a 1 or 0. Since this is a very simple method of signaling it can only be used in low speed links. Manchester Encoding uses segments register a change in signal that goes up or down. If the change is down then it will be a 0 if the change is up it will be a 1.


Encoding is used to improve efficiency and speed of data transmission. Code groups are used to encode bits into larger symbols prior to placing them on the media. For example, in the 4B/5B code group, four bit long codes are translated into five bit long symbols. One reason for this is that devices know that when they see a five byte symbol that doesn’t correspond to a four byte code or control code, the bits are an error or noise on the media. Another reason for this is that a long series of 1s could wear out or overheat media or network devices. Also, using code groups prevents data bits from accidentally matching a control signal, such as the bit pattern signaling the end of a frame.

Copper Media

The most commonly used network media uses copper wires to carry data between network devices. Copper media can refer to early ethernet implementations using coaxial cables like 10Base2 (Thinnet) and the predominant Fast Ethernet and Gigabit Ethernet using Cat5E UTP (unshielded twisted pair) cables. Unshielded twisted pair cables (UTP) use four twisted pairs of wires that are used for signaling and transmission, and coaxial cable uses a single copper conductor that is insulated by a shield. Cables used for networking all have requirements that are spelled out in Physical layer standards.

One problem with copper media is that it is susceptible to electromagnetic and radio interference from things such as motors, fluorescent lights, and radio transmitters. Interference problems can be solved by using different media, avoiding sources of interference when designing infrastructure, and properly handling and terminating cables. Unshielded twisted pair cables use the effect of “cancellation.” created by the twists in the cable pairs to resist electromagnetic interference.

Fiber Media

Fiber cabling uses glass or plastic fibers to let light signals travel from the source to the destination. Encoding schemes use light pulses for the signaling method. The speed with which light travels allows fiber optic cabling to deliver large data bandwidth rates and longer cabling runs. Downsides to fiber optic cabling is that it is more expensive than copper cabling and requires careful installation techniques to avoid sharp bends in the cable which will break the glass core. Because of its cost fiber cabling has been used mainly for backbones and vertical runs in networks. There are generally two types of fiber optic cabling, multimode cable and single mode cable. Single mode is more expensive, can be run farther distances, uses a laser as a light source, and has an 8 to 10 micron glass core. Multimode fiber uses a LED as its light signal, has a glass core of 50 to 60 microns, bounces the light inside of the cable, suffers from more light dispersion, and is cheaper than single-mode.


Wireless Media

Carries electromagnetic signals at radio and microwave frequencies and works well in open environments. Wireless media requires no physical access like copper cables and jacks, however, the easy open access that wireless provides also presents security risks.

  • IEEE 802.11 (WiFi) is considered a wireless LAN
  • IEEE 802.15 (WiPAN) is considered a wireless Personal Area Network, commonly known as “Bluetooth”
  • IEEE 802.16 (WiMAX) is considered a point-to-multipoint topology for wireless broadband access
  • 802.11a – 5 Ghz frequency, 54 Megabit per second,
  • 802.11b – 2.4 Ghz frequency, 11 Megabit per second,
  • 802.11g – 2.4 Ghz frequency, 54 Megabit per second,
  • 802.11n –  2.4 Ghz frequency, 100 Megabit per second

Media Connectors

EIA-TIA 568A and 568B are the unshielded twisted pair RJ-45 connector standards for wire colors used for pinouts for Ethernet straight-through and crossover cables. See the following diagrams:

A 568B “Straight Through” cable will have the following pin-outs on both ends of the cable

white/orange orange white/green blue white/blue green white/brown brown
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
white/orange orange white/green blue white/blue green white/brown brown


A 568A “Straight Through” cable will have the following pin-outs on both ends of the cable

white/green green white/orange blue white/blue orange white/brown brown
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
white/green green white/orange blue white/blue orange white/brown brown


A “Crossover” cable will have the 568B and the 568A standards on either ends of the cable
Notice: that pins 1&3 and 2&6 are crossed in a Fast Ethernet Crossover cable

white/orange orange white/green blue white/blue green white/brown brown
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8
white/green green white/orange blue white/blue orange white/brown brown

Common Optical Fiber Connectors

Straight-Tip (ST) Trademarked by AT&T
-bayonet style connector used with multi-mode fiber
Subscriber Connector (SC)
– push-pull mechanism ensures positive insertion
– used with single-mode fiber
Lucent Connector (LC)
– small connector
– used with single-mode fiber
– supports multi-mode fiber

Common Fiber Termination and Splicing Errors
– media not precisely aligned together
End Gap
– Media does not completely touch
End Finish
– Dirt is present or the ends are not polished well enough

Optical Time Domain Reflectometer (OTDR)
– recommended test equipment
– injects a test pulse of light into the cable
– measures back scatter and reflection as a function of time
– calculates the approximate distance of detected faults

Field Test
– can be performed with a flashlight
– if light is visible at the other end cable is capable of passing light
– does not ensure performance
– used as a quick way to find broken fiber

Network Layer

Network Layer Overview

The Network Layer is all about networks and routing packets to the correct network, it is the “Layer of The Internet” the layer of the IP protocol. The IP protocol is a connectionless protocol, it doesn’t care about setting up a connection prior to sending like TCP’s three way handshake, it just sends. IP is also a best effort protocol in that it isn’t reliable, it leaves reliability up to TCP with its sequence numbers and syns and acks. IP is only concerned with getting the packets to the right network, i.e the Best Path. The Network Layer header specifies the network addressing i.e. source and destination IP addresses. Along the packet’s travels across the internet the source and destination ip addresses never change. IP or the Internet Protocol is a special protocol that we call a routed protocol. In other words IP is a protocol that is routable, it gets this from the fact that it uses hierarchical addressing that can be tiered into levels of greater and smaller networks as well as the ability to differentiate between the network portion and the host portion of the address. This last part is crucial, think of another hierarchical addressing scheme for instance, a post office mailing address. When you mail a letter, it is sent to a host or recipient like “John Doe,” but what if you only wrote the person’s name on the letter, like “To: John Doe,” would it get there? No, it wouldn’t, because it wouldn’t contain any routable information like State, City, and street address only the recipient John Doe. We can liken a complete mailing address to an IP address like /24. The routable portion like city, state, and street address is the network portion the 192.168.1 part and the recipient is the host portion or the .108 part. We can easily differentiate the network portion from the host portion by means of the network mask or subnet mask. The network mask has 4 octets just like the IP address. The portions with the 255’s ( identify the network portion and the portion with the 0’s tells us where the host portion is.

IP Addressing – Example  – If this is the ip address  – and this is the netmask or subnet mask   – then the network is red, and the host is green … why?
255.255.255.– the network portion is defined by the red 255s and the host portion is defined by the green 0 portion.  – the first address is the network address and cannot be assigned to a host  – the last address is the broadcast address and cannot be assigned to a host{loadposition adposition6} thru 254  – are available for host addresses

If we convert the netmask from decimal to binary the 1s represent the network portion and the zeros represent the host portion:
11111111.11111111.11111111.00000000 – Binary – Decimal

The above ip address and netmask together can be represented as: /24 – The /24 represents the number of binary 1s in the netmask counted from left to right
11111111.11111111.11111111.00000000 – 24 x1s or /24

Broadcast Domains

The Protocols of the Network Layer

IPv4 – The most widely used network layer protocol, and part of the TCP/IP suite used on the internet. A connectionless, best effort protocol.

IPv6 – The successor to IPv4, with 128 bit addresses instead of 32 bit addresses to solve address space and other issues.

ICMP – Internet Control Message Protocol, part of the TCP/IP suite responsible for error messages when services or destinations are unreachable. ICMP is used directly by the ping and trace route utilities.

IPsec – Internet Protocol Security is a TCP/IP suite protocol that provides authentication and encryption similar to SSH, but at the network level for packets, making any type of TCP/IP communication secure. It has been back-engineered into IPv4, and is required under IPv6 for interoperability.

IPX – Novell Internetwork Packet Exchange, a protocol used by Novell NetWare systems that has become depreciated since the acceptance of TCP/IP

Appletalk – A proprietary Apple protocol, depreciated and no longer supported in the latest releases of Apple’s operating system.

CLNS/DECNet – Connectionless Network Service. A connectionless protocol that is not found on the internet, but still used in many telecommunications networks.

Video Tutorials – Routing Basics

Transport Layer

Transport Layer Overview

The transport layer of both the OSI and TCP/IP models is very important. At this layer the data being prepared to be sent over the internet is broken into pieces called segments. The PDU or protocol data unit at this layer is called a segment. Their are two main protocols that function at this layer TCP and UDP. TCP or transmission control protocol is a very reliable and connection oriented protocol. TCP is characterized as being reliable because of the fact that it will only send data once a three way handshake has first been established, it uses sequence numbers to track all segments and it also uses system of syns and acks (acknowledgments), and it will not send new data until an acknowledgement has been received for data already sent. If the acknowledgement is not received it will resend data. UDP or user datagram protocol on the other hand is not reliable, it is a best effort delivery system, a connectionless protocol, that does not require an established connection with another computer before sending data. UDP’s advantage is the fact that its header fields or control information is a lot smaller than TCP’s so there is a lot less to process and as a result it is a faster  but less reliable protocol.



segments– sequence numbers, acknowledgements, many header
fields, lots of overhead
datagrams– no sequence numbering, few header fields, little overhead = fast


reliability -due to sequence numbering, and resending of data if no acknowledgement is received unreliable – sends all data regardless of whether or not it was received
connection oriented – Three way handshake receiving computer prior to sending data connectionless –  no handshake to establish connection
source and destination port numbers in the header source and destination port numbers in the header
flow control – dynamically change the windows size to not overwhelm the receiver with data no flow control

Here is a short list of some of the most useful port numbers. You should memorize these ports.

 Port Number
















Well Known Ports

0 – 1023

Registered Ports

1024 – 49151

Dynamic Ports

49152 – 65535

Video Tutorials – Packet Tracer for Beginners

Packet Tracer for Beginners – Part 1: How to connect a client and a server to a switch, test connectivity with Ping and Run server services like HTTP and FTP