The Story That Explains the Entire Network Stack
That is exactly how a packet travels across the Internet. Your browser writes the "letter" (an HTTP request), and four more layers wrap it in envelopes — port numbers, IP addresses, MAC addresses — until it becomes pure voltage on a wire. This process is called encapsulation, and understanding it is the single most important skill for any cybersecurity professional, because every attack technique targets a specific layer of this journey.
As a Certified Ethical Hacker, I think about networking in exactly this layered way — not because it's academic trivia, but because every exploit, every defense, and every forensic investigation depends on knowing which layer you're operating at. This tutorial walks through the full journey of a single web request — from your browser to the literal copper or fiber that carries it — explaining what happens, why it matters, and how attackers and defenders fight at each stop.
Networking is built in layers so that each one only has to solve one problem. The application layer worries about meaning (what does this data say?). The network layer worries about direction (where does it go?). The physical layer worries about energy (how does it actually move?). Once you can place any protocol, device, or attack into one of these layers, the entire field of networking and network security becomes far less mysterious.
The OSI Model vs the TCP/IP Model
There are two mental maps used to describe networking: the academic 7-layer OSI model, and the practical 4-layer TCP/IP model that the real Internet actually runs on. You need both — OSI gives you precise vocabulary, TCP/IP tells you how it really works.
| OSI Layer | Name | Example Protocols | TCP/IP Equivalent |
|---|---|---|---|
| L7 | Application | HTTP, DNS, SMTP, SSH | Application |
| L6 | Presentation | TLS, JPEG, MIME | |
| L5 | Session | RPC, sockets, NetBIOS | |
| L4 | Transport | TCP, UDP, QUIC | Transport |
| L3 | Network | IPv4, IPv6, ICMP | Internet |
| L2 | Data Link | Ethernet, Wi-Fi, ARP | Link |
| L1 | Physical | Copper, fiber, RF |
In practice, the session and presentation layers (L5, L6) are usually folded into the application layer — TLS, for example, is technically L6 but is implemented and discussed as part of "the application stack." This tutorial focuses on the four layers that matter most for hands-on security work: Application, Transport (briefly), Network, and Physical.
Animated Diagram — Data Descending the Stack
Why Layering Matters — And Why Attackers Love It Too
Layering exists so complexity doesn't pile up in one place. But the same separation that makes networking manageable also gives attackers six distinct attack surfaces to choose from — one per layer.
ping tests L3, traceroute tests L3 hop-by-hop, curl tests L7.Encapsulation — How Data Gets Wrapped
Encapsulation is the process where each network layer wraps the data unit it receives from the layer above with its own header (and sometimes a trailer) before handing it down. Each layer's wrapped unit has its own name — its Protocol Data Unit (PDU).
| Layer | PDU Name |
|---|---|
| Application (L7–L5) | Data / Message |
| Transport (L4) | Segment (TCP) / Datagram (UDP) |
| Network (L3) | Packet |
| Data Link (L2) | Frame |
| Physical (L1) | Bits / Symbols |
By the time your data reaches L1, what started as 100 bytes of HTTP payload can be 154 bytes on the wire. Every byte of overhead is metadata that routers, switches, firewalls, and attackers all read.
Practical Example — Loading example.com
GET /index.html HTTP/1.1, Host: example.comDecapsulation — The Reverse Journey at the Receiver
When the packet arrives at its destination, the process runs in reverse — bottom to top. Each layer reads its own header, validates it, strips it off, and hands the rest upward.
Even with TLS encrypting your payload end-to-end, the IP and TCP headers remain plaintext — source/destination IPs, ports, and timing all leak. This is why traffic analysis (without decrypting anything) can still reveal who you're talking to and roughly what you're doing. Attackers also abuse encapsulation itself: tunneling means hiding command-and-control traffic inside DNS queries, HTTPS sessions, or ICMP echo payloads — smuggling malicious data inside what looks like legitimate protocol traffic.
Animated Diagram — Encapsulation in Motion
The Application Layer — Where Humans Meet the Network
The application layer is the top of the stack and the one users actually interact with. It defines how programs format messages, request services, authenticate, and transfer payloads — everything from your browser to your email client to your SSH terminal lives here.
Pocket Reference — Protocols, Ports, and Threats
| Protocol | Port | Purpose | Secure Variant | Common Threats |
|---|---|---|---|---|
| HTTP | 80 | Web traffic | HTTPS (443) | XSS, SQLi, request smuggling |
| DNS | 53 | Name resolution | DoT (853) / DoH (443) | Spoofing, tunneling, DDoS |
| SMTP | 25/587 | Email delivery | SMTPS / STARTTLS | Spoofing, relaying, phishing |
| IMAP | 143 | Email retrieval | IMAPS (993) | Credential theft, MITM |
| FTP | 21 | File transfer | SFTP (22) / FTPS | Cleartext creds, bounce attack |
| SSH | 22 | Remote shell | Always encrypted | Brute force, weak keys, MITM |
| Telnet | 23 | Remote shell (legacy) | None — DO NOT USE | Cleartext credentials |
| SNMP | 161 | Network management | SNMPv3 | Default community strings |
| LDAP | 389 | Directory services | LDAPS (636) | Injection, enumeration |
| RDP | 3389 | Remote desktop | TLS-wrapped | BlueKeep, credential spray |
Anatomy of a Real HTTP Request
This is what actually crosses the wire when your browser asks for a page:
GET /search?q=hello HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 ...
Accept: text/html
Accept-Encoding: gzip
Cookie: session=abc123...
Connection: keep-alive
(empty line - end of headers)
DNS — The Hidden Workhorse Behind Every Web Visit
Application Layer Security Toolkit
The Network Layer — How Packets Find Their Way
The network layer (Internet Protocol) has exactly one job: get a packet from any source IP to any destination IP on Earth. It does this through logical addressing, hop-by-hop routing, and fragmentation — handling the messy reality of underlying networks with different maximum packet sizes.
The IPv4 Header — Every Field Explained
Every router on Earth reads at least 20 bytes of this header on every single packet that crosses it. A few fields matter enormously for security:
| Field | What It Does | Security Relevance |
|---|---|---|
TTL | Hop count — decremented at every router | Sets max hops; exploited by traceroute to map paths |
Protocol | Identifies the next header (6=TCP, 17=UDP, 1=ICMP, 50=ESP) | Used by firewalls to filter by transport protocol |
Source IP | Identifies the sender | Often spoofed in DDoS attacks; needs BCP38 ingress filtering |
Fragment fields | Identification, flags, fragment offset | Abused in tiny-fragment and overlapping-fragment evasion attacks |
Practical Example — How a Packet Hops Across the Internet
A packet typically crosses 10–20 routers between your laptop and a remote server. Each router looks up the destination IP, picks the best next hop, decrements the TTL by one, and forwards the packet — repeating until it's delivered or the TTL hits zero.
| Hop | Device | TTL |
|---|---|---|
| 1 | Your Laptop (192.168.1.10) | 64 |
| 2 | Home Router (default gateway) | 63 |
| 3 | ISP Router (AS 7018) | 62 |
| 4 | Tier-1 Backbone (AS 1299) | 61 |
| 5 | Server (93.184.216.34) | 60 |
No router has a "map of the Internet." Each router only knows its directly connected neighbors and the rules it has learned via routing protocols like BGP or OSPF. The Internet works the way it does because thousands of independent, local decisions compose into a global delivery system — there is no central traffic controller.
ICMP — The Network's Diagnostic Sidekick
ICMP (Internet Control Message Protocol) sits at L3 alongside IP and carries error and informational messages — it's the protocol behind the tools you probably use every day.
| Type | Name | Used By |
|---|---|---|
| 0 | Echo Reply | ping response |
| 3 | Destination Unreachable | Network/host/port unreachable errors |
| 8 | Echo Request | ping query |
| 11 | Time Exceeded | TTL expired — the mechanism traceroute exploits |
# Diagnose connectivity with the tools ICMP powers
ping example.com # is the host alive?
traceroute example.com # map the path, hop by hop
mtr example.com # continuous ping + traceroute with stats
A Smurf attack spoofs a victim's IP and broadcasts ICMP echo requests, causing every host on the network to flood the victim with replies — a classic amplification DDoS. A Ping of Death sends an oversized ICMP packet to crash legacy network stacks. ICMP tunneling hides command-and-control data inside echo payloads, slipping past firewalls that allow ping traffic by default.
Routing Protocols — How Routers Learn the Map
Network Layer Threats and Defenses
| IP Spoofing | Forging source IP to impersonate or amplify DDoS |
| BGP Hijacking | False route announcements redirect global traffic |
| ICMP Tunneling | Covert channels hidden in echo payloads |
| Fragmentation Attacks | Tiny/overlapping fragments evade IDS, crash stacks |
| Routing Loops | Misconfigurations cause black-holes or oscillation |
| Ingress Filtering (BCP38) | Block spoofed source IPs at the network edge |
| RPKI Validation | Cryptographically sign route origin announcements |
| IPsec | L3 encryption + integrity (AH, ESP) — the VPN foundation |
| Stateful L3 Firewalls | Track session state, enforce src/dst/port rules |
| Reverse Path Forwarding | Drop packets arriving on unexpected interfaces |
The Physical Layer — Bits Become Energy
Everything above this point has been logical — headers, addresses, abstractions. The physical layer is where it all becomes real: voltage changes on copper, light pulses on fiber, or electromagnetic waves through the air. L1 transforms the logical frame built at L2 into physical signals, and defines connectors, pinouts, and timing.
Comparing Physical Media
| Medium | Typical Speed | Max Distance | EMI / Tapping Risk |
|---|---|---|---|
| Cat 5e UTP | 1 Gbps | 100 m | Susceptible / easy to tap |
| Cat 6 / 6a | 10 Gbps | 55–100 m | Better shielding |
| Coaxial | 1 Gbps+ | 500 m+ | Hard to tap unnoticed |
| Multimode fiber | 10–100 Gbps | 300–550 m | Immune to EMI; can leak via bend |
| Single-mode fiber | 100 Gbps – 1 Tbps | 40+ km | Immune to EMI |
| Wi-Fi 6 / 6E | up to 9.6 Gbps | 30–50 m | Broadcast — eavesdroppable |
| Submarine fiber | 100+ Tbps | 1000s km | Physical attack vector (cable cut) |
Signal Encoding — Turning Bits into Waves
How a bit pattern of 1011 actually looks on the medium:
Physical Layer Devices
Physical Layer Security — When Attackers Get Close
| Cable Tapping | Vampire taps on copper; bend-coupling on fiber |
| Implants | Hardware keyloggers or rogue USB devices dropped into ports |
| TEMPEST | Recovering screen/keyboard data from radio emanations |
| RF Jamming | Wi-Fi deauth attacks, GPS spoofing, IMSI catchers |
| Cable Cuts | Submarine cable severing; backhoe-driven outages |
| Locked Closets & Cages | Physical access control to wiring closets and racks |
| Fiber Tamper Detection | Optical Time-Domain Reflectometers (OTDR) detect taps |
| Faraday Shielding | TEMPEST-rated equipment for classified environments |
| Port Security / 802.1X | Authenticate devices at the switch port before they connect |
| CCTV & Sensors | Door sensors and tamper-evident seals on critical hardware |
L1 attacks bypass every higher layer entirely. If an attacker has physical access to your switch, your fiber run, or your server room, your firewall rules, your TLS certificates, and your WAF mean nothing. Physical access is total access. This is why physical security is always rule number one, not an afterthought.
Inspecting at the Right Layer — A Defense-in-Depth Practice
A common mistake security teams make is deploying a single control and assuming it covers the whole stack. It doesn't. An L3 firewall cannot read HTTP headers. An L7 WAF cannot see raw TCP flags. Real defense requires multiple inspection points working together.