Introduction to the OSI Model

Hello Narad

In order for the PC to reach the Google web server, it must have an IP address associated with the domain name. So the first thing it will do is send a request to the configured DNS server requesting the IP address that corresponds to google.com. Once the DNS server responds, it can then send the HTTP request to the web server to get the web page.

Now the reason you don’t see that request in Wireshark is that your PC will keep a cache of DNS entries. Every time you go to google.com, your PC will first look in the local DNS cache to see if an entry already exists. If it does, it won’t send a request to the DNS server. It is likely that you already visited this site before and it was stored in the cache, so there was no need for a DNS lookup. By default, a Windows device will keep an entry in the DNS cache for 24 hours.

On a Windows device, you can display the DNS cache using the ipconfig /displaydns command in the command prompt. You can also flush the cache using the ipconfig /flushdns command. So you can do your experiment again by first flushing the cache and then visiting google.com. You should then see the DNS lookup.

I hope this has been helpful!

Laz

Thanks sir…It’s really helpful…!!

1 Like

Hi Rene,
I have a doubt regarding the lower layers (4, 3, 2). The application takes care of the application, presentation, and session layer. Then what about the lower layers? Will the application itself encapsulate the data into the transport layer, network layer, and data-link layer? Or will the computer encapsulate the lower layers for the application?

Hello Roshan

When we talk about the application layer in the OSI or the TCP/IP model, we’re not actually talking about the software application on your computer. We’re talking about subprocesses that make your software applications “network-aware”. You can see many of these in the Task Manager of a Windows device categorized under “Windows processes”.

Let’s first talk about the TCP/IP model. The application layer is where protocols such as HTTP, SMTP, and FTP actually live and operate. When, say, a web browser wants to send a request to fetch a web page, it will create an HTTP GET message. This is done within the application layer. This message is then encapsulated into one or more transport layer segments. This is then further encapsulated into an IP packet with the appropriate headers, and then into an Ethernet frame with the appropriate headers and trailers. Finally, this is then translated into bits and encoded onto the physical medium.

Now, this process of encapsulation takes place at various locations within a PC.

  • The application layer operations take place in those subprocesses I mentioned before.
  • The transport and network layer encapsulations, and those of the “top half” of the data link layer, called the logical link control (LLC) sublayer, take place in and are executed by the operating system.
  • The operations of the “bottom half” of the data link layer, known as the MAC sublayer, take place in the hardware of the network interface, specifically, the NIC, or the wireless interface.

Take a look at this diagram:
image

The border between the logical link control and the media access control sublayers is essentially the separation between hardware and software operations for the OSI model.

One more thing, the presentation and session layers are essentially found within the application layer of the TCP/IP model, so you can take those three layers as a single layer in most modern networks.

I hope this has been helpful!

Laz

1 Like

Hi professor,

The instruction is not clear when I want to check my packets.

I am using a laptop and when I am pasting the http.host==“cisco.com in my Wifi interface card on Wireshark it displays nothing when I am typing the URL http://cisco.com in a new browser.

Am I doing anything wrong? Why are my packets not shown?
Am I missing any steps?

Hello Abdul

I tried the lab on my computer as well, and I found that when I use Chrome or Edge, I too cannot find any packets that match the http.host=="cisco.com" filter. This filter will show all HTTP packets that contain the cisco.com string. This should be found within an HTTP GET statement.

I researched it a little deeper and found that newer browsers don’t actually use a plain HTTP GET statement to receive web data. Using Wireshark, I searched for “cisco.com” as a string of text in any location within any packet, and I found a single entry in a packet using the TLSv1.2 protocol as a client hello:

This means that the browser is establishing a TLS session (sometimes incorrectly referred to as an SSL session, but SSL is the predecessor of TLS). It is within that session that the HTTP GET request is sent, but this is encrypted, so Wireshark cannot see it. More about how Wireshark sees TLS can be found here:

https://wiki.wireshark.org/TLS

Now if you want to be able to see it, you can try the following. On my Windows 10 computer, I still have Internet Explorer (IE). The version I have is:

image

I tried going to cisco.com and capturing those packets, and I was able to see the GET request as shown in the lesson:


Notice here that you can’t actually see the “cisco.com” in the HTTP portion of the packet. That’s because even this version of IE is using HTTPS, which is a secure version. So it is encrypted. However, Wireshark is able to decrypt and detect this text within the GET request.

I hope this has been helpful!

Laz

1 Like

Hi @lagapidis,

Thank you so much for taking your time and helping me out. It means a lot.

I understood now. I also went further and tried to install Mozilla Firefox and finally I was able to get the captures for the URL cisco.com. Here is the screenshot of my result.

I just had this idea in the back of my mind and it worked but I still didn’t understand the logic behind changing the browsers as it didn’t work in Chrome and Edge but it worked on Mozilla.

Hello Abdul

Great to hear, and it’s good that you too are experimenting with various options. I’ve asked @ReneMolenaar to update the lesson to include some more information that will help future readers as well…

Thanks again!

Laz

Hello! I have a question about Wireshark in the intro to the OSI model. I am having an issue where I should receive the Hypertext Transfer Protocol after I go to http://cisco.com, but nothing is coming up and I am not sure how to deal with it. I tried clearing history, closing Wireshark and starting the process again but it did not work. I have a screenshot to show what I am seeing. Hope you can help. Thank you!

Dear @superyaseen96

Cisco.com uses HTTPS nowadays. You can see these packets when you use this filter instead:

tcp.port==443

The problem is that this traffic is encrypted which makes it less interesting to look at. Another option is to try this URL:

http://neverssl.com

This site only uses HTTP so your filter will work. It’s clear text so you can see everything.

Rene

Hello,
I’m not sure I understand this part:
"
Session: The session layer takes care of establishing, managing, and terminating sessions between two hosts. When you are browsing a website on the internet, you are probably not the only user of the web server hosting that website. This web server needs to keep track of all the different “sessions.”
"

Specifically, this idea: “you are probably not the only user of the web server hosting that website. This web server needs to keep track of all the different “sessions.””

Doesn’t the web server keep track of all of the different users that connect to it via their (=the users’) IP addresses? If I connect to this site, and my friend connects to it as well, the site sees both of our IP addresses, and that’s how it knows to send me the contents of this forum page, and the homepage to my friend (assuming I have this forum page open, and my friend clicked on the home page).

Can someone please explain?
Thanks.
Attila

Hello Attila

Yes, I understand what you are saying. However, keep in mind that the IP address identifies the host or the device that is being served by the server. What happens if from my PC I open up four tabs and connect to the same web server? On one tab I click on one particular hyperlink, and on another tab I click on another. Both requests were made from the same IP address, so how does the server know which “session” to respond to? It knows from the port numbers being used within the session layer. That’s why Rene states that each individual session, from web browser tab to web server must be kept track of.

Does that make sense?

I hope this has been helpful!

Laz

1 Like

Hello Laz,

Thank you again for the thorough response.

Please correct me if I’m wrong, but aren’t we talking about session multiplexing, which is a Transport layer function? So when multiple users connect to the same web server, doesn’t the server keep track of each user’s activities by using the socket (which is, if I’ve learned it correctly, the combination between the destination IP, destination port, and source ephemeral port)? And within each user’s Transport layer segment, doesn’t the Session layer data keep the streams apart? So if I remember correctly from other resources, it should be the Session layer that makes it possible for me to log in to the same site using different accounts, among other things.

So shouldn’t the web server keep track of the different user sessions by using the sockets (which is a Transport layer function, instead of Session layer as indicated by the article)? I’m still new to the networking field so I apologize if I’m mixing things up.

Thank you for your help.
Have a nice week.
Attila

Hello Attila

First of all, you are correct that an application will indeed keep track of each communication based on what is called the internet socket address, which is a combination of the transport protocol, the IP address, and the port number. These three elements can be used to differentiate between communications with a server. This is the case because even if they come from the same host, and the same transport layer protocol, they will still have a different port number (on the host side) making sure that it is separate.

Now I think from here on the confusion takes place due to terminology. The word “session” is often used to refer to a communication created using a socket that uses TCP as the transport layer. So we often talk about a transport layer session or TCP session. But the word session is also used to talk about the Session Layer of the OSI model. In my posts, I was using the word “session” as a transport layer communication, and not the OSI model layer.

Although the OSI model was developed as a framework for all network protocols to adhere to, it has been superseded by the TCP/IP model (which I’ll talk about shortly). Today, the OSI model is primarily used for training purposes. Although there are some OSI-based protocols still in use today, the vast majority use TCP/IP.

In the lesson, the Session Layer does actually perform many of the session functions described in the lesson, however, in most communications today, the Session layer doesn’t exist because we now use the TCP/IP model which is further described in this lesson:

With the TCP/IP model, the separation of sessions is performed exclusively by the socket described above. Does that make sense?

I hope this has been helpful!

Laz

1 Like

Hello Laz,

Thank you very much for the continued discussion.

If I understand everything correctly, the following things must happen when I use a website:

I open facebook.com. My computer creates a pair of sockets: one socket consists of my own IP address, the protocol, and an ephemeral port (eg 123.123.123.123, TCP, 49152); and the other socket consists of the server’s IP address, the protocol, and port 80 (eg 157.240.22.35, TCP, 80). When I enter my login credentials and log in to my account, another pair of sockets is created (with the only different piece of information being the ephemeral port). Then, when I click on someone’s profile within Facebook and a new page loads, a third pair of sockets is created (same as before: new ephemeral port, everything else the same). If I then close facebook.com and open networklessons.com, a fourth pair of sockets is created (with a new ephemeral port, and networklessons.com’s public IPv4 address as the destination IP in the socket, everything else is the same).

The information for a socket is gathered from L3 and L4:

  • the IP addresses are in the packet (source and destination IP) (=L3);
  • the protocol information is also in the packet (in IPv4: in the Protocol field; and in IPv6: in the Next Header field) (=L3);
  • the ports are in the Transport layer’s (=L4) segment: both the
    (a) well-known/system (0-1023) or the user/registered (1024-49151) port (as the case may be), and
    (b) the ephemeral/dynamic/private port.

So session multiplexing is due to Layer 3 and Layer 4. Layer 5, the Session layer, doesn’t play a part. Or am I missing something?

I’ve just now subscribed to the full year membership, in big part due to your many helpful answers.
Have a great weekend!

Attila

(Note to anyone else reading: 123.123.123.123 is of course just a made-up IPv4 address and not my actual public IPv4 address.)

Hello Attila

Your description sounds just about right. Just a couple of comments.

  • Your computer doesn’t create a pair of sockets, even though each communication has two sides to it. Your computer sees the socket as the IP address, transport layer protocol and port of the device it is connecting to. So the socket it sees is 157.240.22.35:80 using TCP. The web server sees the socket as 123.123.123.123:49152 using TCP.
  • Secondly, when you go to Facebook, each click may be established using a different socket, or it may be part of the same socket. It depends on the way the web site is designed. Typically you will have several sockets created when communicating even with one web site.
  • Finally, I keep using the word socket as you did as well, but we must keep in mind that this terminology has been largely replaced with the word “session.” So when using TCP, the word session is used to refer to each individual, independent communication that takes place using a particular socket.

Yes, that is correct. The session layer plays no role in this because when using TCP/IP there is no session layer. Above the transport layer we have the Application layer as seen here:
image

Great to hear that you are finding these conversations useful! It makes our job all the more rewarding.

I hope this has been helpful!

Laz

PS

I remember my first computer which had a 2400 baud modem with Windows 3.1, we’d use a software utility called Winsock which would create this socket with an Internet provider’s server to gain access to the Internet. Those were the days…

1 Like

Hi Laz,

Thank you again for the correspondence.
So when I’m browsing a website on the internet, then I’m probably not the only user of the web server hosting that website. The way this web server keeps track of all the different “sessions” is using the L3 and L4 information that used to be named the sockets, but a more modern term is “session?”

Have a nice week.
Attila

Hello Attila

Yes that is correct. Let’s assume that we have a web server at 20.20.20.1, and let’s assume we have five hosts accessing this web server with IP addresses 5.5.5.5, 6.6.6.6, 7.7.7.7, 9.9.9.9, and 10.10.10.10. You will have five separate sessions like so:

Source IP   Source Port   L4 Protocol  Destination IP   Destination Port        
-------------------------------------------------------------------------
5.5.5.5     26580         TCP          20.20.20.20      80
6.6.6.6     33544         TCP          20.20.20.20      80
7.7.7.7     22588         TCP          20.20.20.20      80
9.9.9.9     36555         TCP          20.20.20.20      80
9.9.9.9     36556         TCP          20.20.20.20      80
10.10.10.10 18999         TCP          20.20.20.20      80

The elements used by the webserver to differentiate between these sessions are the source IP, the source port, and the Layer 4 protocol being used. These are unique for each communication and constitute a session.

Notice I put in two sessions from the 9.9.9.9 host with different source ports, to emphasize that a single host may have multiple sessions with the same web server.

I hope this has been helpful!

Laz

1 Like
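The session separation discussed in the posts above can be reproduced by reading the key straight from the headers: addresses and the Protocol field from the IPv4 header (L3), ports from the TCP header (L4). This is an added example, not code from the thread or the lesson; `build_packet`, `five_tuple`, `demultiplex` and `sample_capture` are hypothetical names, and the packets are constructed from the rows of the table above, with one extra segment added to the second 9.9.9.9 session.

```python
import socket
import struct
from collections import defaultdict

def build_packet(src, sport, dst, dport, payload=b""):
    """Constructed IPv4 + TCP packet (checksums left at zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def five_tuple(packet):
    """Read the session key from the L3 and L4 headers of one packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = packet[9]                               # L3 Protocol field (6 = TCP)
    src = socket.inet_ntoa(packet[12:16])           # L3 source address
    dst = socket.inet_ntoa(packet[16:20])           # L3 destination address
    sport, dport = struct.unpack_from("!HH", packet, ihl)   # L4 ports
    return (src, sport, proto, dst, dport)

def demultiplex(packets):
    """Group payloads per session, the way a server's TCP stack keeps streams apart."""
    sessions = defaultdict(list)
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        data_offset = (pkt[ihl + 12] >> 4) * 4      # TCP header length in bytes
        sessions[five_tuple(pkt)].append(pkt[ihl + data_offset:])
    return dict(sessions)

# Source IP and source port of each row in the table above
ROWS = [("5.5.5.5", 26580), ("6.6.6.6", 33544), ("7.7.7.7", 22588),
        ("9.9.9.9", 36555), ("9.9.9.9", 36556), ("10.10.10.10", 18999)]

def sample_capture():
    """One request segment per table row, plus a second segment on one session."""
    packets = [build_packet(ip, port, "20.20.20.20", 80, b"GET / HTTP/1.1\r\n")
               for ip, port in ROWS]
    packets.append(build_packet("9.9.9.9", 36556, "20.20.20.20", 80, b"Host: example\r\n"))
    return packets

if __name__ == "__main__":
    for key, chunks in demultiplex(sample_capture()).items():
        print(key, len(chunks), "segment(s)")
```
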

Hello Laz,
Thank you. In that case, it isn’t the Layer 5 (Session) of the OSI layer that takes care of this function, but Layer 4 (Transport) and Layer 3 (Network). But the article gives this definition:

“Session: The session layer takes care of establishing, managing, and terminating sessions between two hosts. When you are browsing a website on the internet, you are probably not the only user of the web server hosting that website. This web server needs to keep track of all the different “sessions.””

So the article seems to assign the function of session multiplexing to Layer 5, but as we’ve discussed, it’s actually Layer 4 and Layer 3 combined which is responsible for session multiplexing. Or am I interpreting something incorrectly?

Have a nice week.
Attila

Hello Attila

I understand the confusion. Let me try to clarify.

The OSI model was developed in the 1980s in the hope that all present and future networking protocols would conform to its layers and operate within its framework. However, the TCP/IP model took precedence primarily due to its prevalent use on the Internet, and by the end of the 1990s, the vast majority of networking protocols adhered to the TCP/IP model rather than the OSI model.

However, the OSI model still remains today, primarily as a teaching tool to help students and learners understand the concepts involved in layered models in general. Today, very few protocols in networking strictly adhere to all the layers of the OSI model. Most conform to the TCP/IP model.

In this lesson, Rene is explaining what the particular layers 5 and 6 deliver within the context of the OSI model. But these descriptions are relevant only to protocols that adhere strictly to these layers. TCP is not one of these protocols, therefore you cannot talk about TCP in the context of the OSI model. It must be discussed within the framework of the TCP/IP model.

When we’re talking about lower layer protocols such as Ethernet, IP and others, there is a general counterpart to the lower layers of the OSI and TCP/IP but once you get to the transport layer, things differ vastly.

The mechanisms found in the Transport, Session, Presentation, and Application layer of the OSI model are distributed between the Transport and Application layers of the TCP/IP model, and you can only talk about particular protocols within the context of the stack they belong to.

Does that make sense?

I hope this has been helpful!

Laz

2 Likes