Introduction to the OSI Model

Hello NetworkLessons,

My name is Alexandru, and I want to point out something that got stuck in my mind.
These are the following lines:
“Remember that you can’t skip any layers in the OSI-model, it’s impossible to jump from the Application layer directly to the Network layer. You always need to go through all the layers to send data over the network.” and “Once again, you are unable to “skip” any layers of the OSI model. You always have to work your way through ALL layers.”
I think that the above lines are misleading, because there are applications that do not need to go through all the layers to be sent over the network.
One example is the application PTP - Precision Time Protocol, which can be sent over the network with only the help of the Network layer.
How would you comment on this topic?

Thank you,
Alexandru

Hello George

The key word here is “skip”. For example, you can’t go directly from the network layer to the physical layer; there must be some protocols and mechanisms that get that IP packet onto the wire. The PTP protocol actually operates on top of the transport layer. Here’s an example packet capture of a PTP packet found at this cloudshark capture:

You’ll notice:

  • the physical layer indicated by Frame 2
  • the Data Link layer indicated by Ethernet II
  • the network layer where the Internet Protocol lives
  • the transport layer where the User Datagram Protocol is shown
  • and finally the PTP protocol that functions on top of that. This is actually the application layer!!

Keep in mind that the TCP/IP model is being used for this data communication, so there are no Session or Presentation layers.

From the physical layer to the application layer, no layers were skipped. You can’t skip a layer and have data communications function.

However, you may have some protocols that don’t use some of the upper layers in the stack. For example, OSPF messages that are exchanged sit on top of the Network layer. They don’t have an application or transport layer. CDP messages sit on top of the Data Link layer, so they don’t even use the network layer at all.

In these cases, layers aren’t being skipped, because these are not in between, but the upper layers are simply being omitted.

I hope this has been helpful!

Laz

Hello Laz,

Yes, PTP operates on top of the transport layer, but it can even operate on top of the data link layer.

I will quote from the book The All-New Switch Book: The Complete Guide to LAN Switching Technology, Second Edition by James Edwards and Rich Seifert:
“An application can use the network at any layer, not just the Application layer…Layers can be skipped if the functionality adds no benefit.”

What is your opinion about this comment?

Thank you,
Alexandru

Hi Rene,
I have a couple of small doubts. Can you please help me to clear these?

  1. what would be the packet flow ?
    Scenario 1) Host > Switch > Router > Internet Cloud
    Scenario 2) Host > Switch > Switch > Router

  2. BGP Neighbor flapping. What should be the steps to check?

  3. PE1 > P1 > P2
    | |
    P3 > P4 > PE2
    P1 connects to P2 & P3
    P2 connects to P1 & P4
    If P1 & P3 don’t build an LDP neighbor, then what points need to be checked?

Thanks
Manami

Hello George

I believe that the word “skipped” is being used differently by Rene and differently by the author of the book you quote. When Rene made the statement, the meaning is that in any defined communication, such as that used by sending an Email, you can’t skip a layer on your way down. For example, using the TCP/IP model, the layers you would traverse when sending an email are:

  • Application layer - SMTP
  • Transport layer - TCP
  • Network layer - IP
  • Data Link layer - Ethernet
  • Physical layer - Pulse Amplitude Modulation level 5 (PAM-5) encoding

As you send your data down the stack, you can’t simply skip the network layer. The communication would not be complete. There would be no IP addresses defined, and thus, devices down the line will not know what to do with the received packets. Do you agree? This is the meaning of Rene’s statement.

Now there are cases, as I mentioned before, where the protocol being served functions on top of a particular layer, but does not go higher. That protocol is the top layer of that particular stack. This is the case in the example you state, where you say that PTP can function on top of the Data Link layer. In such a case the stack is like so:

  • PTP
  • Data Link layer
  • Physical layer

Again, you can’t skip the Data Link layer to get to the physical layer; it just won’t work.

Now if we consider that the PTP protocol is on the application layer, then yes, the term “skip” can be used to say essentially that we skip the transport and network layers in the above example. I believe that is what the author intended. However, my opinion is that the word skip, in this case, is misleading. It can give the impression that layers are sometimes unnecessary.

I believe it is better to simply say that a particular protocol only uses the stack from the bottom, up to a particular layer. For example,

  • the CDP protocol uses only the physical and data link layers
  • the OSPF protocol (for exchange of routing information) uses only the physical, data link, and network layers
  • the SMTP protocol uses all layers of the TCP/IP stack

Does that clarify the terminology a little more for you?

I hope this has been helpful!

Laz
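
The stacks listed in this reply, as an added example that is not part of the original thread: a small Python dissector that reports which layers a raw Ethernet frame actually carries. The sample frames are constructed, and `layer_stack`, `eth_frame`, `ipv4_packet` and `SAMPLES` are names chosen for this illustration.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_PTP = 0x0800, 0x88F7    # 0x88F7: PTP directly in Ethernet
IP_PROTO = {6: "TCP", 17: "UDP", 89: "OSPF"}      # IANA IP protocol numbers
PTP_UDP_PORTS = {319, 320}                        # PTP event / general messages
CDP_LLC_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC + SNAP, Cisco OUI, PID 0x2000

def layer_stack(frame: bytes) -> list:
    """List the protocols present in a raw Ethernet frame, lowest layer first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    stack = ["Ethernet"]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_or_len <= 1500:                       # 802.3 length field: LLC follows
        return stack + (["LLC/SNAP", "CDP"] if payload[:8] == CDP_LLC_SNAP else [])
    if type_or_len == ETHERTYPE_PTP:              # no network or transport layer
        return stack + ["PTP"]
    if type_or_len != ETHERTYPE_IPV4 or len(payload) < 20:
        return stack
    stack.append("IPv4")
    ihl = (payload[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = payload[9]
    if proto not in IP_PROTO:
        return stack
    stack.append(IP_PROTO[proto])                 # OSPF stops here: nothing above IP
    l4 = payload[ihl:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if {sport, dport} & PTP_UDP_PORTS:
            stack.append("PTP")
    return stack

# --- Constructed sample frames (placeholder payloads, checksums left at zero) ---
def eth_frame(dst: str, type_or_len: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst + "020000000001") + struct.pack("!H", type_or_len) + payload

def ipv4_packet(proto: int, dst: bytes, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                       proto, 0, bytes([192, 0, 2, 10]), dst) + payload

UDP_PTP = struct.pack("!HHHH", 319, 319, 8 + 34, 0) + bytes(34)
SAMPLES = {
    "PTP over UDP": eth_frame("01005e000181", 0x0800,
                              ipv4_packet(17, bytes([224, 0, 1, 129]), UDP_PTP)),
    "PTP over Ethernet": eth_frame("011b19000000", 0x88F7, bytes(34)),
    "OSPF hello": eth_frame("01005e000005", 0x0800,
                            ipv4_packet(89, bytes([224, 0, 0, 5]), bytes(24))),
    "CDP": eth_frame("01000ccccccc", 8 + 4, CDP_LLC_SNAP + bytes(4)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18} {' / '.join(layer_stack(frame))}")
```

Frames whose stack ends at the data link layer, such as CDP or PTP over Ethernet, carry no IP header, so filters and ACLs keyed on IP addresses or ports never match them.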

Hello Manami

I’m not sure what you mean about this question. Do you mean how will the packet be decapsulated and encapsulated up and down the OSI model as it reaches each device? If that is the case, the Host will encapsulate all of the layers, while the switch would decapsulate up to Layer 2 to read the MAC addresses so it knows to which port it should forward the frame. The router will decapsulate up to layer 3 (and sometimes layer 4 if access lists or other mechanisms obligate it to do so), and then when it gets to the Internet cloud, it really depends upon what device receives the packet.

Take a look at this comprehensive Cisco documentation:

There could be many reasons for this. For troubleshooting LDP neighbor adjacencies, take a look at these lessons and documentation:

https://learningnetwork.cisco.com/s/question/0D53i00000KswB4CAJ/mpls-ldp-neighbor-relationship-not-working

If there is a particular problem that you would like us to help you with, please let us know the details so that we can help you more specifically.

I hope this has been helpful!

Laz

Hi Laz,

Thank you for your response.

Scenario,
=======
PC > SWITCH > Router > INTERNET CLOUD > Router > SERVER

QUESTION1
=========

  1. If I ping from the PC to 8.8.8.8, how will the packet traverse from one hop to another until it reaches 8.8.8.8?

QUESTION2
=========
  2. If I ping a server IP on the other side of the cloud, how will it traverse across the hops to the destination IP?

If P1 & P3 don’t build an LDP neighbor, then what points need to be checked?

Well, I know there is an answer in cisco.com for everything, but for me, when Rene explains, he covers all the points in such a nice way that it clears all kinds of doubts I have about this topic.

Does it make sense now?

Thanks
Manami

Hello Manami

Based on your scenario, the following should take place:

  1. The PC will prepare an ICMP packet, and encapsulate it, putting the destination IP in the appropriate field in the header of the IP packet, and the next hop MAC of the router in the destination MAC address field, and will send it on its way.
  2. The switch will read the destination MAC, and will switch the frame to the appropriate exit interface.
  3. The router will read the destination MAC, see that the frame is indeed intended for itself, and will decapsulate to Layer 3. It will read the destination IP address and examine the routing table for the appropriate exit interface. It is then sent out the interface to the Internet Cloud.
  4. Within the internet cloud, the same process takes place multiple times as the packet reaches various routers and is forwarded on its way.
  5. The packet will reach the 8.8.8.8 device, be decapsulated, and the ICMP header will be read. The device will then prepare an ICMP echo response with the destination IP address of the PC and be sent back. The same process will be followed in reverse.

The same process takes place as described before. The only difference is that the packet will reach the router, and then the server, rather than going to 8.8.8.8.

There is no single answer to this question, and this is why I linked to Cisco documentation. There can be many reasons for an LDP neighborship to fail. One of the things that we network professionals must get good at is interpreting and finding information from documentation as well as from other sources online, such as the Cisco learning network thread I had shared before.

If you want a comprehensive description and explanation of specific concepts and topics, then you would require a whole other lesson. Feel free to make a suggestion for a lesson at the following link:

There you will find the suggestions of others as well, and you may find that others have asked for something similar to what you suggested. That way you can add your voice to theirs.

I hope this has been helpful!

Laz
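
The hop-by-hop steps in this reply, as an added Python example that is not part of the original thread: the frame is rebuilt at every router (new MAC addresses, TTL minus one, fresh IP header checksum) while the IP source and destination stay the same end to end. The MAC addresses, the 192.0.2.10 source and the two-router path are constructed for the illustration, and the function names are assumptions.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when a header verifies)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def host_send(src_mac, gw_mac, src_ip, dst_ip, payload, ttl=64) -> bytes:
    """Step 1: IP destination is the final target, MAC destination is the next hop."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                               ttl, 1, 0, src_ip, dst_ip))     # protocol 1 = ICMP
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return gw_mac + src_mac + b"\x08\x00" + bytes(ip) + payload

def router_forward(frame, my_mac, out_mac, next_hop_mac):
    """Steps 3-4: accept the frame, strip Layer 2, decrement TTL, re-encapsulate."""
    if frame[:6] != my_mac:
        return None                                 # frame is not addressed to this router
    ip = bytearray(frame[14:])
    if inet_checksum(bytes(ip[:20])) != 0 or ip[8] <= 1:
        return None                                 # corrupt header or TTL expired
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip[:20])))
    return next_hop_mac + out_mac + frame[12:14] + bytes(ip)

def summarize(frame):
    """(dst MAC, src MAC, src IP, dst IP, TTL) as seen on one link."""
    ip = frame[14:34]
    return (frame[0:6].hex(":"), frame[6:12].hex(":"),
            ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), ip[8])

def trace():
    """Constructed path: PC -> switch -> R1 -> R2 -> 8.8.8.8 (the switch forwards unchanged)."""
    mac = {n: bytes.fromhex(f"0200000000{i:02x}") for i, n in
           enumerate(["pc", "r1_in", "r1_out", "r2_in", "r2_out", "server"], 1)}
    f0 = host_send(mac["pc"], mac["r1_in"], bytes([192, 0, 2, 10]), bytes([8, 8, 8, 8]),
                   b"\x08\x00" + bytes(6))          # ICMP echo request, ICMP checksum left zero
    f1 = router_forward(f0, mac["r1_in"], mac["r1_out"], mac["r2_in"])
    f2 = router_forward(f1, mac["r2_in"], mac["r2_out"], mac["server"])
    return [summarize(f) for f in (f0, f1, f2)]

if __name__ == "__main__":
    for link, row in zip(("PC -> R1", "R1 -> R2", "R2 -> server"), trace()):
        print(link, row)
```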

Let’s say I open up the browser and type google.com. What should my PC do first?
Will it resolve the DNS first and then send the HTTP request?
If it does DNS resolution first, then why is Wireshark not showing me that in the packet flow?

Hello Narad

In order for the PC to reach the Google web server, it must have an IP address associated with the domain name. So the first thing it will do is send a request to the configured DNS server requesting the IP address that corresponds to google.com. Once the DNS server responds, it can then send the HTTP request to the web server to get the web page.

Now the reason you don’t see that request in Wireshark is that your PC will keep a cache of DNS entries. Every time you go to google.com, your PC will first look in the local DNS cache to see if an entry already exists. If it does, it won’t send a request to the DNS server. It is likely that you already visited this site before and it was stored in the cache, so there was no need for a DNS lookup. By default, a Windows device will keep an entry in the DNS cache for 24 hours.

On a Windows device, you can display the DNS cache using the ipconfig /displaydns command in the command prompt. You can also flush the cache using the ipconfig /flushdns command. So you can do your experiment again by first flushing the cache and then visiting google.com. You should then see the DNS lookup.

I hope this has been helpful!

Laz

Thanks sir… It’s really helpful…!!


Hi Rene,
I have a doubt regarding the lower layers(4,3,2). The application takes care of the application, presentation, and session layer. Then what about the lower layers? Will the application itself encapsulate the data into the transport layer, network layer, and data-link layer? Or will the computer encapsulate the lower layers for the application?

Hello Roshan

When we talk about the application layer in the OSI or the TCP/IP model, we’re not actually talking about the software application on your computer. We’re talking about subprocesses that make your software applications “network-aware”. You can see many of these in the Task Manager of a Windows device categorized under “Windows processes”.

Let’s first talk about the TCP/IP model. The application layer is where protocols such as HTTP, SMTP, and FTP actually live and operate. When, say, a web browser wants to send a request to fetch a web page, it will create an HTTP GET message. This is done within the application layer. This message is then encapsulated into one or more transport layer segments. This is then further encapsulated into an IP packet with the appropriate headers, and then into an Ethernet frame with the appropriate headers and trailers. Finally, this is then translated into bits and encoded onto the physical medium.

Now, this process of encapsulation takes place at various locations within a PC.

  • The application layer operations take place in those subprocesses I mentioned before.
  • The transport and network layer encapsulations, and those of the “top half” of the data link layer, called the logical link control (LLC) sublayer, take place in and are executed by the operating system.
  • The operations of the “bottom half” of the data link layer, known as the MAC sublayer, take place in the hardware of the network interface, specifically, the NIC, or the wireless interface.

Take a look at this diagram:
image

The border between the logical link control and the media access control sublayers is essentially the separation between hardware and software operations for the OSI model.

One more thing, the presentation and session layers are essentially found within the application layer of the TCP/IP model, so you can take those three layers as a single layer in most modern networks.

I hope this has been helpful!

Laz


Hi professor,

The instruction is not clear when I want to check my packets.

I am using a laptop and when I am pasting the http.host==“cisco.com in my Wifi interface card on Wireshark it displays nothing when I am typing the URL http://cisco.com in a new browser

Am I doing anything wrong? Why are my packets not shown?
Am I missing any steps?

Hello Abdul

I tried the lab on my computer as well, and I found that when I use Chrome or Edge, I too cannot find any packets that match the http.host=="cisco.com" filter. This filter will show all HTTP packets that contain the cisco.com string. This should be found within an HTTP GET statement.

I researched it a little deeper and found that newer browsers don’t actually use a plain HTTP GET statement to receive web data. Using Wireshark, I searched for “cisco.com” as a string of text in any location within any packet, and I found a single entry in a packet using the TLSv1.2 protocol as a client hello:

This means that the browser is establishing a TLS session (sometimes incorrectly referred to as an SSL session, but SSL is the predecessor of TLS). It is within that session that the HTTP GET request is sent, but this is encrypted, so Wireshark cannot see it. More about how Wireshark sees TLS can be found here:

https://wiki.wireshark.org/TLS

Now if you want to be able to see it, you can try the following. On my Windows 10 computer, I still have Internet Explorer (IE). The version I have is:

image

I tried going to cisco.com and capturing those packets, and I was able to see the GET request as shown in the lesson:


Notice here that you can’t actually see the “cisco.com” in the HTTP portion of the packet. That’s because even this version of IE is using HTTPS, which is a secure version. So it is encrypted. However, Wireshark is able to decrypt and detect this text within the GET request.

I hope this has been helpful!

Laz


Hi @lagapidis,

Thank you so much for taking your time and helping me out. It means a lot.

I understood now. I also went further and tried to install Mozilla Firefox and finally I was able to get the captures for the URL cisco.com. Here is the screenshot of my result.

I just had this idea in the back of my mind and it worked, but I still didn’t understand the logic behind changing the browsers, as it didn’t work in Chrome and Edge but it worked on Mozilla.

Hello Abdul

Great to hear, and it’s good that you too are experimenting with various options. I’ve asked @ReneMolenaar to update the lesson to include some more information that will help future readers as well…

Thanks again!

Laz

Hello! I have a question about Wireshark in the intro to the OSI model. I am having an issue where I should receive the Hypertext Transfer Protocol after I go to http://cisco.com, but nothing is coming up and I am not sure how to deal with it. I tried clearing history, closing Wireshark and starting the process again, but it did not work. I have a screenshot to show what I am seeing. Hope you can help. Thank you!

Dear @superyaseen96

Cisco.com uses HTTPS nowadays. You can see these packets when you use this filter instead:

tcp.port==443

The problem is that this traffic is encrypted which makes it less interesting to look at. Another option is to try this URL:

http://neverssl.com

This site only uses HTTP so your filter will work. It’s clear text so you can see everything.

Rene

Hello,
I’m not sure I understand this part:
"
Session: The session layer takes care of establishing, managing, and terminating sessions between two hosts. When you are browsing a website on the internet, you are probably not the only user of the web server hosting that website. This web server needs to keep track of all the different “sessions.”
"

Specifically, this idea: “you are probably not the only user of the web server hosting that website. This web server needs to keep track of all the different “sessions.””

Doesn’t the web server keep track of all of the different users that connect to it via their (=the users’) IP addresses? If I connect to this site, and my friend connects to it as well, the site sees both of our IP addresses, and that’s how it knows to send me the contents of this forum page, and the homepage to my friend (assuming I have this forum page open, and my friend clicked on the home page).

Can someone please explain?
Thanks.
Attila