Road to the CEHv9 Exam — Part 1 — OSI Reference Model and TCP/IP Networking

Certified Ethical Hacker v9 — Part 1 — “Essential Knowledge” study notes — OSI Reference Model and TCP/IP Networking

My goal for this section is to ensure I am proficient in Identifying components of TCP/IP networking

Identifying components of TCP/IP networking

The OSI Reference Model

Looking at the OSI reference model via an overhead view of a communications session between two computers, from a network perspective:

Layer 1 — Physical: How do two computers speak to one another?

Imagine two computers in a room with no way of speaking to one another; How can you connect them? You might use cables, glass tubes, radio signals, or another of many choices. Depending on the choice you make, you need to figure out how to transmit useful information and have the computer on the other side understand the signal of 1s and 0s.

Layer 2 — Data Link: How do you grow a network?

If more than two nodes exist, how do you handle addressing? How do you ensure all nodes get a chance to transmit and no node is messing up another node’s chances of transmission? The Data Link layer uses frames to encapsulate all the data handed down from higher layers. Frames hold addresses which identify each machine inside a network.

Layer 3 — Network: What happens if you want to communicate outside of your network?

You can’t expect every node to know the address of every other node in the entire world, so how do we handle this challenge when faced with the challenge of allowing every node to be capable of communicating with every other node? A packet is used to hold network addresses and routing information. A packet is very similar to a post code on a package or letter; While the “house address” is what we achieve in Layer 2, Layer 3’s network address tells routers which network the message is meant to go to, almost like indicating a neighbourhood or town.

Layer 4 — Transport: How do you manage the delivery of the message?

Sometimes, you might want to know if the message was received or not. Sometimes, it wouldn’t matter to you. Sometimes you’d like to send a huge message and decide that it would be fine to segment the message so it’s sent in separate pieces to make the delivery quicker and more manageable. This is what the Transport layer is handling; The segment handles reliable delivery of the message end-to-end, and corrects errors by retransmitting any missing segments, and also flow control.

Layer 5 — Session: How do you open, maintain and close a communication session?

The Session layer doesn’t manipulate the data, and is more of a theoretical entity. Its job is to open, maintain, and after completion, close a session.

Layer 6 — Presentation: How do you format a message so any system can understand it?

Layer 6 handles any sort of compatibility conundrums which may be created by, for example, creating an email in Outlook and sending it to a Gmail address. You could see it as a translator, converting messages to a certain format to ensure the receiving side can understand. ASCII code is a prime example of a standardised format for information interchange.

Layer 7 — Application: How can users access the transmissions? How can they create their own?

The application layer is what is holding all the protocols which allow users to access the information, or send their own. FTP for file transfer, or SMTP for emails, or HTTP for browsing the internet.

Layer 5 (Session), Layer 6 (Presentation), and Layer 7 (Application) are dubbed the “Data Layers” of the OSI Reference model, and create the Application layer of the TCP/IP stack.


A helpful anagram to remember the order of the OSI Reference Model is:


Looking at that, can you remember the OSI reference model’s order?

Data Link


Some examples of protocols used in each layer:

Application Layer — FTP, HTTP, SMTP
Presentation Layer — AFP, NCP, MIME
Session Layer — x.225, SCP, ZIP
Transport Layer — TCP, UDP
Network Layer — IP
Data Link Layer — ARP, CDP, PPP
Physical Layer — USB, Bluetooth, Ethernet


TCP/IP Is a set of communications protocols which allows hosts on a network to communicate with one another.

The layers of TCP/IP align well with the OSI Reference Model:

OSI — — — — — — — TCP/IP

Application — — — — Application

Presentation — — — — Application

Session — — — — — — Application

Transport — — — — — Transport

Network — — — — — Internet

Data Link — — — —- Network Access

Physical — — — — — Network Access

or in reverse:

TCP/IP — — — — — — — — OSI

Application — — — — — — Application, Presentation, Session

Transport — — — — — — — Transport

Internet — — — — — — — — Network

Network Access — — — — —-Data Link, Physical

Practical Example of the TCP/IP Model:

I want to purchase a Hak5 Rubber Ducky.

I open my browser, and I type in “” at the Application Layer

My computer has a data request and determines it’s not a local request.

It searches the network entity to answer the request, using HTTP, a protocol it knows that this request will return an answer for, and hands the request to the Transport Layer.

A session has begun.

My computer starts building datagrams of bits arranged in a specific order, requesting information from upper layers, such as the HTTP request from the Application layer.

Because the computer understands that the HTTP protocol works a certain way, it determines that this needs to be a connection-oriented session, and uses TCP to achieve that, ensuring reliability and delivery.

TCP starts it’s 3-way handshake, SYN: “Hey, are you there?”

This is sent to the Internet Layer, which determines which network the request will be answered from via the DNS protocol, which returns the IP address belonging to

Once that’s determined, a packet is built which consists of the original data request, the TCP header “SYN”, and the IP packet information, and then sends the packet to the Network Access Layer to deliver.

My computer now needs to understand the local address to deliver the packet to. It knows its own physical address, but doesn’t know what physical address belongs to the system which will be answering. The IP address is known thanks to DNS, but the local, physical address is not. The computer employs the ARP protocol to understand this, and when that answer comes back and says “the local-facing router port”, the frame is built and sent out to the network.

Every time the frame is received by a router along the way, the ARP protocol is requested to confirm the physical location, and the frame header is stripped off and replaced based on the new answers for that network chain.

Once this frame is finally received by the destination, the server will strip off and hand up the bit, frame, packet, segment, and data PDUs, which should result in the return of a SYN/ACK message being sent back to my computer, an ACK message being sent back, and my browser displaying the site.