
Cybersecurity Essentials

Networking

201: TCP/IP Networking Model


Version 1.0

201: TCP/IP Networking Model is the second in a series of courses that explain how
networks operate and some of the cybersecurity issues they exhibit.

Sophos Cybersecurity Essentials


Networking

October 2019
Version: 1.0

© 2019 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names,
logos and marks mentioned in this document may be the trademarks or registered
trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes
no warranties, conditions or representations (whether express or implied) as to its
completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered
office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Networking 201: TCP/IP Networking Model - Page 1


About This Course

This course is designed for technical professionals who want to understand how the layers of
a TCP/IP network work together to support communication.

Course Duration: this course will take around 60 minutes to complete.


Assumed Knowledge

To benefit fully from this course you should already:
• Understand the importance of networks and their uses
• Recognize the methods used to connect to a network
• Know how IP addresses allow communication on private and public networks
• Understand how names are resolved to their IP addresses
• Know the devices used to provide secure connectivity to the Internet

If you are unsure about any of these topics we recommend Sophos Cybersecurity Essentials
101: Getting Started with Networking.


Activities

Activities are suggested throughout the course that allow you to try the techniques
described. You can complete these during the course or at a later time.

Each activity slide will include a button that opens a PDF containing instructions for that
activity. Instructions for all activities can be opened by selecting the file from the
RESOURCES menu. Instructions are also included at the back of the Student Handout.

Activities later in the course may rely on the completion of earlier activities.

The instructions are written for Windows computers but the notes will indicate where
alternatives are available for Mac or Linux.


Course Agenda

1. Network Models
2. Physical Layer
3. Data Link Layer
4. Network Layer
5. Transport Layer
6. Application Layer

Networks allow us to communicate and share; they are an essential part of our working and
social lives. The benefits they offer are huge but so are the potential security risks.

In this course you will learn how each layer of TCP/IP networking operates and supports
communication between hosts and their applications.

This course consists of 6 topics.


Network Models

Students who completed our 101: Getting Started with Networking course learned that a
network includes many components, ranging from the application which requires network
access to the wired or wireless communication mechanism connecting the devices to it.
Networking models are used to provide a clear explanation of how the various components
work together to support network communication.



Open Systems Interconnect (OSI) Model

[Figure: a workstation and a server, each shown as a stack of Application, Presentation,
Session, Transport, Network, Data Link and Physical layers. Network models divide
networks into layers based on functions.]

In the early 1970s, the International Organization for Standardization (ISO) began defining a
set of rules which could be used by the manufacturers of networking components, whether
hardware or software, to ensure that the components from different manufacturers would
interoperate successfully. In the 1980s, this standard was published as the Open Systems
Interconnect (OSI) model.

The OSI model is made up of 7 layers. Each of these layers is responsible for a specific set of
tasks within the network communication process.

In the example shown, the workstation is sending a request to the server. Network
communication begins at the application layer of the workstation, where the request
message is passed down through the various layers until arriving at the physical layer. There
it is placed on the communication medium for transfer across the network to the
destination server. On arrival at the server, the message works its way back up the 7 layers
until reaching the application layer of the server where the original request is processed. The
server will send a response back to the workstation using the same procedure in reverse.



Open Systems Interconnect (OSI) Model

Layer 7 - Application     Network access for applications
Layer 6 - Presentation    Data transformation
Layer 5 - Session         Inter-host connection
Layer 4 - Transport       Ensures data delivery
Layer 3 - Network         Network addressing and route selection
Layer 2 - Data Link       Physical addressing and node-to-node connection
Layer 1 - Physical        Media, signal and binary transmission

Each layer of the OSI model is responsible for handling one or more of the functions which
are required to pass a message across a network or networks. The main functions of each
layer are as follows:

• Layer 7 - Application – this layer handles interactions with any application requiring
network access
• Layer 6 - Presentation – this layer handles any transformation of data which is needed
because of the different requirements of the application and the network
• Layer 5 - Session – this layer initiates, manages and terminates the connections between
the local and remote applications
• Layer 4 - Transport – this layer is responsible for ensuring delivery of data across a
network
• Layer 3 - Network – this layer adds network addressing to the data and decides how to
route it across a network or networks
• Layer 2 - Data Link – this layer handles data transfer between two devices on the same
network
• Layer 1 - Physical – this layer specifies how the digital bits are converted into signals and
placed on the “wire”

Each layer is responsible for communicating with the layer above it and the layer below it.
For example, the network layer will receive information from the transport layer. It adds
network addressing, determines route selection, and then passes it down to the data link
layer.



TCP/IP Model Overview

[Figure: a workstation and a server, each shown as a stack of Application, Transport,
Network, Data Link and Physical layers.]

Like the OSI model, the TCP/IP (Transmission Control Protocol/Internet Protocol) model
began development in the early 1970s and was published in the 1980s as a standard called
RFC 1122. It was developed by the Defense Advanced Research Projects Agency (DARPA),
which is part of the US Department of Defense (DoD) and is responsible for developing
technologies for military use.

In the 1990s, network equipment manufacturers moved away from proprietary networking
models and instead began to favour the TCP/IP model. The TCP/IP model has become the
firm favourite for all network communication.

The model originally consisted of only four layers, however it was later updated with the
original bottom “link” layer now commonly divided into data link and physical layers as
shown.

Note: If you’d like to know more about the Request for Comment (RFC) documents that
define how the Internet operates see https://en.wikipedia.org/wiki/Request_for_Comments



TCP/IP Model Process

[Figure: the workstation's request passes down its Application, Transport, Network, Data
Link and Physical layers and back up the same layers on the server.]

Let’s follow what happens at each layer of the TCP/IP model using an example of browsing
to a web server. Each of these layers will be covered in detail in later sections.

• Application Layer – makes an HTTP request from the browser and prepares it for
transmission to the destination web server. Preparation may include encryption and
compression. It then passes the data to the transport layer.

• Transport Layer – receives the data from the application layer and breaks it into
segments or datagrams of suitable size. This layer ensures delivery by handling error-
checking, error correction and flow control. It then passes the segment or datagram to
the network layer.

• Network Layer – is responsible for delivering the data across one or more networks. It
achieves this by placing the segment or datagram into an IP packet which contains
source and destination IP addresses. The IP packets are then passed to the data link layer.

• Data Link Layer – this layer moves data between physically connected hosts on the
same network. It places the IP packet into a frame which has headers for source and
destination hardware addresses. The frame is then passed to the physical layer.

• Physical Layer – this layer converts the frames into bits and then converts the bits into
the appropriate type of signal for transmission over the network media.



OSI and TCP/IP Model Comparison

TCP/IP Model        OSI Model
5. Application      7. Application
                    6. Presentation
                    5. Session
4. Transport        4. Transport
3. Network          3. Network
2. Data Link        2. Data Link
1. Physical         1. Physical

The original TCP/IP model combined layers 1 and 2 as the Link layer, with the layer above
this named the Internet layer. Since this was published, there have been significant
developments in the technologies and standards used in these layers. For example, fiber
optics and wireless media are now commonly used at layer 1 and faster, more efficient
networking technologies have been developed for layer 2. The current model differentiates
the functions and also more closely aligns to the OSI model. The Internet layer is now
generally referred to as the network layer and this is the description we will use in this
course.

The OSI model provides a useful theoretical analysis of network traffic but it is the TCP/IP
model that has been practically implemented in numerous pieces of network equipment.
We will use this model in the following sections.



Knowledge Check

Match the function to the correct layer of the TCP/IP model.

Functions:
• Handles network addressing and routing
• Moves frames between physically connected hosts
• Provides network access for applications
• Places signal on the “wire”

Layers: Physical Layer, Application Layer, Network Layer, Data Link Layer

As we have described, each layer of the TCP/IP networking model is responsible for a
specific set of tasks within the network communication process. In this question, you can
match the layer of the TCP/IP model to the function it provides.


Why Packet Capture?

• Packet capture tools provide a way to view the layers of the TCP/IP model
• These tools are known as sniffers, packet sniffers, packet analyzers, protocol analyzers
and network analyzers
• They record and analyze network signals
• The tools can be used to perform network audits and to detect network attacks
• They can be used on both wired and wireless networks

Packet capture tools provide a way to view the layers of the TCP/IP model. These tools are
pieces of hardware or software which are used to capture and analyse the network traffic.
The tools are variously known as “packet sniffers”, “packet analyzer”, “protocol analyzer” or
“network analyzer”.

When looking into network issues, it can be extremely useful to be able to capture and
analyze the network signals. The tools can also be used to perform network audits and to
detect network attacks.

Sniffers work by examining streams of data packets that flow between computers on a
network as well as between networked computers and the Internet. Although packets are
usually addressed to specific machines, using a packet sniffer in "promiscuous mode" allows
it to examine any packet, regardless of destination. It's possible to configure sniffers in two
ways. The first is "unfiltered," meaning they will capture all packets possible for later
examination. The other option is "filtered" mode, meaning analyzers will only capture
packets that contain specific data elements.

Packet sniffers can be used on both wired and wireless networks. On a wired network,
sniffers might have access to the packets of every connected machine or may be limited by
the placement of network switches. On a wireless network, most sniffers can only scan one
channel at a time, but the use of multiple wireless interfaces can expand this capability.



Wireshark Packet Capture

Wireshark is a widely used packet capture tool. This simulation shows how Wireshark can be
used to capture and save network traffic.

Read the information and follow the instructions to advance to the next step.


Simulation steps:

1. Wireshark has been installed on a Windows 10 client. Use the Desktop icon to open
Wireshark.

2. The Wireshark Network Analyzer displays a list of network adapters. The adapter named
Ethernet shows network traffic. Click on Ethernet.

3. You will now prepare to generate some network traffic. Click on the Google Chrome icon
in the Taskbar.

4. You will start generating traffic later. Minimize Google Chrome and return to Wireshark.

5. You will now start to capture network traffic. Click on the Capture menu.

6. Click on the Start menu option.

7. You will now generate network traffic by browsing to a website. Maximize Google Chrome.

8. Type http://sophostest.com into the Google address bar and press Enter.

9. You will now stop capturing the network traffic. Close Google Chrome and return to
Wireshark.

10. Click the Capture menu.

11. Click the Stop menu option.

12. Web requests can be made using a protocol named HTTP (Hypertext Transfer Protocol)
which you will learn about in later sections. In the Apply a display filter bar type http and
press Enter.

13. Select the first item in the upper pane with the Info column showing GET /.

14. In the lower pane, click the arrow head to expand the Hypertext Transfer Protocol
section.

15. This shows more detail about the HTTP web request. In a troubleshooting scenario you
may wish to save the capture. Click the File menu.

16. Click Save As…

17. Type the file name web traffic capture.

18. Click the Save button. Wireshark files (*.pcapng) are often used to troubleshoot network
issues. Files of this type will automatically open using Wireshark if it is installed.

19. You have seen how packet capture tools such as Wireshark can be used to capture and
save network traffic. Click Continue.


TCP/IP Model Layer Data Names

Layer             Data Type Name
5. Application    Application data
4. Transport      Segments or Datagrams
3. Network        Packets
2. Data Link      Frames
1. Physical       Signals or Bits

As you saw in the packet capture simulation, network communication operates in layers.

Each layer has a name for the type of data it transfers; for example, at the network layer the
data structure is known as a Packet whilst at the data link layer it is called a Frame.

The layers are said to form a Network Stack because of the way they are positioned one
above the other.



TCP/IP Model Capture Example

[Figure: nested data structures. Layer 2 Frame: Dst MAC Addr, Src MAC Addr, then the
Layer 3 Packet: Dst IP Addr, Src IP Addr, then the Layer 4 Segment: Dst Port, Src Port,
then the Layer 5 Application Data.]

Wireshark does not show the physical layer but has captured the main data structures, from
the data link layer upwards. It has the ability to look in detail at the data structures and
analyse their type.

• In layer 2 the frame type is described by Wireshark as Ethernet II.

• In layer 3 the packet is shown as Internet Protocol Version 4 (IPv4). IPv6 packets may also
be found at layer 3.

• In layer 4 the segment is shown as Transmission Control Protocol (TCP). The User
Datagram Protocol (UDP) datagram structure can also be used at this layer.

• In layer 5 the application data is designated as Hypertext Transfer Protocol (HTTP). Other
forms of application data will be covered in the application layer section of this course,
including Domain Name Service (DNS) and Simple Mail Transfer Protocol (SMTP).

The image shows how the original data from the Application layer is ‘wrapped’ with extra
information from the layers below, which allow it to be sent to its destination.
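The layer-by-layer wrapping described in the TCP/IP Model Process section and pictured in this capture example, as an added example that is not part of the Sophos course: the Python below builds an Ethernet II frame around an IPv4 packet, a TCP segment and an HTTP request for sophostest.com, then unwraps it from layer 2 upwards the way Wireshark's detail pane does, checking the IPv4 header checksum on the way. All MAC and IP addresses, ports and the request line are constructed sample values, and identifying the application protocol by well-known port is an assumption that mirrors Wireshark's default port-based choice of dissector.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
# Assumption: the application protocol is identified by well-known port, which is the
# default heuristic Wireshark uses to choose a dissector when it has no other hint.
APP_BY_PORT = {80: "HTTP", 443: "HTTPS (TLS, payload encrypted)", 53: "DNS",
               25: "SMTP", 21: "FTP"}

# Constructed sample values; none of these come from a real capture.
SRC_MAC, DST_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SRC_IP, DST_IP = "192.168.1.10", "198.51.100.7"
SRC_PORT, DST_PORT = 49152, 80
APP_DATA = b"GET / HTTP/1.1\r\nHost: sophostest.com\r\n\r\n"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(app_data: bytes, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int) -> bytes:
    """Wrap application data top-down: TCP segment -> IPv4 packet -> Ethernet II frame."""
    # Layer 4: minimal 20-byte TCP header (data offset 5, flags PSH+ACK). The TCP
    # checksum is left at zero to keep the example short; a real stack fills it in.
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                             65535, 0, 0)
    segment = tcp_header + app_data
    # Layer 3: IPv4 header; the checksum is computed with its own field zeroed first.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                            64, IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_header = ip_header[:10] + struct.pack("!H", ipv4_checksum(ip_header)) + ip_header[12:]
    packet = ip_header + segment
    # Layer 2: Ethernet II header = destination MAC, source MAC, EtherType of the payload.
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Unwrap bottom-up, recording what each layer carries, as Wireshark's detail pane does."""
    layers = {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["2_data_link"] = {"protocol": "Ethernet II", "dst_mac": fmt_mac(frame[:6]),
                             "src_mac": fmt_mac(frame[6:12]), "type": f"0x{ethertype:04x}"}
    if ethertype != ETHERTYPE_IPV4:
        return layers  # e.g. 0x86dd is IPv6, which this example does not parse further
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # A failed header checksum means the packet was corrupted or altered in transit.
    layers["3_network"] = {"protocol": "IPv4", "src_ip": fmt_ip(ip[12:16]),
                           "dst_ip": fmt_ip(ip[16:20]), "ttl": ip[8],
                           "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if ip[9] != IPPROTO_TCP:
        layers["4_transport"] = {"protocol": "UDP" if ip[9] == IPPROTO_UDP else f"proto {ip[9]}"}
        return layers
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    layers["4_transport"] = {"protocol": "TCP", "src_port": src_port, "dst_port": dst_port}
    payload = tcp[data_offset:]
    app = {"protocol": APP_BY_PORT.get(dst_port, APP_BY_PORT.get(src_port, "unknown")),
           "length": len(payload)}
    if app["protocol"] == "HTTP" and payload:
        # HTTP is cleartext, so the request line is readable straight from the capture.
        app["request_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    layers["5_application"] = app
    return layers


def build_sample_frame() -> bytes:
    return encapsulate(APP_DATA, SRC_MAC, DST_MAC, SRC_IP, DST_IP, SRC_PORT, DST_PORT)


if __name__ == "__main__":
    for layer, fields in decapsulate(build_sample_frame()).items():
        print(layer, fields)
```

Flipping any byte of the IPv4 header makes checksum_ok false, which is the same check a receiving host performs before handing the packet up to layer 4.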



Security Issue: Packet Capture Tools

[Figure: a router connecting a laptop, tablet, computer and printer, with an attacker's
device also attached to the network.]

Packet capture tools are not only useful for IT professionals; they can also allow malicious
intruders to capture and examine network traffic. This may contain confidential information
and credentials that can be used to gain further access. Part of the solution is to prevent
unauthorized access to the network by using secure wireless passwords and by disabling
unused network ports.



Security Issue: Packet Capture Tools

[Figure: HTTP compared with HTTPS; see Cybersecurity Essentials: Cryptography.]

The best protection against malicious use of packet capture tools is encryption. For example,
using HTTPS, the secure version of HTTP, will prevent packet sniffers from seeing the traffic
on the websites you are visiting. It is also important not to use applications that use insecure
protocols, such as File Transfer Protocol (FTP) which transfers the user name and password
as clear text. Like HTTP, there is a secure version of this protocol.

If you want to learn how cryptography protects data, Sophos offers the Cybersecurity
Essentials: Cryptography program.



Layer 1: Physical Layer


Physical Layer Functions

[Figure: the TCP/IP model stack with the physical layer highlighted; the physical layer
converts bits (0101010) into a signal.]

We will now look in detail at layer 1 of the TCP/IP model, which is the physical layer.

Layer 1 connects directly to the network media. It converts the digital bits of the frame into
an appropriate signal which is placed on the “wire” for transfer from one host to another. A
process known as modulation is used to convert the digital bit stream to a signal that’s
suitable for the network.

The type of signal depends not only on the specific network technology but also on the
network media, for example, electrical signals are used on copper-based cables, light signals
are used on fibre-optic cables and radio signals are used on wireless networks.



What are the options for connecting to a network?

[Figure: a wired connection or a wireless connection.]

These days a user may choose either a wired or wireless method for connecting to a
network. The choice will require suitable network infrastructure devices, network interface
cards and network media that transmits signals across the network.



Wired

[Figure: a twisted pair cable, an RJ45 connector, and a cable plugged into a port.]

Connecting devices to a network using some form of cabled or wired connection provides
high speed, reliable connectivity. The cables used in networks can be divided into two
separate groups: copper and fiber-optic. Copper cables are typically used in homes and
offices.

The most popular type of copper-based cabling used in networks is known as Twisted Pair. A
twisted pair cable consists of 8 insulated copper wires. As shown in the figure above, each
colour-coded pair of wires is twisted together and then surrounded by a protective plastic
jacket. Over recent times, there have been numerous different variations of twisted-pair
cabling. In order to assist network installers with selecting the correct cable, the cabling
vendors have developed various grades which are known as Category (Cat) ratings. The
most common categories today are Cat 5e, which supports a throughput of 1 Gigabit per
second (Gbps), and Cat 6a, which handles up to 10 Gbps. The twisted pair cable is terminated
using RJ45 connectors, also shown in the figure above.



Wireless

These days many devices connect to a network using some form of wireless connection.
Sometimes wireless is used in situations where cabling is difficult or expensive, but generally
wireless is chosen for the convenience of mobility especially with devices such as laptops,
tablets and phones. Most of the wireless connections are provided using some form of radio
signal at the physical layer.

There are a number of different wireless networks available to suit the requirements of
various types of devices.

If you want to learn about wireless networks, Sophos offers the Cybersecurity Essentials:
Wireless course.



Wireless Local Area Network (WLAN)

Wireless Local Area Network (WLAN) is used to connect two or more devices over a
relatively short range usually through an Access Point (AP).

The IEEE 802.11 standard known as ‘Wi-Fi’ is commonly used to provide network access for
devices in homes and businesses.



Wireless Personal Area Network (WPAN)

[Figure: a WPAN using Bluetooth.]

Wireless Personal Area Network (WPAN) is a relatively short-range network and is typically
used for connecting peripherals to devices, for example, interconnecting a headset with a
laptop. The most common mechanism used is Bluetooth.



Layer 1 Device: Network Interface Card

[Figure: a workstation protocol stack in which the NIC driver and the NIC provide the data
link and physical layers, converting frames to bits (0101010).]

A Network Interface Card (NIC), also known as a network adapter or network card, is the
hardware component of a computer or other networking device which attaches the device
to the network. A NIC may be built into the system board of the network device or
alternatively it may be supplied separately in the form of a card or a module. Modules are
commonly used in network infrastructure devices such as switches.

The NIC and its associated driver provide the necessary hardware and software for both the
physical and data link layers for a particular network technology. You will often see them
advertised as Ethernet or Wi-Fi cards.

In the data link layer, the NIC and its driver assist with the addressing of the frames so that
the device can communicate with other devices on the same physical network.

At the physical layer, the NIC and its driver are responsible for converting each frame into
data bits. The NIC then functions as a transceiver to convert the data bits into signals which
are appropriate for transmission across the network media in use. For cabled networks the
signals can be electrical or optical, whilst for wireless networks, the signals will typically be
radio waves.

Since the NIC provides physical access to a networking medium, it must provide a suitable
port for connecting to the media. In the case of Ethernet, the port would typically be an
RJ-45 socket.



Layer 1 Devices: Network Hubs / Multiport Repeaters

[Figure: a hub connecting PC A, PC B, PC C and PC D.]

To connect its workstations, printers and servers a network needs dedicated infrastructure
devices. Examples include hubs, switches and routers.

Early networks used devices known as hubs. Hubs receive the incoming signal on one port
and re-transmit a copy of the signal out on all the other ports. Hubs have now been replaced
by switches in most network installations. When these devices receive a signal, they rebuild
it before it is re-transmitted. This process ensures that any degrading of the signal is
removed. As a result, the use of hubs and switches allows the maximum distance between
network devices to be doubled.



Security Issue: Attacker Connects to ‘Live’ Network Point

[Figure: a router connecting a laptop, tablet, computer and printer, with an attacker
plugged into a spare network point.]

An area often overlooked is the physical security of the network. For example, if an attacker
is able to plug a device into a “live” network point then they could have full access to the
network.

This type of attack can be mitigated by taking a few sensible precautions:

• Prevent potential attackers from gaining access to your building by implementing good
physical security measures. For example, you might consider security cameras, access
control using proximity cards and security guards

• Make it difficult for attackers to find a “live” network point by securing wiring closets and
network infrastructure devices with door and cabinet locks. Also, make sure that cabling
isn’t accessible and that any unused network points are disconnected

Another option which can be used to protect access to both wired and wireless networks is
known as IEEE 802.1X authentication. This mechanism requires a successful authentication
using login credentials before the network infrastructure device will forward frames through
the network port.



Layer 2: Data Link Layer


Layer 2: Data Link Layer Functions

[Figure: the updated TCP/IP model stack with the data link layer highlighted; the data link
layer transfers frames.]

Layer 2 of the TCP/IP model is the data link layer. It is the layer between the physical and
network layers and it is responsible for transferring data between two physically connected
nodes using structures called frames.

Common examples of networking technologies working at the data link layer are Ethernet,
Wi-Fi, Token Ring and Point-to-Point Protocol (PPP).



Data Link Layer

The data link layer includes physical addressing of devices. What is the name of the unique
address burned into the network card and required to send data directly from one network
card to another?

The name of the unique address burned into the network card and required to send data
directly from one network card to another is the Media Access Control (MAC) Address.


Wireshark: Layer 2 – Data Link Layer

The slide shows a Wireshark capture of an HTTP web request. The data link layer (layer 2)
has been expanded and highlighted.

The data link layer adds physical addressing to the data. It appends both source and
destination MAC addresses in order to create a structure called a frame which it then passes
to the physical layer. The precise format of the frames depends upon the networking
technology in use.

In this capture you can see that Wireshark has determined that the layer 2 protocol is
Ethernet II. As well as source and destination MAC Addresses the frame also has a type field
which is used to indicate what data the frame contains. In this case, the payload of the
frame is an Internet Protocol (IPv4) packet.



Packet Capture - Layer 2

This simulation will use the Wireshark network traffic captured earlier in the course and
analyze the data at layer 2.

Read the information and follow the instructions to advance to the next step.

Simulation steps:

1. First let’s open the Wireshark application. Use the Desktop icon to open Wireshark.

2. We will now open the packet capture file saved in the previous simulation. Click the File
menu.

3. Click Open.

4. Select the web traffic capture file.

5. Click the Open button.

6. You will now filter the captured packets. In the Apply a display filter bar, type http and
press the Enter key.

7. You will now analyse the captured HTTP web request. Highlight the line in the upper pane
that shows GET / HTTP in the Info column.

8. Review the layer 2 data link details. Expand the Ethernet II frame section in the lower
pane.

9. The Source and Destination MAC Addresses are now shown along with the frame type which
indicates an IPv4 packet payload. Collapse the Ethernet II section.

10. You have now reviewed the data link layer using Wireshark – we’ll revisit this capture to
look at other layers later in the course. Click Continue.


Layer 2: Data Link Sub-Layers
Data Link Layer

Diagram (Workstation): 5. Application, 4. Transport, 3. Network, 2. Data Link, 1. Physical; the data link layer is split into 2a. Logical Link Control and 2b. Media Access Control.

The data link layer is often divided into 2 sub-layers called:

• Logical Link Control (LLC) layer – this layer is responsible for creating the frames, physical
addressing, error checking, error correction and flow control functions
• Media Access Control (MAC) layer – this layer is responsible for controlling node access to
the network media

The advantage of this model is that the same LLC sub-layer can be used with a variety of
different networking technologies such as Ethernet and Wi-Fi because these technologies
are implemented at the MAC sub-layer.

Activity 1
Data Link Layer

In this activity you will determine the MAC address of the network card installed in your computer using the ipconfig /all command.

Use the Download Activity button to open the instructions. When you have finished click Continue.

As explained, each device must have a network card in order to connect to a network. Each
network card has a unique address burned onto it which is required to send data to another
card. In this activity, we’ll use the ipconfig /all command to show the MAC address of the
network card installed in your computer.

Activity 1 Output Example
Data Link Layer

Screenshot: enter the command; the MAC Address of the Network Card is displayed.

Here is the expected output from Activity 1. The MAC address of the network card is displayed.

Note that the actual MAC address displayed will be different for you.

Media Access Control (MAC) Addresses
Data Link Layer

84:34:97:00:00:0A
84:34:97 – identifies the manufacturer
00:00:0A – unique within the manufacturer’s output

Also known as a hardware or physical address, the Media Access Control (MAC) address is a
unique identifier assigned and burnt into a network card. The Address is 48-bits long which
is normally presented as 6 pairs of hexadecimal digits as shown in the example below:

84:34:97:00:00:0A

The MAC address is assigned to the NIC by the manufacturer. To ensure that they are always
unique, each manufacturer is given a unique block of addresses by the Institute of Electrical
and Electronics Engineers (IEEE). The manufacturer then uses the assigned block for the first
24-bits (3 pairs of hexadecimal digits) and then allocates the remaining 24-bits in a way that
ensures that each NIC has a unique address.

It is possible for a network administrator to override the manufacturer-assigned address and assign a different one, which is known as a Locally Administered Address (LAA). However, it is then the responsibility of the administrator to ensure the uniqueness of the address on the local network.
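The frame and address structure described above (the Ethernet II header seen in Wireshark and the two halves of a MAC address), as an added example that is not part of the course material: it parses a constructed frame and splits a MAC address into its OUI and NIC-specific parts, also checking the broadcast, multicast and locally administered bits. The frame bytes and the address 0a:00:27:00:00:01 used in the checks are constructed.

```python
"""Decode an Ethernet II header and break its MAC addresses into their parts.

Added example, not from the Sophos course material. The frame bytes are
constructed; the addresses reuse the course's example 84:34:97:00:00:0A
and its neighbour 84:34:97:00:00:0C.
"""
import re
import struct

# EtherType values identifying the frame payload (IEEE/IANA assignments).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(text):
    """Accept 84:34:97:00:00:0A or Windows ipconfig style 84-34-97-00-00-0A."""
    octets = re.split(r"[:-]", text.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(o.lower() for o in octets)


def mac_info(text):
    """Split a MAC into the fields the course describes.

    The first 24 bits (OUI) are the block the IEEE assigned to the manufacturer;
    the last 24 bits are allocated by that manufacturer. Two bits of the first
    octet carry extra meaning: bit 0 (I/G) marks a group/multicast address and
    bit 1 (U/L) marks a locally administered address set by an administrator.
    """
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],               # e.g. 84:34:97, identifies the manufacturer
        "nic_specific": mac[9:],      # e.g. 00:00:0a, unique within that manufacturer
        "broadcast": mac == BROADCAST,
        "multicast": bool(first_octet & 0x01) and mac != BROADCAST,
        "locally_administered": bool(first_octet & 0x02),
    }


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return destination, source, EtherType and payload of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": format_mac(dst),
        "src": format_mac(src),
        "ethertype": ethertype,
        "payload_type": ETHERTYPES.get(ethertype, "unknown"),
        "payload": frame[14:],
    }


# Constructed frame: PC-A (84:34:97:00:00:0A) to PC-C (84:34:97:00:00:0C)
# carrying the first bytes of an IPv4 header (EtherType 0x0800).
SAMPLE_FRAME = bytes.fromhex(
    "84349700000c"  # destination MAC-C
    "84349700000a"  # source MAC-A
    "0800"          # EtherType: IPv4
    "45000014"      # start of a constructed IPv4 header (version 4, IHL 5)
)

if __name__ == "__main__":
    header = parse_ethernet(SAMPLE_FRAME)
    print(f"{header['src']} -> {header['dst']} carries {header['payload_type']}")
    for mac in (header["src"], "FF:FF:FF:FF:FF:FF", "01-00-5e-00-00-16"):
        print(mac_info(mac))
```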

Activity
Data Link Layer

Match the manufacturer to the MAC address using the website https://www.macvendorlookup.com

MAC addresses: 70:56:81:33:12:39, FC:FB:FB:01:FA:21, 00:50:56:67:32:83, 00:90:27:BB:22:66
Manufacturers: Cisco Systems Inc., VMware Inc., Intel Corporation, Apple Inc.

Use the https://www.macvendorlookup.com/ website to match the manufacturer to the MAC addresses shown.

To copy the MAC address to your clipboard, click in the button and use your keyboard to select and copy. Once you have the answer, drag the button to the correct vendor.

Layer 2 Devices: Network Switches
Data Link Layer

Diagram: a switch connecting PC-A, PC-B, PC-C and PC-D, whose MAC addresses are MAC-A = 84:34:97:00:00:0A, MAC-B = 84:34:97:00:00:0B, MAC-C = 84:34:97:00:00:0C and MAC-D = 84:34:97:00:00:0D; a frame is sent from PC-A to PC-C.

Network switches, also known as multi-port bridges, are similar in function to hubs but with
more intelligence. They understand the frame format and, in particular, the source and
destination MAC addresses within the frames. Instead of sending the signal out on all ports
like a hub, the switch only sends it out on the port to a device with the destination MAC
address.

The forwarding decisions are made using a lookup table which holds MAC addresses and
their corresponding port number. The switch populates the table by examining the source
MAC address of frames when network devices communicate with each other.

When the network switch receives an incoming signal on port 1, it can determine that the
frame is addressed from A to C. It uses the lookup table to determine that the device with
MAC address C is connected to port 3 and so it re-transmits the signal on port 3 only.

If the switch has no record of the MAC address then it acts like a hub by broadcasting the
signal on all ports to ensure that the destination device receives the signal.

Most modern switches are able to store and forward frames. This means that a switch stores
a complete incoming data frame and checks its integrity before sending it out. Such switches
are important when incoming and outgoing speeds differ and provide the flexibility to
support a mix of Ethernet speeds.

Security Issue: Attacker Connects Unauthorized Hardware
Data Link Layer

Diagram: a switch holding a Whitelist connects PC-A, PC-B, PC-C and PC-D (MAC-A = 84:34:97:00:00:0A, MAC-B = 84:34:97:00:00:0B, MAC-C = 84:34:97:00:00:0C, MAC-D = 84:34:97:00:00:0D); PC-A is marked ‘Not on Whitelist’.

As described earlier, one of the main security issues on a wired network is how easy it can be to plug in a device and start using the network. One mechanism which can be used to provide network access control and therefore deter attackers is MAC Address Filtering.

In this mechanism, the MAC address of the network device is used to determine whether
the device should have access to the network. Typically, the network administrator will
configure an approved MAC address list known as a whitelist on the switch. Any device
wishing to communicate on the network via the network switch must have its MAC address
on the approved list.

In the example, when PC-A attempts to transmit data across the network, the switch
determines that the incoming frame has a source MAC address which is not on the whitelist,
and so does not allow PC-A access to the network.

Whilst MAC address filtering can be bypassed by a determined attacker, it can be used to protect against less determined individuals. For example, it could protect against an employee plugging a home laptop without anti-virus software into the office network, which could present a serious security risk.
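The switch behaviour described in the last two slides (learning source MACs, forwarding to one port, flooding unknown destinations, and refusing sources that are not on the whitelist), as an added example that is not part of the course material; the port numbers and the approved list are constructed, the MAC addresses are the course's PC-A to PC-D.

```python
"""Simulate a layer 2 switch: MAC learning, forwarding, flooding and MAC address filtering.

Added example, not from the Sophos course material. Port numbers and the
approved list are constructed; the MAC addresses are the course's PC-A to PC-D.
"""

MAC_A, MAC_B, MAC_C, MAC_D = (f"84:34:97:00:00:0{x}" for x in "ABCD")
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Switch:
    def __init__(self, ports, whitelist=None):
        self.ports = tuple(ports)
        self.mac_table = {}            # learned source MAC -> port it was seen on
        self.whitelist = set(whitelist) if whitelist is not None else None
        self.dropped = []              # (source MAC, port) of frames refused access

    def receive(self, in_port, src, dst):
        """Handle one frame; return the list of ports it is re-transmitted on."""
        # MAC address filtering: a source not on the approved list gets no access.
        # The check only sees the address the frame claims, which is the limit the
        # course notes: it deters casual connections, not a determined attacker.
        if self.whitelist is not None and src not in self.whitelist:
            self.dropped.append((src, in_port))
            return []
        # Learning: the source address tells the switch where that device lives.
        self.mac_table[src] = in_port
        # Unknown destination or broadcast: behave like a hub and flood every
        # other port so the destination is sure to receive the frame.
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # Known destination: forward on its port only (never back where it came from).
        return [] if out_port == in_port else [out_port]


def demo_learning():
    """Frame from PC-A to PC-C: flooded until PC-C has been heard from."""
    sw = Switch(ports=(1, 2, 3, 4))
    first = sw.receive(1, MAC_A, MAC_C)    # C not yet learned -> flood to 2, 3, 4
    reply = sw.receive(3, MAC_C, MAC_A)    # A already learned -> port 1 only
    second = sw.receive(1, MAC_A, MAC_C)   # C now learned -> port 3 only
    return first, reply, second, dict(sw.mac_table)


def demo_filtering():
    """PC-A is not on the whitelist; its frame is dropped and its MAC never learned."""
    sw = Switch(ports=(1, 2, 3, 4), whitelist=[MAC_B, MAC_C, MAC_D])
    blocked = sw.receive(1, MAC_A, MAC_C)
    allowed = sw.receive(2, MAC_B, MAC_C)
    return blocked, allowed, list(sw.dropped), MAC_A in sw.mac_table


if __name__ == "__main__":
    print("learning:", demo_learning())
    print("filtering:", demo_filtering())
```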

Network Layer

Layer 3: Network Layer


Layer 3: Network Layer Functions
Network Layer

Diagram (TCP/IP Model): 5. Application, 4. Transport, 3. Network, 2. Data Link, 1. Physical; the network layer’s data unit is labelled Packets.

The network layer of the TCP/IP model, sometimes referred to as the Internet layer, is
responsible for delivering the data across one or more networks.

In order to make successful delivery possible, it must add network addressing information. Therefore, it adds both a Source and a Destination IP address to the data to form a structure called a Packet. The Destination IP address in the packet is used by the source host and any intermediate hosts, known as routers, to assist in selecting the most appropriate route to the final destination. The precise format of the packet varies depending on the networking technology in use.

Common examples of networking technologies working at the network layer are Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6).

Packet Capture - Layer 3
Network Layer

We’ll now return to the simulation and view the network layer for the traffic captured earlier in the course.

Read the information and follow the instructions to advance to the next step.

Simulation

1. You have now returned to the Wireshark capture. In order to review the Network layer (Layer 3) details, expand the Internet Protocol Version 4 section in the lower pane.
2. The Source and Destination IP Addresses are now shown along with the Protocol field indicating the payload is a TCP segment. Collapse the Internet Protocol section.
3. You have now reviewed the Network layer using Wireshark – we’ll revisit this capture to look at other layers later in the course. Click Continue.


Wireshark: Layer 3 – Network Layer
Network Layer

The slide shows the network layer (Layer 3) of the Wireshark capture expanded and
highlighted so that we can examine it more closely.

This shows Wireshark has determined that the Layer 3 protocol is Internet Protocol Version 4 (IPv4), and it is showing the structure of the IPv4 packet at this layer. You can see that the IP packet comprises multiple fields including a Source IP Address, a Destination IP Address, and a Protocol field which is used to indicate the data which the packet contains. In this case, the payload of the packet is a Transmission Control Protocol (TCP) segment.

IP Address vs MAC Address
Network Layer

MAC Address (used at layer 2), example: 84:34:97:00:00:0A
1. Known as a physical address because it relates to physical hardware
2. It is unique worldwide
3. Provides no information about the location of the device on the network

IP Address (used at layer 3)
1. Known as a logical address because it relates to a network location
2. It can be used by layer 3 devices for routing purposes

It may seem strange that when moving a piece of network data from one host to another,
the network stack requires both a MAC address at layer 2 and an IP address at layer 3. The
reason is as follows:

The MAC Address relates to the physical hardware. It is a unique address assigned by the
manufacturer and does not provide any information regarding the network on which the
associated host is located. This type of address is suitable for moving data from one host to
another within the same network. When moving data to a host on another network it lacks
the necessary information to route the data to the destination network. You can think of it
like a social security number in that it is uniquely tied to an individual person but it contains
no information that would help you find that person.

The IP Address is known as a logical address and it relates to the network. The IP address
allocated to a host contains information about both the network on which the host is
located and the host itself. This type of address can be used by layer 3 devices, such as
routers, to determine the network on which the destination host resides. It allows these
devices to intelligently forward the data towards that specific network. This type of address
is similar to a telephone number with a country code, an area code and an individual
number. The country code and area code assist in routing the call to the correct telephone
exchange and then the individual number is used to establish a successful connection.

Layer 3 Device – The Network Router / Gateway
Network Layer

Diagram: a router (default gateway) connecting Network 1 and Network 2, with a network interface on each: MAC-R1 / IP-R1 on Network 1 and MAC-R2 / IP-R2 on Network 2.

Network routers, also known as gateways, are used to connect networks together.

These layer 3 devices are designed to intelligently move data packets from one network to
another.

Routers are both physically and logically connected to at least 2 different networks. The layer 1 physical connection is via network interface cards (NICs), cables and switches, whilst the layer 3 logical connection to each of the networks is through the IP addresses allocated to the NICs.

In the slide, Network 1 is connected to the router with a network interface card with a MAC
address of MAC-R1, and is connected to Network 2 with a different network interface card
with a MAC address of MAC-R2. In Network 1 the router has been assigned a local IP
address of IP-R1, and in Network 2 a local IP address of IP-R2.

Layer 3 Device – The Network Router / Gateway
Network Layer

Diagram: PC-A (MAC-A, IP-A) on Network 1 connects through Switch 1 to the router interface MAC-R1 / IP-R1; PC-B (MAC-B, IP-B) on Network 2 connects through Switch 2 to the router interface MAC-R2 / IP-R2.

When a router receives a data frame it will extract the packet contained in the payload. It
will use the network addressing it contains to determine exactly how the data should be
forwarded next. The packet will then be placed into a new frame and transmitted for the
next leg of the journey. This may be to either the final destination host or to another router
for further forwarding.

The forwarding decisions are made using a routing table which contains a list of destination
networks and the associated ports which move the packets towards that network. Typically,
the routing table is populated by the router following communication with other routers.

The slide shows a network where the layer 2 functionality takes place on a separate device
from the router. It is possible to combine layer 2 and 3 functionality in one device and this is
common for home networks. These devices are referred to as Layer 3 switches.

Since routers work at layer 3, they are capable of joining together networks which use different layer 2 networking technologies. For example, a typical home router might connect an Ethernet network to the Internet Service Provider (ISP) network using Asymmetric Digital Subscriber Line (ADSL).

Although more intelligent, a key disadvantage of routers is that they are much slower than
network hubs and switches.

Routing a Packet Across Multiple Networks
Network Layer

Diagram (Step 1): PC-A sends a packet addressed from IP-A to IP-B inside a frame addressed from MAC-A to MAC-R1; Switch 1 delivers the frame to the router (default gateway).

We’ll now look in more detail at how the routing process works.

Step 1:
• In the slide, PC-A on Network 1 is sending data to PC-B on Network 2
• Layer 3, the network layer of PC-A generates a packet containing the data which is
addressed from IP-A to IP-B and passes the packet down to the data link layer
• The data link layer can only communicate with devices on the same physical network. It
cannot transmit the data frame directly to PC-B so instead creates a frame addressed to
MAC-R1, which is its local router and default gateway
• This frame is sent via the switch, which uses the MAC address to send it to the router
from which it can be forwarded onwards

Routing a Packet Across Multiple Networks
Network Layer

Diagram (Step 2): the router places the same packet (IP-A to IP-B) into a new frame addressed from MAC-R2 to MAC-B; Switch 2 delivers the frame to PC-B.

Step 2:
• On receipt of the data frame, the router will extract the packet contained in the payload
of the frame. It will use the network addressing contained in the packet to determine
exactly how the data should be forwarded next
• Because the router has a direct connection with the destination it can determine the
MAC address of PC-B. It is able to place the packet into a new frame addressed to MAC-B
• It then sends the frame to the switch, which uses the MAC address to forward it to the
final destination

Routing a Packet Across Multiple Networks
Network Layer

Diagram (Complete Journey of Packet): Step 1 uses Frame 1 (MAC-A to MAC-R1) across Network 1 and Step 2 uses Frame 2 (MAC-R2 to MAC-B) across Network 2; the packet (IP-A to IP-B) is the same in both frames.

You can see from the figure above that whilst the packet travels the entire length from PC-A
to PC-B, the actual journey the packet takes is divided into 2 steps and each step of the
journey must use a different frame. In real-life, a packet will often have to pass through
many more than 2 steps in order to complete the journey from source to destination host.
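The two-step journey just described (Step 1: PC-A frames the packet to its default gateway; Step 2: the router re-encapsulates it for Network 2), as an added example that is not part of the course material. The IP addresses, subnets and pre-resolved ARP tables are constructed; the MAC-A, MAC-B, MAC-R1 and MAC-R2 labels follow the course diagram.

```python
"""One packet, two frames: trace PC-A to PC-B across the router as in Steps 1 and 2.

Added example, not from the Sophos course material. The IP addresses and
subnets (192.0.2.0/24 and 198.51.100.0/24, the documentation ranges) and the
pre-resolved ARP tables are constructed; the MAC-A, MAC-B, MAC-R1, MAC-R2
labels follow the course diagram.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:            # layer 3: stays the same for the whole journey
    src_ip: str
    dst_ip: str
    data: str


@dataclass(frozen=True)
class Frame:             # layer 2: rebuilt on every network the packet crosses
    src_mac: str
    dst_mac: str
    packet: Packet


class Host:
    def __init__(self, mac, ip, network, gateway_ip, arp_table):
        self.mac, self.ip = mac, ip
        self.network = ipaddress.ip_network(network)
        self.gateway_ip = gateway_ip
        self.arp_table = arp_table       # IP -> MAC, assumed already resolved by ARP

    def send(self, packet):
        """Step 1: frame to the destination if local, otherwise to the default gateway."""
        if ipaddress.ip_address(packet.dst_ip) in self.network:
            next_hop = packet.dst_ip
        else:
            next_hop = self.gateway_ip   # data link layer cannot reach another network
        return Frame(self.mac, self.arp_table[next_hop], packet)


class Router:
    def __init__(self, interfaces):
        # interfaces: (mac, ip, network, arp_table) for each directly connected network
        self.interfaces = [(m, i, ipaddress.ip_network(n), a) for m, i, n, a in interfaces]

    def forward(self, frame):
        """Step 2: strip the frame, pick the outgoing network, re-encapsulate the packet."""
        if frame.dst_mac not in {mac for mac, _, _, _ in self.interfaces}:
            return None                  # frame is not addressed to this router
        packet = frame.packet
        for mac, _ip, network, arp_table in self.interfaces:
            if ipaddress.ip_address(packet.dst_ip) in network:
                # Directly connected network: the router resolves PC-B's MAC itself.
                return Frame(mac, arp_table[packet.dst_ip], packet)
        return None                      # no route: would need another router


NET_1, NET_2 = "192.0.2.0/24", "198.51.100.0/24"
IP_A, IP_R1 = "192.0.2.10", "192.0.2.1"
IP_B, IP_R2 = "198.51.100.20", "198.51.100.1"
IP_LOCAL = "192.0.2.30"                  # another host on Network 1 (constructed)


def trace():
    pc_a = Host("MAC-A", IP_A, NET_1, IP_R1, {IP_R1: "MAC-R1", IP_LOCAL: "MAC-L"})
    router = Router([("MAC-R1", IP_R1, NET_1, {IP_A: "MAC-A"}),
                     ("MAC-R2", IP_R2, NET_2, {IP_B: "MAC-B"})])
    packet = Packet(IP_A, IP_B, "GET / HTTP/1.1")
    frame1 = pc_a.send(packet)           # Frame 1: MAC-A -> MAC-R1 on Network 1
    frame2 = router.forward(frame1)      # Frame 2: MAC-R2 -> MAC-B on Network 2
    local = pc_a.send(Packet(IP_A, IP_LOCAL, "same network"))   # no router needed
    return frame1, frame2, local


if __name__ == "__main__":
    for f in trace():
        print(f"{f.src_mac} -> {f.dst_mac} | {f.packet.src_ip} -> {f.packet.dst_ip}")
```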

Address Resolution Protocol (ARP) Request
Network Layer

Diagram: PC-A (MAC-A, IP-A) sends an ARP Request ‘MAC of IP-C?’ to the broadcast MAC FF:FF:FF:FF:FF:FF and the switch delivers it to every port; PC-A’s ARP Cache entry for IP-C is unknown (‘?’). The four PCs are PC-A 00:0a:95:9d:68:1a (MAC-A, IP-A), PC-B 00:0a:95:9d:6c:2b (MAC-B, IP-B), PC-C 00:0a:95:9d:59:3c (MAC-C, IP-C) and PC-D 00:0a:95:9d:59:4d (MAC-D, IP-D).

To transfer data within a network, devices must know the MAC address of the destination.
When a networking request comes down the TCP/IP stack to the data link layer, the
destination MAC address for the IP Address may not be known. In order to complete the
outbound frame, the data link layer must therefore discover the MAC address. We’ll now
look at how the Address Resolution Protocol (ARP) is used for this purpose.

In the example, PC-A wishes to transmit a data frame to PC-C. PC-A knows the IP address of PC-C but not the associated MAC address. In order to resolve the MAC address of PC-C, PC-A broadcasts an ARP Request to the entire network asking ‘Who has IP-C?’

ARP is technically a layer 2 protocol; however, it is included in this section because of the support it provides for the network layer.

Address Resolution Protocol (ARP) Response
Network Layer

Diagram: PC-C replies directly to MAC-A with an ARP Response ‘IP-C is at MAC-C’. PC-A’s ARP Cache now holds IP-C = 00:0a:95:9d:59:3c and PC-C’s ARP Cache holds IP-A = MAC-A. The four PCs are PC-A 00:0a:95:9d:68:1a (MAC-A, IP-A), PC-B 00:0a:95:9d:6c:2b (MAC-B, IP-B), PC-C 00:0a:95:9d:59:3c (MAC-C, IP-C) and PC-D 00:0a:95:9d:59:4d (MAC-D, IP-D).

PC-C sees the ARP Request from IP-A. It determines that it has the IP address of IP-C and
therefore replies directly to PC-A with an ARP Response. It can reply directly because the
original ARP Request contained the MAC address of PC-A. When PC-A receives the ARP
Response, it can address and transmit the data frame.

In order to reduce network traffic and improve performance, each PC has an ARP Cache held
in memory in which it stores any ARP information it has received. In the example above, PC-
C can add an entry for PC-A because of the information sent in the ARP Request and PC-A
can store an entry for PC-C because of the ARP Response.

When a PC needs to resolve the MAC address from an IP address, it will look in the ARP
Cache first before broadcasting an ARP Request. In order to keep the cache up-to-date,
entries only stay in the ARP Cache for a short period which is defined by the operating
system in use.

Activity 2
Network Layer

In this activity you will use the arp command to view cached MAC to IP address entries.

Use the Download Activity button to open the instructions. When you have finished click Continue.

In this activity you will use the arp command to view MAC Addresses that have been resolved to their IP Address and are held in the arp cache.

Activity 2 Output Example
Network Layer

Enter the command:

C:\>arp -a

Interface: 192.168.1.205 --- 0x10
  Internet Address      Physical Address      Type
  192.168.1.168         fc-a1-83-29-17-28     dynamic
  192.168.1.208         28-32-c5-09-00-6f     dynamic
  192.168.1.222         00-90-a9-44-50-c6     dynamic
  192.168.1.254         90-4d-4a-16-f4-9d     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.253           01-00-5e-00-00-fd     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

The example shows the MAC Address for the Default Gateway.

The figure above shows the expected output from Activity 2. The arp cache on your computer is displayed.

Note that the actual IP addresses and their corresponding MAC addresses will be different
for you.

Security Issue: ARP Cache Poisoning Attack (Part 1)
Network Layer

Diagram (ARP Attack): PC-D sends a spoofed ARP Response ‘IP-C is at MAC-D’ to PC-A (MAC-A) through the switch; PC-A’s ARP Cache is shown before the spoofed entry is added.

An ARP Cache Poisoning Attack, also known as ARP Spoofing, can be undertaken by an attacker with access to a network. The attacker sends specially crafted ARP Response messages to a target PC. The “spoofed” ARP Response messages associate the attacker’s MAC address with the IP address of a second host on the network.

Whilst the first target machine holds the spoofed information in its ARP cache, any attempt
it makes to send a message to the second host will be sent to the attacker’s PC instead. It is
common for attackers to try to spoof the details of the network default gateway as this will
allow them to collect all traffic from the target PC which is destined for another network.

In the slide, the attacker on PC-D sends a spoofed ARP Response to PC-A which links the IP address of PC-C with the MAC address of PC-D. PC-A will add this entry to its ARP Cache.

ARP is a very simple protocol without any authentication. Network hosts will automatically
cache details they receive regardless of whether they have requested them. This
vulnerability in the ARP protocol is exploited by this attack.

Security Issue: ARP Cache Poisoning Attack (Part 2)
Network Layer

Diagram (ARP Attack): after the spoofed ARP Response ‘IP-C is at MAC-D’, PC-A’s ARP Cache holds IP-C = 00:0a:95:9d:59:4d, which is PC-D’s MAC address. The four PCs are PC-A 00:0a:95:9d:68:1a, PC-B 00:0a:95:9d:6c:2b, PC-C 00:0a:95:9d:59:3c and PC-D 00:0a:95:9d:59:4d.

PC-A now has the spoofed ARP Response information in its cache. When PC-A wishes to
communicate with PC-C, it will generate a data packet addressed to IP-C but place it into a
frame with the destination MAC address of PC-D. If the attacker periodically sends additional
spoofed ARP responses then they can keep the spoofed entries in the ARP cache of PC-A
indefinitely.

Once the attacker receives the message, they can choose to:
• Inspect the packets before forwarding them on to the intended destination to avoid discovery
• Modify the data before forwarding it on
• Prevent communication between the two target hosts by not forwarding some or all of the packets – this is known as a Denial-of-Service (DoS) attack

If the attacker wishes, they can poison the ARP caches of both PC-A and PC-C so that they
can see traffic in both directions.

There are a few mechanisms that can be used to mitigate such an attack:
• Use an ARP monitoring tool which looks for changes in the associations between IP and
MAC addresses
• Use encryption on the network. This does not prevent the attack but means that the
attacker cannot inspect or modify the network data
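The ARP cache behaviour described on the previous slides (any reply is stored, entries age out) together with the first mitigation above, an ARP monitoring tool that looks for changes in IP-to-MAC associations, as an added example that is not part of the course material. The IP addresses, the time values and the sequence of ARP Responses are constructed; the MAC addresses are the course's PC-A to PC-D.

```python
"""An unauthenticated ARP cache with ageing, and a monitor that flags changed bindings.

Added example, not from the Sophos course material. The IP addresses and the
sequence of ARP Responses are constructed; the MAC addresses are the course's
PC-A to PC-D.
"""

MAC = {"A": "00:0a:95:9d:68:1a", "B": "00:0a:95:9d:6c:2b",
       "C": "00:0a:95:9d:59:3c", "D": "00:0a:95:9d:59:4d"}
IP = {"A": "10.0.0.1", "B": "10.0.0.2", "C": "10.0.0.3", "D": "10.0.0.4"}  # constructed


class ArpCache:
    """The host-side cache the course describes: stores any reply, for a limited time."""

    def __init__(self, ttl):
        self.ttl = ttl                 # seconds an entry stays valid (OS dependent)
        self.entries = {}              # ip -> (mac, expiry time)

    def learn(self, ip, mac, now):
        # No authentication: requested or not, the newest reply wins.
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip, now):
        mac, expires = self.entries.get(ip, (None, 0))
        if mac is None or now >= expires:
            self.entries.pop(ip, None)   # aged out: an ARP Request is needed again
            return None
        return mac


class ArpMonitor:
    """Mitigation from the course: watch IP-to-MAC associations and report changes."""

    def __init__(self):
        self.bindings = {}             # ip -> mac last seen answering for it
        self.alerts = []

    def observe(self, ip, mac, now):
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"t={now}: {ip} moved from {previous} to {mac}")
        self.bindings[ip] = mac
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append(f"t={now}: {mac} answers for several IPs: {claimed}")


def simulate():
    """Replay ARP Responses as seen by PC-A and by a monitor on the same segment."""
    cache, monitor = ArpCache(ttl=60), ArpMonitor()
    responses = [                      # (time, ip claimed, mac claiming it)
        (0, IP["C"], MAC["C"]),        # genuine reply from PC-C
        (5, IP["B"], MAC["B"]),        # genuine reply from PC-B
        (10, IP["D"], MAC["D"]),       # genuine reply from PC-D
        (30, IP["C"], MAC["D"]),       # spoofed reply: IP-C claimed by PC-D's MAC
    ]
    for now, ip, mac in responses:
        cache.learn(ip, mac, now)      # PC-A caches it (this is the vulnerability)
        monitor.observe(ip, mac, now)  # the monitor notices the binding change
    poisoned = cache.lookup(IP["C"], 31)   # PC-A would now frame IP-C traffic to MAC-D
    aged_out = cache.lookup(IP["B"], 70)   # 5 + 60 = 65 < 70: entry has expired
    return poisoned, aged_out, monitor.alerts


if __name__ == "__main__":
    poisoned, aged_out, alerts = simulate()
    print("IP-C resolves to", poisoned, "| IP-B after ttl:", aged_out)
    print("\n".join(alerts))
```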

Network Layer: IP and Routing
Network Layer

202 IP and Routing

As you have seen, the network layer includes IP addresses and routing. There’s much more to say about the practical aspects of IP and routing and we will cover this in detail in our Cybersecurity Essentials: Networking 202.

Transport Layer

Layer 4: Transport Layer


Layer 4: Transport Layer Functions
Transport Layer

Diagram (Updated TCP/IP Model): 5. Application, 4. Transport, 3. Network, 2. Data Link, 1. Physical; the transport layer’s data unit is labelled Segment/Datagram.

Layer 4 of the TCP/IP model is called the transport layer and it sits between the network and
application layers. It divides long messages into smaller segments or datagrams which are a
suitable size for delivery across the network.

This layer also handles error-checking, error-recovery and flow control mechanisms. Flow
control is the process used to monitor and manage the rate of data transmission between
communicating nodes; it prevents a fast sending node from overwhelming a slower recipient
node with data.

The choice between dividing the messages into segments or datagrams will be covered later
in this section.

Once the segment or datagram has been created, it is passed down to the Network layer.

Transmission Control Protocol vs User Datagram Protocol
Transport Layer

Main Requirement: Data Integrity – Layer 4 uses Transmission Control Protocol (TCP)
Main Requirement: Fastest Delivery – Layer 4 uses User Datagram Protocol (UDP)

The many different TCP/IP applications need a wide range of services from the network to
help them work successfully. Most TCP/IP applications, such as email and web, need the
underlying network to guarantee delivery with error checking so that they have the
necessary data integrity. Other applications, such as video and voice, need the underlying
network to provide the fastest possible delivery times with the minimum of delay.

These conflicting requirements are handled in the TCP/IP model by the transport layer
offering two different mechanisms called the Transmission Control Protocol (TCP) and the
User Datagram Protocol (UDP). We will look at the key differences between these protocols
in the next few slides.

Layer 4: Transmission Control Protocol (TCP)
Transport Layer

o TCP divides data into structures called segments
o Connection-orientated and reliable
o Guaranteed delivery using acknowledgements and error checking
o Flags are used to influence the flow of data

Transmission Control Protocol (TCP) divides long application messages into smaller
structures called segments which are a suitable size for delivery across the network.

TCP provides connection-oriented and reliable communication. It is the most common type
of session provided by the transport layer because it uses acknowledgements and error
checking to ensure that no data is lost, duplicated or received out-of-order. Most
applications require this level of service to provide the necessary data integrity.

The segments have a system of flags that are used to influence the flow of data across a TCP
connection. Each flag is a single bit which can be set or left off. In the simulation you will see
the use of a flag to acknowledge data.

Layer 4: TCP Handshake
Transport Layer

Establishing a session using a 3-way handshake: SYN, SYN/ACK, ACK

The exchange of messages during a session

TCP has a special process for the establishment of a session called the TCP three-way
handshake.

This proceeds as follows:

1. The client sends a TCP segment to the server with the Synchronize (SYN) flag set to indicate that it wishes to initialize a session
2. The server responds with a TCP segment in which both the SYN and Acknowledgement (ACK) flags are set. The ACK flag is used to acknowledge successful receipt of a segment
3. Finally, the client responds with a TCP segment with just the ACK flag set to finish establishing the session

Once the session has been established through the handshake, it is used to transfer the messages that follow. TCP sequence numbers are used to ensure that the data arrives in the correct order.

Layer 4: TCP Handshake
Transport Layer

Establishing a session using a 3-way handshake: SYN, SYN/ACK, ACK

Terminating the session: FIN, ACK, FIN, ACK

Once all the required data has been transferred, TCP has another process for terminating the
session which proceeds as follows:

1. The server sends a TCP segment with the Finished (FIN) flag set to indicate that it will send no further data
2. The client responds with an ACK segment
3. The client then sends its own FIN segment
4. Finally, the server acknowledges receipt with an ACK segment and the session is
terminated
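The handshake and termination sequences from the two slides above, walked through by two endpoints that track state, sequence numbers and flags, as an added example that is not part of the course material; the initial sequence numbers (1000 and 5000) are constructed, and a segment acknowledging data that was never sent is rejected rather than acted upon.

```python
"""Walk a TCP session through the three-way handshake and the four-segment termination.

Added example, not from the Sophos course material. The initial sequence
numbers (1000, 5000) are constructed; the flag sequence follows the course slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset            # subset of {"SYN", "ACK", "FIN"}


class Endpoint:
    def __init__(self, name, isn, listening=False):
        self.name = name
        self.state = "LISTEN" if listening else "CLOSED"
        self.snd_next = isn      # next sequence number we will send
        self.rcv_next = None     # next sequence number we expect from the peer
        self.trace = []

    def _segment(self, flags, to):
        seg = Segment(self.name, to, self.snd_next, self.rcv_next or 0, frozenset(flags))
        if flags & {"SYN", "FIN"}:
            self.snd_next += 1   # SYN and FIN each occupy one sequence number
        self.trace.append(f"{self.name} -> {to}: {'/'.join(sorted(flags))}")
        return seg

    def connect(self, to):                       # handshake step 1: SYN
        self.state = "SYN_SENT"
        return self._segment({"SYN"}, to)

    def close(self, to):                         # FIN: "I will send no further data"
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        return self._segment({"FIN"}, to)

    def receive(self, seg):
        """Apply a received segment; return the reply segment, or None if none is due."""
        flags = seg.flags
        if "ACK" in flags and seg.ack != self.snd_next:
            raise ValueError(f"{self.name}: ACK {seg.ack} does not match {self.snd_next}")
        if flags & {"SYN", "FIN"}:
            self.rcv_next = seg.seq + 1          # the SYN/FIN itself must be acknowledged
        if self.state == "LISTEN" and flags == {"SYN"}:
            self.state = "SYN_RECEIVED"          # handshake step 2: SYN/ACK
            return self._segment({"SYN", "ACK"}, seg.src)
        if self.state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.state = "ESTABLISHED"           # handshake step 3: ACK
            return self._segment({"ACK"}, seg.src)
        if self.state == "SYN_RECEIVED" and flags == {"ACK"}:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and "FIN" in flags:
            self.state = "CLOSE_WAIT"            # peer is done sending; we ACK its FIN
            return self._segment({"ACK"}, seg.src)
        if self.state == "FIN_WAIT_1" and flags == {"ACK"}:
            self.state = "FIN_WAIT_2"
            return None
        if self.state == "FIN_WAIT_2" and "FIN" in flags:
            self.state = "TIME_WAIT"             # both sides finished; send the final ACK
            return self._segment({"ACK"}, seg.src)
        if self.state == "LAST_ACK" and flags == {"ACK"}:
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name}: unexpected {sorted(flags)} in state {self.state}")


def run_session():
    """Handshake, then termination started by the server as on the slide."""
    client = Endpoint("client", isn=1000)
    server = Endpoint("server", isn=5000, listening=True)
    syn = client.connect("server")                 # 1. SYN
    syn_ack = server.receive(syn)                  # 2. SYN/ACK
    server.receive(client.receive(syn_ack))        # 3. ACK
    established = (client.state, server.state)
    fin1 = server.close("client")                  # 1. server FIN
    server.receive(client.receive(fin1))           # 2. client ACK
    fin2 = client.close("server")                  # 3. client FIN
    client.receive(server.receive(fin2))           # 4. server ACK
    return established, (client.state, server.state), client.trace + server.trace


def stray_ack_is_rejected():
    """An ACK for data never sent is refused instead of being acted upon."""
    server = Endpoint("server", isn=5000, listening=True)
    try:
        server.receive(Segment("x", "server", 1, 999, frozenset({"ACK"})))
    except ValueError:
        return True
    return False
```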

Packet Capture – Layer 4
Transport Layer

We’ll now return to the simulation and view the transport layer for the network traffic captured earlier in the course.

Read the information and follow the instructions to advance to the next step.

Simulation

1. You have now returned to the Wireshark capture. In order to review the Transport layer (Layer 4) details, expand the Transmission Control Protocol section in the lower pane.
2. The Source and Destination Ports are now shown. The Destination Port of 80 is the well known port for a web server. The Source Port has been dynamically selected from the range 49152 to 65535. Click at the bottom of the scroll bar to view more of the Transmission Control Protocol section.
3. Expand the Flags section in the lower pane.
4. Note that the Acknowledgement flag is Set. This acknowledges the received data. Click at the top of the scroll bar.
5. Collapse the Transmission Control Protocol section.
6. You have now reviewed the transport layer using Wireshark – we’ll revisit this capture to look at the final layer later in the course. Click Continue.
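The IPv4 fields examined at layer 3 earlier (source and destination address, the Protocol field announcing a TCP payload) and the TCP ports and flags examined in this simulation, decoded from raw bytes as an added example that is not part of the course material. SAMPLE_PACKET is a constructed packet from 192.0.2.10 (documentation range) to port 80 with only the ACK flag set; the IPv4 header checksum is verified so a damaged header can be told apart from a good one.

```python
"""Decode the IPv4 header (layer 3) and TCP header (layer 4) that Wireshark expands.

Added example, not from the Sophos course material. SAMPLE_PACKET is a
constructed IPv4 packet from 192.0.2.10 (documentation range) to port 80 with
only the ACK flag set, built with a valid header checksum so the check passes.
"""
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}          # IANA protocol numbers
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
EPHEMERAL_PORTS = range(49152, 65536)    # dynamic source ports, as noted in the simulation


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit words; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    """Return the IPv4 fields the course points at, an integrity verdict and the payload."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _hdr_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "payload_type": IP_PROTOCOLS.get(proto, "unknown"),
        # A receiver discards packets whose header checksum does not verify.
        "checksum_ok": ones_complement_sum(packet[:header_len]) == 0,
        "payload": packet[header_len:total_len],
    }


def parse_tcp(segment):
    """Return ports, sequence/acknowledgement numbers and the flags that are set."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte TCP header")
    (sport, dport, seq, ack, offset_flags,
     _window, _checksum, _urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4
    return {
        "src_port": sport,
        "dst_port": dport,
        "src_port_is_ephemeral": sport in EPHEMERAL_PORTS,
        "seq": seq,
        "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if offset_flags & bit],
        "payload": segment[data_offset:],
    }


def build_sample():
    """Constructed packet: 192.0.2.10:52000 -> 192.0.2.80:80, TCP with ACK set, no data."""
    tcp = struct.pack("!HHIIHHHH", 52000, 80, 1001, 5001, (5 << 12) | 0x10, 65535, 0, 0)
    total_len = 20 + len(tcp)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    checksum = struct.pack("!H", ones_complement_sum(header))   # fill in bytes 10-11
    return header[:10] + checksum + header[12:] + tcp


SAMPLE_PACKET = build_sample()

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE_PACKET)
    tcp = parse_tcp(ip["payload"])
    print(f"IPv4 {ip['src']} -> {ip['dst']} proto {ip['protocol']} ({ip['payload_type']}), "
          f"checksum ok: {ip['checksum_ok']}")
    print(f"TCP {tcp['src_port']} -> {tcp['dst_port']} flags {tcp['flags']}")
```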


Layer 4: User Datagram Protocol (UDP)

Layer 4: User Datagram Protocol (UDP)


Transport Layer

o UDP divides data into structures called datagrams


o Connectionless communication, with no acknowledgements
o It is a ‘best effort’ approach for applications that want to minimize overhead
o No error control so data may be lost or delivered in the wrong order

106

The User Datagram Protocol (UDP) divides data into structures called datagrams and
provides connectionless communication in TCP/IP networks. It is a “best effort” type of
session provided by the Transport layer for applications which don’t need or want the
overhead of TCP acknowledgements and session control. UDP lacks any kind of error control
and may lose data or deliver it in the wrong order.

Networking 201: TCP/IP Networking Model - Page 106


Layer 4: User Datagram Protocol (UDP)
Transport Layer

[Figure: a Request followed by a stream of Responses, each sent without waiting for an acknowledgement]

107

When using UDP the sender will not wait to make sure the recipient has received a
datagram - it will continue sending the following datagrams. There is no guarantee the
recipient will receive all the datagrams and no way to ask for any to be sent again.

The benefit of the absence of acknowledgements and error checking is that the computers
can communicate more quickly.

Networking 201: TCP/IP Networking Model - Page 107


Layer 4: User Datagram Protocol (UDP)

Layer 4: Domain Name Service (DNS) uses UDP


Transport Layer

Reasons:
o Reduced server load compared to TCP
o It’s faster than TCP
o DNS queries generally fit into a single datagram

108

Compared to TCP, there are far fewer applications which use UDP; however, those that do
still provide important services, as the following examples show:

Domain Name Service (DNS) generally uses UDP for name resolution queries. The reasons
for using UDP are as follows:
• The load on DNS servers can be reduced substantially because the servers don’t have to
keep track of each connection
• The reduced overhead makes the request/response faster
• DNS queries are generally small and easily fit inside a single UDP datagram. If DNS
needs to perform larger data transfers it may use TCP instead

Networking 201: TCP/IP Networking Model - Page 108


Layer 4: User Datagram Protocol (UDP)

Layer 4: Session Initiation Protocol (SIP) uses UDP


Transport Layer

Reasons:
o Timely receipt of information is the priority
o Data loss has a more minor impact on voice or video output than service delays

109

Session Initiation Protocol (SIP) uses UDP for voice and video data. For real-time services
such as voice and video, it is far more important to keep the stream of information coming
in a timely fashion than making sure every packet is received in the correct order. Data loss
usually only has a minor impact on the voice or video output and it is far better to have a
few milliseconds of silence or image loss than to have seconds of lag which would be
introduced waiting for missing data to be re-sent.

UDP is a protocol optimized for getting data packets to their destination in a timely fashion;
it’s meant for real-time services like VoIP where it’s important to keep the data stream going.

Networking 201: TCP/IP Networking Model - Page 109


Packet Capture – Domain Name Service (DNS)
Transport Layer

We’ll now view the packet capture to see how DNS was used to resolve the name of the
sophostest.com web server

Read the information and follow the instructions to advance to the next step.

Start

We’ll now view the packet capture to see how DNS over UDP was used to resolve the name
of the sophostest.com web server

Read the information and follow the instructions to advance to the next step.

Networking 201: TCP/IP Networking Model - Page 110


Simulation
In order to see all traffic, remove the http text in the Apply a display filter bar by clicking the
cross to the right of the bar

Networking 201: TCP/IP Networking Model - Page 111


Simulation
You will now filter the captured packets for DNS frames.
In the Apply a display filter bar, type dns and press the Enter key

Networking 201: TCP/IP Networking Model - Page 112


Simulation
Select the first DNS frame where the Info column shows Standard query 0xc7cf A
sophostest.com

Networking 201: TCP/IP Networking Model - Page 113


Simulation
Review the DNS request details.
Expand the User Datagram Protocol section in the lower pane

Networking 201: TCP/IP Networking Model - Page 114


Simulation
The DNS protocol typically uses UDP datagrams. The Destination Port of 53 is the well known
port number for DNS. Collapse the User Datagram Protocol section in the lower pane

Networking 201: TCP/IP Networking Model - Page 115


Expand the Domain Name System section in the lower pane
Simulation

Networking 201: TCP/IP Networking Model - Page 116


Expand the Queries section in the lower pane
Simulation

Networking 201: TCP/IP Networking Model - Page 117


Simulation
The Queries section of the DNS request shows an A type lookup on sophostest.com.
Select the DNS frame where the Info column shows Standard query response 0xc7cf A
sophostest.com in the lower pane

Networking 201: TCP/IP Networking Model - Page 118


Simulation
The Queries section of the DNS response matches the Queries section of the DNS request seen
above. Expand the Answers section in the lower pane

Networking 201: TCP/IP Networking Model - Page 119


Simulation
The Answers section shows multiple IP Addresses for hostname sophostest.com – the browser
will choose one of these IPs. Collapse the Domain Name System section in the lower pane

Networking 201: TCP/IP Networking Model - Page 120


Simulation
In order to see all the capture again, remove the dns text in the Apply a display filter bar and
press the Enter key

Networking 201: TCP/IP Networking Model - Page 121


Simulation
You have now reviewed the DNS protocol using Wireshark – we’ll revisit this capture later in the
course. Click Continue

Continue
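The following Python is an added example, not code from the course: it builds the kind of A query seen in the simulation (transaction id 0xc7cf for sophostest.com), shows that it fits easily in one UDP datagram, and parses a constructed response carrying several A records, checking, as a resolver must, that the response’s transaction id and question match the query before its answers are used. The answer addresses 192.0.2.10 and 192.0.2.11 are constructed documentation addresses, not the ones from the capture.

```python
import socket
import struct

DNS_PORT = 53  # well-known UDP port for DNS, as seen in the capture


def build_a_query(name: str, txid: int) -> bytes:
    """Build a standard A query (QR=0, RD=1) for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100: recursion desired
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a label sequence at `off`, following compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                    # pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and A-record answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record: 4-byte IPv4 address
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def build_a_response(query: bytes, addresses, ttl: int = 300) -> bytes:
    """Constructed server reply: echo the query's id and question, add one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR=1, RD, RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addresses)                  # 0xc00c points back at the question name
    return header + query[12:] + rrs


def response_matches(query: bytes, response: bytes) -> bool:
    """A resolver must only accept a reply whose transaction id and question match its query."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["txid"] == r["txid"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    query = build_a_query("sophostest.com", 0xC7CF)
    print(len(query), "byte query fits in one UDP datagram")
    reply = build_a_response(query, ["192.0.2.10", "192.0.2.11"])  # constructed addresses
    print(parse_message(reply)["answers"], response_matches(query, reply))
```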

Networking 201: TCP/IP Networking Model - Page 122


Layer 4: Port Numbers

Transport Layer

TCP 129.35.99.38:80 LISTENING

[Figure: Client-A (MAC-A, IP-A = 129.35.99.112, Port-A = 49152) sends a "Request to B" through a
Switch to Server-B (MAC-B, IP-B = 129.35.99.38, Port-B = 80); the segment carries source port 49152
and destination port 80 beneath the IP and MAC headers]

123

Every TCP/IP application has a client process and a server process. The most common TCP/IP
server processes have a standard port number. A port number is a 16-bit number between 0
and 65535.

The port numbers from 0 to 1023 are called the “well-known” port numbers and are
reserved for specific TCP/IP applications. For example, HTTP web servers use port 80 and
DNS name resolution servers use port 53.

When the server process is launched, it binds the port number to the IP address to form a
TCP/IP Socket. For example, in the slide Server B is running an HTTP web server process and
the process “listens” for incoming requests on the following socket:
TCP 129.35.99.38:80 LISTENING

The example shows the HTTP web client on Client A sending a request to the HTTP web
server on Server B. The TCP segment contains a destination port of 80 and a source port of
49152. The source port number is generated in a variety of ways depending on the operating
system. It is recommended that source ports use the range 49152 to 65535 which are
known as the Dynamic or Private ports.

When Server B receives the request, it is passed up the TCP/IP stack to the transport layer.
The transport layer sees the destination port of 80 and determines that it relates to the
HTTP web server process. It passes the request to the process in the application layer.

Networking 201: TCP/IP Networking Model - Page 123


netstat Utility

Transport Layer

[Figure: netstat -an output on Server B, with three entries labelled Line 1, Line 2 and Line 3]

124

The netstat utility is used to display current TCP/IP network connections and the listening
ports and active connections on a network host.

In the figure above, the user has executed a netstat -an command on Server B referred to in
the previous slide.

The -a switch causes the utility to display the active connections and any listening ports. The
-n switch displays the IP addresses and port numbers in numerical format without any
attempt at name resolution.

The output of the utility shows the following information:


• Line 1 shows that Server B has a running HTTP process listening on TCP port 80. The
0.0.0.0 wildcard address indicates the process is listening on all IP addresses configured
on the server
• Line 2 shows the established connection between the HTTP web client on Client A with
the HTTP web server on Server B
• Line 3 shows that Server B has a running DNS process listening on UDP port 53.

Networking 201: TCP/IP Networking Model - Page 124


Security Issue: SYN Attack
Transport Layer

[Figure: a BOT sends a stream of Spoofed SYN Packets to the Target; the Target answers each with a
SYN/ACK and waits (?!!) for a handshake that does not complete]

125

A SYN Attack, also known as a TCP SYN Attack or a SYN Flood, is a type of Denial-of-Service
(DoS) attack. The attacker takes advantage of the TCP 3-way handshake by bombarding a
target system with specially crafted SYN requests with spoofed IP source addresses. The
attacker can automate the process by using scripts running from internet bots.

The target responds with a SYN, ACK and must keep resources allocated to the partially
opened connection until a timeout period defined by the operating system has expired. In
the meantime, many more SYN requests have been received by the target which eventually
becomes overwhelmed. Once the connection queues on the target system become
exhausted, it will become unresponsive to all requests, including legitimate ones, and it is
this that causes the denial-of-service.

Networking 201: TCP/IP Networking Model - Page 125


Security Issue: SYN Attack
Transport Layer

126

The figure above shows the output from the netstat utility when a SYN attack is underway.

From an attacker’s point-of-view, a SYN attack is attractive because it doesn’t require
particularly powerful systems or huge amounts of bandwidth to launch successfully. As a
consequence, it is important that any potential target systems are well protected. One
common countermeasure is for organizations to use firewalls or cloud-based solutions to
identify and block malicious traffic.

For an example of protection see: Sophos XG Firewall: How to prevent DoS and DDoS attacks
https://sophos.com/kb/123182
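As an added example (Python, not from the course), the following parses constructed netstat -an output in the layout the netstat slide describes, lists the bound sockets (Line 1 and Line 3), shows the established connection from Client A (Line 2), and then counts SYN_RECEIVED half-open connections per local port so that the backlog a SYN attack leaves behind stands out. The sample output, the spoofed 198.51.100.x sources and the threshold of 20 are constructed for the example; Linux netstat prints the same state as SYN_RECV, which the code also accepts.

```python
from collections import Counter

# Constructed sample of `netstat -an` output in the Windows layout used in the course
# (Proto, Local Address, Foreign Address, State). Not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    129.35.99.38:80        129.35.99.112:49152    ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# The same host during a constructed SYN flood: 40 half-open connections from spoofed
# 198.51.100.x sources (documentation addresses), each waiting for an ACK that never comes.
SAMPLE_UNDER_ATTACK = SAMPLE_NETSTAT + "".join(
    f"  TCP    129.35.99.38:80        198.51.100.{i}:{40000 + i}     SYN_RECEIVED\n"
    for i in range(1, 41)
)

HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}   # Windows and Linux spellings


def parse_netstat(text: str):
    """Return one dict (proto, local, foreign, state) per connection line, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""   # UDP is connectionless: no state column
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2], "state": state})
    return rows


def listening_ports(rows):
    """Sockets a server process has bound: TCP LISTENING entries plus every UDP socket."""
    return sorted({(r["proto"], r["local"])
                   for r in rows if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def half_open_by_port(rows):
    """Count half-open TCP connections per local port (rsplit copes with [::]:80 style addresses)."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] in HALF_OPEN_STATES:
            counts[int(r["local"].rsplit(":", 1)[1])] += 1
    return counts


def syn_flood_suspects(rows, threshold: int = 20):
    """Local ports whose half-open backlog exceeds `threshold` (a constructed heuristic)."""
    return sorted(port for port, n in half_open_by_port(rows).items() if n > threshold)


if __name__ == "__main__":
    normal = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(normal))
    print("half-open during attack:", dict(half_open_by_port(parse_netstat(SAMPLE_UNDER_ATTACK))))
    print("suspect ports:", syn_flood_suspects(parse_netstat(SAMPLE_UNDER_ATTACK)))
```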

Networking 201: TCP/IP Networking Model - Page 126


Application Layer

Application Layer

127

Networking 201: TCP/IP Networking Model - Page 127


Layer 5: Application Layer Functions
TCP/IP Model
Application Layer

5. Application
Application Data
4. Transport
3. Network
2. Data Link
1. Physical

128

Layer 5 of the TCP/IP model is called the application layer and it sits at the top of the TCP/IP
stack above the transport layer. Remember that the TCP/IP application layer is the
equivalent of the top three OSI model layers called session, presentation and application.
Therefore, it is the responsibility of the TCP/IP application layer to perform all the functions
performed by these OSI model layers.

As a reminder, the functions performed by these 3 layers are as follows:

• Application Layer – this layer handles interactions between any application requiring
network access and the network itself

• Presentation Layer – this layer modifies the application data so that it is in an
appropriate format for sending across the network. This layer will also handle any
compression or encryption which may be needed – later in this section we will look at
using Transport Layer Security (TLS) which is an example of handling encryption in this
layer.

• Session Layer – this layer initiates, manages and terminates the connections between
the local and remote applications. It also handles reconnection following an
interruption or timeout. These connections, or sessions, can be considered a persistent
link between the client and server application processes which are used by them to
exchange data over prolonged periods of time. This layer makes use of the sockets
formed in the transport layer discussed in the earlier section of this course.

Once the TCP/IP application layer has completed the above tasks it will pass the data to the
transport layer below it.

Networking 201: TCP/IP Networking Model - Page 128


Packet Capture – Layer 5
Application Layer

This final simulation will show the application layer HTTP request to the
sophostest.com website

Read the information and follow the instructions to advance to the next step

Start

This final simulation will show the application layer HTTP request to the sophostest.com
website.

Read the information and follow the instructions to advance to the next step.

Networking 201: TCP/IP Networking Model - Page 129


Simulation
You have now returned to the Wireshark capture of the Hypertext Transfer Protocol (HTTP) web
traffic. In order to review the Application layer (Layer 5) details, expand the Hypertext Transfer
Protocol section in the lower pane

Networking 201: TCP/IP Networking Model - Page 130


Simulation
This shows the detail of the HTTP web request including the Host field showing sophostest.com. Click
at the bottom of the scroll bar to view more of the Application Layer request

Networking 201: TCP/IP Networking Model - Page 131


Simulation
This shows that the response was received in frame number 11142 and the next request is in
frame number 11144. In the upper half of the window click on frame number 11144

Networking 201: TCP/IP Networking Model - Page 132


Simulation
A web page may contain significant amounts of information. This shows how multiple requests
may be used to read the full page. Click at the top of the scroll bar

Networking 201: TCP/IP Networking Model - Page 133


Collapse the Hypertext Transfer Protocol section
Simulation

Networking 201: TCP/IP Networking Model - Page 134


Simulation
You have now reviewed the application layer using Wireshark. Click Continue

Continue

Networking 201: TCP/IP Networking Model - Page 135


Layer 5: Application Layer Protocols
The TCP/IP application layer defines communication protocols for any
application requiring network access

The 1989 IETF document RFC 1123 defined the application layer and these
standardised protocols:
Application Layer

• Domain Name System (DNS)
• Remote Host Login (TELNET)
• Simple Mail Transfer Protocol (SMTP)
• File Transfer Protocol (FTP)

Since RFC 1123 further standardized protocols include:

• Hypertext Transfer Protocol (HTTP)
• Post Office Protocol (POP3)
• Session Initiation Protocol (SIP)
136

The TCP/IP application layer defines communication protocols and interface methods for any
application requiring network access.

The original Internet Engineering Task Force (IETF) document which defined the application
layer can be found in Request for Comment (RFC) 1123. The document defines a set of
communication protocols for use on the early Internet and many of these are still in use
today, including the following:

• Domain Name System (DNS)
• Remote Host Login (TELNET)
• Simple Mail Transfer Protocol (SMTP)
• File Transfer Protocol (FTP)

Since RFC 1123 was published in 1989, numerous other communication protocols have
been standardised in RFCs including some of the most popular on the Internet such as
Hypertext Transfer Protocol (HTTP), Post Office Protocol (POP3) and Session Initiation
Protocol (SIP).

Networking 201: TCP/IP Networking Model - Page 136


Layer 5: Well-Known Port Numbers
Application Layer

Communication Protocol      Port       Service
HTTP                        80         Web
HTTPS                       443        Secure Web
SMTP                        25         Email Upload/Transfer
SMTP/TLS                    587        Secure Email Upload/Transfer
DNS                         53         Name Resolution
TELNET                      23         Remote Login/Shell
SSH                         22         Secure Remote Login/Shell
FTP Control / FTP Data      21 / 20    File Transfer
SIP                         5060       Voice & Video
SIP-TLS                     5061       Secure Voice & Video
POP3                        110        Email Download
POP/TLS                     995        Secure Email Download
137

The slide above shows a list of some of the most common communication protocols and it
includes their port numbers and a description of the service they provide.

Note that most of the protocols have a secure alternative which uses a different port
number.

Networking 201: TCP/IP Networking Model - Page 137


Activity 3

In this activity you will use a telnet web tool to test connectivity to
an IP address and port
Application Layer

Use the Download Activity button to open the instructions


When you have finished click Continue

Continue

138

In this activity you will use a telnet web tool to test connectivity to an IP address and port.

A telnet client is included with Windows but the feature is not turned on by default. Control
Panel, Programs and Features can be used to turn on this feature, which can then be used
from a command prompt, for example:

telnet 4.2.2.2 53

Networking 201: TCP/IP Networking Model - Page 138


Activity 3 Output Example
Application Layer

139

This shows the expected output from Activity 3. The server with IP address 4.2.2.2 is not
listening on port 80 so the connection failed. The connection using port 53 is successful.
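As an added example tying the port-number slide to Activity 3 (Python, not part of the course), check_port does what `telnet host port` does, a plain TCP connect, and classifies the outcome the way the activity output is read (connection succeeds, is refused, or gets no answer); local_socket_demo binds a throw-away listener on the loopback address to show the same port reported as open while a process listens and as closed once it stops. The host 127.0.0.1 and the use of port 0 (let the operating system choose) are the example’s own choices; the course’s 4.2.2.2 is not contacted.

```python
import socket


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection the way `telnet host port` does and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # three-way handshake completed: a process is listening
    except ConnectionRefusedError:
        return "closed"        # host answered with RST: nothing is bound to that port
    except socket.timeout:
        return "filtered"      # no answer at all: typically dropped by a firewall
    except OSError:
        return "unreachable"   # no route, name resolution failure, etc.
    finally:
        sock.close()


def local_socket_demo():
    """Bind a throw-away listener on loopback, probe it, close it and probe again.

    Returns (port, result_while_listening, result_after_close). Binding port 0 asks the
    operating system for a free port, just as it picks a client's dynamic source port.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))
    server.listen(1)                       # the socket is now 127.0.0.1:<port> LISTENING
    port = server.getsockname()[1]
    while_listening = check_port("127.0.0.1", port)
    server.close()                         # no process listening: the kernel now answers with RST
    after_close = check_port("127.0.0.1", port)
    return port, while_listening, after_close


if __name__ == "__main__":
    # Activity 3 probes 4.2.2.2 on ports 80 and 53; this demo stays on the loopback address.
    port, before, after = local_socket_demo()
    print(f"127.0.0.1:{port} while listening: {before}; after close: {after}")
```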

Networking 201: TCP/IP Networking Model - Page 139


Security Issue: Protocols Need to Protect Data

Application Layer

Personally Identifiable Information (PII)
Financial Information

Data has value. It can be lost or stolen and then sold

When the TCP/IP communication protocols such as FTP, SMTP and HTTP were originally
developed there was little or no consideration given to protecting the data while it travelled
across insecure networks such as the Internet. As a consequence, the data could easily be
captured, read and modified.

These days we live in a world where highly sensitive and personal data regularly needs to be
transferred over insecure networks. This information needs protection against loss, theft and
unauthorised modification because in the wrong hands, it could be used for crimes such as
identity theft or extortion.

The original TCP/IP communication protocols are not fit for this purpose so it has been
necessary to find alternatives which offer appropriate levels of data protection.

Networking 201: TCP/IP Networking Model - Page 140


Security Issue: Protection for Data in Common
Communication Protocols
Application Layer

[Figure: the same payment form captured over HTTP, where the form data is readable, and over
HTTPS, where it is encrypted; see Cybersecurity Essentials: Cryptography]
141

In some cases, alternative protocols have been developed to provide encryption to protect
sensitive data travelling over insecure TCP/IP networks. For example, the TELNET protocol
that was used to provide remote logins has been replaced by the Secure Shell (SSH) protocol
which encrypts all the data transmitted between the hosts including usernames and
passwords.

A more popular approach has been to utilise the Transport Layer Security (TLS) protocol and
its predecessor the Secure Sockets Layer (SSL). These protocols can be readily added in the
TCP/IP application layer (more specifically the OSI presentation layer) to bolt-on secure
communication offering data privacy and integrity. This bolt-on approach means that a
highly secure connection can be achieved whilst leaving the underlying communication
protocols such as HTTP, SMTP and SIP completely unchanged, apart from the requirement to
use a different port number as shown in a previous slide.

As shown, the same payment form data has been captured using Wireshark. In the insecure
HTTP example, the credit card details are clearly visible in the form data. In the secure
HTTPS example, the credit card details have been protected in the encrypted application
data of the Secure Sockets Layer. The use of strong encryption makes the reading and
modification of the data by an attacker impossible.

If you are interested in the use of cryptography to protect data then we recommend our
Cybersecurity Essentials: Cryptography courses.

Networking 201: TCP/IP Networking Model - Page 141


Course Review
Now that you have completed this course, you should:

Identify the function of each layer in the TCP/IP Networking model

Describe the devices and technologies used by each layer

Recognize the data formats used at each layer

Use Windows utilities and packet capture tools to view network activity

Continue

Here are the skills you should be able to take away from this course.

If you feel confident that you have met these objectives, click Continue to complete the quiz.

Networking 201: TCP/IP Networking Model - Page 142


Knowledge Check 1
Match the Layer to the type of data it transfers

Layers: Transport, Network, Data Link, Physical

Data types: Frame, Bits, Segment, Packet
Submit
143

Networking 201: TCP/IP Networking Model - Page 143


Knowledge Check 2
Match the layer to the network devices

Layers: Layer 3, Layer 2, Layer 1

Devices: NIC, Router, Switch

Submit
144

Networking 201: TCP/IP Networking Model - Page 144


Knowledge Check 3

Which of the following applications uses UDP?

Web (HTTP) Web (HTTPS) Email (SMTP)

Name Resolution (DNS) Address Resolution (ARP)

Submit

145

Networking 201: TCP/IP Networking Model - Page 145


Knowledge Check 4
Match the application protocol to the port number
it uses

Protocols: HTTPS, HTTP, DNS, SMTP

Port numbers: 25, 53, 80, 443
Submit
146

Networking 201: TCP/IP Networking Model - Page 146


Knowledge Check 5

Enter the command that would display cached resolutions of IP addresses and their
corresponding MAC addresses

Submit
147

Networking 201: TCP/IP Networking Model - Page 147


TRAINING FEEDBACK

Feedback is always welcome


Please email globaltraining@sophos.com

150

Feedback on our courses is always welcome.

Please email us at globaltraining@sophos.com with your comments.

Networking 201: TCP/IP Networking Model - Page 150


Next Steps
If you want to learn more about networking we recommend:

202 IP and Routing

203 Name Resolution

151

If you want to learn more about networking we recommend:

• 202: IP and Routing looks in detail at IPv4 addresses and the way these are used to route
packets. It also provides an overview of IPv6
• 203: Name Resolution looks at the types of names that are used for network devices and
the methods that can be used to resolve these to their IP address

The courses also highlight cybersecurity issues and ways to mitigate them.

Networking 201: TCP/IP Networking Model - Page 151


Series Feedback – What Do You Want to See?

Currently Available
Cryptography
101: Getting Started with Cryptography
201: Cryptography in Depth
202: Working with Digital Certificates
203: Understanding Ciphers
Wireless
101: Getting Started
Networking
101: Getting Started with Networking
201: TCP/IP Network Model

Under Development
Networking
202: IP and Routing
203: Name Resolution

Planned
› Perimeter Security
› Mobile Devices
› Windows Operating Systems
› Microsoft Active Directory
› Security Threats
› Public Cloud Platforms

Email globaltraining@sophos.com with your suggestions and feedback

Back to Hub
152

The courses in this series are designed for individuals with no prior knowledge of the topics.

Here is a list of currently available courses in this series.

Additionally, we have a number of courses that are being developed and will be made
available soon.

We also have a list of planned courses we would like to add to this series.

If you would like to suggest a topic for a course for inclusion or to provide any feedback on
this series then please email us at globaltraining@sophos.com

Networking 201: TCP/IP Networking Model - Page 152


Networking 201: TCP/IP Networking Model - Page 153
Command reference from the course activities (extracted from the activity sheets):

ipconfig /all

arp -a
arp -d *
arp -a
ping 4.2.2.2
arp -a

Telnet web tool: https://www.adminkit.net/telnet.aspx
