Lab 01: OSI Model Deep Dive

🎯 Objective

Understand the 7 layers of the OSI model by using real network tools to observe each layer in action. By the end of this lab, you will be able to map network activities to specific OSI layers and explain why layering matters for security.

📚 Background

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes how different network systems communicate. Think of it like the postal system: you write a letter (application layer), put it in an envelope (presentation/session), hand it to a postal worker (transport), who routes it through the postal network (network), puts it on a truck (data link), and drives on a road (physical).

There are 7 layers:

  • Layer 7 – Application: What users interact with (HTTP, DNS, FTP)

  • Layer 6 – Presentation: Data format, encryption, compression (TLS/SSL)

  • Layer 5 – Session: Managing connections between applications

  • Layer 4 – Transport: End-to-end delivery, ports (TCP, UDP)

  • Layer 3 – Network: IP addressing and routing

  • Layer 2 – Data Link: MAC addresses, switches, frames

  • Layer 1 – Physical: Cables, Wi-Fi signals, bits

Security professionals use the OSI model to identify where an attack is happening and where a control belongs. A SYN flood or volumetric DDoS targets Layer 3/4, an HTTP flood or injection attack targets Layer 7, and phishing arrives through Layer 7 protocols (email, HTTP) to attack the user behind them. Understanding layers helps you choose the right defense.

⏱️ Estimated Time

45 minutes

📋 Prerequisites

  • Basic familiarity with Linux command line

  • Docker installed and innozverse-cybersec image available

🛠️ Tools Used

  • curl — Application layer (HTTP requests)

  • ip — Network and Data Link layer inspection

  • ss / netstat — Transport layer socket info

  • cat /proc/net/dev — Physical/Data Link interface stats

🔬 Lab Instructions

Step 1: Observe Layer 7 (Application) — HTTP with curl

The Application layer is what end-users see. HTTP is a Layer 7 protocol, and curl lets us see the raw HTTP conversation (request line, headers, body) at this layer; curl -v prints both the request it sends and the response headers it gets back.

📸 Verified Output:

💡 What this means: These are HTTP response headers from the web server. HTTP/1.1 200 OK means the server understood our request and responded successfully. Content-Type: text/html tells the browser how to render the content. The CF-RAY header reveals that the site sits behind Cloudflare (a CDN), which is exactly the kind of fingerprint an attacker's reconnaissance reads first. This is purely Layer 7 information: the application-level conversation, with no IP addresses or ports in sight.

Step 2: Observe Layer 4 (Transport) — TCP Sockets with ss

The Transport layer handles end-to-end communication using ports. TCP provides reliable, ordered delivery; UDP does not. Let's see what transport-layer sockets are active.

📸 Verified Output:

💡 What this means: ss -tuln shows TCP (-t) and UDP (-u) sockets that are listening (-l), with numeric ports instead of service names (-n). In a fresh container there are no listening services, so only the column header is printed. On a real server you'd see ports like 22 (SSH), 80 (HTTP), 443 (HTTPS) listed here, and every one of them is something a port scan will find: the list of listening sockets is the host's network attack surface. The port number is the Layer 4 concept; together with the IP addresses it tells the OS which application should receive the data. Drop -l (ss -tun) to see established connections instead of listeners.

Step 3: Create a TCP Connection to See Layer 4 in Action

Let's demonstrate a TCP connection using netcat (nc):

πŸ“Έ Verified Output:

💡 What this means: We created a TCP connection on port 9999. The server listened (nc -l -p 9999) and the client connected to 127.0.0.1:9999. TCP performed a 3-way handshake (SYN → SYN-ACK → ACK) before any data moved, then data was exchanged; running ss -tn in a third shell while the session is open shows the connection in the ESTAB state with both endpoints on 127.0.0.1. This is Layer 4 (transport) using Layer 3 (IP address 127.0.0.1) to get there.

Step 4: Observe Layer 3 (Network) — IP Routing

The Network layer handles IP addressing and routing: deciding HOW data gets from point A to point B, hop by hop, across networks.

📸 Verified Output:

💡 What this means: This is the routing table, the Layer 3 map, as printed by ip route. default via 172.17.0.1 means "for any IP I don't have a more specific route to, send it to 172.17.0.1 (the gateway/router)." The 172.17.0.0/16 line means "IPs in this subnet are on-link; I can reach them directly via eth0 without a gateway." The /16 is the subnet mask: the first 16 bits are the network address, leaving 16 bits for hosts (65,536 addresses, or 65,534 usable once the network and broadcast addresses are excluded). The kernel always picks the most specific matching route, which is why the /16 wins over the default for 172.17.x.x. Whoever controls the default gateway entry controls everything leaving the subnet, which is exactly what a rogue DHCP server or a poisoned route sets out to change.
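To make the routing decision concrete, here is an added example (not part of the lab) that parses the two routes described above from a constructed `ip route` sample and performs the same longest-prefix match the kernel does, reporting the next hop and the address the host will ARP for at Layer 2. The source address 172.17.0.2 in the sample is assumed; the lab output above does not show it.

```python
import ipaddress

# Constructed sample of `ip route` output, matching the two routes the lab describes.
# Not captured from the lab container; the "src 172.17.0.2" value is assumed.
SAMPLE_ROUTES = """\
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, next_hop, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        next_hop = fields[fields.index("via") + 1] if "via" in fields else None
        device = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((network, next_hop, device))
    return routes

def lookup(routes, destination):
    """Longest-prefix match: the most specific matching route wins, as in the kernel."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, next_hop, device in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, device)
    if best is None:
        raise LookupError(f"no route to {destination}")
    network, next_hop, device = best
    # An on-link route has no next hop: the host ARPs for the destination itself.
    # Otherwise the Layer 2 frame is addressed to the gateway's MAC while the
    # Layer 3 destination address stays the far-end IP.
    return {"network": str(network), "next_hop": next_hop, "dev": device,
            "arp_target": destination if next_hop is None else next_hop}

def usable_hosts(cidr):
    """Host addresses in a subnet of /30 or larger, excluding network and broadcast."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("172.17.0.5", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("/16 usable hosts:", usable_hosts("172.17.0.0/16"))
```

During an incident, compare the live `ip route` output against what the table should look like: an unexpected default route or a new, more specific route for a sensitive subnet is a classic sign that traffic is being redirected.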

Step 5: Observe Layer 2 (Data Link) — MAC Addresses with ip link

The Data Link layer uses MAC addresses to deliver frames within a local network segment. Every network interface carries a 48-bit MAC address. It is meant to be unique, but it is a software-visible setting rather than a hardware secret, and it can be changed (ip link set ... address), so MAC-based filtering is not authentication.

📸 Verified Output:

💡 What this means: lo is the loopback interface (127.0.0.1), which delivers traffic back to the same host without touching a network. eth0 is the container's network interface with MAC address 62:ef:c5:e9:ab:9a. The second-lowest bit of the first octet (0x62) is set, which marks the address as locally administered: Docker generated it when it created the interface, rather than a vendor burning it into a NIC. MAC addresses are used at Layer 2 only. Unlike IP addresses (Layer 3), they do not cross routers; a frame's source and destination MACs are rewritten at every router hop, so they only identify the sender and receiver on a single network segment.
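The bit layout of a MAC address is easy to check by hand. The following added example (not part of the lab) validates MAC addresses, decodes the individual/group and universal/local bits of the first octet, and pulls the interfaces out of a constructed `ip -o link` sample. The eth0 MAC in the sample is the one quoted above; the `@if5` peer index and the rest of the sample lines are assumed.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.IGNORECASE)

def parse_mac(text):
    """Return the six octets of a MAC address as bytes, or raise ValueError."""
    match = MAC_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(h, 16) for h in match.groups())

def describe_mac(text):
    """Decode the two flag bits of the first octet plus the vendor prefix (OUI)."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),
        "multicast": bool(first & 0x01),           # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = not vendor-assigned
        "broadcast": octets == b"\xff" * 6,
    }

# Constructed sample of `ip -o link` output (one interface per line). The eth0 MAC is
# the one quoted in the lab text; everything else on these lines is assumed.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN \\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP \\    link/ether 62:ef:c5:e9:ab:9a brd ff:ff:ff:ff:ff:ff
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@]+)(?:@\S+)?:.*?link/(\w+)\s+([0-9a-f:]{17})")

def interfaces_from_ip_link(text):
    """Map interface name -> link type plus the decoded MAC flags."""
    result = {}
    for line in text.splitlines():
        match = LINK_RE.search(line)
        if match:
            name, kind, mac = match.groups()
            result[name] = {"kind": kind, **describe_mac(mac)}
    return result

if __name__ == "__main__":
    for name, info in interfaces_from_ip_link(SAMPLE_IP_LINK).items():
        print(name, info)
```

A locally administered address is normal for container and VM interfaces, but on a physical LAN a host whose MAC suddenly flips to a locally administered value, or whose OUI no longer matches the hardware you inventoried, is worth a second look: that is what MAC spoofing looks like from the switch's point of view.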

Step 6: Observe Layer 1 (Physical) — Interface Statistics

Layer 1 is the physical medium: cables, Wi-Fi signals, the bits themselves. We cannot see the signals from inside a container, but the kernel's per-interface counters record what the lower layers handed up, including bytes received and transmitted and the errors and drops that indicate trouble below Layer 3.

📸 Verified Output:

💡 What this means: This is the counter table from /proc/net/dev. eth0 has received 1108 bytes across 10 packets and sent 706 bytes. The errs and drop columns count frames that arrived damaged or were discarded. On real hardware a climbing errs count points to a physical-layer problem (bad cable, signal interference, a failing NIC), while drop usually means the kernel's receive buffers were overrun. Inside a container eth0 is one end of a virtual veth pair, so there is no cable to fail; 0 errors here simply says the virtual link is clean. Check the same columns on the host's physical interface during an incident: a sudden rise in drops can be congestion or a flood aimed at the host.
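The /proc/net/dev table is fixed-format and easy to parse, which makes it a handy input for a quick health check. This added example (not from the lab) parses a constructed sample that reproduces eth0's 1108 received bytes, 10 received packets and 706 transmitted bytes from above; the transmitted packet count and the eth1 row with errors are invented so the check has something to flag.

```python
# Constructed /proc/net/dev sample. eth0 matches the figures quoted in the lab
# (rx 1108 bytes / 10 packets, tx 706 bytes); the tx packet count and the eth1
# row are invented to give the health check something to report.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:    1108      10    0    0    0     0          0         0      706       9    0    0    0     0       0          0
  eth1:   52310     412    3    7    0     3          0         0    18760     200    0    0    0     0       0          0
"""

RX_FIELDS = ("rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo",
             "rx_frame", "rx_compressed", "rx_multicast")
TX_FIELDS = ("tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo",
             "tx_colls", "tx_carrier", "tx_compressed")
# Counters that should stay at zero on a healthy link; frame/carrier/colls are
# Layer 1/2 symptoms, errs and drop can also come from kernel buffer pressure.
PROBLEM_FIELDS = ("rx_errs", "rx_drop", "rx_frame", "tx_errs", "tx_drop",
                  "tx_colls", "tx_carrier")

def parse_proc_net_dev(text):
    """Map interface name -> dict of the 16 counters, skipping the two header lines."""
    stats = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        values = [int(v) for v in rest.split()]
        if len(values) != 16:
            raise ValueError(f"unexpected column count for {name.strip()}: {len(values)}")
        stats[name.strip()] = dict(zip(RX_FIELDS + TX_FIELDS, values))
    return stats

def link_problems(stats):
    """Interfaces whose error or drop counters are non-zero, with the offending counters."""
    problems = {}
    for name, counters in stats.items():
        bad = {k: counters[k] for k in PROBLEM_FIELDS if counters[k]}
        if bad:
            problems[name] = bad
    return problems

def read_live():
    """Parse the real /proc/net/dev when available (Linux only); empty dict otherwise."""
    try:
        with open("/proc/net/dev") as f:
            return parse_proc_net_dev(f.read())
    except OSError:
        return {}

if __name__ == "__main__":
    sample = parse_proc_net_dev(SAMPLE_PROC_NET_DEV)
    print("sample problems:", link_problems(sample))
    print("live problems:", link_problems(read_live()))
```

Run it twice a few seconds apart and diff the counters: byte and packet deltas give you throughput per interface without any capture tooling, and a jump in rx_drop that is not matched by a jump in rx_bytes on the host often means packets are being thrown away before the kernel can even see them.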

Step 7: Understand the Security Implications of Each Layer

Different attacks target different layers:

📸 Verified Output:

💡 What this means: Each layer has its own attack surface. A Web Application Firewall (WAF) defends Layer 7. A firewall defends Layer 3/4. Encryption (TLS) protects Layer 6. Physical security protects Layer 1. Defense-in-depth means protecting every layer.

Step 8: Trace a Complete Request Through All Layers

Let's make an HTTP request and think through each layer it passes through:

📸 Verified Output:

💡 What this means: Watch how the layers stack. DNS, itself a Layer 7 protocol, resolved example.com to 93.184.216.34, the Layer 3 address the packets were then sent to. TCP connected to port 80 (Layer 4 transport). Then the HTTP GET request was made (Layer 7 application). All 7 layers worked together invisibly. Because this request used port 80 rather than 443, there was no TLS at Layer 6: the entire exchange travelled in plaintext and was readable by every device on the path.
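Steps 1, 3 and 8 all describe the same stack: an HTTP message (Layer 7) inside a TCP connection (Layer 4) between two IP addresses (Layer 3). The following added example, which is not part of the lab, reproduces that stack offline: it starts a small stand-in web server on the loopback interface, sends a hand-written HTTP/1.1 GET over a raw TCP socket, and returns what each layer contributed. The DNS step is replaced by a literal loopback address, and the DemoHandler class and demo() function are this example's own names.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for the remote web server: answers any GET with a small HTML page."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"<html><body>hello from layer 7</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_server():
    """Bind to 127.0.0.1 (Layer 3) on port 0 so the kernel picks a free port (Layer 4)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def http_get(host, port, path="/"):
    """Send one HTTP/1.1 GET over a raw TCP socket and report what each layer contributed."""
    # create_connection performs the TCP three-way handshake (Layer 4 over Layer 3)
    with socket.create_connection((host, port), timeout=5) as sock:
        local_ip, local_port = sock.getsockname()[:2]
        peer_ip, peer_port = sock.getpeername()[:2]
        # Layer 7: the request is plain text on the wire, no TLS on this connection
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # server closed the connection: response is complete
                break
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "layer3": {"src_ip": local_ip, "dst_ip": peer_ip},
        "layer4": {"protocol": "tcp", "src_port": local_port, "dst_port": peer_port},
        "layer7": {"version": version, "status": int(status), "reason": reason,
                   "headers": headers, "body": body},
    }

def demo():
    """Run the client against the local stand-in server and return the layered view."""
    server = start_server()
    try:
        return http_get("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

While the script runs, `ss -tn` on the same host shows the connection as ESTAB with 127.0.0.1 on both ends and the two ports reported under layer4; the request text sent by http_get is byte-for-byte what a packet capture would show, which is the point of the port-80 caveat above.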

Step 9: Examine DNS — the Address Book of the Internet

DNS (Domain Name System) is a Layer 7 protocol, normally carried over UDP port 53, whose job is to turn names into the IP addresses that Layer 3 needs:

📸 Verified Output:

💡 What this means: DNS returned 142.251.34.142 as the IP for google.com. The A record is IPv4, AAAA is IPv6, MX is the mail server. Without DNS you'd have to memorize IP addresses instead of domain names. This is why DNS poisoning attacks are so dangerous: an attacker who can corrupt DNS can redirect you to fake websites while your browser still shows the right name. Classic DNS carries no authentication of replies, so resolvers defend themselves by randomizing the transaction ID and source port of each query and accepting only replies that match an outstanding question; DNSSEC adds signatures on the records themselves, and DNS over TLS/HTTPS protects the query in transit.
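To see what a DNS message actually contains, and where the anti-poisoning checks sit, here is an added example (not part of the lab) that builds an A query by hand, parses a reply including compressed names, and rejects replies whose transaction ID or question do not match the outstanding query. The reply bytes are constructed locally by build_a_response so the code runs offline; the google.com address is the one quoted above, and a reply with a mismatched ID stands in for an off-path attacker's spoofed packet.

```python
import ipaddress
import secrets
import struct

def random_txid():
    """Unpredictable 16-bit transaction ID; predictable IDs make reply spoofing easy."""
    return secrets.randbits(16)

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid):
    """DNS header (RD set, one question) followed by an A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_a_response(data, expected_txid, expected_name):
    """Return the A records in a reply, after the checks that defeat blind spoofing."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):  # the echoed question must be the one we asked
        qname, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        if qname.lower() != expected_name.rstrip(".").lower() or (qtype, qclass) != (1, 1):
            raise ValueError("question section does not match what we asked")
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, IN class
            addresses.append(str(ipaddress.IPv4Address(rdata)))
    return addresses

def accepts(data, expected_txid, expected_name):
    """True if the reply passes validation, False if the resolver would discard it."""
    try:
        parse_a_response(data, expected_txid, expected_name)
        return True
    except ValueError:
        return False

def build_a_response(query, ips, ttl=300, txid=None):
    """Constructed reply for offline use: echoes the question and answers with the given IPs.
    Passing a different txid simulates a spoofed packet from an off-path attacker."""
    txid = struct.unpack("!H", query[:2])[0] if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:  # 0xC00C points back at the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + answers

if __name__ == "__main__":
    txid = random_txid()
    query = build_query("google.com", txid)
    print(parse_a_response(build_a_response(query, ["142.251.34.142"]), txid, "google.com"))
```

The transaction ID is only 16 bits, which is why real resolvers also randomize the UDP source port and why a matching ID alone is weak evidence; this example enforces the ID and question checks and leaves the port check to the socket layer.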

Step 10: OSI Layer Summary Challenge

Let's verify your understanding:

📸 Verified Output:

💡 What this means: Each of these is a real-world security concern. HTTPS (Layer 6) protects data in transit. ARP poisoning (Layer 2) enables man-in-the-middle attacks. Port-based firewalls work at Layer 4. Understanding which layer an attack targets tells you which defense to deploy.

✅ Verification

Run this final check to confirm you understand the OSI model:

📸 Verified Output:

🚨 Common Mistakes

  • Confusing Layer 7 with "everything": People often think security is only about web apps (Layer 7). Physical security, network segmentation, and protocol security are equally important.

  • Forgetting that layers depend on each other: HTTPS (Layer 6/7) still travels over TCP (Layer 4) and IP (Layer 3). Breaking a lower layer breaks everything above it.

  • Assuming encryption makes you safe at all layers: TLS protects the Layer 6 payload, but an ARP poisoning attack (Layer 2) still puts the attacker in the path of the traffic. From there they can read everything that is not encrypted (DNS queries, hostnames in the TLS handshake, connection metadata), strip or downgrade TLS on connections that do not enforce it, or present a forged certificate and hope the client does not validate it. Encryption limits what an interceptor can read; it does not stop the interception.

📝 Summary

  • The OSI model has 7 layers, each responsible for a specific aspect of network communication

  • Each layer has its own security concerns and attack surface — defense-in-depth means protecting every layer

  • Tools like curl, ip, ss, and dig let us directly observe different OSI layers in action

  • When analyzing a security incident, identifying the OSI layer helps determine the correct response and defense

🔗 Further Reading
