Home About Tools Projects Guides & Blog ⚡ Hire Me ✦ Websites Contact →
🌐 Networking

The OSI Model Explained: All 7 Layers with Real-World Examples

Published 1 January 2024 · Updated March 2025
Jack Davies
jackdjd.com
8 min read

The Open Systems Interconnection (OSI) model is a conceptual framework that breaks down how data travels across a network into seven distinct layers. It was developed to standardise how different systems communicate, regardless of the hardware or vendor involved.

If you work in IT, networking or security, the OSI model is the shared language for diagnosing network issues and understanding where in the stack something is going wrong.

💡
Mnemonic, remember all 7 layers
A common way to remember the layers from top (7) to bottom (1): All People Seem To Need Data Processing
A
Application
L7
P
Presentation
L6
S
Session
L5
T
Transport
L4
N
Network
L3
D
Data Link
L2
P
Physical
L1

The 7 Layers, Interactive Reference

📚 Click each layer to expand
7
Application Layer User-facing network services

The Application layer is the topmost layer and the one end users interact with directly. It provides network services to applications, it doesn't refer to the applications themselves, but to the protocols that let applications communicate over a network. This is where web browsing, email, file transfers, and DNS all live.

Common Protocols
HTTP / HTTPS FTP SMTP DNS SSH SNMP IMAP / POP3 LDAP
Security Threats
Phishing SQL Injection XSS DNS Spoofing Malware delivery
6
Presentation Layer Translation, encryption & compression

The Presentation layer is responsible for translating data between the application layer and the network. It handles data format conversion, character encoding (e.g. ASCII), compression, and crucially, encryption and decryption. TLS/SSL encryption operates here, making it central to securing data in transit.

Key Functions
TLS / SSL ASCII / EBCDIC encoding JPEG / PNG / MPEG Data compression Encryption / Decryption
Security Threats
SSL Stripping Malformed data attacks Weak cipher exploitation
5
Session Layer Connection management between devices

The Session layer establishes, maintains, and terminates communication sessions between devices. A session is a persistent connection for the duration of a conversation, for example, when you browse a website, a session is created and kept alive while you interact with it. This layer also handles session checkpointing and recovery if a connection drops mid-transfer.

Common Protocols
RPC PPTP SCP SDP NetBIOS Sockets / WinSock
Security Threats
Session Hijacking Session Fixation Man-in-the-Middle
4
Transport Layer Reliable full data delivery · TCP & UDP

The Transport layer is responsible for reliable full data delivery between devices. It handles segmentation (breaking data into chunks), flow control, error checking, and reassembly. The two key protocols here are TCP (connection-oriented, guaranteed delivery) and UDP (connectionless, fast but no delivery guarantee). Port numbers also live at this layer, they identify which application should receive incoming data.

TCP vs UDP
TCP, Reliable
Connection-oriented · Three-way handshake · Guaranteed delivery · Used for: HTTP, SMTP, SSH
UDP, Fast
Connectionless · No handshake · No delivery guarantee · Used for: DNS, streaming, VoIP, gaming
Security Threats
SYN Flood (TCP) UDP Flood Port Scanning Connection hijacking
3
Network Layer Routing, IP addressing & path selection

The Network layer handles logical addressing and routing, determining the best path for data to travel from source to destination across multiple networks. It assigns IP addresses (IPv4 and IPv6) and uses routers to forward packets. Unlike the Data Link layer which handles communication on a single network segment, the Network layer enables communication between different networks entirely.

Common Protocols & Devices
IPv4 / IPv6 ICMP OSPF BGP Routers Layer 3 Switches
Security Threats
DDoS Attacks IP Spoofing ICMP Flood (Ping flood) Route Hijacking
2
Data Link Layer Node-to-node transfer · MAC addressing · LLC & MAC sublayers

The Data Link layer handles communication between devices on the same network segment. It divides data into frames and assigns each device a MAC (Media Access Control) address for identification within the local network. This layer has two sublayers: LLC (Logical Link Control) which manages flow and error control, and MAC (Media Access Control) which governs access to the transmission medium and manages which device can transmit at any given time.

Common Protocols & Devices
Ethernet (IEEE 802.3) Wi-Fi (IEEE 802.11) PPP ARP Switches Bridges
Security Threats
MAC Spoofing ARP Poisoning VLAN Hopping Switch flooding
1
Physical Layer Raw bit transmission over physical media

The Physical layer is the foundation of the OSI model, it deals with the actual transmission of raw bits (1s and 0s) over a physical medium. This includes the cables, connectors, signal voltages, radio frequencies, and hardware specifications that make communication physically possible. Network topology (bus, star, ring, mesh) and transmission modes (simplex, half-duplex, full-duplex) are also defined at this layer.

Hardware & Media
Ethernet cables (Cat5e/6) Fibre optic Wi-Fi (radio) Hubs / Repeaters NICs Modems
Topologies
⭐ Star , Bus ⭕ Ring ⬡ Mesh
Security Threats
Wiretapping Hardware tampering Signal jamming Physical theft

How Data Actually Travels

📡 Data Flow

When you send data, say, loading a webpage, it travels down the OSI stack on the sending device (being encapsulated at each layer), across the network, and then back up the stack on the receiving device (being de-encapsulated). Each layer adds its own header information on the way down, and strips it on the way up.

Data Encapsulation Flow
Sender
L7 Application
L6 Presentation
L5 Session
L4 Transport
L3 Network
L2 Data Link
L1 Physical
Encapsulates ↓
→→→
Network
Raw bits
010110
101001
L1 Physical
→→→
Receiver
L1 Physical
L2 Data Link
L3 Network
L4 Transport
L5 Session
L6 Presentation
L7 Application
De-encapsulates ↑
Each layer adds a header going down · Each layer removes its header coming up
ℹ️
Encapsulation terminology
The data unit has a different name at each layer: Data (L7-5) → Segment (L4) → Packet (L3) → Frame (L2) → Bits (L1). These terms come up frequently in networking documentation and vendor tools.

Why It Matters for Security

Security threats don't operate at a single layer, they target specific weaknesses at each level of the stack. Understanding which layer an attack operates at helps you choose the right defence:

L7
Web Application Firewalls (WAF) inspect and filter HTTP traffic, operating at the Application layer to block SQL injection, XSS, and other application-layer attacks.
L6
TLS/SSL certificates provide encryption at the Presentation layer, ensuring data in transit is unreadable if intercepted.
L4
Firewalls with port filtering operate at the Transport layer, blocking or allowing traffic based on TCP/UDP port numbers.
L3
DDoS mitigation and IP filtering operate at the Network layer, dropping traffic from spoofed or malicious IP addresses before it consumes processing capacity.
L2
Dynamic ARP Inspection and port security defend against MAC spoofing and ARP poisoning attacks at the Data Link layer.

References: BMC, OSI Model 7 Layers · Link11, Network Layer

Networking OSI Model TCP/IP Protocols Network Security Cybersecurity
J
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.

About Jack → LinkedIn →
// monthly tips

Get M365 tips in your inbox

Practical Intune and Microsoft 365 tips, once a month. No spam, no fluff.