Layers of the Network: How do they work?
A DETAILED GUIDE TO UNDERSTANDING THE LAYERS OF THE
NETWORK AND THEIR VARIOUS FUNCTIONS

Ryan Csuha | Networking Fundamentals | 3/18/2018


Intro to the layers
There are five different layers in the five-layer network model, unlike the seven
that are present in the OSI model. The five-layer model includes the:

Application Layer

Transport Layer

Network Layer

Data Link Layer

Physical Layer

Each layer has a specific responsibility in ensuring that data is delivered quickly, intact,
and with no errors. This guide explains each layer thoroughly and shows how they all
connect to each other.

The Physical Layer
The Physical Layer is the lowest layer in the stack, that is, the order in which the 5
layers are stacked. The physical layer is the means by which bits are sent across networks,
such as twisted pair cabling, RJ-45 ports, routers, and various other devices. Bits, or binary
1’s and 0’s, make up the headers and payloads of frames and data packets at higher levels in
the stack. These are sent across a network through cables by modulating electric signals.
The most common type of cable for connecting network-enabled devices is twisted pair
network cabling. This type of cable is often shielded and prevents crosstalk issues during
data transmission. These cables allow for full duplex communication, which means that they
can communicate in two directions between devices. A pair or two is normally reserved for
communication in one direction, while the other pairs are reserved for communication in
the other direction. This is what allows for full duplex communication. Without this
capability, networking would be very different from its current state. These cables end in
RJ-45, or Registered Jack 45, plugs. These are the most common types of cables used for
connecting devices together. You can directly connect an RJ-45 plug into a modem, but you
can also connect a device to another device that has many RJ-45 ports, such as a router or
switch, which can connect many devices. These ports have lights that represent link and
activity. Link is active when 2 devices are connected and powered, and activity flashes when
data is being sent. This layer is the base upon which all other layers depend. Without
the physical layer, the functions of other layers are useless because devices wouldn’t be
connected.

[Figure: A shielded twisted pair cable that has been exposed to show the pairs and shielding]

[Figure: An RJ-45 port on a laptop with an RJ-45 twisted pair cable connected to it]

The Data Link Layer
This layer is where Ethernet and MAC addresses come into the fold. The most common
protocol to send data packets is Ethernet. This layer and protocol help layers higher in
the stack send data more easily. This layer is especially important because it handles the
elements of the physical layer so anything from the network layer up can worry about its
own functions and responsibilities. Since the other layers won’t have to worry about how
the physical layer works, they can communicate identically, so network communication
is a singular, painless process.

Another important job of this layer is to detect when wires are clear and data can be sent.
Early Ethernet had to share a single collision domain, where only one device could talk at
a time. This increased demand for network access, and would lead to physical bits, or
electric signals, colliding when one device thought a line was clear when it really wasn’t.
This conflict would leave undecodable data. A solution was invented for this as Ethernet
technology progressed, called carrier sense multiple access with collision detection. Also
called CSMA/CD, this is used to detect when a line is clear and tells the data link layer
when data can be sent without collision, and the data link layer in turn informs the other
layers. When a collision is detected, CSMA/CD tells the computer to stop transmitting data
since it is all being destroyed by bit collisions.

On this level, MAC addresses are also introduced. MAC addresses are unique identifiers
assigned to network interfaces. They are comprised of 48 bits grouped into 6 groups of 2
hexadecimal numbers each and separated by colons. For example, “11:22:33:44:55:66”. There
are almost 300 trillion possible MAC addresses for devices. MAC addresses are very
important for casts on this layer, and ARP on the network layer. There are 3 types of casts
on the data link layer: unicast, multicast, and broadcast. A unicast transmission is only
meant for one device on a network. If the least significant bit of a MAC is 0, a unicast
transmission is sent to all devices on a network, but only received and handled by one
device. A multicast’s least significant bit is also one, and they too are sent to all devices
on a network but discarded or accepted based on certain criteria. A broadcast is, again,
sent to all devices on a LAN as well. A destination MAC on a broadcast that is
“FF:FF:FF:FF:FF:FF” means all devices will look at it and respond to the source if it has
the MAC that machine is looking for. This becomes very important in the next layer with
the ARP protocol.

The final part of the data link layer, and perhaps the most important part here, is Ethernet
frames. These are the beginning of the encapsulation process, which holds all the data
packets being sent. To start with, a data packet is a singular set of binary data being sent
across a network link. These packets on the data link and Ethernet level are called Ethernet
frames. These packets are highly structured and presented in a specific order. Most of the
sections of an Ethernet frame are required, and need to be a set, fixed size.

1. The Preamble

This is the first part of an Ethernet frame. It is 8 bytes long, and the first 7 bytes are
alternating 1’s and 0’s. This is used as a buffer between frames and can be used by
the network to sync internal clocks and data sending speeds. The last bit is used as
a start frame delimiter, which signals the end of the preamble and the start of the
actual headers and content.

2. Destination MAC

This field contains the MAC address of the device that is intended to receive the
data packet.

3. Source MAC

This field contains the MAC address of the device that has sent the data packet, so
the receiving end knows what device it’s talking to.

4. EtherType

This field is 16 bits long and used to describe the protocol that the contents of the
frame are using. This field can also be used to indicate that it is a VLAN, or, Virtual
LAN frame. A VLAN is a concept that allows multiple LANs to be present on the
same physical network hardware.

5. The Payload

This is anything that is not a header and is where the actual data is. It can be
anywhere from 46 to 1500 bytes long.

6. Frame Check Sequence

This is a 4-byte number that holds a checksum for the entire frame. This is
calculated by performing a CRC, or cyclical redundancy check, against the Ethernet
frame. If no frame contents were changed, a CRC will give the same result against a
frame every time. This is attached to the frame and the frame is sent to the receiver.
When it arrives, the receiver runs a CRC on the frame as well, and if they both
match, the data has been delivered with no errors, corruption, or missing frame
headers.

With the Ethernet frames introduced, encapsulation at other layers is possible.
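The frame layout and the Frame Check Sequence comparison described above, as an added example that is not part of the original guide. It builds a frame from Destination MAC through FCS (the preamble is left out because network hardware handles it), then parses it and recomputes the CRC the way a receiver would. The source MAC and the payload are constructed sample values.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6

def mac_str(raw: bytes) -> str:
    """Format 6 raw bytes as colon-separated hexadecimal."""
    return ":".join(f"{b:02X}" for b in raw)

def cast_type(dst: bytes) -> str:
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    # The group bit is the least significant bit of the first octet.
    return "multicast" if dst[0] & 0x01 else "unicast"

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble destination, source, EtherType, payload and FCS (no preamble)."""
    if len(payload) > 1500:
        raise ValueError("payload longer than 1500 bytes")
    payload = payload.ljust(46, b"\x00")  # pad short payloads to the 46-byte minimum
    body = dst + src + struct.pack("!H", ethertype) + payload
    # Ethernet's CRC-32 is the one zlib computes; the FCS is appended
    # least significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields and recompute the FCS the way a receiver does."""
    if len(frame) < 6 + 6 + 2 + 46 + 4:
        raise ValueError("frame shorter than the 64-byte minimum")
    body = frame[:-4]
    (received_fcs,) = struct.unpack("<I", frame[-4:])
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": mac_str(body[0:6]),
        "src": mac_str(body[6:12]),
        "cast": cast_type(body[0:6]),
        "ethertype": ethertype,
        "payload": body[14:],
        "fcs_ok": zlib.crc32(body) == received_fcs,
    }

# Constructed sample: a broadcast frame with EtherType 0x0806 (ARP). The payload
# is placeholder text, not a real ARP message.
SAMPLE = build_frame(BROADCAST, bytes.fromhex("020000000001"), 0x0806,
                     b"placeholder payload")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    damaged = bytearray(SAMPLE)
    damaged[20] ^= 0x01  # one payload bit changed in transit
    print("FCS still matches:", parse_frame(bytes(damaged))["fcs_ok"])
```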

The Network Layer
The network layer is where many important things are introduced, such as IP
addresses, IP datagrams, ARP (Address Resolution Protocol), subnetting concepts and
CIDR, and how routing works. IP addresses are 32 bits long and have 4 octets in each
address. Each octet is shown in decimal numbers, such as “100.200.128.102”. A single octet
in an address can represent numbers 0 to 255. IP addresses are assigned to networks, not
the devices on the network. There are 2 different ways of assigning IP addresses:
dynamically and statically. IP addresses are assigned dynamically by using DHCP. IP
addresses assigned statically are configured and given manually. On the network layer, a
data packet is called an IP datagram. Like Ethernet frames, IP datagrams are highly
structured. In an IP datagram, there are 2 main sections: the header and the payload.
The maximum size of an IP datagram is 65,535 bytes. An IP datagram is structured like this:

1. Version

This field indicates which version of the IP protocol is being used, IPv4 or IPv6.
The most commonly used IP version is IPv4, which uses addresses such as
“100.200.200.100”.

2. Header Length

This field holds a value that represents the total length of the IP datagram
header.

3. Service Type

This field holds information relating to QoS, or Quality of Service. QoS is a
feature on many modern networks that lets you prioritize network
connectivity resources to a certain device. This is popular on networks where
online gaming and uploading files are commonly performed.

4. Total Length

Unlike the Header Length field which tells the length of the header, this field
tells the length of the entire IP datagram.

5. Identification

This is a 16-bit number used to string messages together after they are
transmitted.

6. Flags

The flag field is used to tell a device if an IP datagram can be divided into many
different datagrams, or if this process has already begun.

7. TTL, or, Time to Live

This field indicates how many hops, or, devices it can travel through before the
datagram is discarded. This field often contains useful info for network
diagnostics. For example, a TTL being too low might make a datagram be
discarded before it arrives at its intended destination on a network.

8. Protocol

This field indicates what protocol on the transport layer is being used. The
most common is TCP.

9. Header Checksum

This checksum is used in the same way an Ethernet frame’s checksum is: it is
calculated, attached to the datagram, and sent. If it matches the receiving end’s
checksum, the header is valid. This does not perform diagnostic checksums on
the payload of the datagram.

10. Source IP Address

This field contains the IP address assigned to the device that sent the
datagram.

11. Destination IP Address

This contains the IP of the device the datagram is intended for.

12. Options

This field isn’t used very much, and is generally used to set experimental
options for datagrams.

13. Padding

This field is a series of 0’s to ensure the header is the correct size. Since this
field is a fixed size, each datagram’s padding field should end at the same point
in each one, ensuring proper proportioning of the header data.
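The header fields listed above, as an added example that is not part of the original guide. It packs a 20-byte IPv4 header (no Options or Padding), decodes it again, verifies the Header Checksum, and shows why each hop that decrements the TTL must also recompute the checksum. The addresses and the Identification value are constructed sample values.

```python
import socket
import struct

HEADER_FORMAT = "!BBHHHBBH4s4s"  # the 20-byte header without Options or Padding

def checksum16(data: bytes) -> int:
    """Complement of the one's-complement sum of the data's 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold the carries back in
    return ~total & 0xFFFF

def build_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                 protocol: int = 6, ident: int = 0x1C46) -> bytes:
    """Build an IPv4 header (protocol 6 is TCP) with a valid Header Checksum."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0x4000, ttl, protocol,
              0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum16(struct.pack(HEADER_FORMAT, *fields))
    return struct.pack(HEADER_FORMAT, *fields)

def parse_header(raw: bytes) -> dict:
    """Decode the fixed fields and verify the Header Checksum."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, service, total_len, ident, flags_frag, ttl, protocol,
     _checksum, src, dst) = struct.unpack(HEADER_FORMAT, raw[:20])
    header_len = (ver_ihl & 0x0F) * 4  # Header Length counts 32-bit words
    if ver_ihl >> 4 != 4 or header_len < 20 or header_len > len(raw):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "header_len": header_len, "service_type": service,
        "total_len": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "ttl": ttl, "protocol": protocol,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        # Summing a valid header, checksum field included, yields zero.
        "checksum_ok": checksum16(raw[:header_len]) == 0,
    }

def forward(raw: bytes):
    """Act as one hop: discard on a bad checksum or expired TTL, otherwise
    decrement the TTL and recompute the checksum. Returns None when discarded."""
    hdr = parse_header(raw)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    n = hdr["header_len"]
    patched = bytearray(raw[:n])
    patched[8] -= 1                # TTL is byte 8 of the header
    patched[10:12] = b"\x00\x00"   # zero the checksum field before recomputing
    patched[10:12] = struct.pack("!H", checksum16(bytes(patched)))
    return bytes(patched) + raw[n:]

# Constructed sample header; the addresses are illustrative.
SAMPLE = build_header("10.0.0.5", "100.200.128.102", payload_len=20)

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print(parse_header(forward(SAMPLE))["ttl"])
```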

As discussed in the data link layer, this datagram, or data packet, is the payload section of
an Ethernet frame, just as a TCP segment would become the payload section of an IP
datagram. IP addresses have a network and a host ID. IP address classes determine where
IDs begin and end. A class A network has a first octet range of 1 to 126 and has 16,777,214
usable IP addresses. This number excludes 2 because 0 is generally not used, and one
address is reserved for broadcasting. This applies to all network classes. A class B network
uses 128 to 191 in the first octet and has 65,534 usable addresses. A class C network uses 192
to 223 in the first octet range and has a usable 254 addresses. Class D and E IP ranges are
reserved for special uses. This system, however, has mostly been replaced by CIDR, or
Classless Inter-Domain Routing.

On this layer, ARP, or Address Resolution Protocol, is also in use. This is used to get the
MAC address of a node that is assigned a specific IP address. A device would need this MAC
in order to complete a proper Ethernet frame, but if it doesn’t have a listing for that node
in its ARP table, it can’t do that. An ARP table is just a list of IPs and the MAC addresses
associated with them. This is where the broadcast and the MAC “FF:FF:FF:FF:FF:FF” are
used. The device sends a broadcast with that address and the destination IP, so when the
destination device sees its own IP in the packet, it can respond to the sender with its MAC,
which allows the sender to complete the Ethernet frame. The new device is then appended
to the ARP table.

Another important concept of the Network Layer is subnetting. This is the process of taking
a large network and dividing it into smaller subnetworks, or subnets. A gateway router is
the entry and exit point into a specific network, and it is responsible for making sure
packets reach their intended destination correctly. When a gateway is on a large network, it
has to direct packets towards the gateways of the subnet. On a subnet, a subnet ID is
calculated by a subnet mask. Subnet masks are 32 bits long, like IP addresses. The beginning
part of a subnet mask is the ID itself and is just followed by a string of 0’s. Bits that
would normally represent the host ID are used for the subnet ID. The parts of the subnet
mask that translate to 1 in binary tell us what the subnet ID is and what can be ignored
when calculating where host ID space is; the parts that are 0 in binary tell us where the
host ID space is. The use of a subnet mask is to tell us where the subnet ID is.

This picture best explains how this works. 255 translates to all 1’s in binary, telling us
that is where the subnet ID is and that it can be ignored when calculating the host ID space.
The host ID space is the very last octet: because it is not 1’s and translates to 0’s in
binary, that is the available host ID space. Regular subnetting, however, couldn’t fully keep
up with the ever-growing number of devices on the Internet. A concept called CIDR, or
Classless Inter-Domain Routing, was adopted to fix this. With CIDR, the network and subnet
ID become one, and the idea of IP classes is abandoned. CIDR uses subnet masks to mark
where networks begin and end and is also where slashes with a number next to IP
addresses come from. In the above picture, the number of on bits is 24, which means this
IP address would become “10.0.0.0/24” in CIDR notation. CIDR makes it easier for devices
to handle IP addresses and manage the sizes of networks.

The last important thing about this layer is routing. A router is a device that sends data
traffic to different places depending on its destination. The basic steps in routing are:

1. The router receives a data packet
2. The router examines the destination of the packet
3. The router looks up the destination IP address in its routing table
4. The router sends the packet to the destination if there is a direct connection
between the router and the destination. If not, it sends it to the next network
closest to the destination.

This process is repeated until the packet reaches its destination. During this process,
the TTL of the packet is decremented by 1 at each hop from one device to
another. In these steps, routing tables were also mentioned. Routing tables hold a list
of destination networks a router knows about. It helps routers know where to direct
traffic and which IPs on a destination network might be active. When a packet is
received, the router looks here and sees if it matches any IP address it has on file. If the
table doesn’t have an entry for the destination, it is added to the catchall entry.
Knowing the possible destinations helps the router choose the shortest route
to increase data sending and receiving speed. The table is updated to include changes in
networks such as offline networks, missing networks, or changes in the router’s
location.
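The subnet mask arithmetic, the CIDR notation and the routing table lookup described above, as an added example that is not part of the original guide. The routing table entries and next-hop addresses are constructed, and the lookup goes slightly beyond the text by picking the most specific matching network when several entries match, with 0.0.0.0/0 as the catchall entry.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Turn a dotted-decimal address or mask into its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))

def mask_to_prefix(mask: str) -> int:
    """Count the 1 bits of a subnet mask, rejecting masks with a 1 after a 0."""
    value = to_int(mask)
    prefix = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix

def split_address(ip: str, mask: str):
    """AND with the mask for the subnet ID, AND with its inverse for the host ID."""
    addr, bits = to_int(ip), to_int(mask)
    subnet_id = str(ipaddress.IPv4Address(addr & bits))
    host_id = addr & ~bits & 0xFFFFFFFF
    return subnet_id, host_id

def to_cidr(ip: str, mask: str) -> str:
    """Write the network an address belongs to in CIDR notation."""
    return f"{split_address(ip, mask)[0]}/{mask_to_prefix(mask)}"

def usable_hosts(prefix: int) -> int:
    """Size of the host ID space minus the 2 addresses the text excludes."""
    return max(2 ** (32 - prefix) - 2, 0)

# Constructed routing table: (destination network, where to send the packet).
ROUTES = [
    ("10.0.0.0/24", "directly connected"),
    ("10.0.0.0/8", "192.168.1.2"),
    ("0.0.0.0/0", "192.168.1.1"),  # catchall entry
]

def lookup(destination: str, routes=ROUTES) -> str:
    """Return the next hop of the most specific network containing the address."""
    addr = ipaddress.IPv4Address(destination)
    matches = [(ipaddress.IPv4Network(net), hop) for net, hop in routes
               if addr in ipaddress.IPv4Network(net)]
    if not matches:
        raise LookupError("no matching network and no catchall entry")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    print(to_cidr("10.0.0.57", "255.255.255.0"), usable_hosts(24))
    for dest in ("10.0.0.57", "10.9.9.9", "100.200.128.102"):
        print(dest, "->", lookup(dest))
```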

The Transport Layer
The transport layer is responsible for the multiplexing and demultiplexing of traffic, and
making long-term connections, while ensuring data sent and received is intact. Multiplexing
is when nodes have the capability to direct traffic towards numerous services or programs.
Demultiplexing is the process of taking traffic aimed at a single node and routing it to the
service requesting it. It accomplishes this by using TCP ports. A port is a number made of
16 bits that is used to route traffic to a chosen service.

So you can have traffic intended for the same IP that is directed towards different
ports, where different applications will handle the traffic from there, such as a terminal for
secure shell, a web browser for HTTP/HTTPS, and an email client for SMTP E-Mail
protocol. The process of encapsulation increases on this layer too. TCP segments are data
packets on this layer and are the payload content of an IP datagram from the network
layer. Like other data packets, a TCP segment is made up of a header and a payload
section. A TCP segment is structured like this:

1. Source Port

A source port is selected from a range of high-numbered ports known as ephemeral
ports. This is required so when the server replies to a computer’s
request, it knows where to send the packet to. This feature ensures packets are
sent to the right program.

2. Sequence Number

This number is used to keep track of where in a set of TCP segments a specific
segment is. This is used because TCP segments don’t have to be sent in order,
and sometimes other traffic besides one set will be more important than others
and a sequence might get interrupted, such as when the URG flag is used, or
QoS is specified.

3. Acknowledgement Number

This number holds the next number in a sequence of TCP segments. For
example, if this number is equal to 1 in one segment that was sent, the next
should be 2, because the second segment in the sequence should be sent next.

4. Data offset

This field indicates the length of a header for a single TCP segment. This helps
a device expecting/receiving a TCP segment know where the payload begins.

5. Flags

This field is reserved for control flags. There are the following flags available
for use in a TCP segment:

- URG: this flag indicates that this segment is more important than
others.
- ACK: this means that a device acknowledged receipt of a TCP segment.
- PSH: this flag means that a device sending a TCP segment wants a
receiving device to send this segment to a device as soon as possible.
- RST: this occurs when one side of a TCP connection can’t recover from
segments that are damaged or missing.
- SYN: when a TCP connection is first being formed, this is used to
establish the connection and make sure the end being sent TCP
segments knows to examine the sequence number field.
- FIN: when the transmitting end of a TCP connection has no more data
to send, it sends this signal to the receiver, and the receiver responds
with ACK to acknowledge the signal closure.

6. TCP Windows

This field lists a range of sequence numbers that might be transmitted before
the receiving end needs to send an ACK flag.

7. Urgent Pointer

This field is used to hold an URG flag, which indicates the current segment is
more important than others.

8. Options

This is used to manage more complicated flow protocols.

9. Padding

This works the same as padding in other packets. It is used to ensure that the
data payload begins where it is expected.

With TCP segments and flags, there is a 3-way handshake that is used to establish a TCP
connection.

The above pictures demonstrate the 3-way handshake used to create a TCP connection.
One machine sends a segment with SYN to request a connection. Another machine
responds with SYN to accept and sync a connection and also responds with ACK to
acknowledge receipt of the signal. The original computer finally responds with ACK to
acknowledge formation of the connection and the other machine’s ACK signal. The
picture below the first is an actual TCP connection formation between my computer and
my router captured using Wireshark, which allows you to view all network activity
coming out of an interface. In a TCP connection, there are 6 different socket states. A
socket is a single instance of an exit point on a TCP connection.

1. LISTEN: this designates that a TCP socket is waiting for another device to form
a connection. This is typically only found on a server.
2. SYN_SENT: this state means a SYN request has been sent, but no connection
has been formed, and no ACK flag has been received back.
3. SYN_RECEIVED: a socket that was in the LISTEN state has received a SYN
request. This socket then responded with the SYN and ACK flags as shown in
step 2 of the 3-way handshake.

4. ESTABLISHED: this means that the 3 way handshake between 2 devices
completed successfully, and a connection has been established.

5. FIN_WAIT: means that a FIN flag from a transmitting end has been sent, but
the other end has not sent the ACK acknowledgement flag yet.

6. CLOSE_WAIT: means that a connection has been closed, but a
program/application using it hasn’t relinquished control of the socket yet, so
that socket can’t be used yet.

7. CLOSED: means that a connection is completely closed, and 2 devices cannot
communicate back and forth as it is now impossible with no link established.
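The TCP header fields, control flags and handshake states described above, as an added example that is not part of the original guide. It packs and parses 20-byte TCP headers and follows a listening socket from LISTEN through SYN_RECEIVED to ESTABLISHED over a constructed three-segment capture. The port numbers and sequence numbers are constructed, and the checksum field is left at zero because it is not computed here.

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FORMAT = "!HHIIHHHH"  # ports, sequence, acknowledgement, offset+flags, window, checksum, urgent

def build_segment(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte TCP header with no options and no payload."""
    bits = sum(FLAG_BITS[name] for name in set(flags))
    # Data offset (5 words = 20 bytes) sits in the top 4 bits, flags in the low bits.
    return struct.pack(TCP_FORMAT, sport, dport, seq, ack, (5 << 12) | bits,
                       window, 0, 0)

def parse_segment(raw: bytes) -> dict:
    """Decode the fixed TCP header fields and the set of control flags."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum TCP header")
    (sport, dport, seq, ack, offset_flags, window,
     _checksum, urgent) = struct.unpack(TCP_FORMAT, raw[:20])
    header_len = (offset_flags >> 12) * 4  # Data offset counts 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("data offset points outside the segment")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "window": window, "urgent_pointer": urgent,
        "flags": {name for name, bit in FLAG_BITS.items() if offset_flags & bit},
        "payload": raw[header_len:],
    }

def server_state(segments, server_port: int) -> str:
    """Follow the listening socket's state through a list of captured segments."""
    state, client_isn, server_isn = "LISTEN", None, None
    for raw in segments:
        seg = parse_segment(raw)
        to_server, flags = seg["dport"] == server_port, seg["flags"]
        if "RST" in flags:
            return "CLOSED"
        if state == "LISTEN" and to_server and flags == {"SYN"}:
            state, client_isn = "SYN_RECEIVED", seg["seq"]
        elif state == "SYN_RECEIVED" and not to_server and flags == {"SYN", "ACK"}:
            # The SYN/ACK must acknowledge the client's sequence number plus 1.
            if seg["ack"] == (client_isn + 1) % 2**32:
                server_isn = seg["seq"]
        elif (state == "SYN_RECEIVED" and to_server and flags == {"ACK"}
              and server_isn is not None
              and seg["ack"] == (server_isn + 1) % 2**32):
            state = "ESTABLISHED"
    return state

# Constructed capture: client port 49152 connecting to server port 80.
HANDSHAKE = [
    build_segment(49152, 80, 1000, 0, ["SYN"]),
    build_segment(80, 49152, 5000, 1001, ["SYN", "ACK"]),
    build_segment(49152, 80, 1001, 5001, ["ACK"]),
]

if __name__ == "__main__":
    for raw in HANDSHAKE:
        print(sorted(parse_segment(raw)["flags"]))
    print(server_state(HANDSHAKE, 80))
```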
