The Nervous System of the Digital World
Attackers live on the network. Whether it involves exfiltrating data, pivoting between servers, or launching a Denial of Service, every action involves packets moving across wires. To secure an infrastructure (or hack it), you must understand the physics of data transmission.
You cannot protect what you cannot see. And to see the network, we must understand the language it speaks: Protocols.
The Map: The OSI Model
The Open Systems Interconnection (OSI) model is not just a textbook concept; it is the mental map every security engineer uses to diagnose problems. It divides network communication into 7 distinct layers.
Why 7 layers? Because debugging “The Internet is broken” is impossible. Debugging “Layer 1 is fine, but Layer 3 is unreachable” is actionable.
The 7 Layers (Top-Down)
- Application (Layer 7): What the user sees. HTTP (Web), SMTP (Email), SSH.
  - Attack Vector: SQL Injection, Phishing.
- Presentation (Layer 6): Translation and Encryption. JPG, ASCII, TLS/SSL.
  - Attack Vector: Malformed SSL Handshakes.
- Session (Layer 5): Maintaining connections. “Stay logged in”.
  - Attack Vector: Session Hijacking.
- Transport (Layer 4): The Delivery Service. TCP and UDP. Ports live here.
  - Attack Vector: Flooding attacks (SYN Flood).
- Network (Layer 3): Routing. IP Addresses. Routers live here.
  - Attack Vector: IP Spoofing, Route Hijacking.
- Data Link (Layer 2): Local delivery. MAC Addresses. Switches live here.
  - Attack Vector: MAC Flooding, ARP Spoofing.
- Physical (Layer 1): The physics. Cables, WiFi waves, Fiber optics.
  - Attack Vector: Wiretapping, cutting cables.
Hacker Tip: Most “Network Attacks” happen at Layers 2, 3, and 4. Most “Web Attacks” happen at Layer 7.
TCP/IP: The Real Internet
While OSI is the theory, TCP/IP is the implementation. The most critical concept for a security engineer to grasp is the Three-Way Handshake.
Before any data is sent over TCP (a reliable, connection-oriented protocol), a connection must be established.
- SYN (Synchronize): Client says “Hello, I want to talk.”
- SYN-ACK (Synchronize-Acknowledge): Server says “I hear you, let’s talk.”
- ACK (Acknowledge): Client says “Great, connection established.”
Why does this matter? A SYN Flood Attack (DoS) works by sending thousands of step-1 SYN packets but never the step-3 ACK. The server keeps a half-open connection in memory for each one, waiting for ACKs that never come, until it crashes. By understanding the handshake, we understand the attack.
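To make the handshake and the flood concrete, here is an added simulation (not code from the original post) that replays constructed packet summaries through a tiny model of a server's connection table and then, from the defender's side, counts which source is holding the half-open entries. The server address, flooder address, packet list and the queue size BACKLOG are all made-up assumptions.

```python
from collections import Counter

# Added simulation of a server's TCP connection table under a SYN flood.
# Every address and packet below is constructed, not from a real capture.
SERVER, FLOODER = "10.0.0.5", "198.51.100.7"
BACKLOG = 4  # hypothetical size of the server's half-open (SYN) queue

# Packet summaries shaped like a Wireshark "Info" column:
# (src ip, src port, dst ip, dst port, TCP flags)
PACKETS = [
    ("192.0.2.10", 40001, SERVER, 80, "SYN"),      # step 1
    (SERVER, 80, "192.0.2.10", 40001, "SYN,ACK"),  # step 2
    ("192.0.2.10", 40001, SERVER, 80, "ACK"),      # step 3: established
]
# Flooder: five SYNs from different source ports, never the final ACK.
PACKETS += [p for port in range(1000, 1005) for p in (
    (FLOODER, port, SERVER, 80, "SYN"), (SERVER, 80, FLOODER, port, "SYN,ACK"))]
# A second legitimate client arriving after the flood has begun.
PACKETS.append(("192.0.2.20", 40002, SERVER, 80, "SYN"))

def replay(packets, backlog=BACKLOG):
    """Minimal model of the server's connection table. Returns (table, dropped):
    table maps (client ip, client port) -> "SYN_RECEIVED" | "ESTABLISHED";
    dropped lists SYNs refused because the half-open queue was full."""
    table, dropped = {}, []
    for src, sport, dst, dport, flags in packets:
        if dst != SERVER:
            continue  # SYN,ACK is the server's own reply; no table change
        key = (src, sport)
        if flags == "SYN":
            half_open = sum(s == "SYN_RECEIVED" for s in table.values())
            if half_open >= backlog:
                dropped.append(key)  # queue full: legitimate SYNs are lost too
            else:
                table[key] = "SYN_RECEIVED"  # server allocates state and waits
        elif flags == "ACK" and table.get(key) == "SYN_RECEIVED":
            table[key] = "ESTABLISHED"  # third packet completes the handshake
    return table, dropped

def half_open_by_source(table):
    """Half-open entries per client IP: the imbalance a defender alerts on."""
    return Counter(ip for (ip, _), st in table.items() if st == "SYN_RECEIVED")

def suspected_syn_flood(table, threshold=3):
    """Sources holding at least `threshold` half-open connections at once."""
    return sorted(ip for ip, n in half_open_by_source(table).items() if n >= threshold)

if __name__ == "__main__":
    table, dropped = replay(PACKETS)
    print(dict(half_open_by_source(table)), dropped, suspected_syn_flood(table))
```

Run as-is, the first client completes its handshake, the flooder fills the four-slot queue, and both the flooder's fifth SYN and the second legitimate client's SYN are refused, which is exactly the denial of service the handshake makes possible.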
Seeing the Matrix: Wireshark
We don’t take anyone’s word for it; we look at the packets. Wireshark is the microscope for networks. It allows us to capture traffic and dissect it frame by frame.
When you open Wireshark, you aren’t just seeing “data”; you are seeing the raw truth of network behavior. Malware communicating with a C2 server, cleartext passwords moving over HTTP, or a hacker scanning your ports—it all shows up in the packet capture (PCAP).
What’s Next?
In this series, we will move from theory to practice. We will capture live traffic, analyze malicious packets, and learn how to configure firewalls to block them.
Next Part: We will install Wireshark and dissect our first HTTP and DNS packets, then move on to the dreaded world of Subnetting.