ajdevhub
    NETWORKING MASTERY · PHASE 1 · MODULE 01 · WEEK 1
    📡 OSI and TCP/IP Model
    How networks are structured · Layers · Encapsulation · Protocols · PDUs
    Beginner No prior knowledge needed 7 Layers Encapsulation 2 Labs

    THE PROBLEM LAYERS SOLVE

    🤔

    Why Does Networking Need a Layered Model?

    MOTIVATION

    Imagine you want to send a message to a friend in another country. You don't think about the physics of radio waves, the routing protocols in backbone routers, the TCP retransmit timers, or the TLS cipher negotiation. You just type and hit send. That's possible because networking is broken into layers — each layer does one specific job and hides the complexity from the layers above and below it.

    Without layers, every application would need to understand every type of network hardware, every cable standard, every routing algorithm. It would be impossible to maintain. Layers solve this with a principle called separation of concerns:

    • Each layer has a clearly defined job.
    • Each layer communicates only with the layer directly above and below it.
    • A layer can be swapped or upgraded without touching other layers. WiFi replaced Ethernet as the physical layer for laptops — no change to TCP, HTTP, or your app.
    • When something breaks, layers tell you exactly where to look. "Is this a Layer 1 cable problem, or a Layer 3 routing problem?"
    📮 Analogy — Sending a Physical Letter

    Think of layers like the postal system. You (the app) write a letter and seal it in an envelope (Layer 6/5). The envelope gets a delivery address and return address (Layer 3 — IP addressing). It gets placed in a mail bag (Layer 2 — grouped for a specific route). The mail bag travels by truck, plane, boat (Layer 1 — physical transport). At each stage, that layer's workers do their specific job without needing to read your personal letter. The letter arrives, gets opened, and you read it — each layer unwrapped in reverse. This is exactly what happens to network packets.

    📜

    Two Models — OSI and TCP/IP

    OVERVIEW

    There are two main layered models you'll encounter:

    • OSI Model (Open Systems Interconnection) — A theoretical 7-layer model created by the ISO in 1984. It is the reference standard used for understanding, teaching, and troubleshooting. You will use OSI terminology every day as a network engineer ("that's a Layer 3 issue", "this operates at Layer 4").
    • TCP/IP Model — The practical 4-layer model that describes how the actual internet works. This is what your operating system and every network device actually implements. It maps onto the OSI model but collapses some layers together.

    Both models exist for different reasons. OSI gives you precise vocabulary and troubleshooting clarity. TCP/IP tells you how real implementations work. You need to know both — and more importantly, how they map to each other.

    THE 7-LAYER OSI MODEL — VISUAL REFERENCE

    The OSI model has 7 layers numbered 1 (bottom, physical) to 7 (top, application). Each layer adds its own header/trailer to data as it travels down the stack (sender side), and strips it off as it travels up (receiver side). Click any layer to learn more.

    7
    Application
    User-facing protocols. HTTP, DNS, SMTP, FTP, SSH. Your app lives here.
    Data
    6
    Presentation
    Data format translation, encryption (TLS/SSL), compression.
    Data
    5
    Session
    Manages sessions between applications. Setup, maintenance, teardown.
    Data
    4
    Transport
    End-to-end delivery. TCP (reliable) and UDP (fast). Ports live here.
    Segment
    3
    Network
    Logical addressing and routing. IP addresses, routers, FIB/RIB.
    Packet
    2
    Data Link
    Node-to-node delivery on same network. MAC addresses, Ethernet frames, switches.
    Frame
    1
    Physical
    Raw bits over physical medium. Cables, optical fibre, radio waves, voltages.
    Bits

    💡 Memory trick — "Please Do Not Throw Sausage Pizza Away" (Physical, Data Link, Network, Transport, Session, Presentation, Application — bottom to top). Or top-to-bottom: "All People Seem To Need Data Processing". Either works — pick one and stick to it.

    📦

    PDU — Protocol Data Unit

    KEY TERM

    Each layer has a specific name for the chunk of data it works with. These are called PDUs (Protocol Data Units):

    • Layer 7/6/5 — just called Data (your application message)
    • Layer 4Segment (TCP) or Datagram (UDP)
    • Layer 3Packet (IP packet)
    • Layer 2Frame (Ethernet frame)
    • Layer 1Bits (1s and 0s on the wire)

    In network engineering conversations, using the right PDU name matters. A "packet" is specifically an L3 PDU. Calling an Ethernet frame a "packet" is technically wrong and can confuse your team when debugging.

    EACH LAYER — WHAT IT DOES, WHAT PROTOCOLS LIVE HERE

    💻

    Layer 7 — Application Layer

    L7 · DATA

    Job: Provides network services directly to user applications. This is the layer your code interacts with when you call curl, open a browser, or write a socket program.

    What it does:

    • Defines the syntax and semantics of the messages exchanged (e.g., HTTP request format: GET /index.html HTTP/1.1)
    • Handles application-level authentication (HTTP Basic Auth, API keys)
    • No header is added by the OS at this layer — the application itself constructs the message

    Protocols: HTTP/HTTPS, DNS, SMTP, FTP, SSH, Telnet, DHCP, SNMP, LDAP, SIP, RTP

    NGFW relevance: This is where DPI (Deep Packet Inspection) operates. An NGFW inspects L7 content to identify applications, detect malware payloads, and enforce URL/content policies.

    🔐

    Layer 6 — Presentation Layer

    L6 · DATA

    Job: Translates data between the format the network uses and the format the application needs. Acts as a data translator.

    What it does:

    • Encryption / Decryption — TLS/SSL encrypts data at this layer before it goes down to L4/L3
    • Compression — HTTP compression (gzip, brotli) is a Layer 6 function
    • Data format translation — Converting between character encodings (ASCII vs UTF-8), serialisation formats (JSON → binary)

    Real-world note: In practice, the OSI Presentation layer is not implemented as a distinct OS layer. TLS runs as a library your application calls (OpenSSL, mbedTLS). The concept is still useful — when you say "TLS is a Layer 6 function", everyone understands you mean it handles the encryption/format translation concern, not transport or routing.

    NGFW relevance: SSL inspection (decrypting HTTPS traffic for inspection) is a Layer 6 operation.

    🤝

    Layer 5 — Session Layer

    L5 · DATA

    Job: Establishes, manages, and terminates sessions — logical conversations between two applications.

    What it does:

    • Session establishment — setting up a logical connection before data flows
    • Session maintenance — keeping the session alive (keepalives), handling disconnects and reconnects
    • Synchronisation — checkpointing long transfers so they can resume after interruption
    • Dialog control — managing half-duplex vs full-duplex communication

    Real-world note: Like Layer 6, Session is not a distinct OS layer in practice. The functionality is handled by TCP (connection state), TLS (session tickets for resumption), and application-level session management (HTTP cookies, WebSocket sessions). You'll use Layer 5 as a concept more than as a distinct implementation concern.

    Protocols: NetBIOS, PPTP, RPC session management, SQL session management

    🚚

    Layer 4 — Transport Layer

    L4 · SEGMENT

    Job: Reliable (or unreliable) end-to-end delivery of data between two processes on different hosts. This is where ports live — they are how Layer 4 distinguishes which application a packet belongs to.

    What it does:

    • Port numbers — Source port + destination port identify the application. Port 80 = HTTP, 443 = HTTPS, 22 = SSH, 53 = DNS (UDP)
    • Segmentation — Large application messages are broken into segments. Each segment is numbered so the receiver can reassemble them in order
    • Flow control — TCP adjusts the sending rate so the receiver isn't overwhelmed
    • Error detection — Checksum verifies data wasn't corrupted in transit
    • Multiplexing — Multiple applications can use the network simultaneously because they each have unique port numbers

    Two protocols:

    • TCP (Transmission Control Protocol) — Reliable, ordered, connection-oriented. Guarantees delivery. Used by HTTP, SMTP, SSH. Slower but safe.
    • UDP (User Datagram Protocol) — Unreliable, connectionless, no ordering. Fast, no overhead. Used by DNS, video streaming, VoIP, gaming. You handle reliability yourself if you need it.

    NGFW relevance: Stateful firewalls operate at Layer 4. Connection tracking matches packets to established sessions by (src_ip, src_port, dst_ip, dst_port, proto) — the 5-tuple.

    🌐

    Layer 3 — Network Layer

    L3 · PACKET

    Job: Logical addressing and routing of packets across multiple networks. This is the layer that makes the internet possible — the ability to send data from any network to any other network, potentially traversing dozens of routers in between.

    What it does:

    • IP addressing — Assigns logical addresses (IPv4: 192.168.1.1, IPv6: 2001:db8::1) that identify hosts globally, not just on a local network
    • Routing — Determines the best path for a packet to travel. Routers operate at Layer 3, reading the destination IP and consulting their routing table (FIB) to decide the next hop
    • Fragmentation — If a packet is too large for a network link's MTU (Maximum Transmission Unit), Layer 3 fragments it into smaller packets
    • TTL (Time To Live) — Each packet has a TTL counter decremented by each router. When it hits 0 the packet is discarded — prevents loops

    Protocols: IPv4, IPv6, ICMP, OSPF, BGP, EIGRP, ARP (technically L2/L3 boundary)

    Devices at this layer: Routers, Layer 3 switches, firewalls (packet inspection)

    NGFW relevance: Every packet processed by a firewall goes through Layer 3 — source/destination IP ACLs, routing decisions, and IP-based threat intelligence all live here.

    🔌

    Layer 2 — Data Link Layer

    L2 · FRAME

    Job: Node-to-node delivery of data on the same physical network. While Layer 3 handles routing across many networks, Layer 2 handles the hop-by-hop delivery on each individual link.

    What it does:

    • MAC addressing — Uses hardware (MAC) addresses to identify devices on the same network segment. Unlike IP addresses, MAC addresses are burned into the NIC at manufacture (though they can be spoofed)
    • Framing — Wraps Layer 3 packets in a frame with MAC src/dst header and a trailer containing a CRC checksum for error detection
    • Error detection — The CRC (Cyclic Redundancy Check) in the Ethernet trailer detects corrupted frames. Corrupted frames are silently dropped (error recovery is Layer 4's job)
    • Access control — CSMA/CD (old Ethernet) and CSMA/CA (WiFi) decide who can transmit when

    Two sub-layers (important for NGFW):

    • LLC (Logical Link Control) — flow control and error notification to upper layers
    • MAC (Media Access Control) — hardware addressing and media access

    Protocols: Ethernet (802.3), WiFi (802.11), PPP, VLAN (802.1Q), STP (802.1D), ARP

    Devices: Network switches, bridges, NICs, WiFi access points

    Layer 1 — Physical Layer

    L1 · BITS

    Job: Transmit raw bits (1s and 0s) over a physical medium. This layer knows nothing about addresses, protocols, or meaning — it just pushes electrical signals, light pulses, or radio waves.

    What it defines:

    • Physical connectors — RJ45 (Ethernet), SFP (fibre), coaxial
    • Cable types — Cat5e, Cat6, Cat6A (copper), single-mode, multi-mode fibre
    • Signal encoding — How bits 0 and 1 are represented as voltages, light intensity, or radio frequency
    • Bit rate — 100 Mbps, 1 Gbps, 10 Gbps, 100 Gbps
    • Duplex mode — Half-duplex (one direction at a time) vs full-duplex (both directions simultaneously)

    Devices: Hubs, repeaters, cables, optical transceivers, modems, NICs (the physical signalling part)

    Troubleshooting: "Is the cable plugged in? Is the link light on?" — these are Layer 1 questions. In DPDK and VPP, show interface reports link state as "up" or "down" — this is a Layer 1 status.

    THE TCP/IP MODEL — HOW THE REAL INTERNET IS STRUCTURED

    🌐

    Why the TCP/IP Model Exists

    BACKGROUND

    The TCP/IP model (also called the Internet model or DoD model) was developed in the 1970s by DARPA as the actual protocol suite for ARPANET — the precursor to the internet. Unlike OSI, it wasn't a theoretical standard first — it was built pragmatically around the two core protocols: IP and TCP.

    It has 4 layers instead of 7, collapsing the top three OSI layers into one and the bottom two into one. This reflects how implementations actually work — operating systems don't have separate Session and Presentation modules; they're handled by libraries your app calls.

    OSI vs TCP/IP — MAPPING

    TCP/IP Layer OSI Equivalent What It Covers Key Protocols
    Application L7 Application
    L6 Presentation
    L5 Session    		 Everything from the OS socket API upward — your app, its data format, session management HTTP DNS SMTP FTP SSH TLS
    Transport L4 Transport End-to-end data delivery between processes. Ports, reliability, flow control TCP UDP QUIC SCTP
    Internet L3 Network Logical addressing and routing across multiple networks IPv4 IPv6 ICMP OSPF BGP
    Network Access
    (Link Layer)    		 L2 Data Link
    L1 Physical    		 Physical transmission and local network delivery Ethernet WiFi ARP PPP

    💡 Which model do engineers actually use? Both, depending on context. When troubleshooting or talking to vendors, engineers use OSI layer numbers ("is this a L2 or L3 issue?"). When writing code and reading RFCs, you use TCP/IP model terminology. In NGFW development specifically, you'll hear "L3 ACL", "L4 stateful inspection", "L7 DPI" — these are OSI layer numbers applied to firewall feature descriptions.

    🔍

    Where Does Each Protocol Actually Run?

    REAL MAPPING

    Understanding which layer a protocol belongs to is crucial — it tells you which device processes it, what header format to look for, and what tools to use for debugging.

    /* In your OS — the TCP/IP stack as seen by a C program */

Your application code
    ↓ calls socket(), send(), recv()
OS socket API          ← TCP/IP Application layer boundaryTCP or UDP             ← Transport layer (adds src/dst port, seq, ack)IP                     ← Internet layer (adds src/dst IP, TTL, proto)Ethernet driver        ← Network Access (adds MAC src/dst, type, CRC)NIC hardware           ← Physical (converts to electrical/optical signals)wire / fibre / air

    When you call send(sockfd, buf, len, 0) in C, the OS kernel handles everything below the socket API. Your app only touches the Application layer. The kernel builds the TCP segment, IP packet, and Ethernet frame automatically.

    ENCAPSULATION AND DE-ENCAPSULATION

    📦

    What is Encapsulation?

    CORE CONCEPT

    Encapsulation is the process of wrapping data with a header (and sometimes trailer) at each layer as it travels down the stack from the sending application to the physical wire. Each layer adds its own control information (addressing, error detection, sequencing) without modifying the data from the layer above.

    Think of it as nested envelopes — you put a letter in an envelope, then put that envelope in a padded mailer, then put that in a shipping box. Each wrapper adds information the relevant handler needs, without touching the inner contents.

    On the receiving end, the process reverses — each layer strips off its own header and passes the inner data up. This is called de-encapsulation.

    ENCAPSULATION STEP BY STEP — SENDING AN HTTP REQUEST

    L7 App
    HTTP Request: "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    ↓ Transport layer wraps with TCP header
    L4 Segment
    TCP Header
    src:52341 dst:80
    seq:1001 ack:0
    flags:PSH|ACK
    HTTP Data
    ↓ Network layer wraps with IP header
    L3 Packet
    IP Header
    src:10.0.0.5
    dst:93.184.216.34
    TTL:64 proto:TCP
    TCP Hdr
    HTTP Data
    ↓ Data Link layer wraps with Ethernet header + trailer
    L2 Frame
    Eth Header
    dst MAC
    src MAC
    Type:0x0800
    IP Hdr
    TCP Hdr
    HTTP Data
    CRC
    4 bytes
    ↓ Physical layer converts to bits on the wire
    L1 Bits
    01001000 01010100 01010100 01010000 ... (everything above as raw bits)

    💡 Important: The highlighted (outlined) blocks show what each layer added. Notice that each layer treats everything from the layer above as opaque data — IP does not look inside the TCP header; Ethernet does not look inside the IP header. This is the fundamental principle that makes the internet extensible — you can run any Layer 4 protocol over IP, and any Layer 3 protocol over Ethernet.

    📖

    Header Fields — What Each Layer Adds

    REFERENCE

    Ethernet Frame Header (14 bytes)

    Ethernet
    Destination MAC
    6 bytes
    Source MAC
    6 bytes
    EtherType
    2 bytes
    Payload (up to 1500B)
    CRC
    4 bytes

    IPv4 Header (20 bytes minimum)

    IPv4
    Ver/IHL
    1B
    DSCP
    1B
    Total Length
    2B
    ID
    2B
    TTL
    1B
    Proto
    1B
    Checksum
    2B
    Source IP
    4 bytes
    Dest IP
    4 bytes

    TCP Header (20 bytes minimum)

    TCP
    Src Port
    2B
    Dst Port
    2B
    Sequence Number
    4 bytes
    Ack Number
    4 bytes
    Flags
    1B
    Window
    2B
    Checksum
    2B

    Each header will be dissected in detail in its own module — M02 for Ethernet, M03 for IPv4, M05 for TCP.

    PROTOCOLS MAPPED TO OSI LAYERS

    This is your reference map — every protocol you'll encounter in networking and NGFW development, mapped to the OSI layer it operates at. Study this until it's second nature.

    Layer 7 — Application
    HTTP · HTTPS · DNS · SMTP · FTP · SFTP · SSH · Telnet · DHCP · SNMP · LDAP · SIP · RTP · RTSP · NTP · POP3 · IMAP
    Layer 6 — Presentation
    TLS · SSL · MIME · ASCII · UTF-8 · JPEG · MPEG · gzip · XDR · ASN.1
    Layer 5 — Session
    NetBIOS · PPTP · SAP · SDP · NFS (session part) · SQL session · RPC
    Layer 4 — Transport
    TCP · UDP · QUIC · SCTP · DCCP · SPX
    Layer 3 — Network
    IPv4 · IPv6 · ICMP · ICMPv6 · OSPF · EIGRP · BGP · IS-IS · RIP · MPLS · IPsec (tunnel mode) · GRE · ARP (boundary)
    Layer 2 — Data Link
    Ethernet (802.3) · WiFi (802.11) · PPP · HDLC · Frame Relay · ATM · VLAN (802.1Q) · STP (802.1D) · LACP (802.3ad) · ARP · NDP
    Layer 1 — Physical
    Ethernet physical (100BASE-T, 1000BASE-T, 10GBASE-SR) · USB · RS-232 · DSL · SONET · OTN · Bluetooth (PHY) · 802.11 (radio PHY)

    ⚠️ Some protocols span multiple layers. ARP bridges L2 and L3 — it uses Ethernet frames (L2) to resolve IP addresses (L3). MPLS is sometimes called "Layer 2.5". IPsec in tunnel mode wraps an entire IP packet (L3) inside a new IP packet (L3) — it straddles L3 and L4. The OSI model is a framework; real protocols don't always fit neatly into one box.

    🔥

    NGFW — Which Layer Does Each Feature Operate At?

    NGFW MAP
    NGFW FeatureOSI LayerWhat It Inspects
    Packet filtering (ACL)L3 / L4IP src/dst, protocol, port numbers
    Stateful inspectionL4TCP/UDP connection state (5-tuple)
    NAT (Network Address Translation)L3 / L4IP address and port rewriting
    Deep Packet Inspection (DPI)L7Application payload, protocol signatures
    URL filteringL7HTTP Host header, TLS SNI
    DNS filtering / sinkholingL7DNS query names, response IPs
    SSL inspectionL6 / L7TLS handshake, certificate, decrypted payload
    IDS / IPSL4 – L7Packet content, protocol anomalies, signatures
    QoS / traffic shapingL3 / L4DSCP markings, port-based prioritisation

    END-TO-END DATA FLOW — HTTP REQUEST ACROSS TWO NETWORKS

    🗺️

    The Full Journey of a Packet

    WALKTHROUGH

    Scenario: Your laptop (10.0.0.5) sends an HTTP GET request to a web server (93.184.216.34) on the internet. There is one router between you and the internet. Let's trace every layer.

    Your Browser — L7 Application
    Browser constructs an HTTP GET request: GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n. This is pure application data — no headers from lower layers yet. Passed down to the OS via the socket API.
    send(sockfd, "GET /index.html HTTP/1.1\r\n...", len, 0)
    OS Kernel — L4 Transport (TCP)
    Kernel wraps the HTTP data in a TCP segment. Adds: source port (e.g. 52341, random ephemeral), destination port (80), sequence number (for ordering), flags (PSH+ACK). TCP ensures reliable delivery and handles retransmission if needed.
    [TCP hdr: sport=52341 dport=80 seq=1001 flags=PSH|ACK] + [HTTP data]
    OS Kernel — L3 Network (IP)
    IP layer wraps the TCP segment in an IP packet. Adds: source IP (10.0.0.5), destination IP (93.184.216.34), TTL (64), protocol (6 = TCP). The kernel consults the routing table: destination is not local, so next hop = default gateway (router at 10.0.0.1).
    [IP hdr: src=10.0.0.5 dst=93.184.216.34 TTL=64 proto=6] + [TCP] + [HTTP]
    NIC Driver — L2 Data Link (Ethernet)
    Ethernet layer wraps the IP packet in a frame. ARP resolves the router's MAC address (10.0.0.1 → aa:bb:cc:dd:ee:01). Adds: dst MAC (router's MAC), src MAC (your NIC's MAC), EtherType (0x0800 = IPv4), CRC trailer.
    [Eth: dst=aa:bb:cc:dd:ee:01 src=your_mac type=0x0800] + [IP] + [TCP] + [HTTP] + [CRC]
    NIC Hardware — L1 Physical
    The NIC converts the frame to electrical signals (or light pulses for fibre) and transmits them on the wire. The signals travel to the router's port.
    01001000 01010100 01010100... (raw bits on wire)
    Router — L2 De-encapsulation + L3 Processing
    Router receives bits → reassembles frame → checks CRC (drops if corrupt) → strips Ethernet header → reads IP header. Decrements TTL (64→63). Looks up destination IP (93.184.216.34) in its routing table → routes to ISP next hop. Builds a NEW Ethernet frame with the router's WAN MAC as source and the next-hop router's MAC as destination. The IP packet is unchanged (only TTL decremented).
    New Eth frame: [dst=isp_router_mac src=router_wan_mac] + [IP TTL=63] + [TCP] + [HTTP]
    Web Server — De-encapsulation (all layers)
    Packet arrives at the server. NIC receives bits → Ethernet driver strips frame header/trailer → IP layer strips IP header (checks TTL, checksum, delivers to TCP) → TCP layer strips TCP header (checks sequence, sends ACK, passes data to socket buffer) → Application reads from socket → HTTP server processes GET request → sends response.
    recv(sockfd, buf, len, 0) → buf = "GET /index.html HTTP/1.1\r\nHost: example.com..."

    💡 Key insight — the router only processes L1, L2, and L3. It strips the Ethernet frame, reads the IP destination, decrements TTL, builds a new Ethernet frame for the next hop, and forwards. It never looks at TCP or HTTP content. A firewall doing deep packet inspection is special because it deliberately reaches up to L4–L7 — which is why DPI is computationally expensive compared to simple IP routing.

    LAB 1

    Packet Dissection with Wireshark

    Objective: Capture live traffic and identify every OSI layer in a real packet. See exactly how encapsulation looks on the wire.

    1
    Install Wireshark on Linux: sudo apt install wireshark. On the first run, add your user to the wireshark group: sudo usermod -aG wireshark $USER, then log out and back in.
    2
    Open Wireshark. Select your active network interface (usually eth0 or wlan0). Click the blue shark fin to start capture.
    3
    Open a terminal and run: curl http://example.com. This sends a plain HTTP request (not HTTPS — we want to see the payload).
    4
    In Wireshark, type this filter in the filter bar and press Enter: http and ip.dst == 93.184.216.34. You should see the HTTP GET packet appear.
    5
    Click the packet. In the bottom panel, expand each layer: Frame (L2), Internet Protocol (L3), Transmission Control Protocol (L4), Hypertext Transfer Protocol (L7). For each layer, identify: header fields, their values, and their size in bytes.
    6
    Answer these questions from what you see: What is the source and destination MAC address? What is the TTL in the IP header? What are the source and destination ports? What HTTP method and path is being requested? Is there a TCP sequence number — what is it?
    7
    Bonus: Right-click the packet and select "Follow > TCP Stream". See the full HTTP conversation — request and response — reassembled by Wireshark from multiple packets. Notice that Wireshark stripped all headers for you, showing only the L7 application data.
    LAB 2

    Trace a Packet with tcpdump and Identify Layers

    Objective: Use the command-line tool tcpdump to capture and decode packets. tcpdump is your primary diagnostic tool as a network application developer — learn it well.

    1
    Install tcpdump: sudo apt install tcpdump. Run it with verbose output: sudo tcpdump -i eth0 -v -n 'port 80'. The -v flag shows L3 details, -n disables hostname resolution, 'port 80' filters to HTTP traffic.
    2
    In another terminal, run: curl http://example.com. Watch tcpdump output. You should see the TCP 3-way handshake (SYN → SYN-ACK → ACK) followed by the HTTP request and response.
    3
    Run with the -vv flag for even more detail: sudo tcpdump -i eth0 -vv -n 'port 80'. Now capture to a file: sudo tcpdump -i eth0 -w /tmp/http_capture.pcap 'port 80'. Then curl again and stop tcpdump with Ctrl-C.
    4
    Read the captured file: tcpdump -r /tmp/http_capture.pcap -vv -n. Now try adding the -e flag to also show Layer 2 (Ethernet) MAC addresses: tcpdump -r /tmp/http_capture.pcap -evvn.
    5
    Open the .pcap file in Wireshark for a visual view: wireshark /tmp/http_capture.pcap. Compare the Wireshark layer tree with what tcpdump showed on the command line.
    6
    Bonus challenge: Write a 10-line Python script using the scapy library (pip install scapy) that constructs a raw Ethernet + IP + TCP + HTTP frame from scratch and prints each layer's fields. This directly demonstrates encapsulation in code:
    from scapy.all import *
    pkt = Ether()/IP(dst="93.184.216.34")/TCP(dport=80)/Raw(b"GET / HTTP/1.0\r\n\r\n")
    pkt.show()

    M01 MASTERY CHECKLIST

    When complete: Move to M02 - Ethernet and L2. You've seen the Ethernet header in this module — M02 goes deep on it: MAC addressing, ARP, VLANs, 802.1Q tagging, STP, and Layer 2 switching internals.

    ← Roadmap 🗺️ All Modules Next: M02 - Ethernet and L2 →