The journey of a packet โ taught as a story, not a list of layers to memorise.
Networks are too complicated for one big system, so they're split into layers โ each layer has one job. The OSI model has 7 layers (a teaching tool). The TCP/IP model has 4 layers (what the internet actually uses). Data moves down the layers on the sender, across the wire, and back up the layers on the receiver. At each layer down, a header is added (encapsulation). At each layer up, the header is read and stripped off (decapsulation).
4.1 Why Layers Exist (the actual reason)
Imagine you want to send a letter to someone in Japan. You don't personally drive it there. Instead:
You write the message (you don't worry about transport)
You put it in an envelope and address it (you don't worry about which truck it'll go in)
The post office sorts and routes it (they don't read it)
The plane physically moves it (the pilot doesn't care about the address)
Each step has one job. Each step trusts the others. If you change planes from a 747 to an A380, the postal system doesn't need to be rewritten. That's the whole point of layering. Each layer can be changed independently as long as it does its job.
Networks work the same way. Your browser doesn't care whether you're on Wi-Fi, ethernet, or 5G โ that's a different layer's problem. The Wi-Fi chip doesn't care whether you're loading Instagram or downloading a game โ that's a different layer's problem. Each layer hands its work to the next and trusts it to deliver.
WHY THIS MATTERS FOR EXAMS: Almost every "explain how X works" question can be answered by walking through the layers. If a question asks "explain what happens when a user enters a URL," your answer should walk down the layers on the sender side and back up on the receiver. Examiners love this structure because it shows you understand the system, not just the parts.
4.2 The OSI Model โ 7 Layers
OSI stands for Open Systems Interconnection. It's a teaching/reference model โ a clean, idealised way to think about networking. The actual internet doesn't run on OSI, but every textbook, exam, and IT job uses OSI vocabulary, so you have to know it.
Read top-down when you're SENDING (data wraps in more headers as it descends). Read bottom-up when you're RECEIVING (headers get stripped off as it climbs).
Memory tricks (you'll need them)
From layer 7 down to 1: All People Seem To Need Data Processing.
From layer 1 up to 7: Please Do Not Throw Sausage Pizza Away.
Pick one and drill it. The exam will absolutely ask "what layer does X happen at" and the wrong layer = 0 marks.
Which OSI layer does a router operate at?
Layer 3 (Network). Routers make decisions based on IP addresses, which are a Layer 3 concept. Switches are Layer 2 (MAC addresses). Hubs are Layer 1 (just repeat signals). This is a classic exam question.
Which layer adds the IP address to a packet?
Layer 3 (Network). The IP header โ including source and destination IP addresses โ is added at the Network layer as the packet moves down the stack on the sender's side.
4.3 The TCP/IP Model โ What the Internet Actually Uses
The TCP/IP model is the practical, real-world version. It collapses 7 OSI layers into 4. This is what your computer actually does โ OSI is the textbook ideal, TCP/IP is reality.
The 7 OSI layers map onto the 4 TCP/IP layers. Same work gets done โ just grouped differently.
TCP/IP Layer
What it does
Real protocols you've used
Application
The user-facing software and how it talks to other apps
HTTP/HTTPS (web), DNS (domain lookups), SMTP (email), SSH (remote login)
Transport
End-to-end delivery between two devices, reliability decisions
TCP (reliable, used by web, email, file transfer), UDP (fast, used by video calls, gaming, DNS)
Internet
Routing packets across multiple networks using IP addresses
IP (IPv4 and IPv6), ICMP (used by ping)
Network Access
Putting bits onto the physical wire/wireless medium for the local network
Ethernet, Wi-Fi (802.11), fibre optic
LAYER 3 โ SUBNETTING CONNECTION: IP addresses live at the Internet layer, but they're not just random numbers โ they're structured so routers can make fast decisions. Subnetting is how networks are divided so routers know which traffic is "local" and which needs to be forwarded elsewhere. Chapter 5 covers this in detail, but keep the link in mind: Layer 3 = routing, and subnetting is what makes routing efficient. ATAR questions love combining OSI reasoning with subnetting reasoning.
Ports โ the address WITHIN a device
An IP address gets a packet to the right device. But a device runs dozens of programs at once โ how does it know whether an arriving packet is for the browser, the email client, or the game? That's what port numbers do. Every network connection is identified by IP address + port number โ that combination is called a socket.
Certain port numbers are reserved for specific protocols โ these are called well-known ports (0โ1023). Memorise these, they come up in exams constantly:
Port
Protocol
What it does
20, 21
FTP
File transfer (21 = control, 20 = data)
22
SSH
Secure remote login
25
SMTP
Sending email
53
DNS
Domain name lookups
80
HTTP
Web (unencrypted)
110 / 143
POP3 / IMAP
Receiving email
443
HTTPS
Web (encrypted โ the one you want)
3389
RDP
Remote desktop
WHY THIS MATTERS FOR SECURITY: Firewalls decide what traffic to allow based on ports. "Block port 23 (Telnet) โ it's unencrypted" is a common rule. "Only allow port 443 inbound to the web server" locks down a server to just HTTPS. If a network admin leaves port 22 open to the internet, attackers will find it and start brute-forcing SSH passwords within minutes. Ports are one of the most practical security concepts in the whole course.
TRAP: Ports vs protocols are different things. HTTP is a protocol (the rules). Port 80 is the port number it conventionally uses. You can run HTTP on any port if you configure it that way โ the port is just a label. The combination IP + port = socket, which uniquely identifies one end of a conversation.
TRAP: Students mix up "TCP" the protocol and "TCP/IP" the model. TCP/IP is the whole 4-layer model. TCP is just one protocol that lives at the Transport layer (UDP also lives there). Saying "TCP/IP is at the Transport layer" is wrong.
4.4 The Story: What Actually Happens When You Tap a Link
Let's walk through what really happens when you open instagram.com on your phone. Pay attention to which layer is doing what.
Step 1 โ You tap the link (Application layer kicks in)
Your browser needs the IP address for instagram.com. It asks DNS. DNS is an Application-layer protocol.
DNS replies with something like 157.240.7.174. Now your browser knows where to send the request.
Your browser builds an HTTP request: "GET /home". HTTP is also Application layer.
Step 2 โ Hand off to Transport (TCP)
The HTTP request gets handed down to TCP at the Transport layer.
TCP wraps it with a header containing port numbers: source port (random, e.g., 52341) and destination port 443 (HTTPS).
TCP also sets up a connection first using a "three-way handshake" (SYN โ SYN-ACK โ ACK) so both sides agree to talk reliably.
Step 3 โ Hand off to Internet layer (IP)
The TCP segment gets handed down to IP.
IP wraps it with another header containing source IP (your phone, e.g., 192.168.1.42) and destination IP (157.240.7.174).
Now it's called a "packet."
Step 4 โ Hand off to Network Access (Wi-Fi)
The packet gets wrapped one more time with a frame header containing MAC addresses โ your phone's Wi-Fi MAC and your router's Wi-Fi MAC.
The Wi-Fi radio converts this to radio waves and broadcasts.
Your home router catches it, strips the Wi-Fi frame off, looks at the IP destination, and forwards it toward Instagram via your ISP.
Step 5 โ Through the internet (many hops)
Each router along the way reads the IP header, decides where to forward next, and passes it along. None of them care about the contents.
Eventually it reaches Instagram's data centre.
Step 6 โ Up the layers on Instagram's server
Instagram's server receives the frame, strips off Wi-Fi/Ethernet header (Network Access).
Strips off IP header (Internet) โ checks "yes, this is for me."
Strips off TCP header (Transport) โ reassembles the segment in order.
Hands the HTTP request to its web server software (Application). The server replies, and the whole journey happens again in reverse.
THE BIG INSIGHT: Every piece of data on the internet is wrapped in layers like a Russian doll. Each layer adds its own header on the way out, and each layer removes its own header on the way in. This is called encapsulation and it's how networks scale โ every layer can be swapped out without breaking the others.
4.5 Encapsulation โ How Headers Get Added
The original data only changes in size by getting more headers added. The actual content ("GET /home") never changes during transit.
Names of the data unit at each layer
Examiners love asking what the data is called at each layer. Memorise these terms:
Layer
Data is called a...
Why it matters
Application
Data (or "message")
Just the raw payload, no networking headers yet
Transport
Segment (TCP) or Datagram (UDP)
TCP segment vs UDP datagram โ different terms for different protocols
Internet
Packet
This is the term you'll see most often in general writing
Network Access
Frame
The "frame" is what actually travels on the local wire/Wi-Fi
Physical
Bits
Just 1s and 0s โ electrical, optical, or radio signals
TRAP: Don't say "the packet goes onto the wire." Technically it's the frame that goes on the wire. The packet is wrapped inside the frame. This level of precision earns marks.
4.6 Real-World Tools That Show This in Action
# See your own network journey to a website tracert google.com # Windows traceroute google.com # Mac/Linux
# Each line is one router hop your packet takes through the internet. # Each hop is operating at Layer 3 (Internet/Network). # You'll see your home router first, then your ISP, then several others before reaching Google.
# See DNS in action โ Layer 7 (Application) protocol nslookup instagram.com
# Returns the IP address(es) Instagram is currently hosted on. # This is typically the first thing your browser does when visiting a site # (though cached results or CDN routing can bypass a fresh lookup).
The 2016 Dyn DNS Attack โ Dyn was a major DNS provider that handled lookups for Twitter, Spotify, Reddit, Netflix, GitHub and dozens of others. On 21 October 2016, attackers using the Mirai botnet (made up of hacked IoT devices like security cameras) launched a massive DDoS attack against Dyn. Result: even though all those websites were up and running, users couldn't reach them because DNS โ Layer 7 โ couldn't translate the domain names to IPs. Lesson: a failure at one layer brings down everything that depends on it. Layered design is great for engineering; it's also a chain of single points of failure.
4.7 The Mark-Scoring Template
EXAM TEMPLATE โ "Explain how data is sent from device A to device B":
1. Encapsulation: "On the sender, data starts at the Application layer and moves down. At each layer, a header is added: TCP/UDP at Transport, IP at Internet, MAC at Network Access."
2. Transmission: "The frame is converted to bits and transmitted on the physical medium."
3. Routing: "Routers along the path read the IP header to forward the packet toward the destination network."
4. Decapsulation: "On the receiver, headers are stripped off in reverse order, and the original data is delivered to the application."
Hit those four points and you've got a 4-mark answer locked in.
A user opens a webpage. Name the protocol used at each TCP/IP layer.
Application: HTTP (or HTTPS if secure) Transport: TCP (reliable delivery is important for web pages) Internet: IP (IPv4 or IPv6) Network Access: Ethernet (wired) or Wi-Fi/802.11 (wireless)
Bonus mention: DNS (also Application) was used first to resolve the domain to an IP.
A streaming service uses UDP instead of TCP. Why?
UDP is faster because it doesn't wait for acknowledgements or retransmit lost packets. For live video/audio, a slightly degraded picture is better than the whole stream pausing while it waits for one missing packet to be re-sent. TCP would prioritise perfect delivery over speed โ wrong trade-off for live streaming.
Why is the OSI model still taught if the internet uses TCP/IP?
OSI is a clean reference model โ it gives a shared vocabulary ("Layer 7", "Layer 3 device") that the whole industry uses, even when the actual implementation is TCP/IP. Network engineers, security professionals, and exam markers all communicate in OSI terms. It's the language; TCP/IP is the implementation.