After this lesson, you will be able to: Explain the OSI and TCP/IP models layer by layer with concrete examples, IP addressing and CIDR, NAT, MAC addresses and ARP, and how a DNS query resolves end to end.
This is the networking foundation the whole subtrack builds on. We walk every OSI layer with a concrete example of what happens there and where attacks live, relate it to the TCP/IP model used in practice, then cover IP addressing, subnets and CIDR, private ranges and NAT, MAC addresses and ARP, and the full DNS resolution path.
Layer 1 Physical: bits as electrical/optical/radio signals on a wire or in the air; attacks include wiretaps and cable cutting. Layer 2 Data Link: frames between devices on the same network segment, addressed by MAC; ARP and switch attacks live here. Layer 3 Network: packets routed between networks by IP; spoofing and routing attacks live here. Layer 4 Transport: TCP/UDP segments, ports, reliability; SYN floods and port scans live here. Layer 5 Session: managing connections/dialogs. Layer 6 Presentation: encoding, encryption, compression; TLS is often placed around here. Layer 7 Application: HTTP, DNS, SMTP, the data the user cares about; most exploits target here. Do not just memorize the names; remember what data unit and what attacks belong to each.
The OSI model is a 7-layer teaching framework. The TCP/IP model (Link, Internet, Transport, Application) is the 4-layer model actually implemented in the stacks running on every device. They map onto each other: TCP/IP's Application layer covers OSI 5-7, and its Link layer covers OSI 1-2. In interviews and docs you will see both; use OSI to reason about where an attack sits, TCP/IP to describe the real stack.
CIDR notation says how many leading bits are the network portion. Private ranges are not routable on the public internet; NAT translates them to a public IP at the gateway.
192.168.1.0/24 -> 256 addresses, network 192.168.1.0, broadcast .25510.0.0.0/8 -> ~16.7 million addresses (large private range)172.16.0.0/12 -> private range 172.16.0.0 - 172.31.255.255# RFC 1918 private ranges (not routable on the public internet):# 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16# NAT: your router maps many private addresses to one public IP,# which is why your laptop's 192.168.x address is invisible from outside.
Every network interface has a MAC address, a hardware identifier used to deliver frames on the local segment. To send to an IP on the same network, a host needs the matching MAC. ARP (Address Resolution Protocol) asks 'who has 192.168.1.10?' and the owner replies with its MAC, which the asker caches in its ARP table. ARP has no authentication, which is exactly the weakness the ARP spoofing lesson exploits.
Trace a lookup for example.com from nothing cached.
1. Your OS checks its hosts file and local cache; miss.
2. It asks the configured recursive resolver (often your ISP or 1.1.1.1).
3. The resolver asks a root server: 'where is .com?' Root replies with the .com TLD servers.
4. The resolver asks a .com TLD server: 'where is example.com?' It replies with example.com's authoritative servers.
5. The resolver asks the authoritative server for example.com's A record; it returns the IP.
6. The resolver caches the answer for its TTL and returns it to you.
Pick one.
Confusing a MAC address (local, Layer 2, does not cross routers) with an IP address (Layer 3, end to end). Thinking private IPs are 'hidden' for security when NAT is about address exhaustion, not a firewall. Miscounting CIDR (a /24 is 256 addresses, 254 usable hosts). Assuming DNS is instant and infallible; TTLs, caching, and resolver choice all change behavior. Forgetting that the same physical network can carry many logical attacks at different layers at once.
Sign in and purchase access to unlock this lesson.