EPISODE · Dec 10, 2025 · 14 MIN
Course 13 - Network Forensics | Episode 5: TCP/IP Layers, Data Flow, and Network Tools
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about:
- The fundamentals of protocol analysis and how data flows through network layers
- The TCP/IP and OSI networking models
- Encapsulation and decapsulation processes
- Key Layer 3 and Layer 4 protocols
- Essential tools for analyzing network traffic, including Wireshark and Nmap

1. Introduction to Protocol Analysis

This lesson provides foundational knowledge of how network communications work, focusing on:
- The structure and behavior of networking models
- How data moves across a network
- How to use analysis tools to understand packet content

The lesson contrasts:
- The TCP/IP Model (4 layers): Application, Transport, Internet, Network Access
- The OSI Model (7 layers), widely used in academic settings for conceptual understanding

2. Data Encapsulation and Flow

Encapsulation Explained (“Onion” Model)

As data travels down the network stack:
- It starts as the original message (the “core” of the onion)
- Each layer adds its own headers and sometimes trailers
- These layers wrap the message to form a complete network frame

Layer-by-Layer Wrapping
- Transport Layer (Layer 4): Adds source/destination ports and TCP flags
- Internet Layer (Layer 3): Adds source/destination IP addresses
- Network Access Layer: Adds MAC addresses and prepares data for physical transmission

At the receiving end, layers are removed one by one (decapsulation) until the message reaches the Application Layer.

3. Key Network Layers and Protocols

A. Layer 3 – Internet Layer / IP

Layer 3 is responsible for addressing and routing.

Core Functions
- Identifying devices using unique IP addresses
- Adding source/destination IPs to each packet
- Determining routing paths across networks

IP Addressing Concepts
- IP addresses use 4 octets (8 bits each → 0–255)
- Five IP address classes are defined historically
- Private IP ranges include:
  - 10.x.x.x
  - 172.16.x.x – 172.31.x.x
  - 192.168.x.x

Subnetting and CIDR
- Subnet Mask: Similar to a zip code that defines network boundaries
- CIDR / Slash Notation (e.g., /24, /12) provides flexible subnetting
- Helps efficiently allocate IP space

Types of IP Transmission
- Unicast – one-to-one
- Broadcast – one-to-everyone on the network
- Multicast – one to a specific group

B. Layer 4 – Transport Layer / TCP & UDP

Layer 4 provides end-to-end communication.

TCP (Transmission Control Protocol)
- Reliable, connection-oriented
- Ensures ordered delivery and handles retransmissions
- Uses the three-way handshake: SYN → SYN-ACK → ACK
- Session shutdown uses the FIN–ACK process

UDP (User Datagram Protocol)
- Lightweight, connectionless
- Suitable for quick bursts of data (e.g., streaming, gaming)

Ports and Sockets
- Ports = “lanes on a highway” for different services (e.g., port 80 for HTTP)
- Sockets combine IP + Port to identify unique connections
- Works with both TCP and UDP

4. Protocol Analysis Tools

A. Wireshark

A powerful packet analysis tool used to inspect and dissect network traffic.

Key Features
- Captures packets (“network sniffing”)
- Allows deep packet inspection
- Supports protocol tree view (mapped to OSI layers)
- Provides a hex dump showing raw data

Wireshark can even reconstruct data streams and extract file content from packet captures.

B. Nmap (Network Mapper)

A widely used open-source tool for network discovery and service enumeration.

What Nmap Can Identify
- Port states (open, closed, filtered)
- Operating system fingerprints
- Service versions
- Network topology

Nmap understands both:
- Traditional subnet masks
- CIDR notation (e.g., /24, /22)

You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
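
The decapsulation flow from section 2, as an added example that is not part of the original episode notes: a Python function that peels the Network Access, Internet and Transport headers off a single Ethernet II frame, the same fields Wireshark's protocol tree shows. The frame is constructed for illustration (checksums left at zero), and the names build_sample_frame, fmt_mac and decapsulate are hypothetical.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def build_sample_frame(payload=b""):
    """Constructed Ethernet II + IPv4 + TCP SYN frame (checksums left at zero)."""
    eth = bytes.fromhex("aabbccddeeff" "112233445566") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("10.0.0.5"))
    return eth + ip + tcp + payload

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decapsulate(frame):
    """Peel Network Access, Internet and Transport headers off one frame."""
    # Network Access layer: destination MAC, source MAC, EtherType.
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Internet layer: header length and total length bound the packet, so
    # Ethernet padding after the IP datagram is not mistaken for payload.
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    if ip[9] != 6:
        raise ValueError("not TCP")
    # Transport layer: ports, data offset and flag bits.
    seg = ip[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    if not 20 <= data_off <= len(seg):
        raise ValueError("bad TCP data offset")
    return {"src_mac": fmt_mac(src), "dst_mac": fmt_mac(dst),
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "src_port": sport, "dst_port": dport,
            "flags": [name for bit, name in TCP_FLAGS if seg[13] & bit],
            "payload": seg[data_off:]}
```

Calling decapsulate(build_sample_frame(b"hello")) returns the MAC addresses, IP addresses, ports, the SYN flag and the payload as a dictionary; length checks at each layer reject truncated captures instead of misreading them.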