EPISODE · Nov 14, 2025 · 11 MIN
Course 6 - Network Traffic Analysis for Incident Response | Episode 1: Fundamentals of Networking: The OSI Model and Essential Protocols
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about:
- The core networking concepts required before beginning any network traffic analysis.
- The relationship between the OSI model, low-level protocols, and application-level protocols, and how they shape the behaviour of traffic you’ll examine in a tool like Wireshark.
- How to recognize common protocol behaviours at a high level so you can later understand patterns, anomalies, and security-related findings during analysis.

1. The OSI Model and the Network Stack (high-level foundation)

The OSI model divides networking functionality into structured layers.

Hardware-oriented layers:
- Physical → bits on the wire
- Data Link → frames within a local network

Software-oriented layers relevant for analysis:
- Network (Layer 3) → packets, routing
- Transport (Layer 4) → reliability, ports
- Session / Presentation / Application (Layers 5–7) → how applications encode, manage, and interpret network data

Students should understand the distinctions between bits → frames → packets, because these appear in captures.

2. Base Network Protocols (the building blocks)

IP (Internet Protocol – Layer 3):
- Core packet-forwarding protocol for IPv4/IPv6.
- Manages routing across networks.

TCP (Transmission Control Protocol):
- Ensures reliable delivery: sequencing, acknowledgments, error checking, retransmission.
- Manages connections using ports and a handshake mechanism.

UDP (User Datagram Protocol):
- Connectionless and faster, but offers no delivery guarantees.
- Used when speed and low latency matter more than reliability.

ICMP (Internet Control Message Protocol):
- Sends diagnostic and control messages.
- Used by tools like ping and traceroute.

3. Common Higher-Level Protocols & Security Wrappers (conceptual behaviour)

Protocol | Purpose (High-Level) | Security-Relevant Behaviours (Conceptual Only)
ARP | Resolves IP → MAC within a LAN. | Can be abused conceptually for redirecting traffic.
DNS | Translates domain names to IP addresses. | Commonly targeted for redirection or misdirection attacks.
FTP | Transfers files using ports 20/21. | Weak configurations may allow unauthorized file movement.
HTTP / HTTPS | Web communication. | Frequently analysed due to the large volume of traffic and vulnerabilities.
IRC | Text-based group chat channels. | Historically used in automation and remote coordination systems.
SMTP | Sends email. | High-volume traffic channel; relevant for filtering and monitoring.
SNMP | Network device management. | Misconfigurations can lead to information disclosure.
SSH | Secure, encrypted remote terminal access. | Important for secure administration.
TFTP | Lightweight file transfer on port 69. | Seen in simple or automated device configurations.
TLS | Provides authentication and encryption for other protocols. | Masks traffic contents in both legitimate and illegitimate uses.

Key Takeaways
- Understanding how protocols behave at each OSI layer is essential for interpreting traffic captures.
- Familiarity with the normal patterns of protocols (IP, TCP/UDP, DNS, TLS, etc.) helps analysts later identify unusual or suspicious activity.
- This theoretical module prepares students for the practical phase using tools like Wireshark, where they will analyse real traffic captures in a controlled, educational setting.

You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
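The bits → frames → packets → segments layering from sections 1 and 2, and the TCP/UDP/ICMP and DNS behaviours named in the protocol table, as an added Python example that is not part of the CyberCode Academy lesson: a standard-library-only decoder that walks a raw Ethernet frame through the same layers Wireshark's packet-details pane shows, verifies the IPv4 header checksum, and dispatches to a TCP, UDP or ICMP parser. Every frame it decodes is constructed inline with made-up MAC addresses, private and documentation-range IP addresses and arbitrary port numbers; all function and constant names are my own.

```python
"""Decode a raw Ethernet frame layer by layer: Ethernet (Data Link) -> IPv4 (Network)
-> TCP / UDP / ICMP (Transport). Added example, not from the CyberCode Academy lesson.
All sample frames are constructed inline with made-up MAC and private/documentation
IP addresses; only the Python standard library is used."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ETH_FMT, IPV4_FMT, TCP_FMT, UDP_FMT, ICMP_FMT = "!6s6sH", "!BBHHHBBH4s4s", "!HHIIHHHH", "!HHHH", "!BBH"
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 .. bit 8

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is already
    filled in, the result is 0 exactly when the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ethernet(frame: bytes) -> dict:
    """Layer 2: destination MAC, source MAC, EtherType, then the encapsulated packet."""
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(packet: bytes) -> dict:
    """Layer 3: addresses, TTL, upper-layer protocol number and header integrity."""
    f = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = f[0] >> 4, (f[0] & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version={version})")
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])), "ttl": f[5],
            "protocol": f[6], "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:f[2]]}  # f[2] is the total length: header + L4 data

def parse_tcp(segment: bytes) -> dict:
    """Layer 4 (TCP): ports, sequence numbers and the flags that drive the handshake."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    data_offset = (off_flags >> 12) * 4  # header length in bytes; options may follow the 20 fixed bytes
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload": segment[data_offset:]}

def parse_udp(datagram: bytes) -> dict:
    """Layer 4 (UDP): only ports and a length; no sequencing, no acknowledgements."""
    sport, dport, length, _csum = struct.unpack(UDP_FMT, datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": datagram[8:length]}

def parse_icmp(message: bytes) -> dict:
    """ICMP rides directly on IP (protocol 1); type/code identify e.g. an echo request (8/0)."""
    icmp_type, code, _csum = struct.unpack(ICMP_FMT, message[:4])
    return {"type": icmp_type, "code": code, "payload": message[4:]}

L4_PARSERS = {PROTO_TCP: ("tcp", parse_tcp), PROTO_UDP: ("udp", parse_udp), PROTO_ICMP: ("icmp", parse_icmp)}

def decode_frame(frame: bytes) -> dict:
    """Walk the stack frame -> packet -> segment/datagram/message, stopping at the first layer
    this decoder does not handle (e.g. ARP or IPv6 in the frame, or an unknown IP protocol)."""
    layers = {"ethernet": parse_ethernet(frame)}
    if layers["ethernet"]["ethertype"] != ETHERTYPE_IPV4:
        return layers
    layers["ipv4"] = parse_ipv4(layers["ethernet"]["payload"])
    entry = L4_PARSERS.get(layers["ipv4"]["protocol"])
    if entry:
        name, parser = entry
        layers[name] = parser(layers["ipv4"]["payload"])
    return layers

def build_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Constructed test input: an L4 payload wrapped in a minimal IPv4 header (valid checksum,
    TTL 64, DF set) and an Ethernet header with made-up MAC addresses."""
    fields = [0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
              IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))  # checksum computed with the field zeroed
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + struct.pack(IPV4_FMT, *fields) + l4

# Constructed samples: a TCP SYN to HTTPS, a UDP datagram to DNS (header only), an ICMP echo request.
DNS_HEADER = bytes.fromhex("123401000001000000000000")  # constructed DNS header: ID 0x1234, one question
SAMPLE_TCP_SYN = build_frame("192.168.1.10", "203.0.113.5", PROTO_TCP,
                             struct.pack(TCP_FMT, 51000, 443, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0))
SAMPLE_DNS = build_frame("192.168.1.10", "192.168.1.1", PROTO_UDP,
                         struct.pack(UDP_FMT, 40000, 53, 8 + len(DNS_HEADER), 0) + DNS_HEADER)
SAMPLE_ICMP_ECHO = build_frame("192.168.1.10", "203.0.113.5", PROTO_ICMP,
                               struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")

if __name__ == "__main__":
    for label, frame in [("TCP SYN", SAMPLE_TCP_SYN), ("DNS", SAMPLE_DNS), ("ICMP", SAMPLE_ICMP_ECHO)]:
        layers = decode_frame(frame)
        ip = layers["ipv4"]
        l4 = next(k for k in layers if k not in ("ethernet", "ipv4"))
        print(f"{label}: {ip['src']} -> {ip['dst']} proto={ip['protocol']} "
              f"checksum_ok={ip['checksum_ok']} {l4}={layers[l4]}")
```

Running the file prints one summary line per sample frame: the TCP sample decodes as a SYN to port 443 (the first message of the handshake mentioned in section 2), the UDP sample as a datagram to port 53 carrying the DNS header, and the ICMP sample as an echo request. Flipping a single bit in the IPv4 header turns checksum_ok to False, which is the same kind of header integrity check Wireshark can perform in its IP details; a frame whose EtherType is not IPv4 (an ARP request, for instance) stops at the Ethernet layer, mirroring how an analyst reads the stack one layer at a time.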