CyberCode Academy

Course 13 - Network Forensics | Episode 5: TCP/IP Layers, Data Flow, and Network Tools



In this lesson, you’ll learn about:
  • The fundamentals of protocol analysis and how data flows through network layers
  • The TCP/IP and OSI networking models
  • Encapsulation and decapsulation processes
  • Key Layer 3 and Layer 4 protocols
  • Essential tools for analyzing network traffic, including Wireshark and Nmap
1. Introduction to Protocol Analysis
This lesson provides foundational knowledge of how network communications work, focusing on:
  • The structure and behavior of networking models
  • How data moves across a network
  • How to use analysis tools to understand packet content
The lesson contrasts:
  • The TCP/IP Model (4 layers): Application, Transport, Internet, Network Access
  • The OSI Model (7 layers), widely used in academic settings for conceptual understanding
2. Data Encapsulation and Flow
Encapsulation Explained (“Onion” Model)
As data travels down the network stack:
  • It starts as the original message (the “core” of the onion)
  • Each layer adds its own headers and sometimes trailers
  • These layers wrap the message to form a complete network frame
Layer-by-Layer Wrapping
  • Transport Layer (Layer 4)
    Adds source/destination ports; TCP also adds sequence/acknowledgement numbers and flags (SYN, ACK, FIN, RST), UDP only ports, length and checksum
  • Internet Layer (Layer 3)
    Adds source/destination IP addresses
  • Network Access Layer
    Adds source/destination MAC addresses (e.g., the Ethernet header, with a frame check sequence trailer) and prepares the frame for physical transmission
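The wrapping described above, carried out in code and then reversed, as an added example (not code from the episode). It builds a TCP segment, wraps it in an IPv4 header with a valid header checksum, wraps that in an Ethernet II header, and then parses the frame from the outside in. All addresses, ports and the payload are constructed values; the TCP checksum is left at zero to keep the example short.

```python
"""Encapsulation and decapsulation, layer by layer (added example)."""
import struct

ETH_TYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                src_mac: str, dst_mac: str, flags: int = TCP_PSH | TCP_ACK) -> bytes:
    # Layer 4: 20-byte TCP header, no options. Sequence/ack numbers are constructed
    # values and the TCP checksum is left at 0 (assumption, to keep the example short).
    data_offset_flags = (5 << 12) | flags            # 5 x 32-bit words, then the flag bits
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0,
                      data_offset_flags, 65535, 0, 0)
    segment = tcp + payload

    # Layer 3: 20-byte IPv4 header; checksum computed with the field zeroed, then filled in.
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(segment), 0x1234,
                     0x4000, 64, IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    packet = ip + segment

    # Network access layer: 14-byte Ethernet II header (the NIC appends the FCS trailer).
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_IPV4)
    return eth + packet


def decapsulate(frame: bytes) -> dict:
    """Peel the headers off from the outside in, checking what each layer added."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_IPV4:
        raise ValueError("unsupported EtherType 0x%04x" % eth_type)

    ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != IPPROTO_TCP:
        raise ValueError("unsupported IP protocol %d" % proto)

    tcp_start = 14 + ihl
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", frame[tcp_start:tcp_start + 20])
    data_offset = (off_flags >> 12) * 4
    payload = frame[tcp_start + data_offset:14 + total_len]   # honour IP total length, not frame end
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "flags": off_flags & 0x1FF, "payload": payload,
    }


def is_valid_frame(frame: bytes) -> bool:
    """True if the frame parses cleanly; a corrupted IPv4 header fails the checksum."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an HTTP request from a private host to a documentation-range address.
    frame = encapsulate(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                        "192.168.1.10", "203.0.113.7", 51234, 80,
                        "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02")
    print("Ethernet :", frame[:14].hex())
    print("IPv4     :", frame[14:34].hex())
    print("TCP      :", frame[34:54].hex())
    print("payload  :", frame[54:])
    print(decapsulate(frame))
```

The three hex lines printed by the script are exactly the bytes you would see highlighted in Wireshark's hex dump when clicking the Ethernet, IP and TCP rows of the protocol tree; the payload slice uses the IP total length rather than the frame length, so Ethernet padding on short frames is not mistaken for application data.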
At the receiving end, the layers are removed one by one (decapsulation) until the original message reaches the Application Layer.
3. Key Network Layers and Protocols
A. Layer 3 – Internet Layer / IP
Layer 3 is responsible for addressing and routing.
Core Functions
  • Identifying devices using unique IP addresses
  • Adding source/destination IPs to each packet
  • Determining routing paths across networks
IP Addressing Concepts
  • IPv4 addresses are 32 bits written as 4 octets (8 bits each → 0–255)
  • Five address classes (A–E) were defined historically; classless addressing (CIDR) has replaced them
  • Private (RFC 1918) ranges, not routable on the public Internet, include:
    • 10.x.x.x (10.0.0.0/8)
    • 172.16.x.x – 172.31.x.x (172.16.0.0/12)
    • 192.168.x.x (192.168.0.0/16)
Subnetting and CIDR
  • Subnet Mask: like a zip code, it marks which bits of an address identify the network and which identify the host, and so defines network boundaries
  • CIDR / Slash Notation (e.g., /24, /12) provides flexible subnetting
  • Helps efficiently allocate IP space
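The addressing and subnetting rules above, worked through with Python's standard-library ipaddress module, as an added example (not code from the episode). It checks the three RFC 1918 blocks explicitly, converts a dotted-decimal mask to slash notation (the form Nmap's target specification expects), derives network, mask, broadcast address and usable host count, and splits a block into smaller subnets. The addresses are constructed inputs.

```python
"""IPv4 addressing, private ranges and CIDR with the ipaddress module (added example)."""
import ipaddress

# The three RFC 1918 private blocks named in the lesson, as CIDR networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """'rfc1918' for the lesson's private ranges, 'special' for other non-routable
    space (loopback, link-local, ...), 'public' for globally routable addresses.
    ipaddress.is_private is broader than RFC 1918, so the three blocks are
    checked explicitly before falling back on it."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_private:                    # also true for 127.0.0.0/8, 169.254.0.0/16, etc.
        return "special"
    return "public"


def to_cidr(addr: str, netmask: str) -> str:
    """Dotted-decimal mask -> slash notation, e.g. ('192.168.1.0', '255.255.255.0') -> '192.168.1.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))


def summarize(network: str) -> dict:
    """Network address, mask, broadcast and host count for a CIDR or addr/mask string.
    strict=False lets a host address stand in for its network (10.1.2.3/24 -> 10.1.2.0/24)."""
    net = ipaddress.ip_network(network, strict=False)
    # /31 point-to-point links and /32 hosts have no separate network/broadcast addresses
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),   # the one-to-everyone address of the subnet
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts share a subnet when their network parts match under the same mask."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def split(network: str, new_prefix: int) -> list:
    """Carve a block into equal subnets, e.g. a /24 into four /26 networks."""
    return [str(sub) for sub in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for addr in ("10.255.0.1", "172.31.255.254", "172.32.0.1", "127.0.0.1", "8.8.8.8"):
        print(f"{addr:16} {classify(addr)}")
    print(to_cidr("192.168.1.0", "255.255.255.0"))
    print(summarize("172.20.5.77/255.255.240.0"))
    print(same_subnet("192.168.1.10", "192.168.2.10", 24), same_subnet("192.168.1.10", "192.168.2.10", 16))
    print(split("192.168.1.0/24", 26))
```

Note that 172.32.0.1 is classified as public: the 172 private block covers only 172.16.0.0 through 172.31.255.255, a boundary that is easy to get wrong when eyeballing captures.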
Types of IP Transmission
  • Unicast – one-to-one
  • Broadcast – one-to-everyone on the local subnet (sent to the subnet's broadcast address; routers do not forward it)
  • Multicast – one-to-a specific group
B. Layer 4 – Transport Layer / TCP & UDP
Layer 4 provides end-to-end communication between processes on two hosts.
TCP (Transmission Control Protocol)
  • Reliable, connection-oriented
  • Ensures ordered delivery and handles retransmissions
  • Uses the three-way handshake: SYN → SYN-ACK → ACK
  • Graceful shutdown: each side sends FIN and the other acknowledges it with ACK (four segments in total); an RST aborts the connection immediately
UDP (User Datagram Protocol)
  • Lightweight, connectionless
  • Suitable for quick bursts of data (e.g., streaming, gaming)
Ports and Sockets
  • Ports = “lanes on a highway” for different services (e.g., port 80 for HTTP)
  • Sockets combine IP + Port to identify one endpoint; a connection is identified by the pair of sockets (source IP/port and destination IP/port) plus the protocol
    • Works with both TCP and UDP
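The handshake, teardown and socket-pair identification described in this section, turned into a small state tracker, as an added example (not code from the episode). Each packet in the constructed trace is written as (src_ip, src_port, dst_ip, dst_port, flags, payload_bytes) with tcpdump-style flag letters (S=SYN, A=ACK, F=FIN, R=RST, P=PSH); the IP addresses and ports are constructed values. The trace also contains a SYN answered by RST (the closed-port reply a scanner sees) and a connection whose handshake the capture missed.

```python
"""Follow TCP connection state from the flags on each segment (added example)."""


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """A connection is identified by its two sockets (IP + port on each side);
    sorting them maps both directions of one conversation to a single key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def track_sessions(packets):
    """Return {flow_key: session} after replaying the packets through a
    simplified TCP state machine (handshake, data, FIN/ACK teardown, RST)."""
    sessions = {}
    for src_ip, sport, dst_ip, dport, flags, length in packets:
        key = flow_key(src_ip, sport, dst_ip, dport)
        s = sessions.setdefault(key, {"state": "NEW", "client": None, "fins": set(),
                                      "bytes": 0, "packets": 0})
        s["packets"] += 1
        s["bytes"] += length
        f = set(flags)
        sender = (src_ip, sport)

        if "R" in f:                                   # reset aborts whatever state we were in
            s["state"] = "RESET"
        elif s["state"] == "NEW" and f == {"S"}:
            s["state"] = "SYN_SENT"                    # step 1: SYN from the initiator
            s["client"] = sender
        elif s["state"] == "SYN_SENT" and {"S", "A"} <= f and sender != s["client"]:
            s["state"] = "SYN_RECEIVED"                # step 2: SYN-ACK from the responder
        elif s["state"] == "SYN_RECEIVED" and "A" in f and "S" not in f and sender == s["client"]:
            s["state"] = "ESTABLISHED"                 # step 3: final ACK completes the handshake
        elif s["state"] in ("ESTABLISHED", "FIN_WAIT") and "F" in f:
            s["fins"].add(sender)                      # each side sends its own FIN ...
            s["state"] = "CLOSED" if len(s["fins"]) == 2 else "FIN_WAIT"   # ... both seen = closed
        elif s["state"] == "NEW":
            s["state"] = "MIDSTREAM"                   # no handshake in the capture: it started late
    return sessions


# Constructed trace: one full HTTP connection, one scan probe hitting a closed port,
# and one connection that was already open when the capture began.
CLIENT, SERVER, SCANNER = "192.168.1.10", "203.0.113.7", "10.0.0.9"
TRACE = [
    (CLIENT, 51234, SERVER, 80, "S", 0),
    (SERVER, 80, CLIENT, 51234, "SA", 0),
    (CLIENT, 51234, SERVER, 80, "A", 0),
    (CLIENT, 51234, SERVER, 80, "PA", 120),    # request
    (SERVER, 80, CLIENT, 51234, "PA", 800),    # response
    (CLIENT, 51234, SERVER, 80, "FA", 0),      # client closes its side
    (SERVER, 80, CLIENT, 51234, "FA", 0),      # server closes its side
    (CLIENT, 51234, SERVER, 80, "A", 0),       # final ACK
    (SCANNER, 40000, CLIENT, 22, "S", 0),      # SYN probe to port 22
    (CLIENT, 22, SCANNER, 40000, "RA", 0),     # RST: nothing listening there
    (CLIENT, 51300, SERVER, 443, "PA", 64),    # data with no handshake in this capture
]

if __name__ == "__main__":
    for (a, b), s in track_sessions(TRACE).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {s['state']:12} "
              f"packets={s['packets']} bytes={s['bytes']} initiator={s['client']}")
```

Keying on the sorted socket pair is what lets a single dictionary entry absorb both directions of a conversation; the same idea underlies Wireshark's conversation view and Zeek's conn.log.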
4. Protocol Analysis Tools
A. Wireshark
A powerful packet analysis tool used to inspect and dissect network traffic.
Key Features
  • Captures packets (“network sniffing”)
  • Allows deep packet inspection
  • Supports protocol tree view (mapped to OSI layers)
  • Provides a hex dump showing raw data
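What Wireshark does when you reassemble a conversation and export the object it carried, reproduced on a constructed capture, as an added example (not Wireshark's code). The server side of an HTTP response is given as (sequence_number, payload) segments that arrived out of order, with an exact and an overlapping retransmission; the code rebuilds the byte stream, stops at a gap instead of inventing bytes, and carves the file out of the HTTP body with its Content-Length and hash. The response, ISN and segment boundaries are all constructed.

```python
"""Follow one direction of a TCP stream and carve the transferred file (added example)."""
import hashlib

# Constructed sample: the server's half of one HTTP exchange, initial sequence number 1000.
ISN = 1000
BODY = b"#!/bin/sh\necho hi\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/x-sh\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
SEGMENTS = [                                   # capture order, deliberately messy
    (ISN + 1 + 30, RESPONSE[30:80]),           # arrives before the first segment
    (ISN + 1, RESPONSE[:30]),
    (ISN + 1, RESPONSE[:30]),                  # exact retransmission
    (ISN + 1 + 20, RESPONSE[20:50]),           # retransmission overlapping two segments
    (ISN + 1 + 80, RESPONSE[80:]),
]


def reassemble(segments, isn):
    """Rebuild the byte stream in sequence-number order. Duplicates are dropped,
    overlaps trimmed, and reassembly stops at the first gap (a segment the capture
    missed) rather than inventing bytes; the gap is reported to the caller."""
    stream = bytearray()
    next_seq = isn + 1                            # the SYN consumed one sequence number
    gaps = []
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= next_seq:
            continue                              # already have every byte of this one
        if seq > next_seq:
            gaps.append((next_seq, seq))          # missing bytes [next_seq, seq)
            break
        stream += payload[next_seq - seq:]        # trim the overlapping prefix
        next_seq = end
    return bytes(stream), gaps


def carve_http_body(stream):
    """Split HTTP headers from the body and check Content-Length, as Export Objects does."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP headers incomplete")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    body = rest[:length]
    return {
        "content_type": headers.get(b"content-type", b"").decode(),
        "body": body,
        "complete": len(body) == length,          # a short body means the capture is truncated
        "sha256": hashlib.sha256(body).hexdigest(),   # hash the artefact before handling it
    }


if __name__ == "__main__":
    stream, gaps = reassemble(SEGMENTS, ISN)
    print("gaps:", gaps)
    print(stream.decode())
    obj = carve_http_body(stream)
    print(obj["content_type"], "complete" if obj["complete"] else "TRUNCATED", obj["sha256"])
    # Same capture with the last segment lost: the carved object is reported incomplete.
    partial, _ = reassemble(SEGMENTS[:-1], ISN)
    print("last segment missing ->", carve_http_body(partial)["complete"])
```

The gap handling is the point to notice: a reassembler that silently concatenates across missing segments produces a file that looks whole but is not, and the hash you record for it will never match the sample on the victim host.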
Wireshark can even reconstruct data streams (Follow TCP Stream) and extract file content from packet captures (File → Export Objects).
B. Nmap (Network Mapper)
A widely used open-source tool for network discovery and service enumeration.
What Nmap Can Identify
  • Port states (open, closed, filtered; plus unfiltered, open|filtered and closed|filtered when a scan type cannot tell them apart)
  • Operating system fingerprints
  • Service versions
  • Network topology
Nmap target specification accepts:
  • CIDR notation (e.g., 192.168.1.0/24, 10.0.0.0/22)
  • Octet ranges (e.g., 192.168.1.0-255)
  • Note: a dotted-decimal mask such as 255.255.255.0 is not accepted directly; convert it to its CIDR prefix (/24) first


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
By CyberCode Academy