The OSI and TCP/IP Models
The OSI model is a conceptual framework for understanding how network communication works. Seven layers, each with a specific responsibility. Knowing which layer an attack operates at tells you where to look for detection opportunities and where defences are weak. ARP poisoning is Layer 2. IP spoofing is Layer 3. TCP session hijacking is Layer 4. HTTP injection is Layer 7.
The TCP/IP model collapses OSI into four layers and reflects how actual network stacks are implemented. Application (OSI 7/6/5), Transport (OSI 4), Internet (OSI 3), Network Access (OSI 2/1). When you're troubleshooting a connection issue or analysing traffic in a packet capture, thinking in terms of these layers helps you isolate where the problem sits.
Security at Each Layer
L2: ARP spoofing, MAC flooding. L3: IP spoofing, route injection. L4: SYN floods, port scanning, TCP hijacking. L7: injection attacks, authentication bypass, session fixation. Defence-in-depth means controls at every layer: perimeter firewalls alone aren't enough because they only see L3/4 and miss most L7 attacks.
IP Addressing and Subnetting
Subnetting is the practice of dividing an IP address space into smaller segments. CIDR notation combines the IP address with the prefix length: 192.168.1.0/24 means the first 24 bits are the network portion, leaving 8 host bits, i.e. 256 addresses of which 254 are usable (the network and broadcast addresses are reserved). A /24 is the same size as a classful Class C network, a /16 matches a Class B, and a /32 is a single host.
For security work, reading a subnet correctly tells you which hosts are reachable from where. A machine on 10.10.10.0/24 cannot communicate directly with a host on 10.10.20.0/24 without routing. Understanding this drives your pivot strategy — you need to identify what subnets your pivot host can see on each interface.
ip addr show
ip route show
arp -a
cat /proc/net/fib_trie | grep -E '32 HOST|host'
ss -tlnp
ARP and TCP
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network segment. When your machine wants to send a packet to an IP on the same subnet, it broadcasts "who has this IP?" and the owner responds with its MAC address. The problem: ARP has no authentication. Any machine can claim any IP. ARP poisoning exploits this — send fake ARP responses to both victim machines and route their traffic through you. This is the foundation of on-path attacks inside local networks.
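Because ARP replies are unauthenticated, the practical defensive check is to watch the replies on a segment and flag any IP that is claimed by more than one MAC. The following is an added example, not part of the original notes: it decodes raw ARP payloads (RFC 826 layout) and runs that conflict check over constructed sample traffic; the addresses and MACs are invented for illustration.

```python
import struct
from collections import defaultdict

# ARP payload for Ethernet/IPv4 (RFC 826), 28 bytes:
# htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode one ARP payload into a dict; raise ValueError if malformed."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"op": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def find_conflicts(payloads):
    """Record which MACs claim each IP in ARP replies; any IP with >1 MAC is a conflict."""
    claims = defaultdict(set)
    for p in payloads:
        rec = parse_arp(p)
        if rec["op"] == ARP_REPLY:
            claims[rec["sender_ip"]].add(rec["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_arp(op, sha, spa, tha, tpa):
    """Pack an ARP payload; used here only to construct the sample traffic below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))

# Constructed sample: the gateway 10.10.10.1 answers a host, the host answers back,
# then a second MAC replies claiming the gateway's IP (the poisoning pattern).
SAMPLE = [
    build_arp(2, "00:11:22:33:44:01", "10.10.10.1", "00:11:22:33:44:50", "10.10.10.50"),
    build_arp(2, "00:11:22:33:44:50", "10.10.10.50", "00:11:22:33:44:01", "10.10.10.1"),
    build_arp(2, "de:ad:be:ef:00:99", "10.10.10.1", "00:11:22:33:44:50", "10.10.10.50"),
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE).items():
        print(f"ALERT: {ip} claimed by {', '.join(macs)}")
```

In a live deployment the payloads would come from a packet capture of EtherType 0x0806 frames; the logic is the same as what tools like arpwatch apply.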
TCP is connection-oriented: it establishes a session with a three-way handshake (SYN, SYN-ACK, ACK) before any data is exchanged. The sequence numbers in TCP packets are how the operating system tracks which data has been received and in what order. TCP scanning exploits the handshake — a SYN scan sends a SYN and reads the response without completing the connection.