This month starts a new series examining how packet sniffers can aid in network troubleshooting. But first, we need a solid understanding of network packets, which make up all the network information and traffic. This kickoff column will help us get synchronized on their definition, how they’re built and disassembled, and how they gain access to the network [1] so we can get the most out of a preeminent packet sniffer. It’s called Wireshark and we’ll be examining its troubleshooting capabilities.

You may have noticed that people often apply network terms loosely. I am part of that crowd, as I use the term packet for all levels of network communication. However, there are officially defined terms for “packets” at each level of the Open Systems Interconnection (OSI) reference model, as shown in Table 1. If you’re dealing with someone who sticks to the official terminology, it can be beneficial to know these terms.

OSI Model

We’ll start the packet definition with the OSI reference model. The OSI model is best used as a network function viewer. By aligning any network operating system (NOS) with the layers of the OSI model, you can quickly determine the functions of the NOS protocols.

The OSI model is a theoretical model that characterizes and standardizes the internal functions of a network communication system by partitioning it into seven logical layers [2]. Each layer serves the layer above it and is served by the layer below it. For example, layer 4 can provide error-free communications across a network and furnish the right path needed by an application above it. Layer 4 calls on the next lowest layer to send and receive packets.

It’s important to know what’s going on at each of the 7 layers and why this information is included in a discussion on packet sniffers. One way to memorize the names of the layers is to use a mnemonic device. For healthcare technology management professionals, a good one is Please Do Not Throw Sausage Pizza Away, where the first letter of each word represents one of the layers. P stands for the physical layer, D for the data link layer, N for the network layer, T for transport, S for session, P for presentation, and A for the application layer. If you ever plan on taking the CompTIA Network+ test, you’ll need to know these layers.

Take a look at Table 1. Layer 1 is at the bottom and called the Physical layer—it’s the direct connection to the wire or the airwaves (in the case of wireless networking). The network data packet here looks like a series of voltages representing the 1s and 0s of the bit stream. Layer 2 is the Data Link layer, where Ethernet resides and operates. It’s the only layer divided into two sublayers, which we’ll cover again further down.

Layer 3, the Network layer, is where the Internet Protocol or IP resides. It is also where Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) packets do their routing work. Layer 4, the Transport layer, is where the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) reside and operate. We’ll get more into the difference between TCP and UDP in part 2 of this series.

Layer 5 is the Session layer. It sets up the dialogue and overall connection for the length of the communication session. Networks need to keep the session alive and active while they transfer all the packets required for a complete file transfer. The maximum data payload at layer 2 is limited to ~1,500 bytes. Therefore, almost every file that’s sent needs to be broken down into many pieces. We’ll cover this aspect in more detail in the next installment of Networking.

At layer 6, the Presentation layer, the network nodes need to define the messaging syntax using coding such as ASCII. Encryption may be used here as well. The Presentation layer is a busy place. This layer establishes the data syntax, but its main job is to translate the data format for and from its host. If I’m using a data format that I know my receiving node doesn’t have, I can provide translation here.

The Application layer is at the top of the OSI model. Layer 7 is where the application interface operates. Also known as the app socket, it’s the final connection to the receiving application, like Microsoft Outlook for email or the ultimate destination of transmitted files.

The final piece, Layer 8, is not actually part of the OSI model. It’s what is sometimes unofficially referred to as the “wet layer,” or human end user. Hackers often prey on the wet layer as one way of phishing for login credentials [3].

Again, Table 1 shows the seven layers, including each one’s common protocols. BMETs are sometimes located in the basement, so it makes sense to me that they’re going to look at the layers from the bottom up. Remember, Please Do Not Throw Sausage Pizza Away: Physical, Data link, Network, Transport, Session, Presentation, Application. If you’re an IT person, you might look at things from the top down. An acronym you might use is: All People Seem To Need Data Processing.


As mentioned earlier, the Data Link layer has two sublayers: Media Access Control (MAC) and Logical Link Control (LLC). Ethernet resides and operates at the Data Link layer. The MAC sublayer is responsible for getting the data on and off the wire. The LLC is where the Ethernet network arbitration flowchart (the software portion of media access) functions, showing how to get data packets on and off the wire. This process is often referred to as multiplexing onto a multiaccess media.

Imagine a gray line between the sublayers. This is the dividing line between the network hardware and software. The MAC sublayer connects with the Physical layer to define the network hardware. Everything above the gray line defines LLC and the rest of the network software.


To review, the Physical layer identifies the medium for the transfer of the signal, whether or not the system uses wires. The Data Link layer is the method for getting data on and off the media. The Network layer is mainly used to identify your location on the wide area network, as in IP addresses. It’s also where routers exchange routing information. The Transport layer deals with how we’re transferring the information pieces, either through a connection-oriented protocol like TCP or a connectionless routine like UDP. The Session layer defines the communication and how long we’ll need to keep this connection going. There’s a lot going on within the Presentation layer, but its main job is to define the data format and encoding. Finally, at the top Application layer, connection and access to the application is stipulated.
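The layering reviewed above can be seen by taking one captured frame apart from the bottom up, which is what a packet sniffer does for every packet it displays. The following Python sketch is an added example, not part of the original column: it dissects a constructed Ethernet II / IPv4 / UDP frame (the MAC addresses, IP addresses, and ports are made-up sample values) and labels each layer with the conventional name for its unit of data.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_sample_frame():
    """Constructed sample: Ethernet II / IPv4 / UDP with a 5-byte payload."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 50000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),   # documentation-range addresses
                     socket.inet_aton("192.0.2.20"))   # checksums left 0: not verified here
    eth = bytes.fromhex("02000000000b02000000000a") + struct.pack("!H", 0x0800)
    return eth + ip + udp

def dissect(frame):
    """Return (OSI layer, unit name, summary) for each layer found, bottom up."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = [("Data Link", "frame", f"{mac(src)} -> {mac(dst)}")]
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return layers                      # not IPv4, or header cut short
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers.append(("Network", "packet",
                   f"{socket.inet_ntoa(ip[12:16])} -> {socket.inet_ntoa(ip[16:20])}"))
    l4 = ip[ihl:total_len]                 # drop any Ethernet padding
    if ip[9] == 6 and len(l4) >= 20:       # protocol 6 = TCP
        name, unit, hdr = "TCP", "segment", (l4[12] >> 4) * 4
    elif ip[9] == 17 and len(l4) >= 8:     # protocol 17 = UDP
        name, unit, hdr = "UDP", "datagram", 8
    else:
        return layers
    sport, dport = struct.unpack("!HH", l4[:4])
    layers.append(("Transport", unit, f"{name} {sport} -> {dport}"))
    layers.append(("Session/Presentation/Application", "data",
                   f"{max(len(l4) - hdr, 0)} bytes"))
    return layers

if __name__ == "__main__":
    for layer, unit, summary in dissect(build_sample_frame()):
        print(f"{layer:<34}{unit:<10}{summary}")
```

The Physical layer does not appear in the output because a capture file already holds decoded bytes, not the voltages on the wire.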

In the next installments, we’ll cover network packet architecture so we can recognize what the Wireshark packet sniffer is telling us. In the final installment, we’ll clarify not only packet building and disassembly but also how data moves on the network infrastructure. Stay tuned!

Jeff Kabachinski is a healthcare IT pundit and technical strategist in Davidson, NC. For more information, contact chief editor Jenny Lower at [email protected]


1. Sanders, C. (2011). Practical Packet Analysis. No Starch Press.
2. Wilkins, S. (2011, November 22). OSI and TCP/IP Model Layers. Retrieved from
3. OSI Reference Model Layer Summary. (2016, February 27). Retrieved from The TCP/IP Guide:
