Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Networking from signalling to subnetting for digital forensic examiners in India: OSI vs TCP/IP, IPv4 classes and CIDR, IPv6 SLAAC, MAC addressing, switching, routing, Wi-Fi 7, and which header fields survive each layer of a packet capture under CERT-In's 180-day log retention rule.
A packet capture is only as useful as the examiner's understanding of what each byte in it means. Every PCAP an investigator opens at a state cyber cell carries seven layers of nested headers, and a defence counsel under BSA Section 63 will ask why a destination MAC, a source IP, a TCP sequence number and a TLS Server Name Indication can all be trusted as belonging to the same conversation. The answer lives in the OSI model, the TCP/IP stack that runs the real world, and the addressing rules that govern who can talk to whom. Get those wrong and the rest of network forensics collapses.
This topic is the digital forensics networking foundation, written for an examiner who already knows what a hard disk is and now needs to read traffic. It walks signalling through subnetting through routing, with the Indian operational frame layered on top: CERT-In Direction 2022 mandates 180 days of mandatory log retention for service providers, VPNs and data centres, and those logs are what the digital forensic examiner has to interpret when the case lands. The Wi-Fi standards, MAC address handling, and IPv6 transitions covered here feed directly into the wireless attack topic and the live packet capture topic.
Before the first OSI layer, there are volts on a wire.
Every network conversation begins as a physical signal. Two coding choices govern that signal. Digital signalling represents data as discrete voltage levels (a Manchester-encoded Ethernet frame, a NRZ-L on a serial line); analog signalling represents data as a continuously varying waveform (the legacy POTS line that still feeds many Indian rural exchanges, the DOCSIS RF carrier on a cable modem). Digital is what every modern LAN runs because it tolerates noise far better and lets the receiver re-time itself from the bit clock.
The second axis is baseband vs broadband. Baseband uses the entire medium for a single signal at a time, the way 10BASE-T, 100BASE-TX, 1000BASE-T and 10GBASE-T do; "BASE" in those names is literally short for baseband. Broadband frequency-divides the same medium so multiple signals run in parallel on different sub-carriers, the way DOCSIS cable, ADSL, and OFDMA-based Wi-Fi 6 do. A forensic examiner cares about the distinction because a broadband medium produces independent per-channel error and timing data that an attacker can use to fingerprint a device.
Latency, the round-trip time between two endpoints, is the second performance metric the examiner reads off a capture. On a healthy domestic Jio Fiber link in Mumbai an ICMP RTT to an AWS Mumbai region endpoint sits at around 4 to 8 ms; on a 4G LTE link in a Bengaluru suburb the same ping is 35 to 60 ms; on a satellite link it climbs to 600 ms or more. Jitter is the standard deviation of those RTTs and is what makes a real-time voice call collapse before bandwidth does. The bps unit is bits per second (lowercase b); Bps is bytes per second (uppercase B). An ISP advertises in bps; a file transfer reports in Bps. The factor of eight between them turns up in court transcripts when a defence expert tries to argue an upload was impossibly fast.
Seven layers of headers, seven chances to identify the actor.
The OSI model partitions network function into seven layers. It is a reference, not a protocol; the actual internet runs on the four-layer TCP/IP stack, but the seven-layer breakdown is how every textbook, every wire-shark dissector pane, and every the standard textbook chapter labels what it is looking at.
| # | Layer | Function | Example protocols | Forensic artefact |
|---|---|---|---|---|
| 7 | Application | User-facing protocol logic | HTTP, HTTPS, FTP, SMTP, DNS, SSH | URLs, mail headers, TLS SNI, DNS QNAMEs |
| 6 | Presentation | Encoding, encryption, compression | TLS, ASN.1, JPEG, gzip | Cipher suite, certificate chain, JA3 hash |
| 5 | Session | Dialogue control between hosts | NetBIOS, RPC, SOCKS, QUIC initial | Session IDs, RPC method names |
| 4 |
What the internet actually runs.
The internet does not run OSI; it runs TCP/IP, a four-layer stack defined by the IETF before OSI was finalised and still the only one that ships in every operating system. The TCP/IP layers map cleanly onto OSI for analysis but combine functions the OSI model splits apart.
32 bits ran out in 2011; CIDR is what kept the lights on.
IPv4 is a 32-bit address written as four dotted decimal octets, giving a theoretical 4.29 billion addresses. The original 1981 design split that space into classes by the high-order bits. Class A (0.0.0.0 to 127.255.255.255) gave a /8 to organisations like the US Department of Defense, Apple and MIT; Class B (128.0.0.0 to 191.255.255.255) gave a /16; Class C (192.0.0.0 to 223.255.255.255) gave a /24; Class D (224.0.0.0 to 239.255.255.255) is multicast; Class E (240.0.0.0 to 255.255.255.255) is reserved. The classful scheme wasted enormous swathes of address space because organisations got far more addresses than they needed.
CIDR replaced classes in 1993. The CIDR notation 203.0.113.0/24 means the first 24 bits are the network prefix and the remaining 8 bits are the host portion, yielding 256 addresses of which 254 are usable (the first is the network address, the last is the broadcast). The mask 255.255.255.0 is the dotted-decimal equivalent of /24. CIDR allowed prefix lengths between the old class boundaries, so a /22 (1022 hosts) or a /28 (14 hosts) became routine, and address allocation tightened to actual need.
| Prefix | Mask | Hosts | Typical use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | Legacy Class A (10.0.0.0/8 private) |
| /16 | 255.255.0.0 | 65,534 | Large campus, RFC 1918 172.16/12 chunks |
| /22 |
128 bits, no NAT, and a different forensic story.
IPv6 is 128 bits wide, written as eight groups of four hex digits separated by colons. A double colon :: once per address compresses consecutive zero groups. The address 2001:0db8:0000:0000:0000:0000:0000:0001 becomes 2001:db8::1. The address space is 3.4 times 10 to the 38th, enough that exhaustion is no longer the operational concern.
| Prefix | Scope | Purpose | Forensic note |
|---|---|---|---|
| 2000::/3 | Global unicast | Public, routable internet address | Equivalent to a public IPv4 address; logged at carrier |
| fe80::/10 | Link-local | Auto-configured per interface; not routed | Always present on every IPv6 interface; revealed by NDP |
| fc00::/7 (fd00::/8 in practice) | Unique local | Private organisation use; not routable globally | IPv6 equivalent of RFC 1918 |
| ff00::/8 | Multicast | One-to-many delivery | Replaces IPv4 broadcast; e.g. ff02::1 is all-nodes link-local |
Layer 2 is hardware; Layer 3 is software; the box can be either.
A MAC address is 48 bits, usually written as six pairs of hex digits separated by colons or hyphens (a4:83:e7:1c:9d:42). The first three octets (24 bits) are the OUI, the Organisationally Unique Identifier the IEEE assigns to a vendor: 00:1a:11 is Google, a4:83:e7 is Apple, f0:18:98 is Lenovo. Wireshark's OUI lookup, drawn from the IEEE OUI registry, resolves the prefix to a vendor in the packet pane. The second three octets are the vendor's serial. Two bits in the first octet matter: the I/G bit distinguishes unicast (0) from multicast (1); the U/L bit distinguishes universally administered (0, IEEE-assigned) from locally administered (1, software-set). Privacy MAC randomisation in modern phones flips the U/L bit and generates a fresh random MAC per SSID, which is why a captured probe request from a 2023+ iPhone usually shows a locally administered MAC rather than the device's burned-in OUI.
Network hardware splits along OSI layers:
Where the network lives and how fast it runs.
Networks classify by geographic scope: PAN (personal area, Bluetooth, a few metres), LAN (local, a building or campus), CAN (campus, multiple buildings), MAN (metropolitan, city-scale, often fibre rings), WAN (wide area, MPLS, SD-WAN, the internet), SAN (storage area, Fibre Channel or iSCSI, a data centre fabric). The Indian National Knowledge Network is a MAN-spanning-to-WAN academic backbone reaching every IIT, IIIT, IISc and central university.
Topologies describe physical or logical arrangement. Bus (a single shared cable, the old 10BASE2 thinnet) is dead. Ring (Token Ring, FDDI) is largely dead though some industrial Modbus over fibre rings persist. Star (every host to a central switch) is the LAN default. Mesh (every node connects to multiple peers) appears in Wi-Fi mesh systems (Google Nest Wifi, TP-Link Deco), industrial 802.15.4 ZigBee networks, and at the SD-WAN layer where every site has tunnels to multiple peers. Tree or hierarchical is the classic three-tier enterprise design (access, distribution, core).
Architecture choices split client-server (a central host serves many clients, the model that runs HTTP, SMTP, IMAP) from peer-to-peer (every node serves and consumes, the model that runs BitTorrent, original Skype, and the libp2p layer in IPFS). The forensic implication is that peer-to-peer traffic is harder to attribute because there is no central server log to subpoena.
| Standard | Marketing name | Year | Band | Max link rate |
|---|---|---|---|---|
| 802.11a | (no name) | 1999 | 5 GHz | 54 Mbps |
A packet leaves an Indian ISP's NAT gateway and reaches a server in Frankfurt. Which header field is rewritten on every hop and therefore tells you nothing about the original device?
| Transport |
| End-to-end delivery, ports, flow control |
| TCP, UDP, SCTP, QUIC |
| Source/destination ports, TCP flags, sequence numbers |
| 3 | Network | Logical addressing and routing | IPv4, IPv6, ICMP, IPsec, OSPF, BGP | Source/destination IP, TTL, fragment offset |
| 2 | Data Link | Frame-by-frame delivery on the local segment | Ethernet, 802.11, PPP, ARP, VLAN 802.1Q | Source/destination MAC, VLAN tag, OUI vendor |
| 1 | Physical | Bits on the wire or in the air | 10BASE-T, 1000BASE-T, 802.11ax PHY | Signal strength, channel, modulation |
Encapsulation is the operation that wraps a payload from layer N inside a layer N minus one header on the way down the stack, and decapsulation strips those wrappers on the way back up. An HTTPS request to nfsu.ac.in on a Wi-Fi 6 laptop in a Gandhinagar reading room becomes, in order: an HTTP method, wrapped in a TLS record, wrapped in a TCP segment with destination port 443, wrapped in an IPv6 packet with the laptop's link-local source and the resolver's destination, wrapped in an 802.11 data frame addressed to the access point's BSSID, wrapped in radio symbols on a 6 GHz channel. The PCAP records every wrapper. The examiner reads them in reverse.
The forensic implication per layer is the heart of network forensics. A MAC address survives only inside the Layer 2 frame; the moment a router forwards the packet, the source and destination MACs are rewritten to those of the next hop. An IP address survives end-to-end only if no NAT sits in between; in any home router or mobile carrier path, the source IP changes at the edge. A port number survives end-to-end through NAT (though the source port is often rewritten under PAT). A Server Name Indication string inside the TLS ClientHello survives end-to-end because TLS is end-to-end. Knowing what survives where is the difference between attributing an attack to a device and attributing it to an autonomous system.
The classic three-way handshake is the diagnostic backbone of TCP forensics. The client sends a SYN with an initial sequence number X; the server replies SYN-ACK with its own initial sequence number Y and acknowledgement X+1; the client replies ACK with Y+1, and the connection is open. A capture that shows a SYN with no SYN-ACK back is a port that is closed or filtered. A SYN-ACK with the wrong sequence number is a sign of in-path tampering. A connection that closes with a RST instead of a FIN is either an application crash or an intentional reset.
The well-known port range 0 to 1023 is reserved by IANA: 22 for SSH, 25 for SMTP, 53 for DNS, 80 for HTTP, 110 for POP3, 143 for IMAP, 443 for HTTPS, 465 for SMTPS, 587 for submission, 993 for IMAPS. The registered range 1024 to 49151 is where most application servers run. The dynamic range 49152 to 65535 is where clients pick their ephemeral source ports. A forensic capture that shows a connection on port 443 with traffic that does not begin with a TLS ClientHello is one of the strongest indicators of protocol smuggling, including a Cobalt Strike beacon or an SSH-over-port-443 tunnel.
| 255.255.252.0 |
| 1,022 |
| ISP downstream block |
| /24 | 255.255.255.0 | 254 | Small office LAN, RFC 1918 192.168.x.0/24 |
| /29 | 255.255.255.248 | 6 | Point-to-point with spare addresses |
| /30 | 255.255.255.252 | 2 | Point-to-point link |
| /31 | 255.255.255.254 | 2 | RFC 3021 point-to-point (no broadcast) |
| /32 | 255.255.255.255 | 1 | Single host route, loopback advertisement |
RFC 1918 reserves three ranges for private use: 10.0.0.0/8 (one /8, the largest), 172.16.0.0/12 (sixteen /16s), 192.168.0.0/16 (256 /24s). These are not routed on the public internet; a router that sees a packet with a 10.0.0.5 destination on its WAN interface drops it. APIPA (169.254.0.0/16) is the link-local block a Windows host self-assigns when DHCP fails. The loopback range 127.0.0.0/8 traditionally carries 127.0.0.1, though the whole /8 is reserved.
VLSM, Variable-Length Subnet Masking, lets a single organisation use different prefix lengths in different parts of its network: a /24 for the office LAN, /30s for the WAN links between routers, a /22 for the campus Wi-Fi. FLSM, Fixed-Length Subnet Masking, uses the same prefix length everywhere and wastes address space. Supernetting, the inverse of subnetting, aggregates contiguous prefixes into a single shorter prefix: two /24s in 203.0.113.0/24 and 203.0.114.0/24 advertised together become 203.0.113.0/23. CIDR's primary operational purpose was route aggregation through supernetting, so that BGP routers carry hundreds of thousands of routes rather than tens of millions.
| ::1/128 | Loopback | The single host | Replaces 127.0.0.1 |
| 64:ff9b::/96 | IPv4-translated | NAT64 prefix per RFC 6052 | Visible in dual-stack carrier networks |
SLAAC, Stateless Address Autoconfiguration (RFC 4862), is how an IPv6 host gets an address without a DHCP server. The router multicasts a Router Advertisement carrying a /64 prefix. The host appends a 64-bit interface identifier and forms its global address. The interface identifier was historically EUI-64, derived from the 48-bit MAC by inserting fffe in the middle and flipping the universal/local bit; the EUI-64 form leaked the device's MAC into every packet, which is a privacy disaster. RFC 7217 specified stable opaque interface identifiers derived from a hash of the prefix, an interface name and a secret, and RFC 8981 specified temporary privacy addresses that rotate every 24 hours. Modern Windows, macOS, iOS and Android all use one of these privacy schemes by default.
The forensic consequence is sharp. An older IPv6 capture (pre-2014) typically shows an EUI-64 interface identifier from which the examiner reads off the device MAC by stripping the inserted fffe and flipping the U/L bit. A modern capture shows an opaque RFC 7217 identifier that reveals nothing about the hardware. To attribute a modern IPv6 host the examiner needs DHCPv6, NDP cache snapshots from the local router or the carrier's IPAM logs.
Switching methods differ in how soon a switch starts forwarding a frame. Store-and-forward reads the full frame, validates the FCS, then forwards; high latency, no bad-frame propagation. Cut-through forwards as soon as the destination MAC is read at byte 14; low latency, propagates errored frames. Fragment-free reads the first 64 bytes (one Ethernet collision window) before forwarding; a middle ground used in some Cisco Catalyst products. Most enterprise switches in 2026 run store-and-forward by default.
Routing protocols split by algorithm. RIP (distance-vector, hop count, 15-hop max, RFC 2453) is legacy. EIGRP (Cisco proprietary distance-vector, opened in 2013 as RFC 7868) is still in use in mid-size enterprises. OSPF (link-state, Dijkstra, RFC 2328 for v2 / RFC 5340 for v3) is the dominant interior gateway protocol. IS-IS (link-state, ISO 10589) runs the cores of large service providers including Reliance Jio. BGP (path-vector, RFC 4271) is the only exterior gateway protocol; every internet route is carried by BGP. A default route, written as 0.0.0.0/0 on IPv4 or ::/0 on IPv6, is the catch-all the router uses when no more specific match exists; in a home network the default route points at the ISP's edge.
| 802.11b | (no name) | 1999 | 2.4 GHz | 11 Mbps |
| 802.11g | (no name) | 2003 | 2.4 GHz | 54 Mbps |
| 802.11n | Wi-Fi 4 | 2009 | 2.4 / 5 GHz | 600 Mbps (4x4 MIMO) |
| 802.11ac | Wi-Fi 5 | 2013 | 5 GHz | 6.9 Gbps (8x8, 160 MHz) |
| 802.11ax | Wi-Fi 6 | 2019 | 2.4 / 5 GHz | 9.6 Gbps (OFDMA) |
| 802.11ax + 6 GHz | Wi-Fi 6E | 2020 | 6 GHz added | 9.6 Gbps |
| 802.11be | Wi-Fi 7 | 2024 | 2.4 / 5 / 6 GHz | 46 Gbps (MLO, 320 MHz) |
Wi-Fi 6E opens 1200 MHz of new spectrum in the 6 GHz band, approved for unlicensed use in India by the DoT in 2022; that band hosts twice as many non-overlapping 80 MHz channels as the entire 5 GHz band did. Wi-Fi 7 adds Multi-Link Operation (MLO), where a single client maintains simultaneous associations on two bands and load-balances frames between them, and 320 MHz channels in 6 GHz. The forensic relevance is that a packet capture from a Wi-Fi 7 client requires the capture tool to follow MLO across radios, which only Wireshark 4.4+ with a recent libpcap and capable radio hardware can do.
The CERT-In Direction dated 28 April 2022 mandates that data centres, virtual private server providers, VPN providers and cloud service providers operating in India maintain ICT system logs for 180 rolling days, register subscriber identification details, and synchronise all systems to the NPL or NIC NTP servers. Those logs are exactly the layer-by-layer artefacts above: DHCP leases mapping MAC to IP, NAT translation tables mapping internal port to external port, DNS query logs, and Layer 4 connection records. Every Indian network-forensic case after May 2022 starts with a CERT-In log request, and the examiner who does not know which header field lives at which layer cannot frame that request properly.