
Computer Networking: OSI, TCP/IP, IPv4/IPv6 and Subnetting

Networking from signalling to subnetting for digital forensic examiners in India: OSI vs TCP/IP, IPv4 classes and CIDR, IPv6 SLAAC, MAC addressing, switching, routing, Wi-Fi 7, and which header fields survive each layer of a packet capture under CERT-In's 180-day log retention rule.


Computer networking for forensic examiners rests on two complementary models: the seven-layer OSI reference model, which defines how network functions are partitioned and labelled in tools such as Wireshark, and the four-layer TCP/IP stack, which is the protocol suite actually deployed on the internet. Every frame a packet-capture examiner opens contains nested headers from both models: a destination MAC at Layer 2, a source IP at Layer 3, a TCP port at Layer 4, and a TLS Server Name Indication at Layer 7, each with its own trust basis and its own survival rules across NAT, routing, and encryption boundaries. Under CERT-In Direction 2022, Indian service providers must retain these layer-by-layer log artefacts for 180 rolling days, and correctly framing a log request requires knowing which header field lives at which layer.

Every PCAP an investigator opens at a state cyber cell carries seven layers of nested headers. A defence counsel under BSA Section 63 may ask why a destination MAC, a source IP, a TCP sequence number and a TLS Server Name Indication can all be trusted as belonging to the same conversation. The answer lies in the OSI model, the TCP/IP stack that runs the internet, and the addressing rules that determine who can communicate with whom. Errors at any layer undermine attribution throughout the rest of network forensics.

Key takeaways

  • The OSI model partitions network function into seven layers, each with its own header, giving an examiner seven distinct points at which an actor can be identified in a packet capture.
  • CERT-In Direction 2022 mandates 180 days of log retention for service providers, VPNs, and data centres, and those logs are the primary records a digital forensic examiner interprets when a case arrives.
  • A destination MAC, a source IP, a TCP sequence number, and a TLS Server Name Indication can all appear in the same captured frame but each belongs to a different protocol layer with its own trust basis.
  • IPv6 transition changes addressing assumptions forensic examiners carry from IPv4 cases, requiring familiarity with both stacks to correctly attribute traffic in mixed-protocol environments.
  • Bandwidth and throughput differ: a 1 Gbps link's real throughput is lower due to framing overhead, retransmissions, and TCP slow-start, a distinction that matters when estimating data exfiltration volumes from flow records.

This topic is the digital forensics networking foundation, written for an examiner who already knows what a hard disk is and now needs to read traffic. It walks from signalling through subnetting to routing, with the Indian operational frame layered on top: CERT-In Direction 2022 mandates 180 days of mandatory log retention for service providers, VPNs and data centres, and those logs are what the digital forensic examiner has to interpret when the case lands. The Wi-Fi standards, MAC address handling, and IPv6 transitions covered here feed directly into the wireless attack topic and the live packet capture topic.

By the end of this topic you will be able to:

  • Identify the seven OSI layers and the corresponding TCP/IP layer, and name at least one protocol and one forensic artefact recoverable from a packet capture at each layer.
  • Explain how encapsulation and decapsulation work across a multi-hop path, including which header fields (MAC, IP, port, TLS SNI) survive NAT and routing and which are rewritten.
  • Calculate host counts and usable address ranges from CIDR notation, and distinguish RFC 1918 private ranges, APIPA, and CGNAT from public addresses.
  • Describe IPv6 SLAAC address formation using EUI-64 vs. RFC 7217/8981 privacy identifiers, and state what each form does or does not reveal about the originating device.
  • Frame a precise CERT-In log request that specifies the correct fields (IPv4 NAT mapping with source port, IPv6 prefix delegation, NDP cache snapshot) for a dual-stack Indian ISP environment.
Key terms
OSI reference model
Seven-layer ISO/IEC 7498-1 model describing how network functions are partitioned: Physical, Data Link, Network, Transport, Session, Presentation, Application. A teaching model, not a deployed stack.
TCP/IP stack
Four-layer model that actually runs the internet: Link, Internet, Transport, Application. Defined by the IETF and mapped onto the OSI layers for analytical use.
CIDR (Classless Inter-Domain Routing)
Notation `a.b.c.d/n` where the trailing slash gives the prefix length. Replaced classful addressing in 1993 (RFC 1518/1519) and enabled supernetting and route aggregation.
RFC 1918 private space
Three IPv4 ranges reserved for private use: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Not routable on the public internet; require NAT at the edge.
MAC address (OUI)
48-bit hardware address. First 24 bits are the Organisationally Unique Identifier assigned by IEEE to a vendor; the lower 24 are the vendor's own serial.
SLAAC
Stateless Address Autoconfiguration. IPv6 host generates its own address from the router-advertised /64 prefix plus a 64-bit interface identifier (EUI-64 or RFC 7217 stable random).

Signalling, bandwidth and the wires under the model

Every network conversation begins as a physical signal. Two coding choices govern that signal. Digital signalling represents data as discrete voltage levels (a Manchester-encoded Ethernet frame, NRZ-L on a serial line); analog signalling represents data as a continuously varying waveform (the legacy POTS line that still feeds many Indian rural exchanges, the DOCSIS RF carrier on a cable modem). Modern LANs use digital signalling because it tolerates noise far better and allows the receiver to re-time itself from the bit clock.

The second axis is baseband versus broadband. Baseband dedicates the entire medium to a single signal at a time, as 10BASE-T, 100BASE-TX, 1000BASE-T and 10GBASE-T do ("BASE" is short for baseband). Broadband frequency-divides the same medium so that multiple signals run in parallel on different sub-carriers, as DOCSIS cable, ADSL, and OFDMA-based Wi-Fi 6 do. A broadband medium produces independent per-channel error and timing data that an attacker can use to fingerprint a device.

Latency, the round-trip time between two endpoints, is the second performance metric the examiner reads off a capture. On a healthy domestic Jio Fiber link in Mumbai an ICMP RTT to an AWS Mumbai region endpoint sits at around 4 to 8 ms; on a 4G LTE link in a Bengaluru suburb the same ping is 35 to 60 ms; on a satellite link it climbs to 600 ms or more. Jitter is the standard deviation of those RTTs and is what makes a real-time voice call collapse before bandwidth does. The bps unit is bits per second (lowercase b); Bps is bytes per second (uppercase B). An ISP advertises in bps; a file transfer reports in Bps. The factor of eight between them turns up in court transcripts when a defence expert tries to argue an upload was impossibly fast.

The OSI 7-layer model and what forensics gets at each layer

The OSI model partitions network function into seven layers. It is a reference framework, not a deployed protocol; the internet runs on the four-layer TCP/IP stack. The seven-layer breakdown is the labelling scheme used by Wireshark's dissector pane and the standard networking textbook.

| # | Layer | Function | Example protocols | Forensic artefact |
|---|-------|----------|-------------------|-------------------|
| 7 | Application | User-facing protocol logic | HTTP, HTTPS, FTP, SMTP, DNS, SSH | URLs, mail headers, TLS SNI, DNS QNAMEs |
| 6 | Presentation | Encoding, encryption, compression | TLS, ASN.1, JPEG, gzip | Cipher suite, certificate chain, JA3 hash |
| 5 | Session | Dialogue control between hosts | NetBIOS, RPC, SOCKS, QUIC initial | Session IDs, RPC method names |
| 4 | Transport | End-to-end delivery, ports, flow control | TCP, UDP, SCTP, QUIC | Source/destination ports, TCP flags, sequence numbers |
| 3 | Network | Logical addressing and routing | IPv4, IPv6, ICMP, IPsec, OSPF, BGP | Source/destination IP, TTL, fragment offset |
| 2 | Data Link | Frame-by-frame delivery on the local segment | Ethernet, 802.11, PPP, ARP, VLAN 802.1Q | Source/destination MAC, VLAN tag, OUI vendor |
| 1 | Physical | Bits on the wire or in the air | 10BASE-T, 1000BASE-T, 802.11ax PHY | Signal strength, channel, modulation |

Encapsulation is the operation that wraps a payload from layer N inside a layer N minus one header on the way down the stack, and decapsulation strips those wrappers on the way back up. An HTTPS request to nfsu.ac.in on a Wi-Fi 6 laptop in a Gandhinagar reading room becomes, in order: an HTTP method, wrapped in a TLS record, wrapped in a TCP segment with destination port 443, wrapped in an IPv6 packet with the laptop's link-local source and the resolver's destination, wrapped in an 802.11 data frame addressed to the access point's BSSID, wrapped in radio symbols on a 6 GHz channel. The PCAP records every wrapper. The examiner reads them in reverse.

The forensic implication per layer is the heart of network forensics. A MAC address survives only inside the Layer 2 frame; the moment a router forwards the packet, the source and destination MACs are rewritten to those of the next hop. An IP address survives end-to-end only if no NAT sits in between; in any home router or mobile carrier path, the source IP changes at the edge. The destination port survives end-to-end through NAT, while the source port is often rewritten under PAT. A Server Name Indication string inside the TLS ClientHello survives end-to-end because TLS is end-to-end. Knowing what survives where is the difference between attributing an attack to a device and attributing it to an autonomous system.

TCP/IP four-layer model and encapsulation in practice

The internet runs TCP/IP, a four-layer stack defined by the IETF before OSI was finalised and the only one that ships in every operating system. The TCP/IP layers map onto OSI for analysis but combine functions that the OSI model separates.

  1. Link layer (OSI 1 + 2)
    The physical medium plus framing. Ethernet, 802.11, PPP. Source and destination MAC live here. ARP runs here on IPv4; NDP runs here on IPv6.
  2. Internet layer (OSI 3)
    Logical addressing and routing. IPv4 or IPv6 header. ICMP, IGMP and IPsec sit here. Routing protocols (OSPF, BGP, RIP) deliver the routing tables that this layer consults.
  3. Transport layer (OSI 4)
    End-to-end delivery. TCP for reliable byte streams with sequence numbers, acknowledgements and a three-way handshake. UDP for connectionless datagrams. QUIC as the modern UDP-based replacement for TCP+TLS, now carrying the majority of HTTPS traffic to Google and Cloudflare.
  4. Application layer (OSI 5 + 6 + 7)
    Everything above transport. HTTP, HTTPS, DNS, FTP, SMTP, IMAP, SSH, BGP, MQTT, gRPC. TLS is sometimes placed here, sometimes between transport and application; in TCP/IP it is treated as application-layer.

The three-way handshake is the diagnostic backbone of TCP forensics. The client sends a SYN with an initial sequence number X; the server replies SYN-ACK with its own initial sequence number Y and acknowledgement X+1; the client replies ACK with Y+1, and the connection is open. A capture that shows a SYN with no SYN-ACK back is a port that is closed or filtered. A SYN-ACK with the wrong sequence number is a sign of in-path tampering. A connection that closes with a RST instead of a FIN is either an application crash or an intentional reset.

A CERT-In incident report under the 2022 Direction has to identify the affected IP address, the source port and the destination port for every observed connection, and the reporting window is six hours from detection. CFSL Hyderabad's cyber lab and the state cyber cells routinely receive PCAPs where the handshake is the only artefact that survives end-to-end NAT, because the IP layer is rewritten at the carrier edge while the port and sequence numbers are not.

OSI 7-layer stack vs TCP/IP 4-layer stack side by side with example protocols at each layer and the forensic artefact a PCAP examiner recovers. Layers highlighted in blue are directly visible in a standard Wireshark capture; the Physical layer is only visible in radio captures (802.11 monitor mode).

The well-known port range 0 to 1023 is reserved by IANA: 22 for SSH, 25 for SMTP, 53 for DNS, 80 for HTTP, 110 for POP3, 143 for IMAP, 443 for HTTPS, 465 for SMTPS, 587 for submission, 993 for IMAPS. The registered range 1024 to 49151 is where most application servers run. The dynamic range 49152 to 65535 is where clients pick their ephemeral source ports. A forensic capture that shows a connection on port 443 with traffic that does not begin with a TLS ClientHello is one of the strongest indicators of protocol smuggling, including a Cobalt Strike beacon or an SSH-over-port-443 tunnel.
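The handshake outcomes described above (no SYN-ACK, RST teardown) and the port-443-without-ClientHello check can be scripted over a flow summary. This is an added example, not code from the page: the packet records are constructed by hand to mimic a flattened PCAP summary, and the flow model (the client is whoever sent the first SYN) is an assumption of the example.

```python
"""Flow triage over a constructed packet list: TCP handshake state plus
port-443 flows whose first data is not a client-sent TLS ClientHello."""

# Constructed records: (time, src_ip, src_port, dst_ip, dst_port, flags, payload)
PACKETS = [
    # flow 1: clean HTTPS handshake; client opens with a TLS ClientHello
    (0.000, "10.0.0.5", 51000, "203.0.113.10", 443, "S", b""),
    (0.010, "203.0.113.10", 443, "10.0.0.5", 51000, "SA", b""),
    (0.011, "10.0.0.5", 51000, "203.0.113.10", 443, "A", b""),
    (0.012, "10.0.0.5", 51000, "203.0.113.10", 443, "PA",
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    (0.900, "10.0.0.5", 51000, "203.0.113.10", 443, "FA", b""),
    # flow 2: SYN retransmitted, never answered (closed or filtered port)
    (1.000, "10.0.0.5", 51001, "203.0.113.20", 8443, "S", b""),
    (2.000, "10.0.0.5", 51001, "203.0.113.20", 8443, "S", b""),
    # flow 3: port 443, but the first payload is an SSH banner from the server
    (3.000, "10.0.0.7", 51002, "198.51.100.9", 443, "S", b""),
    (3.010, "198.51.100.9", 443, "10.0.0.7", 51002, "SA", b""),
    (3.011, "10.0.0.7", 51002, "198.51.100.9", 443, "A", b""),
    (3.020, "198.51.100.9", 443, "10.0.0.7", 51002, "PA", b"SSH-2.0-OpenSSH_9.6\r\n"),
    (9.000, "10.0.0.7", 51002, "198.51.100.9", 443, "R", b""),
]


def is_tls_client_hello(payload):
    """TLS record header: type 0x16 (handshake), version 0x03xx, then handshake type 0x01."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def build_flows(packets):
    """Group packets into bidirectional flows keyed by ((client_ip, port), (server_ip, port)).
    The client is the endpoint that sent the first SYN; packets with no SYN seen are skipped."""
    flows = {}
    for _, sip, sport, dip, dport, flags, payload in sorted(packets, key=lambda p: p[0]):
        fwd, rev = ((sip, sport), (dip, dport)), ((dip, dport), (sip, sport))
        if fwd in flows:
            key, from_client = fwd, True
        elif rev in flows:
            key, from_client = rev, False
        elif flags == "S":
            key, from_client = fwd, True
            flows[key] = {"syn": 0, "synack": False, "ack": False, "rst": False,
                          "fin": False, "first_payload": None, "payload_from_client": None}
        else:
            continue
        f = flows[key]
        if flags == "S":
            f["syn"] += 1
        elif flags == "SA" and not from_client:
            f["synack"] = True
        elif "A" in flags and from_client and f["synack"]:
            f["ack"] = True          # third leg of the handshake (or any later client ACK)
        f["rst"] |= "R" in flags
        f["fin"] |= "F" in flags
        if payload and f["first_payload"] is None:
            f["first_payload"] = payload
            f["payload_from_client"] = from_client
    return flows


def handshake_state(f):
    if not f["synack"]:
        return "no SYN-ACK after %d SYN(s): port closed or filtered" % f["syn"]
    if not f["ack"]:
        return "half-open: SYN-ACK seen, final ACK missing"
    if f["rst"]:
        return "established, torn down by RST (crash or deliberate reset)"
    return "established, closed by FIN" if f["fin"] else "established, still open"


def port443_smuggling(f, key):
    """True when a port-443 flow carries data that is not a client-first TLS ClientHello."""
    server_port = key[1][1]
    if server_port != 443 or f["first_payload"] is None:
        return False
    return not (f["payload_from_client"] and is_tls_client_hello(f["first_payload"]))


def triage(packets):
    """Return {(client, server): (handshake state, non-TLS-on-443 flag)}."""
    return {key: (handshake_state(f), port443_smuggling(f, key))
            for key, f in build_flows(packets).items()}


if __name__ == "__main__":
    for (client, server), (state, smuggled) in triage(PACKETS).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {state}"
              + ("  [non-TLS traffic on 443]" if smuggled else ""))
```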

IPv4 addressing, CIDR and the private/public split

IPv4 is a 32-bit address written as four dotted-decimal octets, providing a theoretical 4.29 billion addresses. The original 1981 design partitioned that space into classes by the high-order bits. Class A (0.0.0.0 to 127.255.255.255) allocated a /8 to organisations such as the US Department of Defense, Apple and MIT; Class B (128.0.0.0 to 191.255.255.255) allocated a /16; Class C (192.0.0.0 to 223.255.255.255) allocated a /24; Class D (224.0.0.0 to 239.255.255.255) is multicast; Class E (240.0.0.0 to 255.255.255.255) is reserved. The classful scheme allocated far more addresses than most organisations required, wasting large portions of the available space.

CIDR replaced classes in 1993. The CIDR notation 203.0.113.0/24 means the first 24 bits are the network prefix and the remaining 8 bits are the host portion, yielding 256 addresses of which 254 are usable (the first is the network address, the last is the broadcast). The mask 255.255.255.0 is the dotted-decimal equivalent of /24. CIDR allowed prefix lengths between the old class boundaries, so a /22 (1022 hosts) or a /28 (14 hosts) became routine, and address allocation tightened to actual need.

| Prefix | Mask | Hosts | Typical use |
|--------|------|-------|-------------|
| /8 | 255.0.0.0 | 16,777,214 | Legacy Class A (10.0.0.0/8 private) |
| /16 | 255.255.0.0 | 65,534 | Large campus, RFC 1918 172.16/12 chunks |
| /22 | 255.255.252.0 | 1,022 | ISP downstream block |
| /24 | 255.255.255.0 | 254 | Small office LAN, RFC 1918 192.168.x.0/24 |
| /29 | 255.255.255.248 | 6 | Point-to-point with spare addresses |
| /30 | 255.255.255.252 | 2 | Point-to-point link |
| /31 | 255.255.255.254 | 2 | RFC 3021 point-to-point (no broadcast) |
| /32 | 255.255.255.255 | 1 | Single host route, loopback advertisement |

RFC 1918 reserves three ranges for private use: 10.0.0.0/8 (one /8, the largest), 172.16.0.0/12 (sixteen /16s), 192.168.0.0/16 (256 /24s). These are not routed on the public internet; a router that sees a packet with a 10.0.0.5 destination on its WAN interface drops it. APIPA (169.254.0.0/16) is the link-local block a Windows host self-assigns when DHCP fails. The loopback range 127.0.0.0/8 traditionally carries 127.0.0.1, though the whole /8 is reserved. Indian residential ISPs run carrier-grade NAT on the public IPv4 side and a private /24 inside the home; a subpoena under BNSS Section 94 for "the IP" without the source port and timestamp typically returns thousands of subscribers because they all share the same public address through CGNAT.

VLSM, Variable-Length Subnet Masking, lets a single organisation use different prefix lengths in different parts of its network: a /24 for the office LAN, /30s for the WAN links between routers, a /22 for the campus Wi-Fi. FLSM, Fixed-Length Subnet Masking, uses the same prefix length everywhere and wastes address space. Supernetting, the inverse of subnetting, aggregates contiguous prefixes into a single shorter prefix: two /24s in 203.0.113.0/24 and 203.0.114.0/24 advertised together become 203.0.113.0/23. CIDR's primary operational purpose was route aggregation through supernetting, so that BGP routers carry hundreds of thousands of routes rather than tens of millions.
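The CIDR arithmetic from this section, as an added example (not the page's code) using only Python's standard ipaddress module: usable host counts including the /31 and /32 edge cases, classification against the RFC 1918, APIPA and loopback blocks, and route aggregation. The CGNAT shared range 100.64.0.0/10 (RFC 6598) is assumed here as the carrier-side block behind the CGNAT discussion above; the aggregation check also shows that two /24s only merge into a /23 when the lower one starts on an even third octet.

```python
"""CIDR helpers for framing a precise log request: subnet sizing,
special-use classification and supernetting (route aggregation)."""
import ipaddress

# Special-use IPv4 blocks the examiner must separate from public space.
SPECIAL_RANGES = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("CGNAT shared space (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),  # assumed CGNAT block
    ("APIPA link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast (Class D)", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved (Class E)", ipaddress.ip_network("240.0.0.0/4")),
]


def classify(addr):
    """Name the special-use block an IPv4 address falls in, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SPECIAL_RANGES:
        if ip in net:
            return name
    return "public"


def subnet_summary(cidr):
    """Network, mask, usable host count and first/last usable address for a prefix.
    /31 (RFC 3021) and /32 have no network/broadcast address to subtract."""
    net = ipaddress.ip_network(cidr, strict=False)   # accept a host address inside the block
    if net.prefixlen >= 31:
        usable, first, last = net.num_addresses, net[0], net[-1]
    else:
        usable, first, last = net.num_addresses - 2, net[1], net[-2]
    return {"network": str(net), "mask": str(net.netmask), "usable": usable,
            "first": str(first), "last": str(last)}


def supernet(cidrs):
    """Aggregate prefixes into the fewest covering prefixes (what BGP advertises).
    Adjacent /24s merge only when the lower one is aligned to the /23 boundary."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for cidr in ("203.0.113.0/24", "10.1.4.0/22", "192.0.2.8/29", "198.51.100.0/31"):
        print(subnet_summary(cidr))
    for ip in ("10.0.0.5", "100.72.1.9", "169.254.10.1", "203.0.113.10"):
        print(ip, "->", classify(ip))
    print(supernet(["203.0.112.0/24", "203.0.113.0/24"]))   # aligned pair: one /23
    print(supernet(["203.0.113.0/24", "203.0.114.0/24"]))   # unaligned pair: stays as two /24s
```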

IPv6, SLAAC, EUI-64 and the dual-stack transition

IPv6 is 128 bits wide, written as eight groups of four hex digits separated by colons. A double colon :: once per address compresses consecutive zero groups. The address 2001:0db8:0000:0000:0000:0000:0000:0001 becomes 2001:db8::1. The address space is 3.4 times 10 to the 38th, enough that exhaustion is no longer the operational concern.

| Prefix | Scope | Purpose | Forensic note |
|--------|-------|---------|---------------|
| 2000::/3 | Global unicast | Public, routable internet address | Equivalent to a public IPv4 address; logged at carrier |
| fe80::/10 | Link-local | Auto-configured per interface; not routed | Always present on every IPv6 interface; revealed by NDP |
| fc00::/7 (fd00::/8 in practice) | Unique local | Private organisation use; not routable globally | IPv6 equivalent of RFC 1918 |
| ff00::/8 | Multicast | One-to-many delivery | Replaces IPv4 broadcast; e.g. ff02::1 is all-nodes link-local |
| ::1/128 | Loopback | The single host | Replaces 127.0.0.1 |
| 64:ff9b::/96 | IPv4-translated | NAT64 prefix per RFC 6052 | Visible in dual-stack carrier networks |

SLAAC, Stateless Address Autoconfiguration (RFC 4862), is how an IPv6 host gets an address without a DHCP server. The router multicasts a Router Advertisement carrying a /64 prefix. The host appends a 64-bit interface identifier and forms its global address. The interface identifier was historically EUI-64, derived from the 48-bit MAC by inserting fffe in the middle and flipping the universal/local bit; the EUI-64 form leaked the device's MAC into every packet, which is a privacy disaster. RFC 7217 specified stable opaque interface identifiers derived from a hash of the prefix, an interface name and a secret, and RFC 8981 specified temporary privacy addresses that rotate every 24 hours. Modern Windows, macOS, iOS and Android all use one of these privacy schemes by default.

The forensic consequence is sharp. An older IPv6 capture (pre-2014) typically shows an EUI-64 interface identifier from which the examiner reads off the device MAC by stripping the inserted fffe and flipping the U/L bit. A modern capture shows an opaque RFC 7217 identifier that reveals nothing about the hardware. To attribute a modern IPv6 host the examiner needs DHCPv6, NDP cache snapshots from the local router or the carrier's IPAM logs.

MAC addressing, switching, routing and the network hardware zoo

A MAC address is 48 bits, usually written as six pairs of hex digits separated by colons or hyphens (a4:83:e7:1c:9d:42). The first three octets (24 bits) are the OUI, the Organisationally Unique Identifier the IEEE assigns to a vendor: 00:1a:11 is Google, a4:83:e7 is Apple, f0:18:98 is Lenovo. Wireshark's OUI lookup, drawn from the IEEE OUI registry, resolves the prefix to a vendor in the packet pane. The second three octets are the vendor's serial. Two bits in the first octet matter: the I/G bit distinguishes unicast (0) from multicast (1); the U/L bit distinguishes universally administered (0, IEEE-assigned) from locally administered (1, software-set). Privacy MAC randomisation in modern phones flips the U/L bit and generates a fresh random MAC per SSID, which is why a captured probe request from a 2023+ iPhone usually shows a locally administered MAC rather than the device's burned-in OUI.
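An added example, not code from the page, tying the MAC bit fields described here to the EUI-64 and SLAAC material in the previous section: it reads the OUI and the I/G and U/L bits, forms a SLAAC address from a /64 prefix plus the modified EUI-64 identifier, and recovers the MAC from a captured IPv6 address only when the identifier is EUI-64 (returning None for an opaque RFC 7217/8981 identifier). The two-entry OUI table is a constructed stand-in for the IEEE registry, and 2001:db8::/64 is documentation space used as the advertised prefix.

```python
"""MAC bit fields, modified EUI-64 interface identifiers and what a SLAAC
address does or does not reveal about the originating device."""
import ipaddress

# Constructed two-entry stand-in for the IEEE OUI registry that Wireshark ships.
OUI_VENDORS = {"00:1a:11": "Google", "a4:83:e7": "Apple"}


def mac_bytes(mac):
    """Parse 'a4:83:e7:1c:9d:42' or 'a4-83-e7-1c-9d-42' into six bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six octets: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_info(mac):
    """OUI vendor lookup plus the two flag bits of the first octet."""
    b = mac_bytes(mac)
    oui = fmt_mac(b[:3])
    return {
        "oui": oui,
        "vendor": OUI_VENDORS.get(oui, "unknown"),
        "multicast": bool(b[0] & 0x01),             # I/G bit: 0 unicast, 1 multicast
        "locally_administered": bool(b[0] & 0x02),  # U/L bit: 1 = software-set (randomised MAC)
    }


def mac_to_eui64_iid(mac):
    """Modified EUI-64: insert ff:fe between OUI and serial, flip the U/L bit."""
    b = bytearray(mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def slaac_address(prefix, mac):
    """Global address a SLAAC host forms from the advertised /64 plus its EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_ipv6(addr):
    """Recover the MAC when the IID is EUI-64; None for an opaque RFC 7217/8981 IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02  # undo the U/L flip
    return fmt_mac(b)


if __name__ == "__main__":
    burned_in = "a4:83:e7:1c:9d:42"   # the OUI the page cites for Apple
    print(mac_info(burned_in))
    addr = slaac_address("2001:db8::/64", burned_in)
    print(addr, "->", mac_from_ipv6(addr))
    print(mac_from_ipv6("2001:db8::1c2f:8b9a:3d4e:5f60"))   # opaque IID: None
    print(mac_info("06:1b:2c:3d:4e:5f"))                     # randomised: U/L bit set
```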

Network hardware splits along OSI layers:

  • Hub (Layer 1): a multi-port repeater that broadcasts every signal to every port. Deprecated since 2000; effectively dead in 2026. Forensic relevance: a true hub creates a passive sniffing surface, which is why packet captures in surveillance setups used to be done at hubs.
  • Bridge (Layer 2): a two-port device that learns MAC addresses and forwards selectively. Replaced functionally by switches.
  • Switch (Layer 2): a multi-port bridge. Maintains a MAC address table, forwards frames only to the port hosting the destination MAC. A managed switch supports VLAN tagging (802.1Q, a 4-byte tag inserted after the source MAC), port mirroring (SPAN/RSPAN, used by SOCs to feed packet brokers), and STP (Spanning Tree, 802.1D, breaks loops by electing a root bridge).
  • Router (Layer 3): inspects the destination IP, consults its routing table, forwards on the egress interface. Rewrites the source and destination MAC at every hop; the IP is preserved.
  • Firewall (multi-layer): operates from Layer 3 up to Layer 7. A stateful firewall tracks TCP connection state; a next-generation firewall does deep packet inspection at Layer 7. See network security: firewalls, IDS, IPsec, SSL/TLS, VPN, PKI, SIEM for how these sit in defence architecture.
  • Access point (Layer 2): the wired-to-wireless bridge. The BSSID is its MAC address. Forensic captures from an enterprise WLC carry per-AP, per-radio metadata.
  • Load balancer (Layer 4 or 7): distributes connections across backend servers. At Layer 4 it sees TCP/UDP ports; at Layer 7 it terminates TLS and reads HTTP headers.

Switching methods differ in how soon a switch starts forwarding a frame. Store-and-forward reads the full frame, validates the FCS, then forwards; high latency, no bad-frame propagation. Cut-through forwards as soon as the destination MAC is read at byte 14; low latency, propagates errored frames. Fragment-free reads the first 64 bytes (one Ethernet collision window) before forwarding; a middle ground used in some Cisco Catalyst products. Most enterprise switches in 2026 run store-and-forward by default.

Routing protocols split by algorithm. RIP (distance-vector, hop count, 15-hop max, RFC 2453) is legacy. EIGRP (Cisco proprietary distance-vector, announced as open in 2013 and documented as RFC 7868 in May 2016) is still in use in mid-size enterprises. OSPF (link-state, Dijkstra, RFC 2328 for v2 / RFC 5340 for v3) is the dominant interior gateway protocol. IS-IS (link-state, ISO 10589) runs the cores of large service providers including Reliance Jio. BGP (path-vector, RFC 4271) is the only exterior gateway protocol; every internet route is carried by BGP. A default route, written as 0.0.0.0/0 on IPv4 or ::/0 on IPv6, is the catch-all the router uses when no more specific match exists; in a home network the default route points at the ISP's edge.

Network types, topologies and Wi-Fi standards from 802.11a to Wi-Fi 7

Networks are classified by geographic scope: PAN (personal area, Bluetooth, a few metres), LAN (local, a building or campus), CAN (campus, multiple buildings), MAN (metropolitan, city-scale, often fibre rings), WAN (wide area, MPLS, SD-WAN, the internet), SAN (storage area, Fibre Channel or iSCSI, a data centre fabric). The Indian National Knowledge Network is a MAN-to-WAN academic backbone connecting every IIT, IIIT, IISc and central university.

Topologies describe physical or logical arrangement. Bus (a single shared cable, the old 10BASE2 thinnet) is dead. Ring (Token Ring, FDDI) is largely dead though some industrial Modbus over fibre rings persist. Star (every host to a central switch) is the LAN default. Mesh (every node connects to multiple peers) appears in Wi-Fi mesh systems (Google Nest Wifi, TP-Link Deco), industrial 802.15.4 ZigBee networks, and at the SD-WAN layer where every site has tunnels to multiple peers. Tree or hierarchical is the classic three-tier enterprise design (access, distribution, core).

Architecture choices divide into client-server (a central host serves many clients, the model underlying HTTP, SMTP and IMAP) and peer-to-peer (every node both serves and consumes, the model underlying BitTorrent and the libp2p layer in IPFS). Peer-to-peer traffic is harder to attribute because there is no central server log to subpoena.

| Standard | Marketing name | Year | Band | Max link rate |
|----------|----------------|------|------|---------------|
| 802.11a | (no name) | 1999 | 5 GHz | 54 Mbps |
| 802.11b | (no name) | 1999 | 2.4 GHz | 11 Mbps |
| 802.11g | (no name) | 2003 | 2.4 GHz | 54 Mbps |
| 802.11n | Wi-Fi 4 | 2009 | 2.4 / 5 GHz | 600 Mbps (4x4 MIMO) |
| 802.11ac | Wi-Fi 5 | 2013 | 5 GHz | 6.9 Gbps (8x8, 160 MHz) |
| 802.11ax | Wi-Fi 6 | 2019 | 2.4 / 5 GHz | 9.6 Gbps (OFDMA) |
| 802.11ax + 6 GHz | Wi-Fi 6E | 2020 | 6 GHz added | 9.6 Gbps |
| 802.11be | Wi-Fi 7 | 2024 | 2.4 / 5 / 6 GHz | 46 Gbps (MLO, 320 MHz) |

Wi-Fi 6E opens 1200 MHz of new spectrum in the 6 GHz band, approved for unlicensed use in India by the DoT in January 2026; that band hosts twice as many non-overlapping 80 MHz channels as the entire 5 GHz band did. Wi-Fi 7 adds Multi-Link Operation (MLO), where a single client maintains simultaneous associations on two bands and load-balances frames between them, and 320 MHz channels in 6 GHz. The forensic relevance is that a packet capture from a Wi-Fi 7 client requires the capture tool to follow MLO across radios, which only Wireshark 4.4+ with a recent libpcap and capable radio hardware can do.

The OSI seven-layer model with TCP/IP four-layer mapping. Each layer's example protocols and the artefact the digital forensic examiner recovers from a packet capture at that layer.

The CERT-In Direction dated 28 April 2022 mandates that data centres, virtual private server providers, VPN providers and cloud service providers operating in India maintain ICT system logs for 180 rolling days, register subscriber identification details, and synchronise all systems to the NPL or NIC NTP servers. Those logs are exactly the layer-by-layer artefacts above: DHCP leases mapping MAC to IP, NAT translation tables mapping internal port to external port, DNS query logs, and Layer 4 connection records. Every Indian network-forensic case after May 2022 starts with a CERT-In log request, and the examiner who does not know which header field lives at which layer cannot frame that request properly.

Practice

A packet leaves an Indian ISP's NAT gateway and reaches a server in Frankfurt. Which header field is rewritten on every hop and therefore tells you nothing about the original device?

Frequently asked questions

What is the difference between the OSI model and the TCP/IP model?
The OSI model is a seven-layer reference framework (Physical, Data Link, Network, Transport, Session, Presentation, Application) published by ISO in 1984 for teaching and analysis. The TCP/IP model is the four-layer stack (Link, Internet, Transport, Application) defined by the IETF and actually deployed on the internet. The mapping is: OSI 1 and 2 collapse into TCP/IP Link; OSI 3 maps to TCP/IP Internet; OSI 4 to TCP/IP Transport; OSI 5, 6 and 7 collapse into TCP/IP Application. Forensic examiners use the OSI labels because Wireshark and most textbooks dissect by OSI layer.
Why does CIDR notation matter for digital forensics?
CIDR (`a.b.c.d/n`) is the only way to ask CERT-In or an ISP a precise question about which subscriber owned a given address at a given time. A log request worded as `203.0.113.0/24 between 02:15 and 02:45 IST on 14 May 2026` returns one customer; the same request worded loosely as `the 203.0.113.x range` returns ambiguity. CIDR also drives route aggregation in BGP, so understanding the prefix length lets the examiner interpret the path the traffic actually took.
What are RFC 1918 private addresses and why can't they appear on the public internet?
RFC 1918 reserves three IPv4 ranges for private use: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Routers on the public internet are configured to drop packets with those source or destination addresses, so traffic between two private networks needs NAT at the edge that rewrites the private source IP into the organisation's public IP. The forensic consequence is that a packet capture from inside a private LAN shows different addresses than a capture upstream of NAT.
How does SLAAC work and what does it leak about the device?
Stateless Address Autoconfiguration (RFC 4862) is how an IPv6 host gets a global address without DHCPv6. The router multicasts a Router Advertisement with a /64 prefix; the host appends a 64-bit interface identifier. Old EUI-64 identifiers embedded the device MAC, leaking the OUI and serial. Modern hosts use RFC 7217 stable opaque identifiers or RFC 8981 temporary privacy identifiers that rotate every 24 hours, which strip that hardware fingerprint.
What is the practical difference between a hub, a switch and a router for an examiner?
A hub repeats every signal to every port (Layer 1, dead in 2026). A switch reads the Ethernet header and forwards a frame only to the port hosting the destination MAC (Layer 2). A router reads the IP header and forwards based on a routing table, rewriting MACs at each hop (Layer 3). Forensic relevance: a passive tap on a switched LAN sees only broadcast and the local port; a tap upstream of the router sees aggregated traffic from many devices but with rewritten MACs. The packet broker placement decides what the SOC can see.
Why does Wi-Fi 6E matter compared to Wi-Fi 6?
Wi-Fi 6E extends 802.11ax into the 6 GHz band, opening 1200 MHz of new unlicensed spectrum approved by the DoT in India in 2022. That band supports seven 160 MHz channels versus two in the entire 5 GHz band, so dense deployments (campus, stadium, conference) get far less congestion. For the examiner, Wi-Fi 6E means a capture target may be operating on 6 GHz channels that older sniffers (USB adapters limited to 2.4 and 5 GHz) cannot see at all.
What information about a device can I learn from its MAC address?
The first three octets (OUI) identify the vendor by an IEEE-assigned prefix; Wireshark resolves it automatically (`a4:83:e7` becomes Apple). The U/L bit of the first octet tells you whether the address is universally administered (vendor-assigned, 0) or locally administered (software-set, 1) and so reveals MAC randomisation in modern phones. The I/G bit distinguishes unicast (0) from multicast (1). Beyond that the lower three octets are the vendor's own serial and carry no public meaning, though some old vendors used predictable counters that let you estimate the manufacturing year.
