Network Packet Forensic using Wireshark

Today we are going to discuss "Network Packet Forensic" by covering some important points: how data is transferred between two nodes, what the "OSI 7 layer model" is, and which layers' information Wireshark records when it captures traffic between two hosts.

As we know, to transfer data from one system to another we need a network connection, which can be wired or wireless. But the transmission of data does not depend on the network connection alone; it passes through several phases on the way from one system to the other, and those phases are what the OSI model describes.

OSI stands for Open Systems Interconnection, a conceptual model that defines and standardizes the process of communication between a sender's and a receiver's system. Data is transferred through a 7-layer architecture in which each layer has a specific function and hands its output to the next layer.

Now have a look at the image below, where we have explained the function of each layer of the OSI model. When the sender transmits, data moves downward from the application layer to the physical layer; when the receiver accepts the transmitted data, it moves upward from the physical layer to the application layer.

Flow of Data from Sender’s network: Application > Presentation > Session > Transport > Network > Data Link > Physical

Flow of Data from Receiver’s network: Physical > Data Link > Network > Transport > Session > Presentation > Application

Examine Layers captured by Wireshark

Basically, when a user opens any application to send or receive data, he interacts directly with the application layer for both operations. For example, we act as a client when we use HTTP to upload or download a game, FTP to download a file, or SSH to access the shell of a remote system.

While an application is sharing data between server and client, we use Wireshark to capture the flow of the network traffic stream and check the OSI model theory against the captured traffic.

From the image below you can observe that Wireshark has captured the traffic of four layers in the direction from the source (sender) to the destination (receiver) network.

Here it has successfully captured Layer 2 > Layer 3 > Layer 4 and then Layer 7 information. Wireshark shows no separate Session or Presentation layer because TCP/IP carries no distinct headers for them; their functions are folded into the application protocol.

Ethernet Header (Data Link)

The data link layer header holds the 6-byte MAC address of the receiver's system (destination) followed by the 6-byte MAC address of the sender's system (source), then 2 bytes of EtherType, which indicates which protocol is encapsulated, such as IPv4 (0x0800) or IPv6 (0x86DD).

In Wireshark the Ethernet II line represents the information transmitted over the data link layer. From the image below you can observe that the highlighted lower pane of Wireshark shows the packet bytes in hexadecimal, where the first row holds the Ethernet header details (its 14 bytes fill all but the last 2 bytes of the 16-byte row).

So here you can read the source and destination MAC addresses, which are also shown in the Ethernet Header detail above.
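To make the layer-peeling concrete, here is an added example (not code from the original post, which only shows Wireshark screenshots): a small Python dissector that walks a raw frame in the receiver's direction, Ethernet II > IPv4 > TCP > payload, using the same field sizes described above, and reproduces the first 16-byte row of the Wireshark bytes pane. The sample frame is constructed by hand for this example (a TCP SYN from a made-up 192.168.1.100 to 93.184.216.34, with checksums left at zero), and the function names are ours.

```python
import struct

# Constructed 54-byte frame (14 B Ethernet II + 20 B IPv4 + 20 B TCP SYN), written
# by hand for this example; it is not a capture from the original post. The IP and
# TCP checksums are left as zero because the dissector does not verify them.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"                # destination MAC (first 6 bytes on the wire)
    "66778899aabb"                # source MAC
    "0800"                        # EtherType 0x0800 = IPv4
    "450000280001400040060000"    # IPv4: v4/IHL 5, TOS, total len 40, ID 1, DF, TTL 64, proto 6, csum
    "c0a80164"                    # src 192.168.1.100
    "5db8d822"                    # dst 93.184.216.34
    "c3500050"                    # TCP src port 50000, dst port 80
    "00000001"                    # sequence number
    "00000000"                    # acknowledgement number
    "5002ffff00000000"            # data offset 5 (20 B), flags SYN, window, csum, urgent ptr
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Layer 2: 6 B destination MAC, 6 B source MAC, 2 B EtherType (14 B total)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    header = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
              "ethertype": ethertype, "ethertype_name": ETHERTYPES.get(ethertype, "unknown")}
    return header, frame[14:]


def parse_ipv4(packet):
    """Layer 3: IHL gives the real header length (options), total length bounds the payload."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimum IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    # Reject garbage and truncated captures instead of slicing past the buffer.
    if version != 4 or ihl < 20 or ihl > total_len or total_len > len(packet):
        raise ValueError("malformed or truncated IPv4 header")
    header = {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
              "ttl": ttl, "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "unknown")}
    return header, packet[ihl:total_len]   # drops any Ethernet trailer padding


def parse_tcp(segment):
    """Layer 4: the data offset (in 32-bit words) says where the application payload starts."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimum TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("malformed or truncated TCP header")
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    header = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
              "window": window, "flags": flags}
    return header, segment[data_offset:]


def dissect(frame):
    """Peel the layers in the receiver's direction: Ethernet -> IPv4 -> TCP -> application payload."""
    layers = {}
    layers["ethernet"], rest = parse_ethernet(frame)
    if layers["ethernet"]["ethertype"] == 0x0800:
        layers["ipv4"], rest = parse_ipv4(rest)
        if layers["ipv4"]["protocol"] == 6:
            layers["tcp"], rest = parse_tcp(rest)
    layers["payload"] = rest   # whatever is left belongs to layer 7 (HTTP, FTP, ...)
    return layers


def hexdump_rows(data, width=16):
    """Rows of the bytes pane as Wireshark lays them out (16 bytes per row): row 0 holds the
    14-byte Ethernet header plus the first 2 bytes of the IP header."""
    return [" ".join(f"{b:02x}" for b in data[i:i + width]) for i in range(0, len(data), width)]


if __name__ == "__main__":
    for name, layer in dissect(SAMPLE_FRAME).items():
        print(name, layer)
    print(hexdump_rows(SAMPLE_FRAME)[0])
```

Every parser returns the header it understood together with the remaining bytes, which is exactly how Wireshark's dissector chain hands a frame from Ethernet II to the IP dissector to TCP. The length checks matter in forensics: a capture truncated by a snaplen, or a deliberately malformed header, must raise rather than silently misattribute bytes to the wrong layer.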

The row is divided into three columns, as described below:

Ethernet header

Source: www.hackingarticles.in