The 4 Layers of the TCP/IP Model
TCP/IP vs OSI Model — Side-by-Side Comparison
| OSI Layer | OSI Name | TCP/IP Layer | Key Protocols |
|---|---|---|---|
| 7 | Application | Application | HTTP, FTP, DNS, SMTP |
| 6 | Presentation | Application | TLS/SSL, JPEG, ASCII |
| 5 | Session | Application | NetBIOS, RPC, SQL |
| 4 | Transport | Transport | TCP, UDP |
| 3 | Network | Internet | IP, ICMP, ARP, routing protocols |
| 2 | Data Link | Network Access | Ethernet, Wi-Fi, MAC addressing |
| 1 | Physical | Network Access | Cables, hubs, radio waves, NIC |
CompTIA tests both models — you need to know them both and understand the mapping between them. The OSI model is used more for theoretical troubleshooting questions ("at which layer does a router operate?"). The TCP/IP model is used when discussing how internet protocols actually work.
Key mapping to memorise: TCP/IP Application = OSI layers 5+6+7. TCP/IP Transport = OSI layer 4. TCP/IP Internet = OSI layer 3. TCP/IP Network Access = OSI layers 1+2.
Encapsulation — How Data Travels Down the Stack
When you send data (say, an HTTP request), each layer wraps it in its own header before passing it down — this is called encapsulation. At the destination, each layer strips its header and passes the payload up — called decapsulation.
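The encapsulation and decapsulation steps described above, as an added example that is not part of the original page. It wraps a constructed HTTP request in simplified TCP, IPv4 and Ethernet II headers and then strips them again; the addresses, ports and MACs are constructed documentation values, and checksums are left at zero, so the bytes show header layout only.

```python
import socket
import struct

def tcp_segment(payload, sport, dport, seq):
    """Transport layer: prepend a 20-byte TCP header (checksum left as 0)."""
    offset_flags = (5 << 12) | 0x018          # header = 5 words, flags PSH+ACK
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       offset_flags, 65535, 0, 0) + payload

def ip_packet(segment, src, dst):
    """Internet layer: prepend a 20-byte IPv4 header (protocol 6 = TCP)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                       64, 6, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + segment

def eth_frame(packet, src_mac, dst_mac):
    """Network Access layer: prepend a 14-byte Ethernet II header."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet

def encapsulate(payload):
    # Constructed addresses from documentation ranges, not real hosts.
    seg = tcp_segment(payload, 49152, 80, 1000)
    pkt = ip_packet(seg, "192.0.2.10", "198.51.100.7")
    return eth_frame(pkt, bytes.fromhex("00005e005310"),
                     bytes.fromhex("00005e005301"))

def decapsulate(frame):
    """Strip each header in turn, as the receiving stack does."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    packet = frame[14:]                        # Ethernet header removed
    ihl = (packet[0] & 0x0F) * 4               # IPv4 header length in bytes
    segment = packet[ihl:]                     # IP header removed
    (dport,) = struct.unpack("!H", segment[2:4])
    data_offset = (segment[12] >> 4) * 4       # TCP header length in bytes
    return {
        "ethertype": ethertype,
        "protocol": packet[9],
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "dst_port": dport,
        "payload": segment[data_offset:],      # TCP header removed
    }

REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed sample

if __name__ == "__main__":
    frame = encapsulate(REQUEST)
    print(len(REQUEST), "payload bytes ->", len(frame), "frame bytes")
    print(decapsulate(frame))
```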
Understanding which layer a problem occurs at tells you exactly where to look. If you can ping by IP but not by hostname — the problem is at the Application layer (DNS). If you can ping the loopback but not the gateway — the problem is at the Network Access or Internet layer. CompTIA's troubleshooting methodology follows the layer model.
A useful rule: ping tests the Internet layer (IP). nslookup tests the Application layer (DNS). If ping works but nslookup fails — DNS is broken, not the network.
TCP vs UDP — The Transport Layer Protocols
| Feature | TCP | UDP |
|---|---|---|
| Connection type | Connection-oriented (3-way handshake: SYN, SYN-ACK, ACK) | Connectionless — no handshake |
| Reliability | Guaranteed delivery — retransmits lost packets | Best-effort — no retransmission |
| Order | Guaranteed in-order delivery | No ordering guarantee |
| Speed | Slower — overhead of acknowledgements | Faster — no acknowledgement overhead |
| Use cases | HTTP/HTTPS, SSH, FTP, email — anything where data integrity matters | DNS, DHCP, VoIP, video streaming, gaming — speed over reliability |
| Error checking | Yes — checksum + sequence numbers + ACKs | Checksum only — no retransmission |
Exam Scenarios
Why the TCP/IP Model Matters More Than OSI in Practice
The OSI model gets more attention in study guides because it's more granular and useful as a troubleshooting framework. But TCP/IP is what actually runs on real networks. Every device on the internet uses TCP/IP — the protocols you deal with daily (HTTP, DNS, DHCP, SSH, TLS) are all TCP/IP protocols. The OSI model is a conceptual framework for understanding networking; the TCP/IP model is the implementation that ships on every operating system.
For the exam: when a question asks which model is used in real-world networking, the answer is TCP/IP. When a question asks you to identify which layer a protocol operates at and the answer options list OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application), use the OSI model. The two models coexist — TCP/IP protocols map to OSI layers, and knowing both models and their relationship is expected.
Key Protocols at Each TCP/IP Layer
At the Network Access layer (combining OSI Layers 1 and 2): Ethernet, Wi-Fi (802.11), ARP (Address Resolution Protocol — maps IP addresses to MAC addresses), and PPP. This is where physical transmission and local network delivery happen. ARP is a critical exam topic — it operates at this layer and is the target of ARP poisoning/spoofing attacks where an attacker sends fake ARP replies to associate their MAC address with a legitimate IP.
At the Internet layer (OSI Layer 3): IP (Internet Protocol, both v4 and v6), ICMP (Internet Control Message Protocol — used by ping and traceroute), and routing protocols (OSPF, BGP, RIP). IP is responsible for logical addressing and routing packets between networks. ICMP is a companion protocol to IP, used for error reporting and network diagnostics. When ping sends an echo request and receives an echo reply, that's ICMP.
At the Transport layer (OSI Layer 4): TCP (Transmission Control Protocol — connection-oriented, reliable, ordered delivery with acknowledgements) and UDP (User Datagram Protocol — connectionless, no guaranteed delivery, lower overhead). TCP's three-way handshake (SYN → SYN-ACK → ACK) establishes a connection before data transfer. UDP sends datagrams without establishing a connection first — suitable for DNS queries, VoIP, video streaming, and other applications where speed matters more than guaranteed delivery.
At the Application layer (OSI Layers 5–7): HTTP/HTTPS, DNS, DHCP, FTP/SFTP, SSH, Telnet, SMTP, IMAP, POP3, SNMP, and every other application protocol. This is where user-facing communication happens. The Application layer protocols define how data is structured and exchanged between applications — HTTP defines how browsers request and receive web pages, SMTP defines how email is transmitted between mail servers.
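A defensive check for the ARP poisoning described under the Network Access layer, as an added example that is not part of the original page. It compares two neighbour-table snapshots in the text layout printed by the Linux `ip neigh` command and reports an IP whose MAC changed or a MAC that answers for more than one IP; the snapshots, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed snapshots (documentation IP and MAC ranges).
BEFORE = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
"""
AFTER = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.30 dev eth0 FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_anomalies(before, after):
    """Flag IP-to-MAC bindings that changed or collide between snapshots."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            findings.append(("mac_changed", ip, old[ip], mac))
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                      # one NIC claiming several IPs
            findings.append(("shared_mac", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in arp_anomalies(BEFORE, AFTER):
        print(finding)
```

A shared MAC can be legitimate (a router with several addresses, for instance), so findings like these are leads to verify against known hardware rather than proof of spoofing.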
IP Addressing Fundamentals
Every device on a TCP/IP network needs at minimum three configuration items: an IP address (identifies the device on its network), a subnet mask (defines the boundary between network and host portions of the address), and a default gateway (the IP address of the router that handles traffic destined for other networks). Without a correct default gateway, a device can communicate with other devices on its own subnet but cannot reach anything outside it.
DNS servers are also typically configured, providing hostname-to-IP resolution. Without DNS, users would need to type IP addresses to reach websites and services. The command ipconfig /all (Windows) or ifconfig/ip addr (Linux/macOS) displays all four: IP address, subnet mask, default gateway, and DNS server addresses.
TCP Three-Way Handshake — How Connections Are Established
Before any data flows over a TCP connection, the two parties perform a three-way handshake to establish the connection and synchronise sequence numbers. Step 1: the client sends a SYN (synchronise) packet to the server. Step 2: the server responds with a SYN-ACK (synchronise-acknowledge) — acknowledging the client's SYN and sending its own SYN. Step 3: the client sends an ACK (acknowledge) completing the handshake. Data transfer can now begin.
This handshake is the target of SYN flood attacks (a type of DoS attack): the attacker sends large numbers of SYN packets with spoofed source addresses, causing the server to allocate resources waiting for ACKs that never come and eventually exhausting its connection table. SYN cookies and rate limiting are the primary defences. On the exam, recognising a SYN flood from a description of "many half-open connections" is a common Security+ scenario.
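Recognising the "many half-open connections" symptom from socket state, as an added example that is not part of the original page. It counts SYN-RECV entries per local port in text laid out like Linux `ss -tan` output; the sample lines, the function names and the threshold of 5 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def constructed_ss_output():
    """Constructed sample in `ss -tan` column layout (documentation IPs)."""
    lines = ["State     Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    for i in range(1, 9):   # eight half-open connections to port 443
        lines.append(f"SYN-RECV  0 0 192.0.2.10:443 198.51.100.{i}:{40000 + i}")
    lines += [
        "ESTAB     0 0 192.0.2.10:443 203.0.113.5:51514",
        "ESTAB     0 0 192.0.2.10:443 203.0.113.6:51620",
        "SYN-RECV  0 0 192.0.2.10:22  203.0.113.9:40222",
        "ESTAB     0 0 192.0.2.10:22  203.0.113.7:50022",
        "LISTEN    0 128 0.0.0.0:443  0.0.0.0:*",
    ]
    return lines

def half_open_report(lines, min_half_open=5):
    """Return ports where half-open sockets outnumber established ones."""
    half, established, peers = Counter(), Counter(), defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue                          # header or malformed line
        state, port = fields[0], fields[3].rsplit(":", 1)[1]
        if state == "SYN-RECV":               # SYN seen, final ACK not yet
            half[port] += 1
            peers[port].add(fields[4].rsplit(":", 1)[0])
        elif state == "ESTAB":
            established[port] += 1
    return {
        port: {"half_open": n, "established": established[port],
               "distinct_peers": len(peers[port])}
        for port, n in half.items()
        if n >= min_half_open and n > established[port]
    }

if __name__ == "__main__":
    print(half_open_report(constructed_ss_output()))
```

On Linux, the SYN cookies defence mentioned above is controlled by the `net.ipv4.tcp_syncookies` sysctl.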