Understanding Linux Networking: OSI vs TCP/IP Models and Packet Flow

Network Models

Linux treats networking as a core system function, similar to CPU, memory, and I/O. The OSI seven‑layer model was defined to standardize heterogeneous network devices, but in practice the simpler four‑layer TCP/IP model is used.

Application layer : provides a uniform interface for applications.

Presentation layer : converts data to a format compatible with the receiving system.

Session layer : maintains communication sessions.

Transport layer : adds transport headers to create packets.

Network layer : handles routing and forwarding.

Data link layer : performs MAC addressing, error detection, and correction.

Physical layer : transmits data frames over the physical medium.

Because the OSI model is complex, Linux primarily implements the TCP/IP model, which consists of four layers: Application, Transport, Network, and Network Interface.

Application layer : hosts protocols such as HTTP, FTP, DNS.

Transport layer : provides end‑to‑end communication (TCP, UDP).

Network layer : encapsulates packets with IP headers and performs routing.

Network Interface layer : adds Ethernet frame headers/trailers and interacts with the NIC.

Linux Network Stack

When a packet is sent, it traverses the stack from the application down to the NIC, acquiring a TCP header at the transport layer, an IP header at the network layer, and Ethernet frame headers/trailers at the network‑interface layer. The reverse occurs on reception.

The Maximum Transmission Unit (MTU) limits the largest IP packet; Linux defaults to 1500 bytes for Ethernet. If a packet exceeds the MTU, the network layer fragments it.

[root@dev ~]# ifconfig
cni0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.244.0.1  netmask 255.255.255.0  broadcast 10.244.0.255
        ...
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        ...

Packet Reception Process

The NIC receives a frame via DMA and places it in the receive queue, triggering a hardware interrupt.

The interrupt handler allocates an sk_buff structure, copies the frame into it, and raises a soft‑interrupt to notify the kernel.

The kernel processes the frame layer by layer: link layer validates the frame and identifies the protocol (IPv4/IPv6), then strips the frame header.

The network layer removes the IP header, determines routing, and passes the payload to the transport layer.

The transport layer extracts the TCP/UDP header, uses the 4‑tuple to locate the corresponding socket, and copies data into the socket’s receive buffer.

The application reads the data via the socket API.

Packet Transmission Process

An application calls a socket API (e.g., sendmsg) to send data.

The data is placed in the socket’s send buffer.

The stack adds a TCP header (transport layer) and an IP header (network layer), performs routing, and fragments if necessary.

The network‑interface layer adds Ethernet frame headers/trailers and queues the frame for transmission.

A soft‑interrupt notifies the NIC driver, which uses DMA to send the frame on the wire.

Common Network Commands

To inspect interfaces and diagnose issues, use ifconfig (net‑tools) or ip (iproute2). Both display flags, MTU, IP address, MAC, and traffic statistics.

[root@dev ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.129  netmask 255.255.255.0  broadcast 192.168.2.255
        ...
[root@dev ~]# ip -s addr show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d9:5e:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.129/24 brd 192.168.2.255 scope global noprefixroute ens33
    ...
    RX: bytes  packets  errors  dropped overrun mcast
    24877      279      0       0      0      0
    TX: bytes  packets  errors  dropped carrier collsns
    24616      123      0       0      0      0

Key metrics to watch:

RUNNING / LOWER_UP : indicates the NIC is physically connected.

MTU : default 1500 bytes; may need adjustment for overlays like VXLAN.

IP / MAC : ensure correct addressing.

RX/TX errors, dropped, overruns, carrier, collisions : non‑zero values usually signal network problems.

Socket Information

Use netstat or ss to view socket states, queues, and associated processes. ss is faster and provides concise summaries.

# netstat -nlp | head -n 4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN      952/sshd
tcp        0      0 127.0.0.1:25           0.0.0.0:*              LISTEN      11/master
# ss -ltnp | head -n 4
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*

For established connections, Recv‑Q shows bytes waiting for the application, and Send‑Q shows bytes awaiting acknowledgment. For listening sockets, they represent the lengths of the full‑connection and half‑connection queues.

Connectivity and Latency

Use ping (ICMP) to test reachability and round‑trip time.

# ping -c3 192.168.2.129
PING 192.168.2.129 (192.168.2.129) 56(84) bytes of data.
64 bytes from 192.168.2.129: icmp_seq=1 ttl=64 time=0.026 ms
64 bytes from 192.168.2.129: icmp_seq=2 ttl=64 time=0.016 ms
64 bytes from 192.168.2.129: icmp_seq=3 ttl=64 time=0.015 ms
--- 192.168.2.129 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.015/0.019/0.026/0.005 ms

The summary shows each ICMP request’s sequence number, TTL, and latency, followed by an aggregate of transmitted packets, loss, and average RTT.