In one line: Going down the stack from the application layer, each layer adds its own header (sometimes a trailer) around the data; the receiver peels them off one by one. This is encapsulation / de-encapsulation.
What it is#
The application writes some bytes — say an HTTP request:
GET /index.html HTTP/1.1
Host: example.com
This doesn't fly on the wire "naked". Going down:
HTTP message ← Application
[TCP header | HTTP message] ← Transport
[IP header | TCP header | HTTP message] ← Network
[Ethernet header | IP header | TCP header | HTTP | Ethernet trailer] ← Link
bit stream ← Physical
Each header tells the next layer how to process the packet.
Analogy#
You write a letter (HTTP), put it in envelope 1 (TCP, with port number); put that in envelope 2 (IP, with final address); the courier wraps a third envelope 3 (Ethernet, with this-hop addresses). Each relay station only opens the outermost to know where the next hop goes — never the inner ones.
Key concepts#
How it works#
Every router rewrites the Ethernet header (next hop changes) but leaves IP and above alone.
Practical notes#
- Mismatched MTU causes pain. IP fragments when needed. VPN/tunnels often shrink MTU, hurting TCP. Use
ping -s 1472 -M doto probe the max no-fragment size. - Packet capture is layer view. Wireshark expands each packet by frame / IP / TCP / HTTP — the manual peel-and-show.
- Each layer has a length limit. Ethernet 1500, IP up to 65535 in theory, TCP segment bounded by MSS.
- Where encryption happens matters. HTTPS sits between app and transport; the link layer sees only ciphertext — but IP headers remain plaintext, so the ISP still sees which IP you contact.
Easy confusions#
e.g. IP, TCP.