Frames, Packets, Segments, and Data Flow

Names for Data at Different Layers

When people say a network sends data, they are usually compressing several steps into one phrase. Different layers package data in different ways. The names matter because switches, routers, firewalls, operating systems, and packet analyzers make decisions based on different headers.

At the application layer, the original information may be a web request, a DNS query, an email message, a file transfer command, or management data. The application does not usually care about MAC addresses or cable signals. It asks the lower layers to deliver data to another application or service.

At the transport layer, TCP or UDP identifies which application conversation the data belongs to. TCP uses source and destination port numbers and provides reliability features such as sequencing, acknowledgments, retransmission, and flow control. A TCP unit of data is commonly called a segment. UDP also uses port numbers but does not set up a reliable connection in the same way. UDP units are often called datagrams. DNS, VoIP, streaming, and some gaming traffic commonly use UDP because low overhead and timeliness can be more important than retransmitting every lost piece.

At the network layer, IP wraps transport information inside an IP packet. The packet includes source and destination IP addresses. Routers read the destination IP address, compare it to routing information, and forward the packet toward the next hop. The source and destination IP addresses usually stay the same from the original sender to the final receiver, although technologies such as NAT can intentionally translate addresses at a boundary.

At the data link layer, Ethernet or Wi-Fi wraps the packet in a frame. A frame includes source and destination MAC addresses for the local link. This is a key point: MAC addresses are local-hop information. If a laptop sends traffic to a server on another network, the laptop usually builds a frame addressed to the MAC address of its default gateway, not to the remote server's MAC address. The router receives the frame, removes the data link header, makes a routing decision based on the IP packet, then builds a new frame for the next link. The packet moves end to end, but the frame is rebuilt hop by hop.

At the physical layer, the frame becomes bits transmitted as electrical signals on copper, light pulses on fiber, or radio waves in wireless. A link light, negotiated speed, duplex status, wireless signal level, and physical errors relate to this layer.

A simple web example ties the terms together. A browser wants an HTTPS page. After DNS resolution, the client opens a TCP connection to destination port 443 on the server. The client sends application data inside TCP segments. IP packets carry those segments toward the server. Ethernet or Wi-Fi frames carry each packet across each local link. The physical layer transmits the bits. A switch mainly pays attention to frame information, a router mainly pays attention to packet information, and a host operating system pays attention to transport ports to deliver data to the correct process.

Packet capture tools such as Wireshark display these layers together. A single captured frame may show Ethernet, IP, TCP, and HTTPS-related information. For CCST-level troubleshooting, you do not need to decode every field. You should be able to identify whether you are looking at local MAC addressing, IP addressing, TCP or UDP ports, or application protocol behavior. That skill helps when you save a capture for escalation, explain what you observed, and avoid mixing up local switching problems with routed path or application problems.

Study Checkpoint

• Topic: Frames, Packets, Segments, and Data Flow.
• Verify the official Cisco concept before memorizing a shortcut.
• Practice the technician action: observe, document, test, fix when supported, or escalate.