Is It Possible to Monitor OSI Model Layer 8?

 Originally published on September 09, 2019 by Sascha Neumeier
Last updated on March 03, 2022 • 9 minute read

You no doubt know the OSI model, and you probably work with it every day. If you're a sysadmin and don't know what I'm talking about, then... no, everyone knows what I am talking about! 😊

The original OSI model consists of seven abstraction layers, starting with the physical layer right up to the application layer. Where was the presentation layer again? And which networking committee defined the layer?

If you want to refresh your knowledge before you read on, let's have a look at the definition and the overview of the layers.

The OSI (Open Systems Interconnection) model was created by the ISO to help standardize communication between computer systems. It divides communications into seven different layers, which each include multiple hardware standards, protocols, or other types of services.


The OSI model consists of the following layers:


So now we all remember how the OSI model is structured and know where layers like the transport layer, the network layer or the session layer are .

In addition to the traditional, seven-layer OSI model, you also hear about the so-called "Layer 8". Admins like to use the term "layer 8 issue" when it comes to errors caused by a user. These are mostly users who do not master the handling of IT technology well enough from the admins' point of view and who make avoidable mistakes.

Ever Heard of the Extended OSI Model?

But there is also another, more serious definition of Layer 8.

Bruce Schneier and the company RSA Security LLC invented the concept of layers above the OSI layer.


iSide note: Layer 0 is often referred to as the cabling infrastructure which is almost everything that the physical layer, Layer 1, needs to exist at all. If you want to delve a little deeper, you can find more information here.


During troubleshooting, the user layer is both the most complex and often the most opaque. Whenever a problem cannot be explained logically, even after several views, you should take a closer look at the user layer! It may well be that it is a code 18!

Should You Monitor Layer 8 Things to Avoid User Issues?

Well, in the first step, and this is very important, we have to distinguish between monitoring and surveillance.

In the context of this article, I will not go into the possibility of physically monitoring employees in any form, neither in the form of video surveillance, nor any other surveillance of the workplace.

I am much more concerned with scenarios in which users interact with systems and in which these actions need to happen within a defined framework.

What Could Be Such Specific Layer 8 Use Cases?

In the end, any kind of social engineering, SPAM, scam, phishing or online fraud is a conceivable use case.

  • Employees who find a prepared USB stick in the company car park and plug it into the USB slot of a company computer.
  • Users who receive a telephone call where the other person pretends to be their boss and advises an urgent bank transfer.
  • The careless handling of classic phishing emails that contain links to malicious websites or even malicious code as attachments.

You can't monitor which links your users click, but you can at least check if the antivirus solution is up-to-date on all devices and if the software firewall is active. Our PRTG WMI Security Center Sensor, for example, can be of assistance here.

In addition to this, you always have to reckon with inconsiderate actions on the part of your users. How easily is a folder in the file system accidentally deleted or the contents of a database file destroyed? To always have an eye on this, take a look at our different PRTG File Sensors like PRTG File Sensor, WMI File Sensor, File Content Sensor, or Folder Sensor.

Impatient users also tend to turn off computers during a logon or logoff process that they feel takes too long. The fact that updates to the system or an application are carried out in the background is not visible at this moment. Often this impatience leads to a computer that does not start anymore or that does not run stably.

To counter this, you can monitor the unexpected shutdowns of the devices of such impatient colleagues. Just use our PRTG Event Log (Windows API) Sensor in this case.

Since the success of the series The IT Crowd, every admin knows the often-quoted sentence, "Have you tried turning it off and on again?". I don't know how many times during my time in IT support users credibly assured me that they had already restarted the computer several times. A look at the system uptime of the computer brought the truth to light! With PRTG you can monitor system uptime based on WMI (PRTG Windows System Uptime Sensor) as well as SNMP (PRTG SNMP System Uptime Sensor).

These examples show that the monitoring of such incidents usually takes place within the seventh layer, the application layer. The user layer is only the trigger - it is very difficult from a technical basis to monitor within layer number 8.

Therefore, in Layer 8, prevention is much more important than reaction. Make your users aware of these dangers regularly and proactively.

While our solution PRTG can't help monitoring all your layer 8 issues in detail, we've got the other layers covered. So if it comes to Network Monitoring, be sure to check out PRTG Network Monitor.