In IT and operations, data doesn’t just exist — it moves.
Every click, request, or alert represents information traveling across layers of technology: networks, protocols, and systems.
To understand modern infrastructure — whether for troubleshooting, monitoring, or security — we need to understand how data moves, who touches it, and what happens at every step.
Let’s break it down with the classic “five Ws” — Who, What, When, Where, and Why — and connect them to the technologies that make it all work: HTTPS, authentication, ports, and logging.
🧠 The Five Ws of Data Transmission
| W | What It Explains | Example |
|---|---|---|
| Who | The sender and receiver of data | A browser (client) connects to a web server |
| What | The data being transferred | A GET /api/orders request with JSON data |
| When | The timing of the communication | Timestamped at 2025-10-08T09:15:32Z |
| Where | The path and systems the data travels through | From the user’s IP to the app server to the database |
| Why | The reason or trigger for transmission | A user checking their order history |
These five questions form the backbone of incident analysis, root cause investigations, and system design.
If you can answer all five during a major incident, you’re already halfway to resolution.
🌐 The Layers of Data Movement
When data travels, it follows the structure of the OSI model — seven layers that explain how information moves from one device to another.
| Layer | Function | Common Protocols |
|---|---|---|
| 7️⃣ Application | Where communication begins | HTTP, HTTPS, SMTP, SSH |
| 6️⃣ Presentation | Handles encryption and translation | TLS/SSL, JSON, XML |
| 5️⃣ Session | Establishes and maintains connections | TLS handshake, sessions, tokens |
| 4️⃣ Transport | Ensures reliable delivery | TCP, UDP |
| 3️⃣ Network | Routes data across systems | IP, ICMP |
| 2️⃣ Data Link | Controls how data moves on the network | Ethernet, Wi-Fi |
| 1️⃣ Physical | The actual wires, fiber, or radio signals | Copper, fiber, 5G, etc. |
Each layer has its own responsibility — and when troubleshooting, knowing where a failure occurs can save hours.
🔒 HTTPS and Authentication: Securing the “Who”
HTTPS (Hypertext Transfer Protocol Secure) uses TLS encryption to protect communication between client and server.
It ensures that the data sent — like login credentials or API responses — can’t be read or modified by anyone else.
Typical HTTPS Flow:
- Client initiates a secure connection on port 443.
- The server presents an SSL/TLS certificate.
- Both sides agree on encryption keys.
- Encrypted communication begins.
Types of Authentication
| Method | Description | Layer |
|---|---|---|
| Basic Auth | Username/password in header | Application |
| Bearer Tokens (JWT/OAuth2) | Tokens used in modern APIs | Application |
| mTLS (Mutual TLS) | Certificates verify both client and server | Transport |
| Kerberos / LDAP / SAML | Common in enterprise SSO systems | Session/Application |
Authentication answers the “who” — proving identity — while HTTPS ensures “what” is protected.
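To make the Basic Auth and Bearer token rows concrete, here is an added example (not code from the original article) that shows what identity anyone who can read an `Authorization` header recovers from it, which is why these schemes depend on HTTPS. The sample headers, the `describe_authorization` function, and its field names are constructed for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are URL-safe base64 with the padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Constructed sample headers (not real credentials).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:constructed-password").decode()
SAMPLE_JWT = "Bearer " + ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "customer-4821", "exp": 1759915832}).encode()),
    _b64url(b"constructed-signature"),
])

def describe_authorization(header_value: str) -> dict:
    """Return the 'who' that anyone able to read this header can recover."""
    scheme, _, credential = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        if scheme == "basic":
            # Basic is base64("user:password"): an encoding, not encryption.
            decoded = base64.b64decode(credential).decode("utf-8")
            user, _, password = decoded.partition(":")
            return {"scheme": "basic", "who": user,
                    "password_readable": bool(password)}
        if scheme == "bearer" and credential.count(".") == 2:
            claims = json.loads(_b64url_decode(credential.split(".")[1]))
            if isinstance(claims, dict):
                # Claims are read without verifying the signature: enough to
                # show what is exposed, never to make an access decision.
                return {"scheme": "bearer-jwt", "who": claims.get("sub"),
                        "expires": claims.get("exp"), "password_readable": False}
    except ValueError:
        pass  # undecodable credential: fall through and report no identity
    # Opaque bearer tokens and unknown schemes carry no readable identity,
    # although an intercepted bearer token can still be replayed.
    return {"scheme": scheme or "none", "who": None, "password_readable": False}

if __name__ == "__main__":
    for sample in (SAMPLE_BASIC, SAMPLE_JWT, "Bearer abc123"):
        print(describe_authorization(sample))
```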
🔌 Ports: The Gateways of Data
Ports act like entry and exit doors for network traffic.
Each service listens on specific ports so that systems know how to communicate.
| Service | Protocol | Port |
|---|---|---|
| Web (HTTP/HTTPS) | TCP | 80 / 443 |
| SSH (Remote Access) | TCP | 22 |
| DNS (Name Resolution) | UDP | 53 |
| SQL Server | TCP | 1433 |
| MySQL | TCP | 3306 |
| RDP (Remote Desktop) | TCP | 3389 |
In troubleshooting, ports often answer the “where” — which service or endpoint data is actually reaching (or failing to reach).
🧾 Logging: The Memory of Data Flow
Every meaningful step of data movement should be logged.
Logs let you see who did what, when, and where — turning invisible traffic into traceable evidence.
| Type | Captures | Example |
|---|---|---|
| Access Logs | Requests and responses | 192.168.1.10 GET /api/user 200 OK |
| Application Logs | App-level actions | User authenticated successfully |
| System Logs | OS-level events | sshd accepted connection on port 22 |
| Network Logs | Traffic and ports | TCP connection established on port 443 |
| Security Logs | Auth and permissions | Failed login attempt for admin |
| Audit Logs | Configuration and admin changes | User updated SSL certificate |
Logging answers the “when” — and helps reconstruct why something happened during an incident.
⚙️ Putting It All Together
Here’s how the full story might look:
A customer opens your website to check their order.
Their browser sends an HTTPS request on port 443, authenticating with a JWT token.
The request travels through the load balancer, reaches the app server, and queries the database.
Every action — from authentication to response — is logged.
If latency spikes, your monitoring tool (like Datadog or Dynatrace) correlates the slowdown with a database lock event.
The AIOps layer (like Moogsoft or BigPanda) groups similar alerts and notifies the on-call team.
Within minutes, you know who was affected, what failed, when it happened, where it occurred, and why — enabling rapid, data-driven recovery.
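The reconstruction described in this story can be sketched as follows. This is an added example, not code from the original article or from any of the tools named: it assumes every log source emits JSON lines sharing a `request_id` field, and the host names, field names, and log lines are constructed. Treating `warn`/`error` events as the candidate "why" is also an assumption.

```python
import json
from datetime import datetime

# Constructed sample: JSON log lines from several sources, out of order,
# with one malformed line and one unrelated request mixed in.
SAMPLE_LOGS = """\
{"ts":"2025-10-08T09:15:34Z","source":"db","host":"db-1","port":3306,"request_id":"r-1001","level":"warn","msg":"lock wait on orders table"}
{"ts":"2025-10-08T09:15:32Z","source":"access","host":"lb-1","port":443,"request_id":"r-1001","client_ip":"192.168.1.10","msg":"GET /api/orders"}
truncated line that is not JSON
{"ts":"2025-10-08T09:15:33Z","source":"app","host":"app-1","port":8080,"request_id":"r-1001","user":"customer-4821","msg":"User authenticated successfully"}
{"ts":"2025-10-08T09:15:40Z","source":"access","host":"lb-1","port":443,"request_id":"r-1002","client_ip":"192.168.1.11","msg":"GET /api/user"}
{"ts":"2025-10-08T09:15:39Z","source":"access","host":"lb-1","port":443,"request_id":"r-1001","client_ip":"192.168.1.10","msg":"200 OK"}
"""

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def five_ws(raw_logs: str, request_id: str):
    """Correlate events for one request and answer Who/What/When/Where/Why."""
    events = []
    for line in raw_logs.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the analysis
        if isinstance(event, dict) and "ts" in event \
                and event.get("request_id") == request_id:
            events.append(event)
    if not events:
        return None
    events.sort(key=lambda e: parse_ts(e["ts"]))  # sources arrive out of order
    first, last = events[0], events[-1]
    path = []
    for e in events:  # ordered list of distinct host:port hops
        hop = f'{e.get("host")}:{e.get("port")}'
        if hop not in path:
            path.append(hop)
    elapsed = (parse_ts(last["ts"]) - parse_ts(first["ts"])).total_seconds()
    return {
        "who": {"user": next((e["user"] for e in events if "user" in e), None),
                "client_ip": next((e["client_ip"] for e in events
                                   if "client_ip" in e), None)},
        "what": first.get("msg"),
        "when": {"start": first["ts"], "seconds": elapsed},
        "where": path,
        # Assumption: warn/error events are the candidate cause.
        "why": [e["msg"] for e in events if e.get("level") in ("warn", "error")],
    }

if __name__ == "__main__":
    print(json.dumps(five_ws(SAMPLE_LOGS, "r-1001"), indent=2))
```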
🎯 Why It Matters
Understanding data transmission isn’t just for network engineers — it’s vital for:
- Site Reliability Engineers diagnosing root causes
- Support Engineers tracing user issues
- Security Teams validating authentication and compliance
- Developers optimizing API performance
When you can visualize how data flows, you can monitor it, secure it, and fix it faster.
In a connected world, every bit of data tells a story — you just have to know how to read it.
✍️ Final Thought
In operations, the “Five Ws” aren’t just journalistic tools — they’re how you find truth in a sea of logs.
Every port, every request, every timestamp is part of a bigger picture: the movement of data.
The better you understand that movement, the better you can protect, optimize, and explain it.
