<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Narasimha Mallegari</title>
    <description>The latest articles on Forem by Narasimha Mallegari (@narasimha_mallegari_).</description>
    <link>https://forem.com/narasimha_mallegari_</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3858681%2F8b3dfa04-548f-41a8-90cb-55c12dd968c7.jpg</url>
      <title>Forem: Narasimha Mallegari</title>
      <link>https://forem.com/narasimha_mallegari_</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/narasimha_mallegari_"/>
    <language>en</language>
    <item>
      <title>Learning Cybersecurity — I watched my own internet traffic, and it changed how I think about security</title>
      <dc:creator>Narasimha Mallegari</dc:creator>
      <pubDate>Sat, 04 Apr 2026 19:39:51 +0000</pubDate>
      <link>https://forem.com/narasimha_mallegari_/learning-cybersecurity-i-watched-my-own-internet-traffic-and-it-changed-how-i-think-about-security-2eda</link>
      <guid>https://forem.com/narasimha_mallegari_/learning-cybersecurity-i-watched-my-own-internet-traffic-and-it-changed-how-i-think-about-security-2eda</guid>
      <description>&lt;p&gt;I am documenting every day of my cybersecurity learning journey publicly. &lt;/p&gt;

&lt;h2&gt;What I did today&lt;/h2&gt;

&lt;p&gt;Watched Professor Messer's TCP/IP video, installed Wireshark, completed my first TryHackMe room, and spent about two hours actually watching packets move through my own network.&lt;/p&gt;

&lt;h2&gt;The moment everything clicked&lt;/h2&gt;

&lt;p&gt;I have read about TCP handshakes probably five times in the last week. SYN, SYN-ACK, ACK. I understood the words. I could repeat them back. But I did not really understand them.&lt;/p&gt;

&lt;p&gt;Today I opened Wireshark, started a capture, loaded a website, and watched it happen in real time on my own machine. My computer sent a SYN. The server replied SYN-ACK. My machine confirmed with ACK. Then the data started flowing.&lt;/p&gt;

&lt;p&gt;That is the moment theory became real for me. It is three packets. It happens in milliseconds. And it happens every single time any device anywhere connects to any other device on the internet.&lt;/p&gt;

&lt;h2&gt;The HTTP experiment that honestly surprised me&lt;/h2&gt;

&lt;p&gt;I set up a Wireshark filter for HTTP traffic and visited a website that does not use HTTPS — neverssl.com, which exists specifically for this kind of testing.&lt;/p&gt;

&lt;p&gt;I found one of the captured packets and clicked on it. In the lower panel of Wireshark, I could read my entire web request. Every header. The browser I was using. The page I requested. Everything.&lt;/p&gt;

&lt;p&gt;Plain text. Completely readable.&lt;/p&gt;

&lt;p&gt;I knew HTTPS was important before today. But seeing HTTP traffic readable in Wireshark made it real in a way that reading about it never did. If I were on public WiFi at a coffee shop using an HTTP website, anyone else on that network could run Wireshark and read exactly what I was sending. Logins. Session tokens. Everything.&lt;/p&gt;

&lt;p&gt;This is why security researchers talk about public WiFi being dangerous. It is not theoretical. You can literally watch it happen.&lt;/p&gt;

&lt;h2&gt;DNS — something I never thought about before&lt;/h2&gt;

&lt;p&gt;When you type a website address into your browser, your computer does not magically know where to go. It sends a DNS query first — essentially asking "hey, what is the IP address for this domain name?"&lt;/p&gt;

&lt;p&gt;In Wireshark, I could see this happen before the page even started loading. The DNS query left my machine. A response came back with the IP address. Then the TCP connection to that IP started.&lt;/p&gt;

&lt;p&gt;Every website visit involves this. You just never see it unless you are looking at the raw traffic.&lt;/p&gt;

&lt;h2&gt;TryHackMe — first room done&lt;/h2&gt;

&lt;p&gt;Completed the "What is Networking?" room on TryHackMe today. It covered what networks are, IP addresses, MAC addresses, and the basics of ping and ICMP.&lt;/p&gt;

&lt;p&gt;One thing I picked up that I did not know before: MAC addresses are hardware-level identifiers that cannot change, while IP addresses are assigned by the network and can change. So when a device connects to a new WiFi network, it gets a new IP — but its MAC address stays the same.&lt;/p&gt;

&lt;p&gt;That distinction matters in security because MAC addresses can be used to track devices even when they change IP addresses, and MAC spoofing (faking your MAC address) is a real attack technique.&lt;/p&gt;

&lt;h2&gt;Questions I left with today&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;How does a router decide the best path when there are multiple routes to a destination?&lt;/li&gt;
&lt;li&gt;What is inside a TLS certificate, and how does it prove a website is legitimate?&lt;/li&gt;
&lt;li&gt;If WiFi is encrypted, why is it still possible for attackers to intercept traffic?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These go on my list.&lt;/p&gt;

&lt;h2&gt;What is on the plan for tomorrow&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Professor Messer Common Ports video — memorizing the standard port numbers&lt;/li&gt;
&lt;li&gt;First Nmap scan in Kali Linux on a legal test target&lt;/li&gt;
&lt;li&gt;TryHackMe OSI Model room&lt;/li&gt;
&lt;li&gt;DNS recon commands in terminal — nslookup, dig, host&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;All my notes are on my GitHub. If you are also learning cybersecurity and want to compare notes, feel free to connect.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>networking</category>
      <category>network</category>
      <category>wireshark</category>
    </item>
  </channel>
</rss>
