
Practising traffic analysis in Wireshark

  • Writer: Ben Lee
  • Aug 17, 2023
  • 2 min read

I'll be using a practical exercise room in TryHackMe to refine my Wireshark skills. I'll only be documenting task 1 of the room, but I'll be completing the room in its entirety.


Starting the room off, I revised nmap scans, specifically the TCP scan and how the three-way handshake works, SYN scans, and UDP scans.

Here are the questions for task 1:



For question 1, 'What is the total number of the "TCP Connect" scans?', I used the display filter 'tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024' to narrow down the search to only TCP connections, since their window sizes are usually larger than 1024 bytes.



For question 2, 'Which scan type is used to scan the TCP port 80?', I used the display filter 'tcp.port == 80' to show all the TCP port 80 connections. Here are the results:

As we can see in the image above, both TCP and SYN scans were used, but a TCP connection came first, so I inputted that as my answer.


The third question is 'How many "UDP close port" messages are there?' To accomplish this task, I inputted 'icmp.code==3' in the display filter to show all the unreachable destinations that occurred, which was 1083 instances.



For the last question, 'Which UDP port in the 55-70 port range is open?', I had to use the display filter I learned recently for filtering ports, 'udp.port in {55..70}', to filter out the port range, and the answer was clear after seeing the results.
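The four display filters above can be applied outside the Wireshark GUI as well. Below is an added example (my own code, not part of the room or the original post) that reproduces the same window-size, port, ICMP and UDP-range logic over a small constructed packet list; the dict fields and the `orig_dport` key for the port echoed back in an ICMP unreachable are assumptions of the example, not Wireshark field names.

```python
# Added example: the post's four Wireshark filters re-expressed as Python checks
# over simplified packet dicts (constructed sample, not a real capture).

def is_syn_only(p):
    """tcp.flags.syn==1 and tcp.flags.ack==0"""
    return p.get("proto") == "tcp" and p["syn"] and not p["ack"]

def count_connect_scans(packets):
    """Question 1: SYNs with tcp.window_size > 1024 (OS stack, i.e. a connect scan)."""
    return sum(1 for p in packets if is_syn_only(p) and p["window"] > 1024)

def scan_type_for_port(packets, port):
    """Question 2: like 'tcp.port == N', the first SYN to the port decides the type."""
    for p in packets:
        if is_syn_only(p) and p["dport"] == port:
            return "connect" if p["window"] > 1024 else "syn"
    return None

def count_udp_closed(packets):
    """Question 3: the post used 'icmp.code==3'; port-unreachable replies are
    ICMP type 3 (destination unreachable) with code 3, so both are checked here."""
    return sum(1 for p in packets
               if p.get("proto") == "icmp" and p["type"] == 3 and p["code"] == 3)

def open_udp_ports(packets, lo, hi):
    """Question 4: probed UDP ports in lo..hi that never drew a port-unreachable reply."""
    probed = {p["dport"] for p in packets
              if p.get("proto") == "udp" and lo <= p["dport"] <= hi}
    closed = {p["orig_dport"] for p in packets
              if p.get("proto") == "icmp" and p["type"] == 3 and p["code"] == 3}
    return sorted(probed - closed)

# Constructed sample traffic (assumed values, not from the TryHackMe capture).
PACKETS = [
    {"proto": "tcp", "dport": 22, "syn": True, "ack": False, "window": 64240},  # connect
    {"proto": "tcp", "dport": 22, "syn": True, "ack": True, "window": 65535},   # SYN/ACK reply
    {"proto": "tcp", "dport": 80, "syn": True, "ack": False, "window": 64240},  # connect to 80
    {"proto": "tcp", "dport": 80, "syn": True, "ack": False, "window": 1024},   # SYN scan to 80
    {"proto": "tcp", "dport": 443, "syn": True, "ack": False, "window": 1024},  # SYN scan
    {"proto": "udp", "dport": 53},
    {"proto": "icmp", "type": 3, "code": 3, "orig_dport": 53},   # 53 closed
    {"proto": "udp", "dport": 67},
    {"proto": "icmp", "type": 3, "code": 3, "orig_dport": 67},   # 67 closed
    {"proto": "udp", "dport": 68},                               # no reply: open
    {"proto": "udp", "dport": 69},
    {"proto": "icmp", "type": 3, "code": 3, "orig_dport": 69},   # 69 closed
]

if __name__ == "__main__":
    print(count_connect_scans(PACKETS), scan_type_for_port(PACKETS, 80),
          count_udp_closed(PACKETS), open_udp_ports(PACKETS, 55, 70))
```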



That's it for task 1! Honestly, I'm having a lot of difficulties with Wireshark and cybersec in general, but this is just the beginning of my journey and I know I'll become much better if I'm persistent and continue to learn.
