CEH

198 Chapter 8 ■ Trojans, Viruses, Worms, and Covert Channels


EXERCISE 8.3 (continued)

To use TCPView, follow these steps:


  1. In Windows, run the tcpview.exe executable.

  2. Observe the results in the GUI (see Figure 8.2).

  3. With TCPView still running, open a web browser, and go to http://www.wiley.com.

  4. In TCPView, notice the results and that new entries have been added.

  5. In the browser, go to http://www.youtube.com (or some other site that streams video or audio),
    and play a video or piece of content.

  6. In TCPView, watch how the entries change as ports are opened and closed. Observe for
    a minute or two, and note how the display updates.

  7. Close the web browser.

  8. In TCPView, observe how the display updates as some connections and applications are
    removed.


FIGURE 8.2 TCPView interface

What is really convenient about TCPView is that it color-codes the results between
refreshes: green marks an endpoint that has just been opened, red marks an endpoint that
has closed and is about to be removed from the display, and yellow marks an endpoint
whose state changed since the previous refresh.

When using TCPView, you can save a snapshot of the current display to a TXT file.
This is extremely helpful when investigating a suspect machine: the saved snapshot records
which process owned which connection at a given moment, so it can be analyzed later and
kept as evidence for incident-management purposes.
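The same exercise can be scripted so that the "before" and "after" views are compared automatically and the snapshot is written to a text file. The following PowerShell is an added example, not code from the book or from Sysinternals; it assumes Windows 8 / Server 2012 or later, where the built-in NetTCPIP module provides Get-NetTCPConnection, and the function names (Get-EndpointSnapshot, Compare-EndpointSnapshot, Save-EndpointSnapshot) are the author's own. Run it from an elevated PowerShell so the owning process of every endpoint can be resolved.

```powershell
# Added example (not from the book): a scripted analogue of Exercise 8.3.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012 and later).

function Get-EndpointSnapshot {
    # One object per TCP endpoint, with the same fields TCPView shows:
    # owning process, local address:port, remote address:port, and state.
    Get-NetTCPConnection | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            PID     = $_.OwningProcess
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = [string]$_.State
        }
    }
}

function Get-EndpointKey($e) {
    # Process + local + remote identifies one endpoint across two snapshots.
    "$($e.PID)|$($e.Local)|$($e.Remote)"
}

function Format-Endpoint($e) {
    "{0,-20} {1,6} {2,-26} {3,-26} {4}" -f $e.Process, $e.PID, $e.Local, $e.Remote, $e.State
}

function Compare-EndpointSnapshot {
    param([object[]]$Before, [object[]]$After)
    $old = @{}; foreach ($e in $Before) { $old[(Get-EndpointKey $e)] = $e }
    $new = @{}; foreach ($e in $After)  { $new[(Get-EndpointKey $e)] = $e }

    # Same colouring TCPView uses: green = new endpoint, yellow = state changed,
    # red = endpoint that has disappeared since the first snapshot.
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            Write-Host ("NEW     " + (Format-Endpoint $new[$k])) -ForegroundColor Green
        } elseif ($old[$k].State -ne $new[$k].State) {
            Write-Host ("CHANGED " + (Format-Endpoint $new[$k]) +
                        " (was $($old[$k].State))") -ForegroundColor Yellow
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            Write-Host ("CLOSED  " + (Format-Endpoint $old[$k])) -ForegroundColor Red
        }
    }
}

function Save-EndpointSnapshot {
    param([object[]]$Snapshot, [string]$Path)
    # Plain-text record of the snapshot for later analysis, like TCPView's File > Save As.
    $header = "# TCP endpoints on {0} at {1}" -f $env:COMPUTERNAME, (Get-Date -Format o)
    $lines  = @($header) + ($Snapshot | Sort-Object Process, Local | ForEach-Object { Format-Endpoint $_ })
    Set-Content -Path $Path -Value $lines -Encoding UTF8
}

# Walk through the exercise: snapshot, generate traffic in a browser, snapshot again, diff.
$before = Get-EndpointSnapshot
Save-EndpointSnapshot -Snapshot $before -Path "$env:TEMP\tcp-before.txt"
Read-Host "Open a browser, load a page or play a video, then press Enter"
$after = Get-EndpointSnapshot
Save-EndpointSnapshot -Snapshot $after -Path "$env:TEMP\tcp-after.txt"
Compare-EndpointSnapshot -Before $before -After $after
```

Endpoints are keyed on process, local and remote address rather than on state, so a connection moving from Established to TimeWait shows as CHANGED (yellow) rather than as one CLOSED plus one NEW entry, which is how TCPView itself tracks them. The two saved files can be diffed later with Compare-Object if the machine has to be left while the investigation continues.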