Network Services

Saturday, April 19, 2014

The -p Switch

Like the -n switch, the -p switch is a modifier. Typically used with the -s switch (discussed earlier), it specifies which protocol's statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the -p switch like so:

    netstat -s -p ICMP

The netstat utility then displays only the ICMP statistics instead of the whole gamut of TCP/IP statistics that the -s switch normally produces.

Real World Scenario
Uses for netstat

You might be saying to yourself, “OK. Fine…I can use lots of cool switches with netstat, but what is it good for, really?” I’m always finding uses for netstat. One time, I found a particularly nasty worm on my PC using netstat. Being the geek that I am, I just happened to run netstat for giggles one day and noticed a very large number of outbound connections to various places on the Internet. It was sending out SYN packets to a large number of hosts (an indication that my computer was involved—unknowingly—in a large-scale denial of service attack). Upon further examination, I noticed that this activity would start shortly after bootup.

I tried running netstat after bootup and noticed that the first outbound connection was to TCP port 6667 on some IRC server I’d never heard of (I didn’t even have an IRC client on my machine at the time). It was particularly nasty to try to get rid of while active, so I turned off port 6667 on my firewall. That prevented the initial connection to the IRC server (and, as I found out later, prevented the worm from getting its instructions from the IRC server), and I was then able to remove it. I would never have found out that this worm was at work without netstat. My antivirus program even missed it.
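The scenario above boils down to two things a defender can check in a netstat listing: a burst of half-open outbound connections (many rows in SYN_SENT to many different hosts) and a connection to an unexpected port such as 6667. The following is an added example, not part of the original text, that parses a constructed, Windows-style `netstat -an` listing and flags both conditions. The sample output, the `IRC_PORTS` watch list and the `syn_threshold` value are assumptions chosen for illustration; on a real machine you would feed it the output of `netstat -an` instead.

```python
"""Flag a SYN_SENT burst and connections to watched ports in netstat -an output."""

# Constructed sample of Windows-style `netstat -an` output; not a real capture.
# Addresses are from the documentation ranges (RFC 5737).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:49153       203.0.113.5:80         SYN_SENT
  TCP    192.0.2.10:49154       203.0.113.6:80         SYN_SENT
  TCP    192.0.2.10:49155       203.0.113.7:80         SYN_SENT
  TCP    192.0.2.10:49156       203.0.113.8:80         SYN_SENT
  TCP    192.0.2.10:49157       203.0.113.9:80         SYN_SENT
  TCP    192.0.2.10:49158       203.0.113.10:80        SYN_SENT
  TCP    192.0.2.10:49159       203.0.113.11:80        SYN_SENT
  TCP    192.0.2.10:49160       203.0.113.12:80        SYN_SENT
  TCP    192.0.2.10:49161       192.0.2.20:445         ESTABLISHED
  TCP    [::1]:49200            [::1]:3389             ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Assumed watch list: the IRC port from the scenario above. Extend as needed.
IRC_PORTS = {6667}


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[::1]:80' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        foreign_host, foreign_port = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local": local,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            "state": state,
        })
    return rows


def assess(rows, syn_threshold=5, watch_ports=IRC_PORTS):
    """Summarise the two indicators: SYN_SENT fan-out and watched-port hits."""
    syn_sent = [r for r in rows if r["state"] == "SYN_SENT"]
    distinct_targets = {r["foreign_host"] for r in syn_sent}
    watch_hits = [
        (r["foreign_host"], r["foreign_port"])
        for r in rows
        if r["proto"] == "TCP"
        and r["foreign_port"] in watch_ports
        and r["state"] != "LISTENING"
    ]
    return {
        "syn_sent": len(syn_sent),
        "syn_sent_targets": len(distinct_targets),
        # Many half-open connections to many distinct hosts is the pattern
        # described in the scenario; the threshold is an assumed tuning knob.
        "syn_flood_suspected": len(distinct_targets) >= syn_threshold,
        "watch_port_hits": watch_hits,
    }


if __name__ == "__main__":
    summary = assess(parse_netstat(SAMPLE_NETSTAT))
    print(f"SYN_SENT rows: {summary['syn_sent']} to "
          f"{summary['syn_sent_targets']} distinct hosts")
    if summary["syn_flood_suspected"]:
        print("Outbound SYN burst detected; host may be taking part in a DoS")
    for host, port in summary["watch_port_hits"]:
        print(f"Connection to watched port {port} on {host}")
```

Run against a live system by piping `netstat -an` into `parse_netstat` (for example `parse_netstat(subprocess.check_output(["netstat", "-an"], text=True))`); note that the column layout parsed here is the Windows one, and that a handful of SYN_SENT rows is normal right after boot, so tune `syn_threshold` to your baseline before acting on the result.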
