Port Scanning Basics
Understand what ports are, how scanning works, and why it matters for security.
What Are Network Ports?
A network port is a numbered endpoint that identifies a specific process or service on a computer. When two machines communicate over a network, the IP address identifies the machine, and the port number identifies which application should handle the traffic. Ports range from 0 to 65535, giving over 65,000 possible endpoints per IP address.
Ports use two main transport protocols. TCP (Transmission Control Protocol) is connection-oriented — it establishes a reliable link with handshakes before data flows. Most services like web servers, email, and SSH use TCP. UDP (User Datagram Protocol) is connectionless — it fires packets without setup, making it faster but unreliable. DNS queries, streaming, and gaming often use UDP.
Common Ports You Should Know
Some port numbers are universally recognized. Here are the most important ones:
| Port | Protocol | Service | What It Does |
|------|----------|---------|--------------|
| 21 | TCP | FTP | File transfer (legacy) |
| 22 | TCP | SSH | Secure remote shell access |
| 25 | TCP | SMTP | Email sending |
| 53 | TCP/UDP | DNS | Domain name resolution |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 443 | TCP | HTTPS | Encrypted web traffic |
| 3306 | TCP | MySQL | Database server |
| 3389 | TCP | RDP | Windows Remote Desktop |
| 8080 | TCP | Proxy/Dev | Common proxy or dev server port |
Port Ranges
Ports are divided into three categories:
- Well-known ports (0–1023): Reserved for system services. Only privileged processes can bind to these — SSH on 22, HTTP on 80, HTTPS on 443.
- Registered ports (1024–49151): Assigned by IANA for known applications. MySQL uses 3306, PostgreSQL uses 5432, Redis uses 6379.
- Dynamic/ephemeral ports (49152–65535): Temporary ports assigned by the OS for outbound connections. When your browser connects to a website, the return traffic comes back to one of these.
How Port Scanning Works
Port scanning sends carefully crafted packets to a target and analyzes the responses to determine which ports are open, closed, or filtered. The most common scan types are:
- TCP SYN scan (half-open): Sends a SYN packet (connection request). If the target replies with SYN-ACK, the port is open. The scanner then sends RST to tear down before completing the handshake. This is the default and fastest method.
- TCP Connect scan: Completes the full TCP handshake (SYN → SYN-ACK → ACK), then tears the connection down with RST. Slower but more reliable, and works on systems that don't allow raw packets.
- UDP scan: Sends empty UDP packets. If the target replies with ICMP "port unreachable," the port is closed. No response may mean the port is open or filtered — UDP scanning is inherently less reliable.
Legitimate Uses of Port Scanning
Port scanning isn't inherently malicious. Security professionals and system administrators use it regularly:
- Security auditing: Find open ports that shouldn't be exposed — like a database on 3306 accessible from the internet.
- Asset inventory: Map what services are running across your infrastructure, especially after server changes.
- Troubleshooting: Verify that a firewall rule is blocking the right ports, or check if a service is actually listening.
- Compliance checks: Ensure only required services are running, meeting security standards.
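As an added example (not part of the original article), the sketch below implements the TCP connect scan described above and applies it to the security-auditing use case: each connection outcome is mapped to open, closed or filtered, and open ports missing from an allowlist are flagged. The function names `probe` and `audit`, the allowlist parameter and the loopback listener used as the target are assumptions made for illustration.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP port using a full connect(): open, closed or filtered."""
    try:
        # A successful connect means SYN -> SYN-ACK -> ACK completed.
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The target answered the SYN with RST: nothing is listening.
        return "closed"
    except OSError:
        # Timeout or ICMP unreachable: a firewall dropped or rejected the probe.
        return "filtered"

def audit(host, ports, expected_open, timeout=1.0):
    """Probe the given ports and compare the result with an allowlist.

    Returns (results, unexpected, missing):
      unexpected = open ports that are not on the allowlist (exposure)
      missing    = allowlisted ports that are not open (service down/blocked)
    """
    results = {p: probe(host, p, timeout) for p in ports}
    unexpected = sorted(p for p, state in results.items()
                        if state == "open" and p not in expected_open)
    missing = sorted(p for p in expected_open if results.get(p) != "open")
    return results, unexpected, missing

if __name__ == "__main__":
    # Constructed target: a throwaway listener on loopback, so the demo
    # only ever touches the machine it runs on.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    # The allowlist is empty, so the listener shows up as unexpected.
    results, unexpected, missing = audit("127.0.0.1", [port], expected_open=set())
    print(results, "unexpected:", unexpected, "missing:", missing)

    listener.close()
    print("after close:", probe("127.0.0.1", port))
```
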
Legal and Ethical Considerations
This is critical. Port scanning without permission is illegal in many jurisdictions and can be treated as unauthorized access. Here are the rules:
- Only scan infrastructure you own or have explicit written authorization to test.
- Never scan production systems without approval from the owner.
- Use scanning tools responsibly — aggressive scans can trigger IDS alerts or crash fragile services.
- Document your authorization before scanning. Written consent protects you legally.
Try Our Port Scanner
Want to check which ports are open on your server? Our free Port Scanner tool lets you scan common ports from your browser — no installation needed.