Ports

Intro

Ports in networking are an addressing concept that allows computers to send data received over the network to the appropriate applications. They take the form of a number between 0 and 65535, and when combined with an IP address and transport-layer protocol, they allow one host on a network to accurately send data to a specific application on a specific computer elsewhere on the network. The first 1024 ports are considered well-known ports and have been officially associated with protocols designed for specific services. Common examples are port 80 for HTTP (web browsers direct their requests to this port on a web server) or 22 for SSH (an SSH client would target this port to establish a connection and send data).

If this is going to work, those servers need to be ready to receive communication on those ports; i.e., the networking part of their operating systems should be waiting for any packets addressed to ports 80 or 443, which it will then forward to the web server application (and the network's router needs to let those packets through). These well-known ports are typically used by servers, not clients. If my browser requests a web page, it addresses port 80 on the server, but it takes a random port for its own address. This separation allows us to open multiple tabs in one browser, or multiple browsers with multiple tabs, and ensure that each tab gets the correct data. So at any given time, your computer is probably addressing a handful of well-known ports, but unless you're running a server, it's probably listening on a bunch of random, high-numbered ports.

So ports essentially help your computer route data segments to the proper applications, ensuring the Spotify app doesn't get your webpage, and Firefox doesn't get your music stream. That's not particularly dangerous; someone can't just find an open port and treat it like a secret entrance to your computer. However, if a well-known port is open on a computer, that generally means an application is ready to communicate with anyone who reaches out. And that means that it's a source of information and possibly exploitation. If you have a version of a web server running with a known vulnerability, someone could get that information and then try to find a way to exploit the vulnerability on that web server.

Most of that probably isn't a concern for the average person. But if you happen to be curious and want to view the connections that your computer is establishing with other computers out there in the world, and see what ports it's communicating on, the commands below should do the trick.

Linux (Bash)

ss

ss is included in Linux as part of iproute2, the default networking tools. Its usage is similar to the familiar netstat (discussed below). Here's the command:

ss -[l]ntup

This command shows established connections. Because of this, the -p option provides the process name and ID that established the connection. The -l option shows only sockets that are listening, i.e. the port is open to connections, but no connection has been made. -p won't show anything in the latter case because no application has established a connection.
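
The following is an added example, not part of the original article: a small shell filter that reads ss -lntu output and reports which listeners sit on well-known ports and are bound to an address other than loopback, since those are the ones ready to talk to other machines. The function names and the sample listing are made up for illustration.

```bash
#!/bin/sh
# Added example: classify listening sockets from `ss -lntu` output.
# Each output line is: <proto> <port> <scope> <range>
#   scope: loopback = bound to 127.0.0.0/8 or ::1 (local connections only)
#          network  = bound to a wildcard or any other address
#   range: well-known = port below 1024, high = everything else
classify_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" { next }      # also skips the header line
    {
      la = $5                                 # Local Address:Port column
      pos = match(la, /:[0-9]+$/)             # port follows the last colon
      if (pos == 0) next
      port = substr(la, pos + 1) + 0
      addr = substr(la, 1, pos - 1)
      sub(/%.*$/, "", addr)                   # drop interface suffix, e.g. %lo
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "network"
      range = (port < 1024) ? "well-known" : "high"
      print $1, port, scope, range
    }'
}

# Listeners on well-known ports that are not restricted to loopback,
# printed as proto/port.
exposed_well_known() {
  classify_listeners |
    awk '$3 == "network" && $4 == "well-known" { print $1 "/" $2 }'
}

# Constructed sample in the column layout of `ss -lntu` (not real host output).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      511    [::]:80             [::]:*
tcp   LISTEN 0      128    *:8080              *:*
EOF
}

sample_ss_output | exposed_well_known
```

On a live system, replace the sample with real output: ss -lntu | exposed_well_known.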

netstat

If you go and google about this for a bit, you'll find plenty of recommendations for a popular but dated command called netstat. And netstat will certainly get the job done, but it - and net-tools, the package it's a part of - has been deprecated in favor of ss and iproute2. Not only is net-tools no longer maintained, it's not even available out-of-the-box in most Linux distributions, while iproute2 is. So we'll take a look at netstat, but there's no reason to use it at this point.

netstat will show you "network connections, routing tables, interface statistics," and more. To view current connections and the open ports associated with them, use the following command:

netstat -plntu

Windows (PowerShell)

Like most things in PowerShell, there's a long command that, when you see it, makes perfect sense:

Get-NetTCPConnection -State Listen

Get-NetUDPEndpoint -LocalAddress <your-ip-address>

The first command returns all TCP sockets that are currently listening. Without the -State option, the command will return all current TCP sockets and their states. There doesn't seem to be any easy option to show the names of all processes associated with a socket, but this answer provides a fine solution:

Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, @{l="Name"; e={Get-Process -Id $_.OwningProcess | Select-Object -ExpandProperty Name}} | Format-Table

The second command above shows all UDP sockets that are open to receive data. Since UDP is a connectionless protocol, there are no connection statuses listed as in the TCP listing.

netstat

Windows also supports netstat. I can't tell if it's deprecated. It's clearly quite old, but still gets the job done. It takes a slightly different form in Windows:

netstat -oanb

The output from the above command can be a little much. Use the PowerShell command Select-String (sls) to narrow things down:

netstat -oanb | sls "LISTENING|UDP"

This command returns all UDP ports or TCP ports in the "LISTENING" state.