Port scanning explained
A port scan asks a host “which doors are open?” Here’s what a port actually is, how scans work, and how to read open vs closed vs filtered.
What a port is
An IP address identifies a machine; a port identifies a service on it. Ports are 16-bit numbers (0–65535) that let one host run many services at once: a web server on 443, SSH on 22, a database on 5432. When a packet arrives, the operating system uses the destination port to decide which program receives it. A port scan simply checks which ports have something listening.
How a TCP scan works
TCP connections begin with a three-way handshake: the client sends SYN, an open port replies SYN-ACK, and the client completes with ACK. A scanner exploits this:
- SYN-ACK back → the port is open (a service is listening).
- RST back → the port is closed (nothing listening, but the host is up).
- no response → filtered (a firewall is silently dropping the probe).
Common scan types
- TCP connect scan: completes the full handshake. Reliable, needs no special privileges, but easy to log.
- SYN (half-open) scan: sends SYN, reads the reply, then sends RST instead of finishing. Faster and quieter; needs raw-socket privileges.
- UDP scan: slower and ambiguous, because UDP is connectionless: silence can mean open or filtered, so scanners infer state from ICMP “port unreachable” replies.
Open vs closed vs filtered
These three states are the whole point. Open means a service answered. Closed means the host is reachable but nothing is on that port. Filtered means a firewall ate the probe, so you can’t tell whether anything is listening, which is itself information about the network’s defenses.
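The following is an added example, not code from the original article: a small TCP connect check that turns the handshake outcomes from “How a TCP scan works” into the three states above. A completed connect() is open, an RST surfaces as ConnectionRefusedError (closed), and a timeout or an ICMP unreachable error (EHOSTUNREACH/ENETUNREACH) is filtered. The demo only touches loopback, which is the “inventory your own host” use the article describes; the function names and the loopback setup are my own.

```python
import errno
import socket

# Added example (not from the original article). A TCP connect scan of a single
# port: no raw sockets, no special privileges, and the demo below only probes
# 127.0.0.1, i.e. the machine you are already administering.

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

# ICMP "host/network unreachable" (and "admin prohibited") replies from a router
# or firewall show up as these errnos on the connecting socket. Like a silent
# drop, they mean the probe was blocked in transit: the article's "filtered".
_FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_connect_result(exc):
    """Map the outcome of connect() to open/closed/filtered.

    exc is None when the handshake completed (SYN -> SYN-ACK -> ACK),
    otherwise the OSError that connect() raised.
    """
    if exc is None:
        return OPEN        # SYN-ACK came back and we finished the handshake
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED      # host answered with RST: it is up, nothing listens here
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED    # no answer at all: a firewall dropped the SYN
    if getattr(exc, "errno", None) in _FILTERED_ERRNOS:
        return FILTERED    # ICMP unreachable from something in the path
    raise exc              # anything else is a local error, not a scan state


def check_tcp_port(host, port, timeout=1.0):
    """Connect-scan one port and return its state."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        exc = None
    except OSError as e:
        exc = e
    finally:
        sock.close()       # full handshake was done, so close like a normal client
    return classify_connect_result(exc)


def check_tcp_ports(host, ports, timeout=1.0):
    """Return {port: state}; handy for confirming a firewall rule set does what you think."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def loopback_demo():
    """Constructed demo: one listening port and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: the OS picks a free port for us
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                         # released again, so nothing listens there now

    try:
        return check_tcp_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in loopback_demo().items():
        print(f"127.0.0.1:{port} -> {state}")
```

Because this completes the handshake, the listening service sees a real connection and may log it, which is exactly the trade-off the connect-scan bullet above describes. Run it against a host behind a firewall you manage and a port that is deliberately blocked, and the “filtered” branch is what you should see after the timeout.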
Use it on what you’re allowed to
Port scanning is a core, legitimate tool for inventorying your own infrastructure, verifying firewall rules, and authorized security testing. Scanning networks you don’t own or have permission to test can be unlawful and is treated as hostile reconnaissance; keep it to your own systems or engagements you’re authorized for.
FAQ
What’s the difference between closed and filtered?
Closed = the host actively refused (sent RST); nothing is listening. Filtered = no answer at all, because a firewall dropped the probe.
Why is UDP scanning unreliable?
UDP has no handshake, so an open port often just stays silent. Scanners infer state from ICMP errors and timeouts, which is slow and easily blocked.
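As an added illustration of this answer (my code, not the article’s), the snippet below sends a datagram to two UDP ports on loopback: one bound by a socket that never replies, one with nothing bound. Only the closed port produces an ICMP “port unreachable”, which the kernel hands back as ConnectionRefusedError; the open-but-silent port just times out and is indistinguishable from a firewall drop, so it is reported as “open|filtered”. The names and the loopback setup are my own; whether the ICMP error actually arrives depends on the host’s kernel and firewall configuration.

```python
import socket

# Added example (not from the original article). Shows the UDP ambiguity:
# silence looks the same whether a quiet service is listening or a firewall
# dropped the datagram. The demo only probes 127.0.0.1.

OPEN, CLOSED, OPEN_OR_FILTERED = "open", "closed", "open|filtered"


def classify_udp_result(exc):
    """Map what happened after sending one datagram and waiting for a reply."""
    if exc is None:
        return OPEN                 # the service actually answered
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        return CLOSED               # kernel relayed an ICMP port-unreachable error
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return OPEN_OR_FILTERED     # no reply: open-but-quiet or dropped, can't tell
    raise exc                       # local error, not a scan state


def check_udp_port(host, port, payload=b"", timeout=0.5):
    """Send one datagram and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # a "connected" UDP socket receives ICMP errors
        sock.send(payload)
        sock.recv(1024)
        exc = None
    except OSError as e:
        exc = e
    finally:
        sock.close()
    return classify_udp_result(exc)


def loopback_demo():
    """Constructed demo: a silent bound UDP port and an unbound one on 127.0.0.1."""
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))   # bound, so "open", but it never replies
    silent_port = silent.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                     # released: nothing is bound there now

    try:
        return {
            "silent_open": check_udp_port("127.0.0.1", silent_port),
            "closed": check_udp_port("127.0.0.1", closed_port),
        }
    finally:
        silent.close()


if __name__ == "__main__":
    for name, state in loopback_demo().items():
        print(f"{name}: {state}")
```

Two things make this slow in practice: every ambiguous port costs a full timeout, and Linux rate-limits the ICMP unreachable messages it sends (the icmp_ratelimit sysctl), so even the “closed” verdicts trickle in at roughly one per second. A firewall that drops ICMP entirely turns every port into “open|filtered”.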
Does an open port mean I’m vulnerable?
No, it means a service is reachable. Risk depends on what that service is, whether it’s patched, and whether it should be exposed at all.
Related
- Ping & ICMP: reachability and latency
- HTTP: the web’s port-443 protocol