Port scanning explained
A port scan asks a host “which doors are open?” Here is what a port actually is, how scans work, how to read open vs closed vs filtered, and how to stay on the right side of the law.
What a port is
An IP address identifies a machine; a port identifies a service on it. Ports are 16-bit numbers (0–65535) that let one host run many services at once, a web server on 443, SSH on 22, a database on 5432. When a packet arrives, the operating system uses the destination port to decide which program receives it. A port scan simply checks which ports have something listening.
How a TCP scan works
TCP connections begin with a three-way handshake: the client sends SYN, an open port replies
SYN-ACK, and the client completes with ACK. A scanner exploits this: send a probe and
read what comes back.
Scan types
| Scan | What it does | Privilege | Trade-off |
|---|---|---|---|
| TCP connect | Completes the full handshake | None | Reliable, but easy to log |
| SYN (half-open) | Sends SYN, reads reply, sends RST | Root (raw sockets) | Faster and quieter |
| UDP | Sends a UDP probe; infers from silence/ICMP | Root | Slow and ambiguous |
Open vs closed vs filtered
These three states are the whole point of a scan:
| State | What it means | The response |
|---|---|---|
| Open | A service is listening | SYN-ACK |
| Closed | Host is up, nothing on that port | RST |
| Filtered | A firewall silently dropped the probe | No response |
Common ports worth knowing
| Port | Service | Port | Service |
|---|---|---|---|
| 22 | SSH | 443 | HTTPS |
| 25 | SMTP (email) | 3306 | MySQL |
| 53 | DNS | 5432 | PostgreSQL |
| 80 | HTTP (web) | 3389 | RDP |
In practice: Nmap
Nmap is the standard tool. These run against scanme.nmap.org, a host the Nmap
project provides expressly for practice, so they are safe and authorized to try:
# TCP connect scan, completes the handshake, no privileges needed
nmap -sT scanme.nmap.org
# SYN / half-open scan, faster and quieter, needs root
sudo nmap -sS scanme.nmap.org
# scan specific ports only
nmap -p 22,80,443 scanme.nmap.org
# UDP scan (slow, ambiguous)
sudo nmap -sU -p 53,123 scanme.nmap.org
# identify the service + version behind each open port
nmap -sV scanme.nmap.org The legal line
Port scanning is a core, legitimate tool for inventorying your own infrastructure, verifying firewall rules, and authorized security testing. Scanning networks you do not own or have permission to test can be unlawful and is treated as hostile reconnaissance. Keep it to your own systems, lab environments, or engagements you are explicitly authorized for.
FAQ
Is port scanning legal?
Scanning systems you own or are explicitly authorized to test (a penetration-testing engagement, a bug-bounty scope, your own infrastructure) is a normal, legitimate activity. Scanning networks you do not own or have permission to test can be unlawful and is treated as hostile reconnaissance. Keep it to your own systems or authorized engagements.
What is the difference between closed and filtered?
Closed means the host actively refused, it sent an RST, so it is reachable but nothing is listening on that port. Filtered means no answer at all, because a firewall silently dropped the probe, so you cannot tell whether a service is there. Filtered is itself information about the network's defenses.
SYN scan vs connect scan, what is the difference?
A TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK): reliable and needs no special privileges, but easy to log. A SYN (half-open) scan sends SYN, reads the reply, then sends RST instead of finishing: faster and quieter, but it needs raw-socket (root) privileges.
Why is UDP scanning unreliable?
UDP has no handshake, so an open port often just stays silent, and silence can mean open or filtered. Scanners infer state from ICMP port-unreachable errors and timeouts, which is slow and easily blocked or rate-limited.
Does an open port mean I am vulnerable?
No, it means a service is reachable. Risk depends on what that service is, whether it is patched, how it is configured, and whether it should be exposed to that network at all. An open port is an inventory finding, not a verdict.
What tool do people use to port scan?
Nmap is the de facto standard, it supports connect, SYN, and UDP scans, service and version detection, and OS fingerprinting. The examples on this page are Nmap commands run against scanme.nmap.org, a host the project provides expressly for practice.
Related concepts
How ping works (ICMP, reachability) · HTTP explained · How SMTP works · POP3 vs IMAP · all references.
KB Cafe’s port-scanning how-to was a long-cited networking reference, from the era of hand-built C# socket code and the first widely shared Nmap recipes. This is its modern restoration: the same protocol mechanics, updated tooling, and an explicit note on the line between legitimate testing and trespass.