You can check open ports in three ways: locally with netstat -ano on Windows or ss -tlnp on Linux, from the outside with nc or telnet run on another host, or with an online port scanner. Local checks show which services are listening; external checks show which ports are actually reachable from the internet. A complete answer requires both.
This guide walks through every method step by step: the built-in Windows and Linux commands, checking a specific port on a website or server, the usual reasons a port is open locally but unreachable from outside (NAT, host firewalls, ISP blocking), and a table of common ports explaining what their visibility from the internet means.
What an Open Port Is: LISTEN vs Reachable from Outside
A port is a number from 0 to 65535 that the operating system uses to route an incoming connection to a specific program. When a service — a web server, a database, an SSH daemon — starts, it binds to a port and enters the LISTEN state, ready to accept connections. How this works at the protocol level, and how TCP ports differ from UDP, is covered in our article on the difference between TCP and UDP.
The key distinction that causes most confusion: "a port is in LISTEN" and "a port is open from outside" are two different statements. The first means a process on the machine is ready to accept connections. The second means an external client can actually reach that process: no firewall drops the traffic, NAT forwards it, and the ISP does not block it. A port can be listening locally while remaining completely invisible from the internet. That is why a proper check always has two parts: from the inside and from the outside.
How to Check Open Ports on Windows
netstat -ano: the classic way
Open Command Prompt as administrator and run:
netstat -ano | findstr LISTENThe output lists the protocol, local address with port, state, and the PID of the owning process. To find out which program stands behind a PID, run tasklist | findstr 4712, substituting your number. Pay attention to the local address column: 0.0.0.0:3306 means the service listens on all interfaces, while 127.0.0.1:3306 means loopback only — such a port can never be reached from outside.
Get-NetTCPConnection: the PowerShell way
Modern Windows versions offer a more convenient alternative to netstat — a PowerShell cmdlet that returns objects instead of text and is easy to filter:
Get-NetTCPConnection -State Listen | Sort-Object LocalPort | Format-Table LocalAddress, LocalPort, OwningProcessYou can resolve the process name behind a specific port in one line: Get-Process -Id (Get-NetTCPConnection -LocalPort 443 -State Listen).OwningProcess. This approach shines in scripts: pipe the result onward, export it to CSV, or diff it against an approved baseline of allowed ports.
How to Check Open Ports on Linux
ss -tlnp: the primary tool
sudo ss -tlnpThe flags mean: -t — TCP, -l — listening sockets only, -n — numeric ports instead of service names, -p — show the owning process. The ss utility from the iproute2 package long ago replaced the deprecated netstat and is noticeably faster on systems with thousands of connections. For UDP sockets use ss -ulnp.
lsof -i: the process-centric view
sudo lsof -i -P -n | grep LISTENlsof lists open sockets grouped by process and is especially handy when the question is "who took this port": running sudo lsof -i :8080 immediately prints the process holding port 8080 along with its PID, user, and full command name.
How to Check a Port from Outside
Every command above only answers "what is listening on this machine". The bigger question — is the port visible from the internet — requires a check from a different host.
nc and telnet from another host
nc -vz example.com 443
telnet example.com 22The netcat -z flag means "just test the connection, send no data", and -v enables verbose output. There are three possible outcomes. "Succeeded" (or an established telnet session) — the port is open and a service answers. "Connection refused" — the host is up, but nothing listens on the port, or a firewall actively rejects the connection (REJECT). A timeout — packets are silently dropped by a DROP rule, or the host is unreachable.
Checking open ports online
If you do not have a second host at hand, use an online open-port check: the scanner connects to your IP address or domain from the internet and reports the state of the most common ports — exactly the way the outside world, including a potential attacker, sees you. Before scanning, it helps to confirm the host itself responds using an online ping test: if the host is down entirely, debugging individual ports is premature.
Why a Port Is Open Locally but Invisible from Outside
This is the single most common situation in practice: ss shows LISTEN, yet an external scanner reports "closed" or "filtered". Several barriers stand between your process and the internet, and any of them can cut the traffic:
- Binding to 127.0.0.1. The service listens on loopback only. You can see this right in the ss or netstat output — such a port will never open externally until you change the bind address to 0.0.0.0 or a specific external interface.
- The host firewall. Windows Defender Firewall, iptables, nftables, ufw, or firewalld block inbound connections to non-standard ports by default. Check the rules with
sudo ufw statusorsudo iptables -L -n. - NAT on the router. A home or office router does not forward inbound connections to a LAN machine until you explicitly configure port forwarding.
- Cloud security groups. On AWS and most other clouds all inbound traffic is denied by default — the port must be allowed in the security group settings; the firewall inside the VM is irrelevant here.
- ISP blocking. Many internet providers block port 25 (anti-spam) as well as 445 and 139 (SMB exploitation defence). Such a port will not open no matter how correctly the server is configured.
Diagnose along the chain: first confirm LISTEN locally, then test the port from a neighbouring machine on the same network, then from the internet. The hop where the connection disappears is where the block lives.
How to Check a Specific Port on a Website or Server
A typical scenario is verifying that a website has 443 open or that a mail server answers on 25. From any host with netcat it is a single command:
nc -vz mail.example.com 25For the web it is often faster to make a real request: curl -I https://example.com — if headers come back, port 443 is open and TLS works. Mail ports are a story of their own: 25, 465, and 587 serve different purposes and are blocked differently by ISPs — see the full breakdown in our article on ports 25, 465, and 587.
Comparing the Methods
| Method | What it shows | When to use it |
|---|---|---|
netstat -ano (Windows) | Listening ports and process PIDs | Local Windows diagnostics without PowerShell |
Get-NetTCPConnection | The same data as PowerShell objects | Scripts, automation, exports |
ss -tlnp (Linux) | Listening sockets, processes, bind addresses | Local diagnostics on any Linux server |
lsof -i :port | Which process holds a specific port | Port conflicts, finding who took 8080 |
nc -vz / telnet | Port reachability from another host | External checks when a second machine is available |
| Online port scanner | Port visibility from the internet | No second host; the attacker's point of view |
Common Ports: What Their Visibility Means
| Port | Service | Visibility from the internet |
|---|---|---|
| 22 | SSH | Normal for servers; restrict access by IP or move to a non-default port |
| 80 / 443 | HTTP / HTTPS | Normal for any web server |
| 25 | SMTP | Justified only for a mail server |
| 3306 | MySQL / MariaDB | Should not be visible: application access only, or via a tunnel |
| 6379 | Redis | Should not be visible: an unauthenticated Redis exposed to the world is a classic breach vector |
What exactly to close, why every unnecessary open port is a risk, and how to shrink your attack surface — see the dedicated article on open ports and security.
Sources
- man ss(8) — official documentation for the ss utility
- Get-NetTCPConnection — Microsoft Learn, NetTCPIP module
- man nc(1) — netcat documentation
FAQ: Checking Open Ports
What is the difference between LISTEN and an open port?
LISTEN is a socket state on the machine itself: a process is ready to accept connections. "Open port" in everyday usage means that process can be reached from outside. A firewall, NAT, and the ISP all sit in between, so a listening port often stays invisible from the internet — which is perfectly normal for internal services.
How do I find out which program is using a port?
On Linux, run sudo lsof -i :8080 or sudo ss -tlnp | grep 8080 — both print the PID and process name. On Windows, use netstat -ano | findstr :8080, then tasklist | findstr PID. From there, resolve the conflict by stopping the extra service or changing the port in its configuration.
Is it safe to check ports with an online scanner?
Yes, as long as you scan your own server or website: an online check performs the same TCP connections an ordinary client would, exploiting nothing. Regularly scanning your own hosts is basic hygiene — you will spot an accidentally exposed port before the bots that continuously scan the entire internet find it.
Why does nc show a timeout instead of connection refused?
"Connection refused" arrives when the host actively answers with an RST packet: the port is closed, but traffic gets through. A timeout means packets are silently discarded — usually by a firewall DROP rule, or because the host is unreachable. This distinction matters: refused points at the service, a timeout points at a network filter along the path.
Do I need to close every open port?
No — you need to close everything that is not meant to be public. A web server needs 80 and 443; a server with remote access needs 22. Databases, Redis, admin panels, and service ports, however, should be reachable only from the internal network or over a VPN. The rule is simple: the outside world sees only what must be seen.