Skip to content
← All articles

How to Check Open Ports: Online, Windows, Linux

You can check open ports in three ways: locally with netstat -ano on Windows or ss -tlnp on Linux, from the outside with nc or telnet run on another host, or with an online port scanner. Local checks show which services are listening; external checks show which ports are actually reachable from the internet. A complete answer requires both.

This guide walks through every method step by step: the built-in Windows and Linux commands, checking a specific port on a website or server, the usual reasons a port is open locally but unreachable from outside (NAT, host firewalls, ISP blocking), and a table of common ports explaining what their visibility from the internet means.

What an Open Port Is: LISTEN vs Reachable from Outside

A port is a number from 0 to 65535 that the operating system uses to route an incoming connection to a specific program. When a service — a web server, a database, an SSH daemon — starts, it binds to a port and enters the LISTEN state, ready to accept connections. How this works at the protocol level, and how TCP ports differ from UDP, is covered in our article on the difference between TCP and UDP.

The key distinction that causes most confusion: "a port is in LISTEN" and "a port is open from outside" are two different statements. The first means a process on the machine is ready to accept connections. The second means an external client can actually reach that process: no firewall drops the traffic, NAT forwards it, and the ISP does not block it. A port can be listening locally while remaining completely invisible from the internet. That is why a proper check always has two parts: from the inside and from the outside.

How to Check Open Ports on Windows

netstat -ano: the classic way

Open Command Prompt as administrator and run:

netstat -ano | findstr LISTEN

The output lists the protocol, local address with port, state, and the PID of the owning process. To find out which program stands behind a PID, run tasklist | findstr 4712, substituting your number. Pay attention to the local address column: 0.0.0.0:3306 means the service listens on all interfaces, while 127.0.0.1:3306 means loopback only — such a port can never be reached from outside.

Get-NetTCPConnection: the PowerShell way

Modern Windows versions offer a more convenient alternative to netstat — a PowerShell cmdlet that returns objects instead of text and is easy to filter:

Get-NetTCPConnection -State Listen | Sort-Object LocalPort | Format-Table LocalAddress, LocalPort, OwningProcess

You can resolve the process name behind a specific port in one line: Get-Process -Id (Get-NetTCPConnection -LocalPort 443 -State Listen).OwningProcess. This approach shines in scripts: pipe the result onward, export it to CSV, or diff it against an approved baseline of allowed ports.

How to Check Open Ports on Linux

ss -tlnp: the primary tool

sudo ss -tlnp

The flags mean: -t — TCP, -l — listening sockets only, -n — numeric ports instead of service names, -p — show the owning process. The ss utility from the iproute2 package long ago replaced the deprecated netstat and is noticeably faster on systems with thousands of connections. For UDP sockets use ss -ulnp.

lsof -i: the process-centric view

sudo lsof -i -P -n | grep LISTEN

lsof lists open sockets grouped by process and is especially handy when the question is "who took this port": running sudo lsof -i :8080 immediately prints the process holding port 8080 along with its PID, user, and full command name.

How to Check a Port from Outside

Every command above only answers "what is listening on this machine". The bigger question — is the port visible from the internet — requires a check from a different host.

nc and telnet from another host

nc -vz example.com 443
telnet example.com 22

The netcat -z flag means "just test the connection, send no data", and -v enables verbose output. There are three possible outcomes. "Succeeded" (or an established telnet session) — the port is open and a service answers. "Connection refused" — the host is up, but nothing listens on the port, or a firewall actively rejects the connection (REJECT). A timeout — packets are silently dropped by a DROP rule, or the host is unreachable.

Checking open ports online

If you do not have a second host at hand, use an online open-port check: the scanner connects to your IP address or domain from the internet and reports the state of the most common ports — exactly the way the outside world, including a potential attacker, sees you. Before scanning, it helps to confirm the host itself responds using an online ping test: if the host is down entirely, debugging individual ports is premature.

Why a Port Is Open Locally but Invisible from Outside

This is the single most common situation in practice: ss shows LISTEN, yet an external scanner reports "closed" or "filtered". Several barriers stand between your process and the internet, and any of them can cut the traffic:

  • Binding to 127.0.0.1. The service listens on loopback only. You can see this right in the ss or netstat output — such a port will never open externally until you change the bind address to 0.0.0.0 or a specific external interface.
  • The host firewall. Windows Defender Firewall, iptables, nftables, ufw, or firewalld block inbound connections to non-standard ports by default. Check the rules with sudo ufw status or sudo iptables -L -n.
  • NAT on the router. A home or office router does not forward inbound connections to a LAN machine until you explicitly configure port forwarding.
  • Cloud security groups. On AWS and most other clouds all inbound traffic is denied by default — the port must be allowed in the security group settings; the firewall inside the VM is irrelevant here.
  • ISP blocking. Many internet providers block port 25 (anti-spam) as well as 445 and 139 (SMB exploitation defence). Such a port will not open no matter how correctly the server is configured.

Diagnose along the chain: first confirm LISTEN locally, then test the port from a neighbouring machine on the same network, then from the internet. The hop where the connection disappears is where the block lives.

How to Check a Specific Port on a Website or Server

A typical scenario is verifying that a website has 443 open or that a mail server answers on 25. From any host with netcat it is a single command:

nc -vz mail.example.com 25

For the web it is often faster to make a real request: curl -I https://example.com — if headers come back, port 443 is open and TLS works. Mail ports are a story of their own: 25, 465, and 587 serve different purposes and are blocked differently by ISPs — see the full breakdown in our article on ports 25, 465, and 587.

Comparing the Methods

MethodWhat it showsWhen to use it
netstat -ano (Windows)Listening ports and process PIDsLocal Windows diagnostics without PowerShell
Get-NetTCPConnectionThe same data as PowerShell objectsScripts, automation, exports
ss -tlnp (Linux)Listening sockets, processes, bind addressesLocal diagnostics on any Linux server
lsof -i :portWhich process holds a specific portPort conflicts, finding who took 8080
nc -vz / telnetPort reachability from another hostExternal checks when a second machine is available
Online port scannerPort visibility from the internetNo second host; the attacker's point of view

Common Ports: What Their Visibility Means

PortServiceVisibility from the internet
22SSHNormal for servers; restrict access by IP or move to a non-default port
80 / 443HTTP / HTTPSNormal for any web server
25SMTPJustified only for a mail server
3306MySQL / MariaDBShould not be visible: application access only, or via a tunnel
6379RedisShould not be visible: an unauthenticated Redis exposed to the world is a classic breach vector

What exactly to close, why every unnecessary open port is a risk, and how to shrink your attack surface — see the dedicated article on open ports and security.

Sources

FAQ: Checking Open Ports

What is the difference between LISTEN and an open port?

LISTEN is a socket state on the machine itself: a process is ready to accept connections. "Open port" in everyday usage means that process can be reached from outside. A firewall, NAT, and the ISP all sit in between, so a listening port often stays invisible from the internet — which is perfectly normal for internal services.

How do I find out which program is using a port?

On Linux, run sudo lsof -i :8080 or sudo ss -tlnp | grep 8080 — both print the PID and process name. On Windows, use netstat -ano | findstr :8080, then tasklist | findstr PID. From there, resolve the conflict by stopping the extra service or changing the port in its configuration.

Is it safe to check ports with an online scanner?

Yes, as long as you scan your own server or website: an online check performs the same TCP connections an ordinary client would, exploiting nothing. Regularly scanning your own hosts is basic hygiene — you will spot an accidentally exposed port before the bots that continuously scan the entire internet find it.

Why does nc show a timeout instead of connection refused?

"Connection refused" arrives when the host actively answers with an RST packet: the port is closed, but traffic gets through. A timeout means packets are silently discarded — usually by a firewall DROP rule, or because the host is unreachable. This distinction matters: refused points at the service, a timeout points at a network filter along the path.

Do I need to close every open port?

No — you need to close everything that is not meant to be public. A web server needs 80 and 443; a server with remote access needs 22. Databases, Redis, admin panels, and service ports, however, should be reachable only from the internal network or over a VPN. The rule is simple: the outside world sees only what must be seen.

Check your website right now

Check your site →
More articles: Networking
Networking
How Roskomnadzor Blocks Websites: EAIS, TSPU, DPI
13.07.2026 · 24 views
Networking
Fix ERR_ADDRESS_UNREACHABLE: Causes and Solutions
13.07.2026 · 36 views
Networking
Your Site Is Blocked in Russia: Owner's Guide
13.07.2026 · 33 views
Networking
IPv4 vs IPv6: Differences, Migration, and What It Means for Your Website
16.03.2026 · 148 views