How to Check Open Ports in Linux with netstat, lsof, and nmap

This article explains how to use the netstat, lsof, and nmap commands to find out which services are listening on which ports.

When troubleshooting network connectivity or application-specific issues, one of the first things to check should be what ports are actually in use on your system and which application is listening on a specific port.

A network port is identified by its number, the associated IP address, and the type of communication protocol, such as TCP or UDP. Above all, an open port is a network port on which an application or process listens, acting as a communication endpoint.

Each listening port can be open or closed (filtered) using a firewall. In general terms, an open port is a network port that accepts incoming packets from remote locations.

Check for Open Ports with netstat

Netstat (network statistics) is a command-line tool for monitoring incoming and outgoing network connections and viewing routing tables, interface statistics, etc. This tool is essential and valuable for Linux network administrators and system administrators to monitor and troubleshoot their network-related problems and determine network traffic performance.

To list all TCP or UDP ports that are being listened on, including the services using the ports and the socket status, use the following command:

$ sudo netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      24919/amavisd    
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      967/master   
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      800/tinyproxy       
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      967/master          
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      844/pure-ftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      768/sshd            
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      967/master          
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1001/dovecot  
tcp6       0      0 :::3306                 :::*                    LISTEN      823/mysqld       
tcp6       0      0 ::1:783                 :::*                    LISTEN      24911/spamd.pid -d  
tcp6       0      0 :::80                   :::*                    LISTEN      781/httpd         
tcp6       0      0 :::21                   :::*                    LISTEN      844/pure-ftpd 
tcp6       0      0 :::22                   :::*                    LISTEN      768/sshd            
tcp6       0      0 :::25                   :::*                    LISTEN      967/master        
tcp6       0      0 :::993                  :::*                    LISTEN      1001/dovecot        
tcp6       0      0 :::995                  :::*                    LISTEN      1001/dovecot        
udp        0      0 0.0.0.0:47967           0.0.0.0:*                           460/avahi-daemon: r 
udp        0      0 127.0.0.1:123           0.0.0.0:*                           472/ntpd            
udp        0      0 0.0.0.0:123             0.0.0.0:*                           472/ntpd     
udp6       0      0 :::123                  :::*                                472/ntpd 

The options used in this command have the following meaning:

  • -t: Show TCP ports.
  • -u: Show UDP ports.
  • -l: Show only listening ports.
  • -n: Show numerical addresses instead of resolving hosts.
  • -p: Show the PID and name of the listenerโ€™s process. This information is only shown if you run the command as root or sudo user.

The essential columns in our case are:

  • Proto – The protocol used by the socket.
  • Local Address – The IP Address and port number the process listens to.
  • PID/Program name – The PID and the name of the process.

In addition, if you want to filter the results, use the grep command. For example, to find what process listens on TCP port 22, you would type:

$ sudo netstat -tulnp | grep :22
tcp     0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      768/sshd            
tcp6    0      0 :::22             :::*              LISTEN      768/sshd

If the output is empty, nothing is listening on the port. For more about the netstat command in Linux, consult its manual page.

Check for Open Ports with lsof

Lsof, meaning ‘LiSt Open Files,’ is used to find out which files are open by which process. In Linux, everything is a file. You can think of a socket as a file that writes to the network.

To get a list of all listening TCP ports with lsof type:

$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND     PID      USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd        768      root    3u  IPv4    16112      0t0  TCP *:22 (LISTEN)
sshd        768      root    4u  IPv6    16114      0t0  TCP *:22 (LISTEN)
httpd       781      root    4u  IPv6    16328      0t0  TCP *:80 (LISTEN)
httpd       781      root    6u  IPv6    16336      0t0  TCP *:443 (LISTEN)
tinyproxy   800 tinyproxy    0u  IPv4    16750      0t0  TCP *:8080 (LISTEN)
tinyproxy   805 tinyproxy    0u  IPv4    16750      0t0  TCP *:8080 (LISTEN)
mysqld      823     mysql   20u  IPv6    17479      0t0  TCP *:3306 (LISTEN)
pure-ftpd   844      root    4u  IPv4    16289      0t0  TCP *:21 (LISTEN)
pure-ftpd   844      root    5u  IPv6    16290      0t0  TCP *:21 (LISTEN)
master      967      root   13u  IPv4    17225      0t0  TCP *:25 (LISTEN)
master      967      root  103u  IPv4    17319      0t0  TCP 127.0.0.1:10025 (LISTEN)
dovecot    1001      root   24u  IPv4    18600      0t0  TCP *:995 (LISTEN)
dovecot    1001      root   37u  IPv6    18623      0t0  TCP *:993 (LISTEN)
httpd     24344    apache    4u  IPv6    16328      0t0  TCP *:80 (LISTEN)
httpd     24344    apache    6u  IPv6    16336      0t0  TCP *:443 (LISTEN)
/usr/bin/ 24911      root    5u  IPv4 25208447      0t0  TCP 127.0.0.1:783 (LISTEN)
/usr/bin/ 24911      root    6u  IPv6 25208449      0t0  TCP [::1]:783 (LISTEN)
spamd     24913      root    5u  IPv4 25208447      0t0  TCP 127.0.0.1:783 (LISTEN)
spamd     24913      root    6u  IPv6 25208449      0t0  TCP [::1]:783 (LISTEN)
/usr/sbin 24919    amavis    5u  IPv4 25208583      0t0  TCP 127.0.0.1:10024 (LISTEN)
/usr/sbin 24919    amavis    6u  IPv6 25208584      0t0  TCP [::1]:10024 (LISTEN)
smtpd     28403   postfix    6u  IPv4    17225      0t0  TCP *:25 (LISTEN)
smtpd     28403   postfix    7u  IPv6    17226      0t0  TCP *:25 (LISTEN)

The options used are as follows:

  • -n: Do not convert port numbers to port names.
  • -P: Do not resolve hostnames, show numerical addresses.
  • -iTCP -sTCP:LISTEN: Show only network files with TCP state LISTEN.

To find what process is listening on a particular port, for example, port 3306, you would use:

$ sudo lsof -nP -iTCP:3306 -sTCP:LISTEN
COMMAND PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  823 mysql   20u  IPv6  17479      0t0  TCP *:3306 (LISTEN)

The output shows that the MySQL server uses port 3306.

For more about lsof command in Linux, consult its manual page.

Check for Open Ports with nmap

Nmap, or Network Mapper, is an open-source Linux command-line tool for network exploration and security auditing. With nmap, server administrators can quickly reveal hosts and services, search for security issues, and scan open ports.

The nmap command can be used to check a single port or a series of ports are open.

Here’s how to scan port 80 on the target system:

$ sudo nmap -p 80 192.168.0.1
Nmap scan report for 192.168.0.1
Host is up (0.000073s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Scan ports 1 through 200 on the target system:

$ sudo nmap -p 1-200 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:42 EEST
Nmap scan report for 192.168.0.1
Host is up (0.0000080s latency).
Not shown: 196 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
25/tcp open  smtp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.45 secondsCode language: JavaScript (javascript)

Scan (fast) the most common ports:

$ sudo nmap -F 192.168.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-08-21 16:44 EEST
Nmap scan report for 192.168.0.1
Host is up (0.000014s latency).
Not shown: 89 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.46 secondsCode language: JavaScript (javascript)

Bottom Line

In conclusion, checking which ports are open and what information can be obtained from the services accepting connections on those ports gives you the information you need to lock down your server.

For example, any extraneous information leaked out of your machine can be used by a malicious user to try to exploit known vulnerabilities or develop new ones. The less they can figure out, the better.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 69%