A port is an addressable network location implemented in an operating system to help differentiate traffic destined for different services or Applications.
The state of a port is either open, filtered, closed, or unfiltered. A port is said to be open if an application on the target machine is listening for connections/packets on that port.
In this blog, I will explain four ways to check open ports and also will show you how to find which application is listening on what port in Linux.
1. Using Netstat Command
Netstat is a widely used tool for querying information about the Linux networking subsystem. You can use it to print all open ports like this:
$ sudo netstat -ltup
The flag -l tells netstat to print all listening sockets, -t shows all TCP connections, -u displays all UDP connections and -p enables printing of application/program name listening on the port.
Please see the example given below.
sudo netstat -ltup Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 localhost:ipp *:* LISTEN 737/cupsd tcp 0 0 *:43615 *:* LISTEN - tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN 737/cupsd tcp6 0 0 [::]:41979 [::]:* LISTEN - udp 0 0 *:42720 *:* 2045/openvpn udp 0 0 *:59161 *:* 735/avahi-daemon: r udp 0 0 *:56671 *:* 4671/openvpn udp 0 0 *:ipp *:* 803/cups-browsed udp 0 0 *:mdns *:* 735/avahi-daemon: r udp6 0 0 [::]:39097 [::]:* 735/avahi-daemon: r udp6 0 0 [::]:mdns [::]:*
To print numeric values rather than service names, add the -n flag.
sudo netstat -lntup
You can also use grep command to find out which application is listening on a particular port, for example.
$ sudo netstat -lntup | grep "tcp"
You can check the sample output as snippet added below.
netstat -lntup | grep "tcp" tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 737/cupsd tcp 0 0 0.0.0.0:43615 0.0.0.0:* LISTEN - tcp6 0 0 ::1:631 :::* LISTEN 737/cupsd tcp6 0 0 :::41979 :::* LISTEN
2. Using ss Command
ss is another useful tool for displaying information about sockets. It’s output looks similar to that of netstat. The following command will show all listening ports for TCP and UDP connections in numeric value.
The flag -l tells ss to print all listening sockets, -t shows all TCP connections and -u displays all UDP connections listening on the port.
Please see the example given below.
$ sudo ss -lntu
Please see the sample outcome added below.
ss -lntu Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 *:42720 *:* udp UNCONN 0 0 *:59161 *:* udp UNCONN 0 0 *:56671 *:* udp UNCONN 0 0 *:631 *:* udp UNCONN 0 0 *:5353 *:* udp UNCONN 0 0 :::39097 :::* udp UNCONN 0 0 :::5353 :::* tcp LISTEN 0 5 127.0.0.1:631 *:* tcp LISTEN 0 64 *:43615 *:* tcp LISTEN 0 5 ::1:631 :::* tcp LISTEN 0 64 :::41979 :::*
3. Using Nmap Command
Nmap is a powerful and popular network exploration tool and port scanner. To install nmap on your system, use your default package manager as shown.
$ sudo apt install nmap [On Debian/Ubuntu] $ sudo yum install nmap [On CentOS/RHEL]
We can run below command to check the outcome by adding requires options.
sudo nmap -n -PN -sT -sU -p- localhost
-PN Scan a host when protected by the firewall
-sP Scan a network and find out which servers and devices are up and running
-sU Scan a host for UDP services (UDP scan)
-p Enables printing of application/program name listening on the port.
To print numeric values rather than service names, add the -n flag.
4. Using lsof Command
The final tool we will cover for querying open ports is lsof command, which is used to list open files in Linux. Since everything is a file in Unix/Linux, an open file may be a stream or a network file.
To list all Internet and network files, use the -i option. Note that this command shows a mix of service names and numeric ports.
$ sudo lsof -i
The outcome of the command is added below.
dbus-daem 748 messagebus 8u IPv4 20706 0t0 TCP 192.168.1.27:57600->192.168.1.252:ldap (ESTABLISHED) NetworkMa 792 root 17u IPv4 25402 0t0 TCP 192.168.1.27:57634->192.168.1.252:ldap (ESTABLISHED) accounts- 795 root 10u IPv4 19123 0t0 TCP 192.168.1.27:57604->192.168.1.252:ldap (ESTABLISHED) cups-brow 803 root 8u IPv4 18158 0t0 UDP *:ipp polkitd 884 root 11u IPv4 26090 0t0 TCP 192.168.1.27:57632->192.168.1.252:ldap (ESTABLISHED) lightdm 1038 root 15u IPv4 25858 0t0 TCP 192.168.1.27:57622->192.168.1.252:ldap (ESTABLISHED) nscd 1047 root 18u IPv4 23726 0t0 TCP 192.168.1.27:57606->192.168.1.252:ldap (ESTABLISHED) lightdm 1377 root 3u IPv4 24167 0t0 TCP 192.168.1.27:57618->192.168.1.252:ldap (ESTABLISHED) (sd-pam 1387 jackson 7u IPv4 24206 0t0 TCP 192.168.1.27:57624->192.168.1.252:ldap (ESTABLISHED) openvpn 2045 root 3u IPv4 29857 0t0 UDP *:42720 firefox 2836 jackson 46u IPv4 304017 0t0 TCP 192.168.1.27:56490->172.217.194.189:https (ESTABLISHED) firefox 2836 jackson 59u IPv4 362263 0t0 TCP 192.168.1.27:47012->192.168.1.253:http (ESTABLISHED)
To find which application is listening on a particular port, run lsof in this form.
$ sudo lsof -i :80
To list all Internet and network files, use the -i option.
-i ignore the case of letters
-c disables the reporting of any path name components from the kernel’s name cache.
-p For selecting process ID
Conclusion
Paying attention to which ports are listening on your network is important as open ports can be evidence of an intrusion on your network. Knowledge of the Linux open ports and the kind of information being sent out helps you to check malicious efforts aimed at your system. Knowing this is an important part of securing your system.
