- Network ports are logical endpoints that let multiple services share one IP address. Think of the IP as a building’s street address and the port as the apartment number.
- There are 65,535 ports, divided into three ranges: well-known (0–1023), registered (1024–49151), and dynamic/ephemeral (49152–65535).
- TCP ports provide reliable, connection-oriented communication. UDP ports offer faster, connectionless delivery. Each protocol uses its own independent port numbers.
- Memorize the critical numbers: 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 445 (SMB), and 3389 (RDP).
- Modern shift: HTTP/3 runs over QUIC, so port 443 is now used over UDP too, not just TCP. Encrypted DNS added port 853.
- Open ports are attack surfaces. Port scanning, firewall rules, and least privilege are fundamental to security.
Last updated: May 31, 2026
If an IP address tells the internet which device to reach, a network port goes one level deeper. It tells the internet which service on that device should handle the traffic. Without ports, a single server could only run one networked application at a time. No web server alongside an email server, no SSH alongside a database.
The analogy is simple. Your IP address is the street address of an apartment building, and the port number is the apartment number. Mail carriers (packets) need both pieces of information to deliver to the right place. Port 80 might be the web server’s apartment. Port 22 might be SSH’s apartment, and port 3306 might belong to MySQL. All in the same building, all reachable at the same IP address.
Understanding common port numbers is essential in many situations. It helps with troubleshooting, writing firewall rules, deploying applications, and certification prep for CompTIA Security+, Network+, or CCNA. This guide explains how network ports work. It walks through every port number you need to know by category. Then it shows you how to check which ports are open on your systems.
How Network Ports Work
Network ports operate at Layer 4, the Transport Layer, where end-to-end communication between applications happens. The two main transport protocols, TCP and UDP, both use port numbers to multiplex traffic. TCP guarantees reliable, ordered delivery, while UDP trades those guarantees for speed.
Network ports operate at Layer 4 (the Transport Layer) of the OSI model. That layer is responsible for end-to-end communication between applications. The two primary transport protocols, TCP and UDP, both use port numbers to multiplex traffic. But they handle delivery very differently.
TCP vs UDP
TCP (Transmission Control Protocol) is connection-oriented. Before any data is exchanged, TCP establishes a session through a three-way handshake (SYN, SYN-ACK, ACK). It guarantees that packets arrive in order, retransmits lost segments, and provides flow control. This reliability makes TCP the standard for web traffic, email, file transfers, and remote access: any scenario where missing or reordered data would be a problem.
UDP (User Datagram Protocol) is connectionless. It sends datagrams without establishing a session and provides no guarantees about delivery, ordering, or duplication. What UDP lacks in reliability it gains in speed and efficiency. DNS lookups, video streaming, VoIP, and online gaming all use UDP. A dropped packet is less damaging than the latency from TCP’s retransmission logic.
Sockets, Source Ports, and Ephemeral Ports
A socket is the combination of an IP address and a port number (for example, 192.168.1.10:443). A network connection is uniquely identified by four values: source IP, source port, destination IP, and destination port. This is how a web server running on port 443 can simultaneously handle thousands of connections. Each client uses a different source port.
When your browser connects to a website, the destination port is a well-known port like 443 for HTTPS. The source port is an ephemeral port. That is a temporary number your operating system assigns from the dynamic range. The default is 49152–65535, though some systems start at 32768. Once the connection closes, that ephemeral port returns to the pool.
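The four-value connection identity described above can be observed directly on the loopback interface. This is an added example, not code from the original article; the function names are illustrative, and the second function also checks the earlier point that TCP and UDP port numbers are independent.

```python
import socket


def demo_four_tuples(n_clients=3):
    """Open several TCP connections to one loopback listener.

    Returns (server_port, tuples), where each tuple is
    (source IP, source port, destination IP, destination port)
    as seen by the server side of the connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(n_clients)
    server_port = srv.getsockname()[1]

    clients, accepted, tuples = [], [], []
    try:
        for _ in range(n_clients):
            # The OS assigns each client an ephemeral source port.
            clients.append(socket.create_connection(("127.0.0.1", server_port)))
            conn, peer = srv.accept()
            accepted.append(conn)
            local = conn.getsockname()
            tuples.append((peer[0], peer[1], local[0], local[1]))
    finally:
        for s in clients + accepted + [srv]:
            s.close()
    return server_port, tuples


def same_number_on_tcp_and_udp(attempts=5):
    """Bind one port number on TCP and on UDP at the same time."""
    for _ in range(attempts):
        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            tcp.bind(("127.0.0.1", 0))
            tcp.listen(1)
            port = tcp.getsockname()[1]
            udp.bind(("127.0.0.1", port))   # same number, different protocol
            return True
        except OSError:
            continue                        # rare collision on the UDP side; retry
        finally:
            tcp.close()
            udp.close()
    return False


if __name__ == "__main__":
    port, conns = demo_four_tuples()
    print("server listening on port", port)
    for src_ip, src_port, dst_ip, dst_port in conns:
        print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}")
    print("TCP and UDP can share a number:", same_number_on_tcp_and_udp())
```

Every connection shares the same destination port, and only the source port differs, which is what keeps the four values unique.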
Port Number Ranges
The Internet Assigned Numbers Authority (IANA) divides the 65,535 port numbers into three ranges. Well-known ports (0-1023) cover standard system services. Registered ports (1024-49151) are assigned to specific applications. Dynamic ports (49152-65535) are used temporarily for outbound connections.
The Internet Assigned Numbers Authority (IANA) divides the 65,535 available port numbers into three distinct ranges. Each serves a different purpose.
| Range | Name | Description |
|---|---|---|
| 0 – 1023 | Well-Known Ports | Reserved for standard system services (HTTP, SSH, DNS, etc.). On Unix/Linux systems, binding to these ports requires root privileges. These are the ports you’ll encounter most frequently and the ones that appear on certification exams. |
| 1024 – 49151 | Registered Ports | Assigned by IANA upon request for specific applications and services (MySQL on 3306, RDP on 3389, PostgreSQL on 5432). Any application can use these ports, but the registrations help prevent conflicts. |
| 49152 – 65535 | Dynamic / Ephemeral Ports | Used temporarily by the operating system for outbound connections. When your browser opens a connection to a web server, the OS assigns a random port from this range as the source port. These are never assigned to specific services. |
Most of the port numbers you memorize for daily work and certifications fall within the well-known and registered ranges. You can search our port reference database for a complete lookup of any port number and its assigned service.
Essential Ports Every IT Professional Should Know
The most important common port numbers cluster into functional categories. They span web traffic, email, remote access, file transfer, DNS, databases, VPNs, and monitoring. For each port below, you get the number, the protocol, the service name, and what it does.
The following sections organize the most important common port numbers by functional category. For each port, we list the number, protocol, service name, and a practical explanation of what it does.
Web Traffic
- Port 80 — HTTP (TCP) — The default port for unencrypted web traffic. When you type a URL without specifying https://, your browser connects on port 80. While still widely used, most modern sites redirect port 80 traffic to port 443.
- Port 443 — HTTPS (TCP and UDP) — The default port for encrypted web traffic using TLS. HTTPS on port 443 is now the standard for virtually all websites. Historically port 443 meant TCP, but HTTP/3 runs over QUIC on UDP 443, so modern servers often listen on both. To inspect the TLS certificate a site presents on port 443, use our SSL Certificate Checker.
- Port 8080 — HTTP Alternate (TCP) — An alternative HTTP port for proxies, dev servers, and apps like Tomcat. Since it falls outside the well-known range, it doesn’t require root privileges to bind.
- Port 8443 — HTTPS Alternate (TCP) — The encrypted counterpart to 8080. Application servers and management interfaces use it for HTTPS without occupying 443. Examples include VMware vSphere and Unifi controllers.
Email
- Port 25 — SMTP (TCP) — The original Simple Mail Transfer Protocol port, used for server-to-server email relay. Many ISPs and cloud providers block outbound port 25 to prevent spam, so it’s primarily used between mail servers. If your mail is being rejected, run a blacklist check to see whether your sending IP is flagged.
- Port 587 — SMTP Submission (TCP) — The modern standard for email clients submitting outbound mail to a mail server. Port 587 requires authentication and supports STARTTLS encryption, making it the recommended port for sending email.
- Port 465 — SMTPS (TCP) — Originally for SMTP over implicit SSL, deprecated, then re-standardized in RFC 8314. Some providers still use it for encrypted email submission as an alternative to port 587.
- Port 110 — POP3 (TCP) — Post Office Protocol downloads email to a local client, usually deleting the server copy. Unencrypted by default, it’s largely been replaced by its secure variant.
- Port 995 — POP3S (TCP) — POP3 wrapped in TLS encryption. If you still use POP3 for email retrieval, always use port 995 instead of 110.
- Port 143 — IMAP (TCP) — Internet Message Access Protocol keeps email on the server and synchronizes across multiple devices. IMAP is the preferred protocol for most modern email clients.
- Port 993 — IMAPS (TCP) — IMAP over TLS. This is the port to configure in your email client for secure IMAP access. To find which mail servers handle a domain, use our MX record lookup.
Remote Access
- Port 22 — SSH (TCP) — Secure Shell provides encrypted remote command-line access to Linux and Unix systems. SSH also supports secure file transfer (SFTP) and port forwarding (tunneling). What port does SSH use? Always port 22 by default, though many administrators change it to reduce brute-force login attempts.
- Port 23 — Telnet (TCP) — An older remote access protocol that transmits everything in plaintext, including passwords. Telnet should never be used over untrusted networks. It exists primarily on legacy equipment and is a frequent target in security audits.
- Port 3389 — RDP (TCP/UDP) — Remote Desktop Protocol gives graphical access to Windows desktops and servers. RDP exposed to the internet is a major attack vector. Always use a VPN or gateway in front of it.
- Port 5900 — VNC (TCP) — Virtual Network Computing provides cross-platform remote desktop access. VNC has historically lacked strong encryption by default, so tunnel it through SSH or a VPN in production environments.
File Transfer
- Ports 20/21 — FTP (TCP) — File Transfer Protocol uses port 21 for control and port 20 for data transfer. FTP transmits credentials in plaintext and is being phased out in favor of SFTP and FTPS.
- Port 69 — TFTP (UDP) — Trivial File Transfer Protocol is simplified and unauthenticated. It bootstraps devices like switches, routers, and PXE boot images, with no encryption.
- Port 22 — SFTP (TCP) — SSH File Transfer Protocol runs over the SSH connection on port 22. It provides encrypted file transfers with strong authentication. SFTP is the modern replacement for FTP in most environments.
- Port 445 — SMB (TCP) — Server Message Block handles Windows file and printer sharing. SMB has been the target of devastating exploits (EternalBlue/WannaCry), so port 445 should never be exposed to the internet.
- Port 2049 — NFS (TCP/UDP) — Network File System is the standard for file sharing in Unix/Linux environments. NFS allows remote systems to mount directories over the network as if they were local.
DNS and Directory Services
- Port 53 — DNS (TCP/UDP) — Domain Name System resolves domain names to IP addresses. Standard queries use UDP for speed, while zone transfers and responses larger than 512 bytes use TCP. Port 53 is one of the most critical network ports in existence. For a detailed breakdown of record types, see our guide on DNS records explained.
- Port 853 — DoT / DoQ (TCP and UDP) — Encrypted DNS. DNS over TLS (DoT) uses TCP 853, and DNS over QUIC (DoQ) uses UDP 853. Both keep DNS queries private from anyone watching the network, unlike plain port 53.
- Port 389 — LDAP (TCP/UDP) — Lightweight Directory Access Protocol queries and modifies directory services like Microsoft Active Directory. LDAP traffic is unencrypted by default.
- Port 636 — LDAPS (TCP) — LDAP over TLS provides encrypted directory queries. In enterprise environments running Active Directory, port 636 should be used instead of 389 whenever possible.
- Port 88 — Kerberos (TCP/UDP) — The Kerberos authentication protocol is the default mechanism for Windows Active Directory domains. It issues time-limited tickets that prove a user’s identity without transmitting passwords.
Database Ports
- Port 3306 — MySQL / MariaDB (TCP) — The default port for MySQL and its fork MariaDB. Database ports should always be firewalled from public access and restricted to application servers that need connectivity.
- Port 5432 — PostgreSQL (TCP) — The default port for PostgreSQL. Like MySQL, Postgres should never be directly reachable from the internet in production.
- Port 1433 — Microsoft SQL Server (TCP) — The default instance port for MSSQL. SQL Server also uses UDP 1434 for the SQL Server Browser service, which helps clients discover instances.
- Port 27017 — MongoDB (TCP) — The default port for MongoDB. Misconfigured instances exposed to the internet have been the target of massive data theft campaigns. Always require authentication and restrict access.
- Port 6379 — Redis (TCP) — The default port for Redis, an in-memory data store. Redis historically had no authentication enabled by default, making exposed instances an easy target. Always bind to localhost or use authentication.
VPN and Tunneling
- Port 500 — IKE / IPsec (UDP) — Internet Key Exchange sets up IPsec VPN tunnels. IKE negotiates the security association. The encrypted data then flows over ESP (IP protocol 50, which is not a port).
- Port 1194 — OpenVPN (TCP/UDP) — The default port for OpenVPN, one of the most widely deployed open-source VPN solutions. OpenVPN can run over either TCP or UDP, with UDP preferred for performance.
- Port 51820 — WireGuard (UDP) — The default port for WireGuard, a modern VPN protocol. It is known for simplicity, speed, and a minimal codebase versus OpenVPN and IPsec.
- Port 1701 — L2TP (UDP) — Layer 2 Tunneling Protocol is typically combined with IPsec (L2TP/IPsec) for encryption. L2TP alone provides tunneling without encryption.
- Port 1723 — PPTP (TCP) — Point-to-Point Tunneling Protocol is a legacy VPN protocol with known security vulnerabilities. PPTP should be considered deprecated and replaced with WireGuard, OpenVPN, or IPsec.
Monitoring and Logging
- Ports 161/162 — SNMP (UDP) — Simple Network Management Protocol uses port 161 for queries and port 162 for traps. SNMPv3 adds encryption and authentication; earlier versions transmit community strings in plaintext.
- Port 514 — Syslog (UDP) — The standard port for centralized log collection on Unix/Linux systems. Syslog sends log messages from network devices, servers, and applications to a central collector for analysis and retention.
- Port 9090 — Prometheus (TCP) — The default port for Prometheus, a popular open-source monitoring and alerting toolkit. Prometheus scrapes metrics from configured targets at regular intervals.
- Port 9200 — Elasticsearch (TCP) — The default HTTP port for Elasticsearch. It is commonly used with Kibana and Logstash (the ELK stack) for log aggregation, search, and visualization.
Port 443 Isn’t Just TCP Anymore: QUIC and Encrypted DNS
Classic port references list 443 as a TCP port and 53 as the only DNS port. Both are now incomplete. HTTP/3 runs over QUIC, which runs over UDP, so port 443 carries web traffic over UDP as well as TCP. Encrypted DNS added port 853 (DoT and DoQ) on top of the original port 53.
Most port tables you’ll find online were written before two important shifts, and they quietly teach an outdated model. If you are configuring firewalls or reading certification material, these are worth understanding.
HTTP/3 Put HTTPS on UDP 443
For decades, port 443 meant one thing: HTTPS over TCP. HTTP/1.1 and HTTP/2 both run over TCP, with TLS layered on top. HTTP/3 changed that. It runs over QUIC, a transport protocol built on UDP with TLS 1.3 built in. So HTTP/3 traffic uses UDP port 443, not TCP.
This is not a fringe protocol anymore. By 2026, roughly 40 percent of websites support HTTP/3, including Google, YouTube, Facebook, and Cloudflare. A modern web server commonly listens on TCP 443 and UDP 443 at the same time. It serves HTTP/2 to older clients and HTTP/3 to newer ones.
The firewall gotcha. HTTP/3 needs UDP 443 open. If your firewall allows TCP 443 but blocks UDP, browsers do not error out. They silently fall back to HTTP/2 over TCP through Alt-Svc negotiation. That fallback is invisible to users but can mask a misconfiguration and cost you HTTP/3’s performance gains. To enable HTTP/3, explicitly allow UDP 443 (for example, ufw allow 443/udp).
Encrypted DNS Added Port 853
The old rule was “DNS is port 53.” Encrypted DNS made that incomplete. DNS over TLS (DoT) uses TCP port 853, and DNS over QUIC (DoQ) uses UDP port 853. DNS over HTTPS (DoH) takes a different path entirely. It rides on port 443 alongside normal web traffic, so it is hard to block or even distinguish.
| Protocol | Transport | Port |
|---|---|---|
| HTTP/2 (HTTPS) | TCP | 443 |
| HTTP/3 (HTTPS) | UDP (QUIC) | 443 |
| DNS over TLS (DoT) | TCP | 853 |
| DNS over QUIC (DoQ) | UDP (QUIC) | 853 |
| DNS over HTTPS (DoH) | TCP / UDP | 443 |
The practical takeaway: a port number no longer implies a single transport protocol. When you write firewall rules or read a packet capture, check the transport, not just the port number. Our guide on how DNS works covers the encrypted-DNS shift in more depth.
Ports and Security
Every open network port is a potential attack surface. If a service listens on a port, an attacker can connect, probe for vulnerabilities, and exploit the software behind it. Knowing which ports are open, and why, is fundamental to security and least privilege.
Every open network port is a potential attack surface. If a service is listening on a port, an attacker can attempt to connect to it. They can then probe for vulnerabilities and exploit weaknesses in the software behind it. This is why understanding which ports are open on your systems, and why, is fundamental to network security.
Port Scanning with Nmap
Port scanning is the process of probing a host to discover which ports are open and which services are running on them. Nmap is the industry-standard tool for this task, used by security professionals and attackers alike.
```bash
# Basic TCP SYN scan of the most common 1000 ports
nmap -sS 192.168.1.1

# Scan specific ports
nmap -p 22,80,443,3306,3389 192.168.1.1

# Scan all 65535 ports with service version detection
nmap -sV -p- 192.168.1.1

# UDP scan (requires root/admin)
sudo nmap -sU -p 53,161,500 192.168.1.1
```
If Nmap finds a port in an open state, a service is actively accepting connections. A filtered state means a firewall is blocking the probe. A closed state means the port is reachable but no service is listening.
Common Attack Vectors by Port
Certain network ports are disproportionately targeted because the services behind them are high-value or historically vulnerable:
- Port 22 (SSH) — Automated brute-force attacks try thousands of username and password combinations. Mitigation: use key-based authentication, disable password login, deploy fail2ban, or move SSH to a non-standard port.
- Port 445 (SMB) — The EternalBlue exploit (CVE-2017-0144) used SMB to spread WannaCry ransomware globally. Mitigation: keep systems patched, block port 445 at the perimeter, and disable SMBv1.
- Port 3389 (RDP) — Exposed RDP is a primary vector for ransomware. Attackers brute-force credentials or exploit flaws like BlueKeep. Mitigation: never expose RDP directly to the internet; use a VPN or RD Gateway.
- Ports 3306, 5432, 27017, 6379 (databases) — Exposed database ports lead to data theft and ransomware. Mitigation: bind to localhost or private interfaces, require authentication, and use firewall rules.
The principle of least privilege applies directly to firewall rules. Open only the network ports that are strictly necessary. Restrict access to the smallest set of source IP addresses possible. Default-deny policies, which block everything and explicitly allow only what’s needed, are the gold standard. For a full introduction to firewall concepts, see our guide on what is a firewall.
How to Check What Ports Are Open
Inspecting which TCP and UDP ports are open on a system is a core skill. On Linux, ss -tulnp lists every listening port and its owning process. On Windows, netstat and Test-NetConnection do the job. Nmap checks what the internet can see from outside your firewall.
Knowing how to inspect which TCP ports and UDP ports are open is a core skill. Every IT professional needs it. Here are the most common methods for Windows and Linux.
Windows
```powershell
# Show all active connections and listening ports
netstat -an

# Filter for listening ports only
netstat -an | findstr LISTENING

# Test if a specific remote port is reachable
Test-NetConnection -ComputerName example.com -Port 443

# Example output:
# ComputerName     : example.com
# RemoteAddress    : 93.184.216.34
# RemotePort       : 443
# TcpTestSucceeded : True
```
Linux
```bash
# Show all listening TCP and UDP ports with process info
ss -tulnp

# Example output:
# Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
# tcp    LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=1234))
# tcp    LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=5678))
# tcp    LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=9012))

# Scan your own machine for open ports
nmap -sT localhost

# Check if a remote port is reachable
nc -zv example.com 443
```
Notice the MySQL entry in the ss output above. It binds to 127.0.0.1:3306 rather than 0.0.0.0:3306, so MySQL only accepts connections from the local machine. That is exactly the secure configuration you want for a database that only your local application needs to reach. You can check your public IP and then run Nmap against it to see what ports are visible from outside.
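The bind-address check described above can be automated over `ss -tulnp` output. The following is an added example, not code from the original article: the sample output is constructed (the article's three lines plus invented ones), the list of sensitive ports is taken from the services this guide says should not be exposed, and all function names are illustrative.

```python
import ipaddress
import re
from collections import namedtuple

# Ports this guide says should never be reachable from the internet.
SENSITIVE = {23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
             3389: "RDP", 5432: "PostgreSQL", 5900: "VNC",
             6379: "Redis", 27017: "MongoDB"}

Listener = namedtuple("Listener", "proto addr port scope process")

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=5678))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=9012))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=5678))
udp   UNCONN 0      0      0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=5678))
tcp   LISTEN 0      511    [::]:6379          [::]:*            users:(("redis-server",pid=2210))
tcp   LISTEN 0      244    *:5432             *:*               users:(("postgres",pid=3301))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=611))
"""


def bind_scope(addr):
    """Classify a local address as wildcard, loopback or specific."""
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"
    except ValueError:
        return "specific"


def parse_ss(text):
    """Turn `ss -tulnp` text into a list of Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue                                  # header or unrelated line
        host, _, port = fields[4].rpartition(":")     # handles [::]:6379 too
        if not port.isdigit():
            continue
        addr = host.split("%")[0].strip("[]")         # drop %iface and brackets
        match = re.search(r'\(\("([^"]+)"', " ".join(fields[6:]))
        listeners.append(Listener(fields[0], addr, int(port), bind_scope(addr),
                                  match.group(1) if match else "?"))
    return listeners


def audit(listeners):
    """Sensitive services listening on anything other than loopback."""
    return [(l.proto, l.port, SENSITIVE[l.port], l.addr, l.process)
            for l in listeners
            if l.port in SENSITIVE and l.scope != "loopback"]


def transports(listeners, port):
    """Which transport protocols are listening on a given port number."""
    return {l.proto for l in listeners if l.port == port}


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS)
    for proto, port, service, addr, process in audit(found):
        print(f"REVIEW {service} ({proto}/{port}) bound to {addr} by {process}")
    print("443 is served over:", sorted(transports(found, 443)))
```

A wildcard bind only shows that the service accepts connections on every interface; whether it is reachable from outside still depends on the firewall, so confirm with an external scan.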
Quick Reference Table
This table summarizes the most critical common port numbers every IT professional, security analyst, and certification candidate should have memorized. For any port not listed, use our port reference database to find its assigned service, protocol, and typical use.
This table summarizes the most critical common port numbers. Every IT professional, security analyst, and certification candidate should have them memorized. Use our port reference database to look up any port not listed here.
| Port | Protocol | Service | What It Does |
|---|---|---|---|
| 20/21 | TCP | FTP | File transfer (data on 20, control on 21) |
| 22 | TCP | SSH / SFTP | Encrypted remote shell access and file transfer |
| 23 | TCP | Telnet | Unencrypted remote access (legacy) |
| 25 | TCP | SMTP | Email relay between mail servers |
| 53 | TCP/UDP | DNS | Domain name resolution |
| 69 | UDP | TFTP | Simplified file transfer for device bootstrapping |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 88 | TCP/UDP | Kerberos | Authentication for Active Directory domains |
| 110 | TCP | POP3 | Email retrieval (downloads and deletes) |
| 143 | TCP | IMAP | Email access with server-side sync |
| 161/162 | UDP | SNMP | Network device monitoring and alerts |
| 389 | TCP/UDP | LDAP | Directory services queries |
| 443 | TCP/UDP | HTTPS | Encrypted web traffic; HTTP/3 uses QUIC over UDP 443 |
| 445 | TCP | SMB | Windows file and printer sharing |
| 465 | TCP | SMTPS | SMTP over implicit TLS |
| 500 | UDP | IKE / IPsec | VPN tunnel negotiation |
| 514 | UDP | Syslog | Centralized log collection |
| 587 | TCP | SMTP Submission | Authenticated outbound email from clients |
| 636 | TCP | LDAPS | Encrypted directory services queries |
| 853 | TCP/UDP | DoT / DoQ | Encrypted DNS (DoT over TCP, DoQ over UDP) |
| 993 | TCP | IMAPS | Encrypted IMAP email access |
| 995 | TCP | POP3S | Encrypted POP3 email retrieval |
| 1433 | TCP | MSSQL | Microsoft SQL Server database |
| 1723 | TCP | PPTP | Legacy VPN tunneling (deprecated) |
| 3306 | TCP | MySQL | MySQL / MariaDB database |
| 3389 | TCP/UDP | RDP | Windows Remote Desktop |
| 5432 | TCP | PostgreSQL | PostgreSQL database |
| 5900 | TCP | VNC | Cross-platform remote desktop |
| 6379 | TCP | Redis | In-memory data store / cache |
| 27017 | TCP | MongoDB | NoSQL document database |
| 51820 | UDP | WireGuard | Modern VPN protocol |
Frequently Asked Questions
Seven common questions about ports. They cover the TCP-versus-UDP distinction and why port 443 matters more than 80. They also cover HTTP/3’s port, SSH’s port, changing a default port, ephemeral ports, and checking open ports.
What is the difference between TCP and UDP?
TCP (Transmission Control Protocol) is connection-oriented. It establishes a session with a three-way handshake, guarantees that data arrives in order, and retransmits lost packets. UDP (User Datagram Protocol) is connectionless. It sends data without establishing a session and provides no delivery guarantees. TCP is used when reliability matters, such as web browsing, email, and file transfers. UDP is used when speed matters more, such as DNS lookups, video streaming, VoIP, and gaming. Both use port numbers independently, so TCP port 53 and UDP port 53 are technically separate. DNS happens to use both.
Why is port 443 more important than port 80?
Port 443 carries HTTPS traffic, which is encrypted with TLS. Port 80 carries plain HTTP, which transmits everything in readable plaintext, including passwords, session tokens, and personal data. Modern browsers mark HTTP sites as “Not Secure,” and search engines give ranking preference to HTTPS. Features like HTTP/2 and HTTP/3 also require TLS. Port 80 still matters, since most sites use it to redirect visitors to HTTPS. But port 443 is where actual secure communication happens. In practice, always ensure port 443 is open and configured with a valid TLS certificate.
Does HTTP/3 use a different port?
No. HTTP/3 still uses port 443, the same number as HTTPS. The difference is the transport protocol underneath. HTTP/1.1 and HTTP/2 run over TCP, while HTTP/3 runs over QUIC, which runs over UDP. So a server that supports HTTP/3 typically listens on both TCP 443 and UDP 443 at the same time. If a firewall blocks UDP 443, browsers fall back to HTTP/2 over TCP automatically through Alt-Svc negotiation. To actually enable HTTP/3, you must allow UDP 443 in your firewall rules.
What port does SSH use?
SSH (Secure Shell) uses TCP port 22 by default. This single port handles remote shell access, SFTP file transfers, and SSH tunneling (port forwarding). Many administrators move SSH to a non-standard number, like 2222 or a random high port. The goal is reducing automated brute-force login attempts. That is security through obscurity rather than a real defense. The more effective protections are different. Disable password authentication in favor of SSH keys, and use tools like fail2ban to block repeated failed logins.
Can I change the default port for a service?
Yes. Almost every network service lets you configure which port it listens on. You can run SSH on port 2222 instead of 22. Or run a web server on port 9443 instead of 443. To do this, you modify the service’s configuration file and restart the service. Examples are /etc/ssh/sshd_config for SSH or the listen directive in Nginx. Keep in mind that clients must specify the non-standard port when connecting. You will also need to update your firewall rules accordingly. Changing default ports reduces automated scanning noise but should not be your primary security measure.
What are ephemeral ports?
Ephemeral ports (also called dynamic ports) are temporary port numbers assigned by the operating system for outbound connections. When your browser connects to a web server on port 443, your OS assigns a high-numbered source port. That port is typically from 49152–65535, though Linux often uses 32768–60999, and it identifies the connection. Once the connection closes, the ephemeral port is released back to the pool. You never need to configure ephemeral ports manually, since the OS manages them automatically. They exist so a single client can maintain many simultaneous connections to different servers.
How do I know if a port is open on my server?
On Linux, run ss -tulnp to see all listening TCP and UDP ports. The output also shows the process that owns each one. On Windows, use netstat -an | findstr LISTENING or the PowerShell cmdlet Test-NetConnection -ComputerName localhost -Port 443. To check from an external perspective, run nmap against your server’s public IP address. You can also use our port reference tool to confirm what a given port is for. Remember that a port can be open locally but blocked by a firewall from outside. Always test from the perspective that matters.