A port (TCP/UDP) is a 16-bit number that identifies a particular process, or service, on a computer. Every TCP segment and UDP datagram carries a source port and a destination port in its header, and the operating system uses the destination port to deliver the data to the process that has bound that port. Port numbers are divided into three ranges: Well Known Ports (0 to 1023), Registered Ports (1024 to 49151), and Dynamic/Private Ports (49152 to 65535). Most commonly used TCP/IP services default to a Well Known Port (for example 22 for SSH, 80 for HTTP and 443 for HTTPS). An "open port" is one on which a process is listening and will accept connections. A "closed port" has no listener: the host answers a probe with a TCP RST (or an ICMP port unreachable for UDP). A port that a firewall is configured to deny is "filtered": the packets are dropped and the prober gets no answer at all, which is why a scanner distinguishes closed from filtered.
Attackers use "port scanning", a popular reconnaissance technique, to find computers with open ports, either at specific IP addresses or across randomly chosen IP address ranges, so they can exploit the listening service and install malicious programs. Botnets and zombie computers scour the net, scanning blocks of IP addresses for commonly probed ports and making repeated attempts to connect to them. If your computer is sending out large amounts of unexplained outbound traffic, or is itself scanning other hosts, that can indicate that it has a Trojan or has been enrolled in a botnet. For more information about port scanning, please refer to Port Scanning Basic Techniques.
If your firewall provides an alert indicating that it has blocked access to a port, that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from a remote computer (an external host) trying to reach a port on your computer. Alerts are often classified by the network port they arrive on, and they let the firewall notify you in various ways about possible probing and intrusion attempts. It is not unusual for a firewall to log numerous such alerts. However, not all unrequested traffic is malevolent; even your ISP will send out regular checks to see if your computer is still there, so a single blocked probe does not by itself warrant an investigation. What does warrant one is evidence on the host itself, such as an unexpected listening port or unexplained outbound connections.
You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain local and foreign addresses, the owning process ID (PID) and the connection state.
- netstat /? lists all available parameters.
- netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
- netstat -b lists the executable involved in creating each connection or listening port; this requires an elevated (administrator) command prompt.
- netstat -n lists active TCP connections with addresses and port numbers expressed numerically; no attempt is made to resolve names, which also makes the output faster.
- netstat -o lists active TCP connections and includes the PID that owns each one. You can find the application from the PID on the Processes or Details tab in Windows Task Manager. This parameter can be combined with -a, -n and -p (for example, netstat -ano lists every connection and listening port numerically with its PID, and netstat -p tcp restricts the output to one protocol):
-- If the port in question is listed as LISTENING, there is a possibility that it is in use by a Trojan server, but your firewall, if properly configured, should have blocked any attempt from outside to reach it. LISTENING means a program has bound the port and is waiting to accept a connection from a remote computer; ESTABLISHED means the TCP handshake has completed and the two endpoints are exchanging data. What matters for triage is which PID owns a LISTENING socket and whether it is bound to all interfaces (0.0.0.0 or [::]) or only to loopback (127.0.0.1), since a loopback-only listener is not reachable from the network at all. See also: What is the Difference between Established/Listening Ports?
You can use various Network Traffic Monitoring Tools for troubleshooting and malware investigation:
- Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port.
- Shields Up is an online port scanning service that probes your public IP address from the outside and reports which ports are reachable through your firewall or NAT router, which is the view an attacker on the Internet gets.
There are third-party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, the state of TCP connections and the process that opened the port.
Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity; blocking outbound UDP 53, for example, breaks DNS resolution, and blocking TCP 80 and 443 breaks web browsing.