How to Use a Port Scanner

Understanding open, closed, and filtered ports for security and troubleshooting.

What are ports and why do they matter?

An IP address gets a packet to the right machine. A port number gets it to the right service on that machine. Your web server, SSH daemon, mail server, and database all run on the same box — ports are how the operating system knows which process should handle each incoming connection.

Ports run from 0 to 65,535. The first 1,024 are "well-known" ports reserved for standard services: 80 for HTTP, 443 for HTTPS, 22 for SSH, 25 for SMTP. Above 1,024 you get registered ports (official service assignments) and ephemeral ports (temporary source ports your browser uses for the connections it opens when fetching a web page).

The key insight for security: every open port is an exposed attack surface. A port scanner is the fastest way to know what's actually listening on a host — and whether your firewall is doing what you think it is.

What does a port scanner do?

A port scanner probes a host by attempting to connect to each port and observing the response. The most common technique — used by this tool — is a TCP connect scan: it attempts a full three-way handshake (SYN → SYN-ACK → ACK) on each port. If the handshake completes, the port is open. If the target immediately sends a RST packet back, the port is closed. If nothing comes back within the timeout, the port is filtered.

Server-side vs. your-side scanning
Online port scanners like this one scan from their server. That shows you what the public internet sees — useful for checking firewall exposure. To scan your local network (or scan from your own IP), you need a local tool like nmap.

Scanners like nmap have more advanced scan types: SYN scans that never complete the handshake (stealthier), UDP scans, version detection, OS fingerprinting. A TCP connect scan is the baseline that requires no special privileges and works from any machine.

Open, closed, and filtered — explained

There are three possible results for each port:

  • Open — a service is listening and accepted the connection. The port is reachable and something is running there.
  • Closed — the host responded with a TCP RST. No service is listening on this port, but the host itself is reachable and the port is not firewalled. Closed ports respond fast.
  • Filtered — no response within the timeout. A firewall is silently dropping packets (as opposed to actively refusing them). Filtered ports are slower to scan because you have to wait for the timeout on each one.

The distinction between closed and filtered matters for security analysis. Closed means there's no service, but the port is accessible — an attacker could start a service there if they gained access. Filtered means a firewall is in front, which is generally what you want for ports that should never be reachable.
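The three results map directly onto what a TCP connect() call reports. The following is an added example, not the code of the scanner this page describes: classify_port and loopback_demo are hypothetical names, the 2-second timeout is an assumed value, and the demo only touches 127.0.0.1.

```python
import errno
import socket

def classify_port(host, port, timeout=2.0):
    """Probe one TCP port with a full connect() and name the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))   # SYN -> SYN-ACK -> ACK completed
        return "open"
    except ConnectionRefusedError:   # the host answered with RST
        return "closed"
    except socket.timeout:           # no reply before the timeout
        return "filtered"
    except OSError as exc:
        # Assumption beyond the page: host/network unreachable errors are
        # also counted as filtered, since no RST came from the target.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()

def loopback_demo():
    """Check one listening and one unused port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here any more
    try:
        return {
            "listening": classify_port("127.0.0.1", listener.getsockname()[1]),
            "unused": classify_port("127.0.0.1", unused_port),
        }
    finally:
        listener.close()

if __name__ == "__main__":
    print(loopback_demo())
```

A filtered result needs a firewall that drops packets, so the loopback demo exercises only the open and closed cases.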

What common open ports tell you

Finding certain ports open on an internet-facing host is immediately informative:

  • 22 open — SSH is exposed to the internet. Normal for servers you manage, a red flag on consumer devices.
  • 80 / 443 open — web server running, as expected for any public site.
  • 3306 open — MySQL/MariaDB directly exposed. This should almost never be internet-facing; database access should go through the application layer.
  • 3389 open — Windows Remote Desktop exposed to the internet. High-value target for brute force attacks.
  • 6379 open — Redis exposed without authentication. Redis was not designed to be internet-facing and has no auth by default in older versions.
  • 27017 open — MongoDB exposed. Same concern as Redis — many historical breaches came from open MongoDB instances.

As a rule: databases, caches, and internal APIs should never be reachable on internet-facing IPs. If you find them open, close them immediately.

Port scanning for troubleshooting

Port scanning is one of the first tools a network engineer reaches for when something isn't working. Common troubleshooting scenarios:

  • Service not reachable: scan the host to confirm whether the port is open, closed, or filtered. If it's filtered, the firewall is blocking you. If it's closed, the service isn't running.
  • Firewall rule verification: after adding a firewall rule, scan from outside to confirm the port is now reachable (or blocked) as intended.
  • New server setup: quick scan to confirm only expected ports are open — catches misconfigured services that started unexpectedly during installation.
  • Email delivery issues: check whether port 25 (SMTP) and 587 (submission) are reachable on a mail server.

Tip: use the "Web only" preset for quick checks
The "Web only" preset scans ports 80, 443, 8080, and 8443 — the four ports a web server typically uses. It's the fastest way to confirm a site is actually listening.

Port scanning for security audits

Regular port scanning of your own infrastructure is a basic security hygiene practice. It tells you what an attacker would see before you do. Things to look for:

  • Unexpected open ports — a port you didn't intentionally expose. Could be a misconfigured service, developer test server, or malware.
  • Services on non-standard ports — attackers sometimes move services to high port numbers hoping scanners won't find them (security through obscurity — it doesn't work, but it happens).
  • Confirmed firewall coverage — ports that should be filtered show as filtered from the internet. If they show as closed instead of filtered, your firewall isn't in front of them.

For a more thorough security audit, use nmap with service version detection (-sV) to identify not just which ports are open, but which software version is running — useful for checking whether outdated versions with known CVEs are exposed.
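The checks in the list above can be automated against saved scan results. This is an added example, not part of the original page or of nmap: it reads nmap's grepable output (the -oG option, which this page does not otherwise cover) and compares it with an exposure policy. The sample output, the 203.0.113.10 address, the policy sets and the function names are constructed for illustration.

```python
# Added example: audit nmap grepable (-oG) output against an exposure policy.
SAMPLE = (  # constructed output for a documentation-range address
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3306/closed/tcp//mysql///, 3389/filtered/tcp//ms-wbt-server///, "
    "6379/open/tcp//redis///\n"
)

def parse_grepable(text):
    """Return {host: {port: state}} for the TCP ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")            # -oG fields are tab-separated
        if not fields[0].startswith("Host: "):
            continue
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")     # port/state/proto/owner/service/...
                if len(parts) >= 3 and parts[2] == "tcp":
                    hosts.setdefault(host, {})[int(parts[0])] = parts[1]
    return hosts

def audit(ports, expected_open, must_be_filtered):
    """Flag unexpected open ports and ports the firewall does not cover."""
    findings = []
    for port, state in sorted(ports.items()):
        if state == "open" and port not in expected_open:
            findings.append((port, "unexpected-open"))
        elif state == "closed" and port in must_be_filtered:
            # A RST came back, so no firewall is dropping traffic to this port.
            findings.append((port, "closed-not-filtered"))
    return findings

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE)
    for host, ports in scan.items():
        for port, finding in audit(ports, {22, 443}, {3306, 3389, 6379, 27017}):
            print(host, port, finding)
```

Run on a schedule against your own hosts, a non-empty findings list is the signal to investigate.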

Try it: scan a host now

Use the check.systems port scanner to scan any public hostname or IP address from this server. The "Common 25" preset covers the ports most likely to be of interest: web, mail, SSH, databases, and remote access.

For a safe test target that explicitly welcomes scanning, try scanme.nmap.org — maintained by the nmap project specifically for testing scanners.

Scanning your local network with nmap

For local network scanning — finding devices on your home or office network, scanning hosts behind NAT — you need nmap running on your own machine. It's free, open source, and available on Windows, macOS, and Linux.

Basic commands:

  • nmap -sV 192.168.1.1 — scan a single host with service version detection
  • nmap -sV 192.168.1.0/24 — scan your entire local subnet
  • nmap -p 22,80,443 192.168.1.1 — scan specific ports only
  • nmap -sV --top-ports 100 192.168.1.1 — scan the 100 most common ports

Only scan networks and hosts you own or have explicit permission to test. Unauthorized port scanning is illegal in many jurisdictions.

