linux poison RSS
linux poison Email

How To Identify Which Ports (or Services) Are Listening/Open

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack using commands such as netstat -an or lsof -i. This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. Crackers attempt to cover their tracks if they open unauthorized network ports by replacing netstat and lsof with their own, modified versions.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.The following command issued from the console determines which ports are listening for TCP connections from the network:
nmap -sT -O localhost
The output of this command appears as follows:
Starting Nmap 5.00 ( ) at 2009-12-05 01:11 IST
Warning: Hostname localhost resolves to 2 IPs. Using
Interesting ports on localhost (
Not shown: 994 closed ports
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
3128/tcp open  squid-http
3306/tcp open  mysql
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.27
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
Next, check for information about the port using netstat or lsof. To check for port 3128 using netstat, use the following command:
netstat -anp | grep 3128
The command returns the following output:

tcp        0      0*                        LISTEN      1909/(squid)
tcp        0      0         TIME_WAIT   -
tcp        0      0         TIME_WAIT   -

The lsof command reveals similar information to netstat since it is also capable of linking open ports to services:
lsof -i | grep 3128


Post a Comment

Related Posts with Thumbnails