4 Ways to Find Out What Ports Are Listening in Linux
Linux is a popular operating system widely used by system administrators, developers, and security professionals. One of the most important tasks in managing a Linux system is to identify which ports are listening and which processes are using them. This knowledge is crucial for system security, troubleshooting network issues, and service management. In this article, we will discuss several effective methods to find out what ports are listening in Linux.
Using netstat Command
The netstat command is a traditional network utility that provides detailed information about network connections, routing tables, and interface statistics. To check which ports are listening, use the following command:
$ netstat -ltn
The options used are:
-l Shows only listening sockets
-t Displays TCP connections only
-n Shows port numbers instead of resolving service names
Here is an example output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
The output shows that the SSH daemon is listening on port 22 on all interfaces (0.0.0.0) and the CUPS printing service is listening on port 631 on the loopback address only (127.0.0.1).
Using lsof Command
The lsof command (list open files) is a powerful diagnostic tool that lists all open files and network connections. To find listening ports, use:
$ sudo lsof -i -P -n | grep LISTEN
The options explained:
-i Lists network connections
-P Shows port numbers instead of service names
-n Disables hostname resolution for faster output
Example output:
sshd   2269 root 3u IPv4 11758 0t0 TCP *:22 (LISTEN)
cupsd  2889 root 7u IPv4 16314 0t0 TCP 127.0.0.1:631 (LISTEN)
This output provides additional details like process ID (PID) and the user running the service.
Using ss Command
The ss command is the modern replacement for netstat and is generally faster and more feature-rich. To check listening TCP ports:
$ ss -ltn
For more detailed information including process names:
$ sudo ss -ltnp
Example output:
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     *:22                *:*
LISTEN  0       5       127.0.0.1:631       *:*
Using nmap Command
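The nmap command is primarily used for network discovery and security auditing. It can scan both local and remote systems for open ports. Unlike the previous tools, nmap probes ports over the network, so its results show what is reachable from the scanning host rather than the system's own socket table.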
For scanning localhost:
$ nmap -sT localhost
For scanning a remote system:
$ sudo nmap -sS -p- <remote_ip>
Example output:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-15 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Comparison of Methods
| Command | Speed | Detail Level | Best Use Case |
|---|---|---|---|
| netstat | Medium | Basic | Traditional systems, simple queries |
| lsof | Medium | High | Detailed process information needed |
| ss | Fast | Medium-High | Modern systems, quick overview |
| nmap | Slow | Medium | Remote scanning, security audits |
Common Use Cases
Security Auditing: Use nmap to scan for unexpected open ports that might indicate security vulnerabilities or unauthorized services.
Troubleshooting: Use lsof or ss -p to identify which process is using a specific port when you encounter "port already in use" errors.
System Monitoring: Use ss for regular monitoring due to its speed and comprehensive output format.
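For the security auditing and monitoring use cases above, the check for "unexpected" listeners can be automated by comparing ss -ltn output against an allowlist. The script below is an added example, not part of the original article; the allowlist, the function names and the sample input are assumptions constructed for illustration.

```shell
# Constructed allowlist of ports expected on this host (assumption).
ALLOWED_PORTS="22 631"

# audit_listeners: reads `ss -ltn` output on stdin and prints one finding
# per unexpected listener as "<severity> <address> <port>".
#   EXPOSED = bound to a non-loopback address (reachable from the network)
#   LOCAL   = bound to loopback only
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                  # skip header and other rows
        {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if (port in ok) next                 # expected service
            sev = (addr ~ /^127\./ || addr == "[::1]") ? "LOCAL" : "EXPOSED"
            print sev, addr, port
        }'
}

# Constructed sample in the format of `ss -ltn` (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
EOF
}

# Run against the sample; on a live host use: ss -ltn | audit_listeners
sample_ss_output | audit_listeners
```

On the sample, port 8080 is reported as EXPOSED because it is bound to 0.0.0.0, while port 3306 is reported as LOCAL because it is bound to 127.0.0.1.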
Conclusion
Monitoring listening ports is essential for Linux system security and troubleshooting. The ss command is recommended for modern systems due to its speed and rich feature set, while lsof provides the most detailed process information. Choose the method that best fits your specific monitoring and diagnostic needs.
