What's the difference between a listening port and an open port?

A listening port has a local service bound to it and ready to accept connections. From the outside, that port is 'open' only if a firewall or NAT lets traffic reach it. Checking locally with netstat or ss shows what is listening; scanning from another machine shows what is actually reachable.

How do I find which process is using a port?

Get the PID that owns the port (netstat -ano on Windows, ss -tulpn or lsof -i on Linux/macOS), then resolve that PID to a program name with tasklist (Windows) or ps (Linux/macOS). The PID is the link between a port number and the program holding it open.

How to check which ports are open (Windows, Linux, macOS)

When something can't connect, a port is already taken, or you suspect an unexpected service is exposed, the first step is to see which ports are open. This guide shows how to list listening ports on your own machine across Windows, Linux, and macOS, how to map a port back to the process that owns it, and how to scan a remote host. Throughout, replace <target> with a host you are authorized to test.

Listening ports vs reachable ports

There are two questions worth separating. What is listening on this machine? is answered locally with built-in tools. What can the outside world actually reach? depends on firewalls and NAT, and is answered by scanning from another machine. A service bound to port 3306 (MySQL) may be listening yet firewalled off from the internet. Check both views.

Windows

Open an elevated Command Prompt or PowerShell to see process owners.

# All listening TCP/UDP ports with the owning PID
netstat -ano | findstr LISTENING

# Filter to one port, e.g. RDP on 3389
netstat -ano | findstr :3389

The last column is the PID. Resolve it to a program:

tasklist /FI "PID eq 1234"

PowerShell offers a cleaner, object-based view:

# Listening TCP sockets, newest API
Get-NetTCPConnection -State Listen | Sort-Object LocalPort

# Join the port to a process name
Get-NetTCPConnection -State Listen |
  Select-Object LocalPort, OwningProcess,
  @{Name='Process';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

On Windows you'll commonly see port 135 (RPC), port 139 and port 445 (SMB), port 3389 (RDP), and port 5985 (WinRM) listening.

Linux

ss is the modern replacement for netstat and is preinstalled on most distributions.

# TCP + UDP, listening only, numeric, with process (needs sudo for names)
sudo ss -tulpn

The flags read as tcp, udp, listening, numeric, process. If ss isn't available, the classic command is equivalent:

sudo netstat -tulpn

To find exactly what holds a single port open, use lsof:

# Who is listening on port 22?
sudo lsof -i :22

# Everything a given PID has open
sudo lsof -p 1234

A typical Linux server shows port 22 (SSH), port 80 (HTTP), port 443 (HTTPS), and perhaps port 5432 (PostgreSQL) or port 6379 (Redis).

macOS

macOS ships with lsof, which is the most reliable way to list listening sockets. The netstat on macOS does not show PIDs, so prefer lsof.

# All listening TCP/UDP ports with process names and numeric ports
sudo lsof -i -P -n | grep LISTEN

# A single port
sudo lsof -i :5900 -P -n

The -P keeps ports numeric and -n skips DNS lookups, so output is fast and unambiguous. On a Mac you might spot port 5900 (VNC/screen sharing) or port 631 (CUPS printing).

Mapping a PID to a process

The PID is the bridge between a port and a program. Once a command above gives you the PID, resolve the name:

# Linux / macOS
ps -p 1234 -o pid,comm,args

# Windows
tasklist /FI "PID eq 1234"

If you don't recognise the service, look the port up. For example, an unexpected listener on port 23 (Telnet) or port 1433 (SQL Server) is worth investigating, and port 161 (SNMP) exposed to the internet is a classic misconfiguration.

Scanning a remote host

Local tools only show what one machine believes it is listening on. To learn what is reachable, scan from elsewhere with Nmap:

# Common TCP ports on a host you own
nmap <target>

# Specific ports, e.g. mail and web stacks
nmap -p 25,143,443,8080 <target>

This is how you confirm whether port 25 (SMTP), port 143 (IMAP), or port 8080 (HTTP alt) are actually open to the network rather than just listening locally.

A note on legality

Scan only systems you own or have explicit written authorization to test. Unauthorized scanning can breach computer-misuse laws and trip intrusion-detection systems. Listing ports on your own machine is always fine; scanning someone else's is not.

Conclusion

Use netstat -ano or Get-NetTCPConnection on Windows, ss -tulpn or lsof -i on Linux, and lsof -i -P on macOS to see what is listening, then map the PID to a process to know exactly what each port belongs to. Scan with Nmap to confirm what's reachable from outside. To identify any number you find, browse all ports on ProtocolPorts.