Guide
What Is Port Scanning?
Definition, techniques, and why every security professional needs to understand it.
Introduction
Port scanning is when you probe a computer or network to see which ports are open — the digital doors data flows through. Think of an IP address like a building, and ports like individual doors. Some are supposed to be open (the front door — web servers on 80 or 443). Others should stay locked (that random database server on 3306 nobody remembers setting up).
If you're on the security side, port scanning tells you what services are running, what might be vulnerable, and whether your network is in good shape. Attackers use the exact same techniques — they're just looking for different things.
How Port Scanning Works
Every IP host has 65,536 TCP port numbers (0 through 65535) and the same range of UDP ports. When a service starts listening, say a web server, it binds to a port and waits for traffic. A port scanner sends carefully crafted packets to a range of these ports, then reads the responses to sort each port into one of three states:
- Open — The port is actively listening: a service accepted the connection (TCP) or answered the probe (UDP).
- Closed — The port is reachable but nothing is listening. For TCP the host answered with a RST packet; for UDP it sent an ICMP "port unreachable".
- Filtered — Something between the scanner and the service (a firewall, ACL or packet filter) is dropping the probe. The scanner got no reply at all, or an ICMP error other than "port unreachable". When a scan type cannot separate open from filtered, Nmap reports the port as open|filtered.
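The three states above fall straight out of what the operating system tells you when a connection attempt succeeds or fails. The following Python scanner is an added example (not code from the original guide or from Nmap) that maps connect() outcomes to open / closed / filtered; hostnames, ports and the timeout are assumptions chosen for illustration, and the demo at the bottom only scans the local machine.

```python
"""Classify TCP ports as open / closed / filtered with the OS socket API
(the same mechanism as Nmap's -sT connect scan). Added example, not Nmap code."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect_error(err: OSError) -> str:
    """Map the error connect() raised to a port state.

    ECONNREFUSED: the host answered our SYN with RST, so the port is closed.
    Timeout: the SYN (or its reply) was dropped, which is what a firewall
    that silently discards packets looks like, so the port is filtered.
    ICMP host/network/admin-prohibited errors surface as *UNREACH errnos and
    also mean a filter is in the way.
    """
    if isinstance(err, (socket.timeout, TimeoutError)) or err.errno == errno.ETIMEDOUT:
        return FILTERED
    if isinstance(err, ConnectionRefusedError) or err.errno == errno.ECONNREFUSED:
        return CLOSED
    if err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return FILTERED
    # Anything else (EACCES from a local policy, etc.) is treated as filtered:
    # we learned nothing about the remote service.
    return FILTERED


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Complete (or fail) a full TCP handshake against one port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError as err:
            return classify_connect_error(err)
        # Handshake completed: the service accepted the connection. Closing
        # the socket sends FIN, so the service sees a real (if empty) session.
        return OPEN


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 1.0,
             workers: int = 64) -> Dict[int, str]:
    """Probe many ports concurrently. Each filtered port costs a full timeout,
    so parallelism is what keeps a connect scan tolerable."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: tcp_connect_probe(host, p, timeout), ports))
    return dict(zip(ports, states))


if __name__ == "__main__":
    # Scan only the local machine: your own host, no authorization question.
    results = scan_tcp("127.0.0.1", range(1, 1025), timeout=0.5)
    for port, state in sorted(results.items()):
        if state != CLOSED:
            print(f"{port}/tcp {state}")
```

Note that a connect scan can only ever report "filtered" by waiting out the timeout, so the timeout you choose directly sets the cost of every firewalled port.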
Common Port Scanning Techniques
SYN Scan (Stealth Scan) -sS
Sends a SYN packet, the first step of the TCP handshake. An open port replies with SYN-ACK; a closed one sends RST. The scanner answers a SYN-ACK with RST instead of ACK, so the handshake never completes and the connection never reaches the listening application; application-level logs usually won't record it, although firewalls and IDS sensors still see the SYN. This is Nmap's default when it has raw-socket privileges (root), and its fastest TCP scan type.
TCP Connect Scan -sT
Uses the OS's own connect() call to complete the full TCP handshake instead of sending raw packets. It works without raw-socket privileges, so it is Nmap's default for unprivileged users and the only option in some containers and sandboxes, but every probe fully opens a connection that the target service sees and can log.
UDP Scan -sU
UDP is connectionless, so there is no handshake to observe. The scanner sends a datagram (empty for most ports, a protocol-specific payload such as a DNS query for well-known ones) and watches what comes back: an ICMP "port unreachable" means closed, a UDP reply means open, and silence could be either an open service that ignores the probe or a firewall dropping it, so Nmap reports open|filtered. Most hosts also rate-limit ICMP errors (Linux defaults to about one per second), which makes a full UDP scan far slower than a TCP scan.
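The ambiguity described above is easy to see with an ordinary UDP socket. This added example (not code from the original guide or from Nmap) sends a probe and turns the three possible outcomes into closed, open and open|filtered; the DNS query bytes are constructed here for illustration, and the port-to-payload table is an assumption standing in for Nmap's much larger payload database.

```python
"""UDP probe with the OS socket API, showing why UDP results are ambiguous.
Added example, not Nmap code."""
import socket
from typing import Dict, Iterable

OPEN, CLOSED, OPEN_FILTERED = "open", "closed", "open|filtered"

# Constructed minimal DNS query (ID 0x1234, RD set, one question: example.com A).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")

# Assumed payload table: services that only answer well-formed requests need
# a real request or they look open|filtered. Empty datagram for everything else.
PAYLOADS: Dict[int, bytes] = {53: DNS_QUERY}


def udp_probe(host: str, port: int, payload: bytes = b"",
              timeout: float = 1.0, retries: int = 2) -> str:
    """Send a datagram and interpret what (if anything) comes back.

    Using a *connected* UDP socket matters: the kernel then attributes an
    ICMP port-unreachable for this destination to our socket and raises
    ConnectionRefusedError on the next send()/recv() instead of dropping it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        for _ in range(retries):
            try:
                sock.send(payload)
                sock.recv(4096)          # any UDP reply proves a listener
                return OPEN
            except ConnectionRefusedError:
                return CLOSED            # ICMP type 3 code 3 came back
            except socket.timeout:
                continue                 # retransmit: UDP gives no reliability
    # Silence after every retry: an open service that ignores our payload, or a
    # firewall that swallowed the probe. The scanner cannot tell which.
    return OPEN_FILTERED


def scan_udp(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe ports sequentially; ICMP rate limiting makes parallelism less useful here."""
    return {p: udp_probe(host, p, PAYLOADS.get(p, b""), timeout) for p in ports}


if __name__ == "__main__":
    for port, state in scan_udp("127.0.0.1", [53, 123, 161, 514]).items():
        print(f"{port}/udp {state}")
```

The retry loop is the other half of the slowness story: every port that stays silent costs retries times the timeout before it can be labelled open|filtered.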
FIN / NULL / Xmas Scans -sF / -sN / -sX
These send segments with flag combinations that never start a legitimate connection: FIN only, no flags at all (NULL), or FIN+PSH+URG (Xmas, because the packet is "lit up"). RFC 793 requires a closed port to answer such a segment with RST and an open port to drop it, so RST means closed and silence means open|filtered. Stateless firewalls that only block SYN packets let these probes through, but many stacks (Windows and many Cisco devices among them) reply RST from every port regardless of state, so on those hosts every port looks closed.
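SYN, FIN, NULL and Xmas scans differ only in the flag byte of a hand-built TCP header and in how the reply is read. The following Python is an added example (not code from the original guide or from Nmap) that builds those probe segments with a correct checksum and classifies replies the way each scan type interprets them; the addresses and ports are assumed placeholder values, and send_probe is a hypothetical helper included to show why raw-packet scans need root.

```python
"""Craft the TCP probes behind -sS / -sF / -sN / -sX and interpret replies.
Added example, not Nmap code."""
import socket
import struct
from typing import Optional

# TCP flag bits, low to high (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets sent by each scan type discussed above.
PROBES = {"-sS": SYN, "-sF": FIN, "-sN": 0, "-sX": FIN | PSH | URG}


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum must also cover."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header, no options, no payload, valid checksum."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, seq, 0,
                         5 << 4,       # data offset: 5 x 32-bit words = 20 bytes
                         flags, window,
                         0,            # checksum placeholder, filled below
                         0)            # urgent pointer
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(segment: bytes) -> int:
    """Flag byte of a TCP header (offset 13)."""
    return segment[13]


def classify_response(probe_flags: int, response: Optional[bytes]) -> str:
    """Port state from the TCP reply (None means nothing came back).

    A real scanner also treats an ICMP unreachable as filtered; this helper
    only looks at TCP replies.
    """
    if probe_flags == SYN:                   # -sS
        if response is None:
            return "filtered"
        f = tcp_flags(response)
        if f & SYN and f & ACK:
            return "open"
        if f & RST:
            return "closed"
        return "filtered"
    # -sF / -sN / -sX: RFC 793 tells open ports to stay silent, so silence is
    # ambiguous and only an RST is conclusive.
    if response is not None and tcp_flags(response) & RST:
        return "closed"
    return "open|filtered"


def send_probe(segment: bytes, dst_ip: str) -> None:
    """Hypothetical sender: transmits a crafted segment over a raw socket.
    Opening it needs CAP_NET_RAW (root), which is why -sS does too. The kernel
    adds the IP header; it also has no record of our SYN, so when a SYN-ACK
    arrives it answers RST on its own, which is what makes the scan half-open."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(segment, (dst_ip, 0))


if __name__ == "__main__":
    for opt, flags in PROBES.items():
        seg = build_tcp_segment("192.0.2.10", "192.0.2.20", 40000, 80, flags)
        print(opt, seg.hex())
```

Capturing the replies needs a packet sniffer alongside the raw sender; classify_response is written to take the TCP portion of whatever that sniffer returns.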
Legitimate vs Malicious Scanning
Is port scanning good or bad? Depends who's doing it and whether they have permission. That's really the only distinction that matters:
Legitimate Use
- Scanning your own infrastructure
- Authorized penetration tests
- Bug bounty programs
- Security research with permission
Malicious Use
- Scanning without authorization
- Reconnaissance for attacks
- Mapping target infrastructure
- Finding exploitable services
Important: Always obtain written permission before scanning any system you do not own. Unauthorized scanning may violate computer fraud laws.