How to Check Open Ports & Listening Services: The 2025 Cross-Platform Guide
That mysterious service. That unexpected connection. That security finding from your scanner.
An open port is a door into your system. Knowing which doors are open, what’s behind them, and who has the keys is the first rule of system hardening. It doesn’t matter if you’re on Windows, Linux, or macOS—the question is the same: “What is listening on my machine?”
But the answer depends on your OS. Juggling the different commands is a pain.
This guide cuts through the complexity. We’re giving you the one definitive command for each major operating system. Bookmark this. It’s the only cheatsheet you’ll need.
The Universal Goal: Find LISTENing Sockets
Before we start, know what we’re looking for. We don’t just want all connections; we want the services that are listening for incoming connections. These are the potential entry points.
A web server listens on port 80/443. SSH listens on port 22. Malware might listen on a random high port. Our job is to find them all.
The Command Cheat Sheet
| Task | Windows | Linux | macOS | |
|---|---|---|---|---|
| Primary Command | netstat -ano | ss -tulnp | `lsof -i -P | grep LISTEN` |
| Show Listening Ports | -a | -l | grep LISTEN | |
| Show TCP/UDP | (default) | -t (TCP), -u (UDP) | -i (Internet) | |
| Resolve Hostnames | (default) | -n (prevents resolve) | -P (prevents resolve) | |
| Show Process Info | -o (PID) | -p (PID/Name) | (built into lsof) |
Windows: The netstat -ano Powerhouse
Windows has a reliable, if a bit dated, workhorse.
- Open Command Prompt or PowerShell as Administrator. (Admin rights are needed to see all PIDs).
- Run the golden command:cmdnetstat -ano
-a: Shows all connections and listening ports.-n: Shows addresses and port numbers numerically. (Faster, no DNS lookup).-o: Shows the Process ID (PID) for each connection.
- Find the listener: Look for state
LISTENING. - Find the process: Note the PID. Open Task Manager, go to the “Details” tab, find the PID, and see exactly what application or service it is.
Pro Tip: To only see listening ports, you can filter the command:
cmd
netstat -ano | findstr "LISTENING"
Linux: The Modern ss -tulnp Command
On modern Linux, netstat is deprecated. The ss (socket statistics) tool is its faster, more powerful replacement.
- Open a terminal. (You’ll likely need
sudoto see all process names). - Run the definitive command:bashsudo ss -tulnp
-t: TCP ports.-u: UDP ports.-l: Listening sockets only.-n: Numeric. Don’t resolve service names.-p: Show process information. This is what ties the port to the application.
The output is incredibly clear, showing the port, the state, and the process name/PID that’s listening on it.
Legacy/Nostalgia: The old netstat -tulnp command still works on most systems, but ss is the future.
macOS: The lsof -i -P Detective
macOS uses the powerful lsof (List Open Files) command. Since everything is a file, including network connections, it’s the perfect tool for the job.
- Open Terminal.
- Run the classic command:bashlsof -i -P | grep LISTEN
-i: Lists all Internet network files (sockets).-P: Crucial. Inhibits the conversion of port numbers to port names (e.g., shows5432instead ofpostgresql). This is much clearer.| grep LISTEN: Pipes the output togrepto filter only for lines with “LISTEN”.
The output shows the command (process name), PID, user, and the port it’s listening on.
For a more focused view: To see what’s listening on a specific port, like 80:
bash
lsof -i :80 -P
Why This Matters: Security & Troubleshooting
You’re not just running commands. You’re conducting an audit.
- Identify Unknown Services: Is something listening on port 31337? That’s a huge red flag. Investigate that PID immediately.
- Verify Configuration: You installed a new web server. Is it actually listening on the IP and port you configured? This command gives you an instant answer.
- Diagnose Connection Issues: “Can’t connect to the database?” First, check if the database process is even listening for connections. If not, you’ve found your problem.
- Pass Security Audits: Many compliance frameworks require you to justify every open port on a system. This is your evidence.
Conclusion: One Task, Three Commands
You don’t need to memorize everything. You just need to know where to look.
- On a Windows server?
netstat -ano | findstr "LISTENING" - SSH’d into a Linux box?
sudo ss -tulnp - Working on a Mac?
lsof -i -P | grep LISTEN
This is cross-platform fluency. This is what makes a proficient sysadmin, DevOps engineer, or security analyst.
Now you can answer the question on any machine, in under 10 seconds.
Found a suspicious port? The next step is to investigate the process. Our guide on [ investigating running processes on Windows, Linux, and Mac] will show you how.
FAQ Section
Q: What is the difference between ‘listening’ and ‘established’ ports?
A: A ‘listening’ port is an open port where a service is waiting and actively accepting new incoming connections. An ‘established’ port is a port that is currently being used for an active, two-way connection between your computer and a remote machine. For security hardening, the ‘listening’ ports are your primary focus, as they represent potential entry points.
Q: Why do I need to use sudo on Linux to see process names?
A: The ss -p and netstat -p options try to read process information from the /proc filesystem. Information about processes not owned by your current user is protected by Linux’s file permissions. Using sudo elevates your privileges to root, allowing you to see the name and PID of every process listening on a port, which is essential for a complete security audit.
Q: Is there a GUI tool to see open ports?
A: Yes, but the command-line is universally faster and more powerful. On Windows, the built-in Resource Monitor (resmon) has a “Listening Ports” section under the Network tab. On Linux and macOS, various third-party GUI system monitors exist. However, for quick remote access and scripting, the CLI commands (netstat, ss, lsof) are the tools of choice for professionals.
Q: How can I close an open port?
A: You don’t close the port itself; you stop or configure the process that is listening on it. An open port is a symptom, not the cause. Using the commands in this guide, identify the Process ID (PID) and the application name. From there, you can stop the service (e.g., sudo systemctl stop nginx), uninstall the application, or reconfigure it to stop listening on that interface or port.