Ports & Sockets

Understanding network ports, sockets, and communication channels for service troubleshooting and monitoring

Ports and sockets are fundamental networking concepts in Linux. Ports are numbered endpoints for network communication, while sockets are the actual communication channels between processes. Understanding these is crucial for network troubleshooting, service management, and security configuration.

Key Concepts

  • Port: Numerical identifier (0-65535) for network services
  • Socket: Communication endpoint between processes
  • Well-known Ports: Standard ports (0-1023) for common services
  • Ephemeral Ports: Temporary ports (32768-65535) for client connections
  • TCP Socket: Reliable, connection-oriented communication
  • UDP Socket: Fast, connectionless communication
  • Unix Socket: Inter-process communication on same system

Command Syntax

Network monitoring commands:

  • netstat [options] - Display network connections
  • ss [options] - Modern replacement for netstat
  • lsof [options] - List open files and sockets
  • nmap [options] target - Network port scanner

Common Options

netstat/ss options:

  • -l - Show only listening ports
  • -n - Show numerical addresses
  • -t - Show TCP connections
  • -u - Show UDP connections
  • -p - Show process IDs and names
  • -a - Show all connections

Practical Examples

Example 1: List all listening ports

ss -tuln
# or
netstat -tuln

Shows all TCP/UDP ports in listening state with numerical addresses

Example 2: Find process using specific port

lsof -i :80
ss -tulpn | grep :80

Identifies which process is using port 80

Example 3: Check if service is listening

ss -tln | grep :22
netstat -tln | grep :22

Verifies SSH daemon is listening on port 22

Example 4: Show all connections for a process

lsof -p 1234
ss -p | grep "pid=1234"

Displays the open files (lsof) and sockets (ss) for process ID 1234, including its network connections

Example 5: Scan for open ports

nmap localhost
nmap -p 1-1000 192.168.1.1

Scans for open ports on local or remote systems

Port Categories

Well-Known Ports (0-1023)

  • Port 22: SSH
  • Port 23: Telnet
  • Port 25: SMTP
  • Port 53: DNS
  • Port 80: HTTP
  • Port 443: HTTPS
  • Port 993: IMAPS
  • Port 995: POP3S

Registered Ports (1024-49151)

  • Port 3306: MySQL
  • Port 5432: PostgreSQL
  • Port 6379: Redis
  • Port 8080: HTTP alternate

Use Cases

  • Service Monitoring: Check if services are running
  • Security Auditing: Identify unnecessary open ports
  • Troubleshooting: Debug network connectivity issues
  • Performance Analysis: Monitor connection states
  • Firewall Configuration: Determine required port rules

Related commands:

  • telnet host port - Test port connectivity
  • nc -l port - Create listening socket (netcat)
  • fuser -n tcp port - Find process using TCP port
  • iptables -L - View firewall port rules
  • systemctl status service - Check service status

Tips & Troubleshooting

Common Issues

  • Permission denied: Use sudo for ports < 1024
  • Address already in use: Another process owns the port
  • Connection refused: Service not listening on port

Security Best Practices

  • Close unused ports with firewalls
  • Use non-standard ports for services when possible
  • Monitor for unexpected listening services
  • Regularly audit open ports with nmap
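
One way to monitor for unexpected listening services is to compare ss output against an allowlist. The script below is an added example, not part of the original page; the allowlist contents, the function name audit_listeners and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an allowlist.
# Input format: lines as printed by `ss -tulnH`
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

# Hypothetical allowlist of "proto/port" pairs expected on this host.
ALLOWED="tcp/22 tcp/443 udp/53"

# Constructed sample of `ss -tulnH` output, so the script runs offline.
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 *:8080 *:*'

# audit_listeners ALLOWLIST   (reads ss lines on stdin)
# Prints "proto/port address scope" for every listener not in the allowlist.
audit_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      local_ep = $5
      port = local_ep; sub(/.*:/, "", port)   # text after the last colon
      addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
      key = $1 "/" port
      if (key in ok) next
      # Loopback-only listeners are not reachable from the network.
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
      print key, addr, scope
    }'
}

# With --live, audit the current host; otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -tulnH | audit_listeners "$ALLOWED"
else
  printf '%s\n' "$SAMPLE" | audit_listeners "$ALLOWED"
fi
```

Lines marked exposed are bound to a non-loopback address and are the ones to check against firewall rules first.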

Performance Notes

  • ss is faster than netstat on modern systems
  • Use -n flag to avoid DNS lookups for speed
  • Limit output with specific filters to reduce overhead

Socket States

  • LISTEN: Waiting for connections
  • ESTABLISHED: Active connection
  • TIME_WAIT: Connection closing
  • CLOSE_WAIT: Waiting for application to close