Ports & Protocols N10-009

Slide 1 of 10  |  N10-009 Obj 1.4  |  Chapter 2
Ports & Protocols:
The Doors to Network Services
Every service has an address. Every address has a number.
Your boss walks up: "Port 443 is down on the web server." You nod like you know exactly what that means. But do you actually understand what a port is, why it exists, and what to do about it? Let's fix that.
10 Slides  |  N10-009 Obj 1.4  |  Transport Layer (Layer 4)  |  Concepts + Context
Slide 2 of 10
What Is a Port?
An IP address is a building. A port is a specific office inside that building.
Server 192.168.1.5
:80    HTTP (Web)
:443   HTTPS (Secure Web)
:22    SSH (Remote Access)
:25    SMTP (Mail)
:3389  RDP (Remote Desktop)
How It Works
The IP address routes the packet to the correct machine on the network. The port number tells that machine which service should handle the connection. Without ports, the server would not know whether an incoming packet is for the web server, the mail server, or SSH.
Socket = IP + Port    192.168.1.5 : 443
The Scenario
When your boss says "Port 443 is down," they mean the HTTPS service on that server is not accepting connections. The IP is fine. The machine is up. Just that specific door is closed.
Ports are defined at Layer 4 (Transport Layer) of the OSI model. TCP and UDP both use port numbers. Port numbers range from 0 to 65535. That is 16 bits.
Slide 3 of 10
The Three Port Ranges
Not all 65,535 ports are equal. They are organized into three tiers.
Well-Known: 0 → 1023  |  Registered: 1024 → 49151  |  Dynamic: 49152 → 65535
0 – 1023
Well-Known
Reserved by IANA. Services in this range must run with root/admin privileges. HTTP (80), HTTPS (443), SSH (22) live here. These are the standards.
1024 – 49151
Registered
Vendors register these with IANA for specific applications. MySQL (3306), PostgreSQL (5432), RDP (3389). Widely used but not universally reserved.
49152 – 65535
Dynamic / Ephemeral
Your OS assigns these temporarily when YOU initiate a connection. Also called client ports or private ports. They disappear when the session ends.
Your PC:51483 → google.com:443     Your OS picked 51483. The server's reply goes back to that port.
The source port (dynamic range) is embedded in every packet so the server knows where to send the reply. This is how one machine can have hundreds of simultaneous browser tabs open — each tab gets its own source port.
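The source-port behaviour described above, as an added example that is not part of the original slides: two client connections to one loopback listener share the destination socket and differ only in the source port the OS assigned. The function names are chosen here for illustration.

```python
import socket

def classify_port(port):
    """Name the range a port number falls in, per the three tiers on this slide."""
    if not 0 <= port <= 65535:
        raise ValueError("a port is 16 bits: 0-65535")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def open_two_sessions():
    """Connect twice to one loopback listener; return [(client_addr, peer_seen_by_server)]."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(2)
    listener.bind(("127.0.0.1", 0))      # port 0 asks the OS for any free port
    listener.listen(2)
    server_addr = listener.getsockname()
    open_socks, sessions = [listener], []
    try:
        for _ in range(2):
            client = socket.create_connection(server_addr, timeout=2)
            conn, peer = listener.accept()
            open_socks += [client, conn]
            # The client's own (IP, port) is exactly what the server sees as the
            # peer: that source port is where the reply is sent.
            sessions.append((client.getsockname(), peer))
    finally:
        for s in open_socks:
            s.close()
    return sessions

if __name__ == "__main__":
    for client_addr, peer in open_two_sessions():
        # Linux picks source ports from 32768-60999 by default, so the OS-chosen
        # port can classify as "registered" rather than IANA's 49152-65535.
        print(client_addr, "->", peer, classify_port(client_addr[1]))
```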
Slide 4 of 10
Exam Ports — Tier 1
Know these cold. They will appear on the exam, in job interviews, and in daily work.
20 / 21  |  FTP  |  File transfer. 21 = control channel. 20 = data channel.
22  |  SSH  |  Encrypted remote access. Replaced Telnet as the standard.
23  |  Telnet  |  Insecure remote access. Credentials sent plaintext. Do not use.
25  |  SMTP  |  Sending email between mail servers. Outbound mail relay.
53  |  DNS  |  Name resolution. UDP for queries. TCP for zone transfers.
67 / 68  |  DHCP  |  Automatic IP assignment. 67 = server. 68 = client.
80  |  HTTP  |  Unencrypted web traffic. Still common for redirects.
110  |  POP3  |  Receive email by downloading and removing from server.
143  |  IMAP  |  Receive email. Messages stay on server and sync across devices.
443  |  HTTPS  |  Encrypted web. TLS-wrapped HTTP. The default today.
3389  |  RDP  |  Remote Desktop Protocol. High-value attack target. VPN first.
Slide 5 of 10
Exam Ports — Tier 2
Less frequent but still fair game. Know the secure vs. insecure split.
69  |  TFTP  |  Trivial FTP. No authentication. UDP only. Used for PXE boot.
123  |  NTP  |  Time synchronization. Critical for logs, Kerberos, and MFA.
161 / 162  |  SNMP  |  Network monitoring. 161 = queries to device. 162 = traps (alerts).
389  |  LDAP  |  Directory services. Active Directory lookups use this.
445  |  SMB  |  File and printer sharing. WannaCry exploited this. Never expose to Internet.
514  |  Syslog  |  Centralized logging. UDP. Devices ship logs to a SIEM.
587  |  SMTPS  |  Secure email submission. Replaces port 25 for client-to-server mail.
636  |  LDAPS  |  LDAP over TLS. Encrypts Active Directory queries in transit.
1433  |  SQL Server  |  Microsoft SQL Server database port. Should never be public-facing.
5060 / 5061  |  SIP  |  VoIP call signaling. 5060 = plaintext. 5061 = SIP over TLS.
Slide 6 of 10
The Upgrade Path: Insecure → Secure
Every insecure protocol has a TLS-wrapped or encrypted replacement. Know the pairs.
:23 Telnet (Plaintext shell)  →  :22 SSH (Encrypted shell)
:80 HTTP (Plaintext web)  →  :443 HTTPS (TLS-encrypted web)
:21 FTP (Plaintext file transfer)  →  :22 SFTP / :990 FTPS (SFTP = SSH-based, FTPS = TLS)
:25 SMTP (Unencrypted relay)  →  :587 SMTPS (Authenticated submission)
:389 LDAP (Plaintext directory)  →  :636 LDAPS (TLS-encrypted directory)
:110 POP3 (Plaintext email retrieval)  →  :995 POP3S (TLS-encrypted POP3)
:143 IMAP (Plaintext email sync)  →  :993 IMAPS (TLS-encrypted IMAP)
:161 SNMPv1/v2 (No encryption, weak auth)  →  :161 SNMPv3 (Same port, added encryption)
Exam tip: If a question asks "which is the secure alternative to X" — look for the TLS/SSL-wrapped version. The port number usually changes, except SNMPv3 which kept port 161 and added encryption internally.
Slide 7 of 10
TCP vs UDP — Which Ports Use What?
TCP guarantees delivery. UDP prioritizes speed. The protocol a service uses reflects what it needs.
TCP Only — Reliability Required
20/21  FTP — file integrity matters
22  SSH — interactive commands
23  Telnet — interactive shell
25  SMTP — email must arrive
80  HTTP — web pages
110  POP3 — email retrieval
143  IMAP — email sync
443  HTTPS — encrypted web
445  SMB — file sharing
3389  RDP — remote desktop
UDP Only — Speed Required
67/68  DHCP — fast broadcast
69  TFTP — lightweight, no auth
123  NTP — small time packets
161/162  SNMP — frequent polling
514  Syslog — fire and forget logs
Both TCP + UDP
53  DNS — see below
5060  SIP — call setup
Why DNS uses both
UDP port 53 for standard queries — small, fast, good enough. TCP port 53 for zone transfers — large data sets that need guaranteed delivery.
Exam tip: When asked which transport protocol a service uses — think about whether that service needs reliability (missing data = broken connection = use TCP) or tolerates loss in exchange for speed (use UDP).
Slide 8 of 10
Port States — What netstat Tells You
Knowing a port number is step one. Being able to read real output is step two.
LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
Service is running and waiting for connections. Port 443 is open. The web server is healthy.
ESTABLISHED
TCP 10.0.1.5:49201 93.184.216.34:443 ESTABLISHED
Active session. Your machine (port 49201) is talking to a remote server on port 443 right now.
TIME_WAIT
TCP 10.0.1.5:49201 93.184.216.34:443 TIME_WAIT
Connection just closed. OS holds the port briefly to catch any delayed packets. Normal behavior.
Security states (from a port scanner perspective):
FILTERED = a firewall is silently dropping packets (no response).
CLOSED = no service running, but the OS sends a TCP RST (reset) back.
Filtered is harder to detect than closed.

netstat -an    (Windows — all connections + listening ports)
ss -tlnp       (Linux — TCP listening ports with process names)
Your boss says "Port 443 is down." Run netstat -an | findstr 443 on the server. If it shows LISTENING, the service is up — check the firewall. If nothing shows, the web service crashed — restart it.
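The open, closed and filtered outcomes from this slide, checked from the client side of one port on a server you run. This is an added example, not part of the original slides; `probe`, `NEXT_STEP` and `loopback_demo` are names chosen here, and the demo only touches loopback ports it creates itself.

```python
import errno
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' from the client side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: a service is LISTENING
    except ConnectionRefusedError:
        return "closed"          # TCP RST came back: host is up, nothing on this port
    except socket.timeout:
        return "filtered"        # silence: something dropped the SYN
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # an ICMP unreachable also points at the path
        raise
    finally:
        s.close()

NEXT_STEP = {
    "open": "service reachable: look at the TLS certificate or the application",
    "closed": "service not listening: restart it and check the logs",
    "filtered": "packets dropped: check the firewall rules in the path",
}

def loopback_demo():
    """Probe one listening and one unused loopback port; return both states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # OS picks a free port
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))             # reserve a port number...
    unused_port = spare.getsockname()[1]
    spare.close()                            # ...then release it so nothing listens there
    try:
        return (probe("127.0.0.1", listener.getsockname()[1]),
                probe("127.0.0.1", unused_port))
    finally:
        listener.close()

if __name__ == "__main__":
    for state in loopback_demo():
        print(state, "->", NEXT_STEP[state])
```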
Slide 9 of 10
Security — When Ports Go Wrong
Ports are also attack surfaces. Three real-world examples every admin needs to know.
Port 445 (SMB)
WannaCry ransomware (2017) spread across the world by exploiting SMB exposed to the Internet.
Rule: SMB should never be accessible from outside your network. No exceptions.
Port 23 (Telnet)
Any credentials typed over Telnet are sent as plaintext. A single network tap captures your admin password.
Rule: If you see Telnet in production in 2026, that is an immediate finding.
Port 3389 (RDP)
RDP exposed directly to the Internet is one of the most-attacked services globally. Credential brute force runs 24/7.
Rule: Always require VPN before RDP. Optionally restrict source IPs.
Close unused ports — if no service runs on it, firewall it off
Use the secure alternative — SSH over Telnet, HTTPS over HTTP
Deny by default — firewall rules should permit exceptions, not deny exceptions
Audit regularly — run netstat or nmap on your own systems before attackers do
When your boss says "Port 443 is down," the failure could be the service, the firewall, or the TLS certificate. Port knowledge lets you diagnose systematically instead of guessing.
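One way to script the "audit regularly" rule and the port 443 check, as an added example that is not part of the original slides. It assumes the Windows `netstat -an` column layout shown on slide 8; the function names, the lookup tables (a subset of the slides' port lists) and the sample output are constructed here.

```python
# Subset of the slides' tables: plaintext service -> its encrypted replacement.
PLAINTEXT = {21: ("FTP", "SFTP :22 / FTPS :990"), 23: ("Telnet", "SSH :22"),
             80: ("HTTP", "HTTPS :443"), 110: ("POP3", "POP3S :995"),
             143: ("IMAP", "IMAPS :993"), 389: ("LDAP", "LDAPS :636")}
# Services the slides say must not be reachable from outside.
NEVER_PUBLIC = {445: "SMB", 1433: "SQL Server", 3389: "RDP"}

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) from `netstat -an` rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header or blank line
        ip, _, port = parts[1].rpartition(":")        # rpartition also handles [::]:443
        if port.isdigit():
            yield parts[0], ip, int(port), parts[3] if len(parts) > 3 else ""

def audit(text):
    """Return sorted (port, finding) pairs for TCP sockets in LISTENING state."""
    findings = set()
    for proto, ip, port, state in parse_netstat(text):
        if proto != "TCP" or state != "LISTENING":
            continue
        if port in PLAINTEXT:
            name, alt = PLAINTEXT[port]
            findings.add((port, f"{name} is plaintext; use {alt}"))
        elif port in NEVER_PUBLIC and ip in ("0.0.0.0", "[::]"):
            findings.add((port, f"{NEVER_PUBLIC[port]} bound to all interfaces; block at the firewall"))
    return sorted(findings)

def triage(text, port):
    """The 'port is down' check: match the LOCAL port and the state, not any '443'."""
    up = any(p == port and s == "LISTENING" for _, _, p, s in parse_netstat(text))
    return ("listening: check firewall or TLS certificate" if up
            else "not listening: restart service, check logs")

# Constructed sample output, not taken from a real host.
SAMPLE = """\
  Proto  Local Address      Foreign Address      State
  TCP    0.0.0.0:23         0.0.0.0:0            LISTENING
  TCP    0.0.0.0:445        0.0.0.0:0            LISTENING
  TCP    127.0.0.1:1433     0.0.0.0:0            LISTENING
  TCP    10.0.1.5:49201     93.184.216.34:443    ESTABLISHED
  UDP    0.0.0.0:123        *:*
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(triage(SAMPLE, 443))
```

In the sample, a plain `findstr 443` would still print the ESTABLISHED row because 443 appears as the foreign port, while `triage` reports that nothing is listening on local port 443.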
Slide 10 of 10  |  N10-009 Obj 1.4
You Speak Ports Now
Your boss says "Port 443 is down on the web server." You now know: that is HTTPS — TCP, well-known range (0-1023), Layer 4. You run netstat -an | findstr 443 on the server. If it shows LISTENING, the service is alive — check the firewall or the TLS certificate. If it shows nothing, the web service crashed — restart it and check the logs.

You do not need to guess. You understand what the port number means, what protocol it uses, what state it should be in, and what failure looks like. That is the difference between nodding and knowing.
1. Port ranges: 0-1023 Well-Known  |  1024-49151 Registered  |  49152-65535 Dynamic
2. TCP = reliable (ordered delivery). UDP = fast (no guarantee). Choose based on what the service requires.
3. DNS uses both: UDP port 53 for queries, TCP port 53 for zone transfers.
4. Know the upgrade path: Telnet→SSH, HTTP→HTTPS, FTP→SFTP, SMTP→SMTPS, LDAP→LDAPS, POP3→POP3S, IMAP→IMAPS.
5. netstat -an (Windows) and ss -tlnp (Linux) show port states: LISTENING, ESTABLISHED, TIME_WAIT.