Frequently Asked Questions About Port Checking

What is a TCP port and why does it matter?

A port is a numbered logical endpoint on a networked server that routes traffic to the correct application. Think of an IP address as a building and ports as individual office doors — each door leads to a different service. Web servers listen on port 80 for HTTP and port 443 for HTTPS, SSH remote access uses port 22, MySQL databases use port 3306, and PostgreSQL uses port 5432. Without ports, a single IP address could only run one service at a time. To identify the IP address behind any domain before running a port check, use our DNS Lookup tool — the resolved A record address is what you should test.

What does open vs closed mean?

An open port means a service on the server accepted the TCP connection — it is actively listening and ready to communicate. A closed port means either the service is not running on that port, or a firewall is silently dropping packets before they reach the server. A firewall drop causes the check to time out after the full 5 seconds; a genuine service refusal responds instantly with a TCP reset. If port 443 is open but you want to confirm the HTTPS certificate is also valid, run an SSL Checker on the same host immediately after.

How does this tool test ports?

Our server attempts a real TCP three-way handshake to your specified host and port. If the handshake completes within 5 seconds the port is reported as open, and the round-trip time in milliseconds is recorded. If the connection times out or is refused, the port is reported as closed. Because the test originates from our infrastructure rather than your own machine, the result reflects whether the port is publicly reachable from the internet — the scenario that matters for web servers, mail servers, and any externally accessible service. For basic network reachability without port specifics, pair this with our Ping Test.

Why would a port show closed even though my service is running?

This is one of the most common misconfigurations when setting up a new server. The likely causes in order of frequency are: a cloud security group or firewall rule blocking inbound traffic on that port; the application binding to 127.0.0.1 (localhost only) instead of 0.0.0.0 (all interfaces); a network ACL at the infrastructure level separate from the OS firewall; the service running on a different port number than expected; or the process having crashed after its last restart. To confirm you are testing the right public IP, check it first with our What Is My IP tool, then review your firewall rules and application configuration.

Which ports should I verify after setting up a new server?

After provisioning any new server, these are the ports worth confirming first. Port 22 (SSH) should be open if you need remote CLI access — restrict it to specific trusted source IPs where possible. Port 80 (HTTP) should be open if you are serving a website, even if you redirect all traffic to HTTPS. Port 443 (HTTPS) must be open for all web traffic — always follow up with an SSL certificate check to confirm the certificate is valid. Database ports such as 3306 (MySQL) and 5432 (PostgreSQL) should be closed to the public internet and accessed only through SSH tunnels or private network ranges. Port 3389 (RDP) is one of the most aggressively scanned ports worldwide and should never be exposed to the internet without strict IP allowlisting.

Can I check multiple ports at once?

Yes — pass a comma-separated list of port numbers via the ports query parameter alongside your host, for example /port-checker?host=example.com&ports=22,80,443,3306. The tool tests each port in sequence and presents results in a table showing the service name, open/closed status, and response time. This is useful for a quick firewall audit after provisioning a new cloud instance or after modifying a security group. Combine it with a DNS Lookup first to confirm the domain resolves to the IP you intend to test.

What is the difference between a port check and a ping?

A ping sends ICMP echo requests to measure whether a host is reachable at the network layer and how long the round trip takes. A port check goes one step further and attempts a full TCP connection to a specific service, confirming the application itself is listening and accessible. Many cloud providers and corporate networks block ICMP pings entirely, meaning a failed ping does not necessarily mean the host is down — it often just means ICMP is blocked while HTTP and HTTPS are working perfectly. Use our Ping Test alongside this tool for a complete picture of both network reachability and service availability.

Why is port 443 more important than port 80 for security?

Port 80 carries unencrypted HTTP traffic. Any data exchanged — form submissions, session cookies, API responses — can be intercepted by anyone on the network path between the user and the server. Port 443 carries HTTPS traffic encrypted with TLS, making eavesdropping computationally infeasible. Modern best practice is to have both ports open but immediately redirect all HTTP traffic from port 80 to HTTPS on port 443, then use HSTS headers to enforce this at the browser level for returning visitors. After confirming port 443 is open here, use our SSL Certificate Checker to verify the certificate is valid and correctly installed, and our HTTP Headers Checker to confirm HSTS is configured.

What does a firewall do differently from closing a port?

A closed port is one where no application is listening — the operating system immediately sends a TCP RST response, which is why refused connections appear instantaneous in a port check. A firewalled port is one where the firewall silently discards the incoming packet without any reply, causing the connection attempt to hang until the timeout period elapses. From a port checker's perspective, a firewall drop produces a slow timeout response while a genuinely stopped service produces an instant refusal. If this tool always takes the full 5 seconds before reporting closed on a particular host, a drop firewall rule is far more likely than a stopped service. Use our WHOIS Lookup to identify the network operator controlling an IP if you need to investigate further.

How do mail-related ports differ, and which should I test?

Email delivery uses several ports depending on the connection type and direction. Port 25 (SMTP) is used for server-to-server mail delivery — most residential and shared hosting providers block outbound port 25 to prevent spam from compromised machines. Port 587 (SMTP with STARTTLS) is the standard authenticated submission port for email clients sending outbound mail through your mail server. Port 465 (SMTPS) uses implicit TLS and is the modern alternative. Ports 993 (IMAPS) and 995 (POP3S) are the encrypted versions of the IMAP and POP3 protocols used to retrieve email. After checking these ports are open, verify the mail server's DNS records — SPF, DKIM, and MX entries — with our DNS Lookup tool and check the TLS certificate with our SSL Checker.

Is scanning ports on other people's servers legal?

Scanning your own infrastructure is standard security practice and completely legal. Scanning servers you do not own or have explicit written authorisation to test may violate computer access laws in many jurisdictions — including the Computer Fraud and Abuse Act in the United States and the Computer Misuse Act in the United Kingdom. This tool is intended solely for testing infrastructure you own or manage. It tests one port at a time from our server and is not a network reconnaissance platform. Use our ASN Lookup to verify ownership of any IP range before running connectivity tests against it.

Does port checking work for UDP services?

No — this tool only tests TCP ports. UDP is a connectionless protocol with no three-way handshake to probe, so checking UDP requires sending a protocol-specific payload and waiting for a service-specific response. That behaviour varies significantly by application and is not reliably testable from a remote web tool. Services commonly using UDP include DNS (port 53), VPN protocols like WireGuard and OpenVPN, and game servers. To verify DNS responses specifically, use our dedicated DNS Lookup tool which queries DNS records directly in real time.

Other Network & Security Tools on Convixy

Port Checker is part of a full suite of free network utilities available on Convixy:

What Is My IP — Find your public IPv4 and IPv6 address with full ISP, location, and connection details.
DNS Lookup — Retrieve all DNS records for any domain: A, AAAA, MX, TXT, CNAME, NS, and SOA.
WHOIS Lookup — Check domain registration details, registrar, expiry date, and registrant information.
SSL Checker — Verify the TLS certificate on any hostname is valid, trusted, and not expired.
Reverse DNS — Convert any IP address to its associated hostname via PTR record lookup.
ASN Lookup — Find the Autonomous System number, operator name, and IP ranges for any network.
HTTP Headers — Inspect the full HTTP response headers returned by any URL.
Ping Test — Measure ICMP response time and connectivity to any host from our server.
IP Geolocation — Get detailed geographic and network data for any IP address.
MAC Address Lookup — Identify the hardware manufacturer for any network device by its MAC address.
Subnet Calculator — Compute network ranges, broadcast addresses, and usable host counts for any CIDR block.