What command can you use to determine if a network service is listening on the correct port number?

Whenever an application wants to make itself accessible over the network, it claims a TCP/IP port, which means that port can’t be used by anything else. So if you need to use an in-use port, how do you tell what application is holding it?

There’s a number of ways to tell which application has the port locked, here we will use a windows built-in way using the command line and Task Manager.

Using Built-In Tools to See What is Listening on a Port

The first step is to use a command-line tool to see what ports are in use, and use a special flag that tells us which port is assigned to each Windows process identifier number. Then we can use that number to look up exactly which process it is.

Open up a command prompt and type in the following—you may have to open in Administrator mode to see all processes:

netstat -ab | more

This will immediately show you a list, although it’s maybe a little complicated. You’ll see the process name in the list, and you can search for it.

You can also use this other method, which takes an extra step, but makes it easier to locate the actual process:

netstat -aon | more

If you look on the right-hand side, you’ll see where I’ve highlighted the list of PIDs, or Process Identifiers. Find the one that’s bound to the port that you’re trying to troubleshoot—for this example, you’ll see that 0.0.0.0:80, or port 80, is in use by PID 1184.

Now you can simply open up Task Manager—you might have to use the option to Show Processes for All Users, and then you’ll be able to find the PID in the list. Once you’re there, you can use the End Process, Open File Location, or Go to Service(s) options to control the process or stop it.

Alternatively you can even use resource monitor to stop any process that is running. To open resource monitor type resmon.exe in run. This will bring up the resource monitor window.

There would be situations were some other process is running at port 80. To stop anything running in port 80 the following command can be used from command prompt.

net stop http /y

Frequently Asked Questions (FAQs)

What application is listening on a TCP IP port in Windows?
Netstat is a diagnostic tool that creates a list of open ports that the machine is listening to, as well as the ports it is currently connected to on other machines. In Netstat, stat stands for state or statistics, which tells you the current network status of every TCP connection.

How do I find out what application is using a TCP port?
You can use Netstat -b -a -o.

This tool provides a list of all open ports and their associated processes. The -o shows the process id, which you can look up in your task manager or processes tab. To end that process, simply enter taskkill /PID xxxx.

How can I tell if a server is listening on a port?
On the server itself, use Netstat -an to check to see which ports are listening. From outside the server, telnet host port can be used to check connections. A refused connection means nothing is running, whereas an accepted connection means something is running. Timeout implies a firewall is blocking access.

How do I find out what application is using port 8080?
Open the diagnostic tool, netstat -ano. This tool will list the PID (Process Identifier) that is listening to port 80. Open the Task Manager’s Processes tab. Select “View” and “Select Columns” menu. Activate the PID column to see the name of the process listening on port 80.

Is Port 8080 http or https?
Port 8080 is a non-standard, high number port that is popular as an alternative port for HTTP servers, most often application servers. Port 8443 is a default alternative port for HTTPS servers. It can also be used as an alternative port for any protocol like ssh, FTP, NTP, BOOTP, etc.

Why is port 8080 default?
Historically, only authorized system administrators were able to establish and operate a web server on port 80, since this was within the first 1023-port privileged region. When non-administrators wished to run their own web servers, they often chose port 8080 to host a secondary or alternate web server.

After configuring network services, it is important to pay attention to which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack by typing commands such as netstat -an or lsof -i. This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. In this way, crackers attempt to cover their tracks if they open unauthorized network ports.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.

The following command issued from the console determines which ports are listening for TCP connections from the network:

The output of this command looks like the following:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT Interesting ports on localhost.localdomain (127.0.0.1): (The 1653 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind 113/tcp open auth 631/tcp open ipp 834/tcp open unknown 2601/tcp open zebra 32774/tcp open sometimes-rpc11 Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) Uptime 12.857 days (since Sat Sep 11 17:16:20 2004) Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds

This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:

cat /etc/services | grep 834

This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.

Next, check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:

The command returns the following output:

tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind

The presence of the open port in netstat is reassuring because a cracker opening a port surreptitiously on a hacked system would likely not allow it to be revealed through this command. Also, the [p] option reveals the process id (PID) of the service which opened the port. In this case, the open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service.

The lsof command reveals similar information since it is also capable of linking open ports to services:

Below is the relevant portion of the output for this command:

ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)

These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Consulting the man pages for lsof, netstat, nmap, and services is therefore highly recommended.

Connections between applications work much like conversations between humans. The conversation is started by someone speaking. If no one is listening, then the conversation doesn’t get far. How do you know who’s listening on a Windows PC? The Netstat command-line utility and the PowerShell Get-NetTCPConnection cmdlet.

Not a reader? Watch this related video tutorial! Not seeing the video? Make sure your ad blocker is disabled.

In this tutorial, you will learn how to inspect listening ports and established TCP connections on your Windows computer with Netstat and the native PowerShell command Get-NetTCPConnection.

If you’re an IT pro struggling with too many password reset requests in Active Directory, check out Specops uReset, a secure SSPR solution.

Prerequisites

If you’d like to follow along with examples in this tutorial, be sure you have:

A Windows PC. Any version will do. This tutorial is using Windows 10 Build 21343.1
PowerShell. Both Windows PowerShell and PowerShell 6+ should work. This tutorial us using PowerShell v7.2.0-preview.2

Using Netstat to Find Active and Listening Ports

Netstat is one of those command-line utilities that seems like it’s been around forever. It’s been a reliable command-line utility to inspect local network connections for a long time. Let’s check out how to use it to find listening and established network connections.

Netstat has many different parameters. This tutorial will only use three of them. To learn more about what netstat can do, run netstat /?.

Assuming you’re on a Windows PC:

1. Open up an elevated command prompt (cmd.exe).

2. Run netstat -a to find all of the listening and established connections on the PC. By default, netstat only returns listening ports. Using the -a parameter tells netstat to return listening and established connections.

Run the Netstat -a

The output above is broken out into four columns:

Proto – shows either UDP or TCP to indicate the type of protocol used.
Local Address – shows the local IP address and port that is listening. For many services, this will be 0.0.0.0 for the IP part, meaning it is listening on all network interfaces. In some cases, a service will only listen on a single Network Interface (NIC). In that case, netstat will show the IP address of the NIC. A colon separates the IP address from the port that it is listening on.
Foreign Address – shows the remote IP address the local connection is communicating with. If the Foreign Address is 0.0.0.0:0, the connection is listening for all IPs and all ports. For established connections, the IP of the client machine will be shown.
State – shows the state the port is in, usually this will be LISTENING or ESTABLISHED.

3. Now run netstat -an. You should now see that any names in the output have been turned into IP addresses. By default, netstat attempts to resolve many IP addresses to names.

run netstat -an

4. Finally, perhaps you’d like to know the Windows processes that are listening or have these connections open. To find that, use the -b switch.

Using the -b switch requires an elevated command prompt or PowerShell prompt. You will get the error The requested operation requires elevation if you use the -b switch in a non-elevated prompt.

netstat -anb

Now that you’ve got a chance to see how the old-school netstat utility shows active and listening ports, let’s see how to do it in PowerShell.

Using PowerShell gives you a lot more control to see just what you want, rather than having to scroll through long lists of output. The Get-NetTCPConnection cmdlet is much more specific than netstat about what you want to see.

This tutorial isn’t going to cover all of the parameters that come with the Get-NetTCPConnection cmdlet. If you’re curious, run Get-Help Get-NetTCPConnection -Detailed to discover more examples.

On your Windows PC:

1. Open up a PowerShell console as administrator.

The only reason you need to elevate a PowerShell console is to see the program that owns the connection (like the netstat -b parameter).

2. Run Get-NetTcpConnection. You’ll see output similar to what netstat provided. Instead of just a big string of output, Get-NetTcpConnection returns a list of PowerShell objects.

You can now see the same general information that netstat provided you by now; by default, you have information on the OwningProcess (the -b switch on netstat) and the AppliedSetting field, which relates to the network profile the connection is a part of.

Unlike netstat, the Get-NetTCPConnection cmdlet will now show listening UDP connections.

Get-NetTCPConnection

3. Pipe the output to Select-Object showing all properties. You’ll see PowerShell returns a lot more information that netstat did.

Get-NetTCPConnection | Select-Object -Property *

Pipe the output to Select-Object

4. Now, narrow down the output to just listening ports.

Get-NetTCPConnection -State Listen

narrow down the output

5. Now, find the process names for the OwningProcess fields. To do that, run the Get-Process cmdlet and provide the process ID as shown below.

Get-Process cmdlet

If you’d like to create another property for the process name, you could optionally use a Select-Object calculated field.

Get-NetTCPConnection | Select-Object -Property *,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}}

6. Narrow down the states to a bit more by finding Listening and Established states by defining the State parameter value as a comma-delimited list.

Get-NetTCPConnection -State Listen,Established

7. Finally, limit the connections down by the port the connection is connected to with the RemotePort parameter.

Use the LocalPort parameter to filter connections by local port. Get-NetTCPConnection -RemotePort 443

Get-NetTCPConnection -RemotePort 443

RemotePort parameter

If you’re an IT pro struggling with too many password reset requests in Active Directory, check out Specops uReset, a secure SSPR solution.

You have now seen how the Netstat utility and the Get-NetTCPConnection PowerShell cmdlet help you find local network connections.

Now that you can show the processes running on a server combine this with the Test-NetConnection PowerShell cmdlet to get an end-to-end view of connectivity between a client and server.