2

I'm trying to understand which ports are actively listening (in use?) on my machine and don't really know what I'm doing. The three commands I've experimented with are nmap, ss (?netscan?) and lsof.

netscan reports that only 1 port is actively listening (631):

```
$ sudo nmap -sT localhost
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-02 21:28 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000094s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
```

ss (?netscan?) reports 2 ports are in use (631 & 53):

```
$ sudo ss -tulwn | grep LISTEN
tcp   LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0      5              [::1]:631      [::]:*
```

Finally, if I check individual ports with lsof -i:xx, I see results for 631 & 53, but also for ports 80 & 443:

```
$ sudo lsof -i:80
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 3481   me   74u  IPv4  85172      0t0  TCP Machine:56024->lga25s63-in-f3.1e100.net:http (ESTABLISHED)
$ sudo lsof -i:443
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
skypeforl 2426   me   27u  IPv4  77133      0t0  TCP Machine:60396->13.83.65.43:https (ESTABLISHED)
skypeforl 2453   me   72u  IPv4  56536      0t0  TCP Machine:58945->40.86.187.166:https (ESTABLISHED)
firefox   3481   me   95u  IPv4  81375      0t0  TCP Machine:53788->104.16.249.249:https (ESTABLISHED)
firefox   3481   me  157u  IPv4  80283      0t0  TCP Machine:49080->lga34s15-in-f5.1e100.net:https (ESTABLISHED)
chrome-gn 3799   me   74u  IPv4  55080      0t0  TCP Machine:42196->server-52-85-61-100.ewr53.r.cloudfront.net:https (CLOSE_WAIT)
chrome-gn 3799   me   95u  IPv4  55072      0t0  TCP Machine:43998->104.16.248.249:https (CLOSE_WAIT)
```

I had thought these three commands were basically different views of the same information. Why are some ports only revealed by some of these commands?

1 Answer

3

Starting with the difference between ss and nmap. For port 53, the reason is the difference between localhost and the other 16 million addresses reserved for the local machine. 127.0.0.1 is not the same as 127.0.0.53. ss is reporting all the ports for the local machine whilst nmap is restricting itself to the address 127.0.0.1.

As for the extra reports from lsof, this is looking for something very different. Your ss and nmap commands are looking for sockets in LISTEN state, i.e. waiting for incoming connections. Your lsof is looking for all sockets, in particular this includes any established connections and connections which have been torn down. You are looking for things where either end is using port 80 or either end is using port 443.

So the punchline is these 3 commands show different things because your belief that these are showing the same information is incorrect. This is an apple to orange to banana comparison. 3 different commands show different information because they show different information.

3
  • Also nmap will only scan most common 1000 ports by default. Commented Jun 4, 2021 at 3:34
  • Super good answer. Interested in understanding the numbers behind the 16M addresses you mention. What address range is reserved for local machine? Always thought of localhost just as 127.0.0.1 Commented Feb 28, 2023 at 18:23
  • @Kiteloopdesign The 127.0.0.0/8 address space is reserved for the local machine, which gives you 2^24 addresses of which 2 (127.255.255.255 and 127.0.0.0) are reserved for the broadcast and network addresses leaving you with 16,777,214 addresses. As a concrete example if you are running a modern systemd based system you may well find that /etc/resolv.conf lists the nameserver as running on 127.0.0.53. Commented Mar 2, 2023 at 0:21
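
The answer's distinction, as an added example that is not part of the original question, answer or comments: one socket table filtered three ways, the way `ss`, an `nmap -sT` connect scan, and `lsof -i:<port>` each look at it. The table is a constructed sample in `/proc/net/tcp` layout (IPv4 only, little-endian host assumed); the addresses 192.168.1.10 and 203.0.113.5 and all function names are made up for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (first four columns only),
# mirroring the sockets in the question. 192.168.1.10 and 203.0.113.5 are made up.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 3500007F:0035 00000000:0000 0A
   1: 0100007F:0277 00000000:0000 0A
   2: 0A01A8C0:DAD8 057100CB:0050 01
   3: 0A01A8C0:EBEC 2B41530D:01BB 01
   4: 0A01A8C0:ABDE F9F81068:01BB 08
"""
STATES = {"01": "ESTABLISHED", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def decode(hexaddr):
    """'3500007F:0035' -> ('127.0.0.53', 53); the IPv4 word is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse(text):
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 4:
            continue
        rows.append({"local": decode(f[1]), "remote": decode(f[2]),
                     "state": STATES.get(f[3], f[3])})
    return rows

def ss_listen_view(rows):
    """Like `ss -tln`: every LISTEN socket, whatever local address it is bound to."""
    return sorted(r["local"] for r in rows if r["state"] == "LISTEN")

def connect_scan_view(rows, target):
    """Like `nmap -sT <target>`: only listeners reachable at that one address.
    (Ignores nmap's default limit to the 1000 most common ports.)"""
    return sorted(r["local"][1] for r in rows
                  if r["state"] == "LISTEN" and r["local"][0] in (target, "0.0.0.0"))

def lsof_port_view(rows, port):
    """Like `lsof -i:<port>`: any socket, any state, with the port on either end."""
    return [(r["local"], r["remote"], r["state"]) for r in rows
            if port in (r["local"][1], r["remote"][1])]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("ss view:", ss_listen_view(rows))
    print("scan of 127.0.0.1:", connect_scan_view(rows, "127.0.0.1"))
    print("lsof -i:443:", lsof_port_view(rows, 443))
```

On a real Linux host, passing the contents of `/proc/net/tcp` to `parse()` gives the same three views of the live IPv4 TCP table.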
