This chapter covers the essential TCP and UDP port numbers that CompTIA A+ 220-1101 expects you to know for the Networking domain (Objective 2.1). Ports are how computers distinguish between different network services, and exam questions frequently ask you to match a service to its port number or identify which port a given application uses. Roughly 10-15% of the exam touches on ports and protocols, either directly or as part of troubleshooting scenarios. Mastering this chapter will help you answer those questions quickly and accurately.
Imagine a large apartment building with a single street address (the IP address). The building has a main lobby (the network interface) where all mail arrives. Each apartment has a unique number (a port number). When a delivery person arrives with a package, they look at the apartment number on the package to know which resident to deliver to. Similarly, when data arrives at a computer, the operating system looks at the destination port number to decide which application (like a web browser or email client) should receive the data. Different types of deliveries use different doors: packages come through the front door (port 443 for secure web traffic), letters through a side door (port 25 for email), and maintenance requests through a service entrance (port 22 for SSH). If a delivery person tries to deliver to an apartment that doesn't exist (a closed port), the package is returned or discarded. The building's directory (the /etc/services file or IANA registry) lists which apartment numbers correspond to which services. Just as a building might have a doorman who logs deliveries (a firewall), ports can be filtered or blocked to prevent unwanted visitors. Without port numbers, all data would pile up at the front desk with no way to route it to the correct resident.
What Are Ports and Why Do They Exist?
In networking, a port is a 16-bit number (0-65535) used by transport layer protocols (TCP and UDP) to identify a specific process or service on a host. The IP address identifies the host; the port number identifies the application. This allows a single computer to run multiple network services simultaneously without data getting mixed up.
Ports are divided into three ranges:
- Well-known ports (0-1023): assigned by IANA to common services (e.g., HTTP on 80, HTTPS on 443). On Unix-like systems, binding to these ports normally requires root privileges (or a capability such as CAP_NET_BIND_SERVICE on Linux).
- Registered ports (1024-49151): assigned by IANA to applications on request (e.g., Microsoft SQL Server on 1433). Registration is a convention, not an enforcement mechanism; any process may bind to these ports.
- Dynamic/private ports (49152-65535): never assigned; used for temporary, client-side (ephemeral) connections. When your browser connects to a web server, the OS picks a free port from this range as the source port. The range an OS actually uses varies: Windows Vista and later use 49152-65535, while Linux defaults to 32768-60999.
How Ports Work: The Mechanism
When an application wants to send data over the network, it requests a port from the operating system. The application binds to a specific port number (e.g., a web server binds to port 80). The OS then creates a socket — a combination of IP address and port number — that uniquely identifies that service.
For outgoing connections, the client application requests a port from the dynamic range. The OS assigns an available port (e.g., 52001) and uses it as the source port in the TCP or UDP header. The destination port is the well-known port of the service being contacted (e.g., 80 for HTTP).
The transport layer header contains both source and destination port fields, each 16 bits. When a packet arrives, the receiving OS reads the destination port and delivers the data to the application listening on that port. If no application is listening, the OS sends an ICMP Port Unreachable message (UDP) or a TCP RST (TCP) back to the sender.
Key Ports for CompTIA A+ 220-1101
The exam objectives list the following ports as essential knowledge. You must know the port number, the protocol (TCP or UDP), and the service name.
20/21 (TCP) – FTP: File Transfer Protocol. Port 21 is used for control (commands), port 20 for data transfer (active mode). FTP is unencrypted; use SFTP or FTPS for security.
22 (TCP) – SSH: Secure Shell. Used for secure remote administration and file transfers (SFTP, SCP). Replaces Telnet.
23 (TCP) – Telnet: Unencrypted remote terminal access. Legacy; insecure because passwords are sent in plaintext.
25 (TCP) – SMTP: Simple Mail Transfer Protocol. Used for sending email between mail servers. Also used by clients to submit outgoing mail (though port 587 is preferred for submission).
53 (TCP/UDP) – DNS: Domain Name System. UDP is used for standard queries. TCP is used for zone transfers and whenever a response does not fit in a UDP message: the server sets the TC (truncated) flag in its UDP reply and the client repeats the query over TCP. The classic UDP limit is 512 bytes; EDNS0 lets client and server advertise a larger UDP payload (commonly 1232-4096 bytes).
80 (TCP) – HTTP: Hypertext Transfer Protocol. The foundation of web traffic. Unencrypted.
110 (TCP) – POP3: Post Office Protocol v3. Used to retrieve email from a server. Downloads and typically deletes messages from the server.
143 (TCP) – IMAP: Internet Message Access Protocol. Used to retrieve email but keeps messages on the server, allowing multiple clients to sync.
443 (TCP) – HTTPS: HTTP over TLS/SSL. Encrypted web traffic.
3389 (TCP) – RDP: Remote Desktop Protocol. Used by Microsoft Remote Desktop for GUI remote access.
137-139 (TCP/UDP) – NetBIOS/NetBT: NetBIOS over TCP/IP. Used by legacy Windows file sharing (SMB over NetBIOS). Ports 137 (name service), 138 (datagram service), 139 (session service). Modern SMB uses port 445 directly.
445 (TCP) – SMB: Server Message Block over TCP. Used by Windows for file and printer sharing, directly over TCP (without NetBIOS). Also used by Active Directory.
427 (TCP/UDP) – SLP: Service Location Protocol. Used by printers and other network devices, and by older versions of macOS, to advertise and discover services on a LAN. Apple's Bonjour is a different mechanism (mDNS/DNS-SD on UDP 5353); do not confuse the two.
548 (TCP) – AFP: Apple Filing Protocol. Used for file sharing on older Mac networks. Modern macOS uses SMB.
67/68 (UDP) – DHCP: Dynamic Host Configuration Protocol. Port 67 is the server, port 68 is the client. Used to assign IP addresses automatically.
69 (UDP) – TFTP: Trivial File Transfer Protocol. Simple, connectionless file transfer over UDP. Used for network booting (PXE) and router/switch configuration backups. No authentication or encryption; transfers data in 512-byte blocks by default.
161/162 (UDP) – SNMP: Simple Network Management Protocol. Port 161 is used for queries (GET, SET), port 162 for traps (alerts) from agents to the manager.
389 (TCP/UDP) – LDAP: Lightweight Directory Access Protocol. Used to access and maintain directory services (e.g., Active Directory).
636 (TCP) – LDAPS: LDAP over SSL/TLS. Encrypted LDAP.
993 (TCP) – IMAPS: IMAP over SSL/TLS. Encrypted IMAP.
995 (TCP) – POP3S: POP3 over SSL/TLS. Encrypted POP3.
587 (TCP) – SMTP Submission: Used by email clients to submit outgoing messages. Often requires authentication and TLS.
1723 (TCP) – PPTP: Point-to-Point Tunneling Protocol. Legacy VPN protocol; its MS-CHAPv2 authentication is broken and it should not be deployed. The TCP 1723 control channel is paired with GRE (IP protocol 47) for the tunnel itself, which is why PPTP fails through firewalls and NAT devices that only pass TCP and UDP.
1701 (UDP) – L2TP: Layer 2 Tunneling Protocol. Often used with IPsec for VPNs.
500 (UDP) – IKE: Internet Key Exchange. Used for IPsec VPN key management.
4500 (UDP) – IPsec NAT-T: IPsec NAT Traversal. Used when IPsec passes through NAT devices.
1433 (TCP) – MSSQL: Microsoft SQL Server database.
3306 (TCP) – MySQL: MySQL database.
5432 (TCP) – PostgreSQL: PostgreSQL database.
27017 (TCP) – MongoDB: MongoDB database.
5060/5061 (UDP/TCP) – SIP: Session Initiation Protocol. Used for VoIP signaling (call setup and teardown; the voice itself travels over RTP). 5060 carries unencrypted SIP over UDP or TCP; 5061 carries SIP over TLS (TCP only).
2427/2727 (UDP) – MGCP: Media Gateway Control Protocol. Used in VoIP networks.
123 (UDP) – NTP: Network Time Protocol. Used for time synchronization.
162 (UDP) – SNMP Trap: Already mentioned; note that it's a separate port from SNMP queries.
514 (UDP) – Syslog: Used for system log messages.
2049 (TCP/UDP) – NFS: Network File System. Used for file sharing in Unix/Linux environments.
3268/3269 (TCP) – Global Catalog: LDAP for Active Directory global catalog. 3268 is unencrypted, 3269 is encrypted.
TCP vs. UDP: When to Use Each
TCP is connection-oriented: it establishes a three-way handshake (SYN, SYN-ACK, ACK), guarantees delivery, and maintains order. Use TCP for applications that require reliability: web (HTTP/HTTPS), email (SMTP, IMAP, POP3), remote access (SSH, RDP), file transfer (FTP).
UDP is connectionless: no handshake, no guaranteed delivery, no ordering. Use UDP for applications where speed is critical and occasional loss is acceptable: DNS queries, DHCP, streaming media, VoIP (RTP), SNMP, TFTP.
Some services use both: DNS uses UDP by default but switches to TCP for large responses; SIP can use UDP or TCP.
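The UDP-then-TCP behaviour of DNS described above, as an added example that is not part of the original page. It builds a DNS query by hand, parses the response header, and retries over TCP framing when the TC (truncated) flag is set. The server replies are constructed in memory, so nothing touches the network; example.com and 192.0.2.1 are documentation values, not real answers.

```python
"""Added example (not part of the original page): how a resolver decides
between UDP and TCP for DNS. It builds a query, parses a response header, and
retries over TCP framing when the TC (truncated) flag is set. The responses
are constructed in memory; nothing touches the network, and example.com /
192.0.2.1 are documentation values, not real answers."""
import struct

DNS_PORT = 53
UDP_PAYLOAD_LIMIT = 512   # classic maximum UDP response without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def skip_name(msg, off):
    """Advance past a name, handling the 2-byte compression pointer form."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def first_a_record(msg):
    """Return the dotted IPv4 address of the first A record, or None."""
    h = parse_header(msg)
    off = skip_name(msg, 12) + 4          # question = name + qtype + qclass
    if h["ancount"] == 0:
        return None
    off = skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rclass == 1 and rdlen == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    return None


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve_with_fallback(query, udp_send, tcp_send):
    """Send over UDP first; if the answer is truncated, repeat over TCP.
    udp_send(bytes)->bytes and tcp_send(bytes)->bytes model the transports.
    Returns (transport used, address)."""
    resp = udp_send(query)
    if parse_header(resp)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch; discarding response")
    if parse_header(resp)["tc"]:
        resp = tcp_unframe(tcp_send(tcp_frame(query)))
        return "tcp", first_a_record(resp)
    return "udp", first_a_record(resp)


def constructed_response(query, truncated):
    """Constructed server reply: echoes the question; either one A record
    (192.0.2.1) or, when truncated=True, no answers and TC set."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0)
    answer = b""
    if not truncated:
        # name = pointer to offset 12, type A, class IN, TTL 300, 4-byte rdata
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def demo(udp_truncates):
    """Model a server whose UDP reply does or does not fit; TCP always fits."""
    q = build_query("example.com")
    fake_udp = lambda msg: constructed_response(msg, truncated=udp_truncates)
    fake_tcp = lambda framed: tcp_frame(constructed_response(tcp_unframe(framed), False))
    return resolve_with_fallback(q, fake_udp, fake_tcp)


if __name__ == "__main__":
    print("fits in UDP:     ", demo(udp_truncates=False))
    print("truncated -> TCP:", demo(udp_truncates=True))
```

The firewall lesson is in tcp_frame: a filter that permits only UDP 53 will let small answers through and then break every lookup whose reply carries the TC flag, which is exactly the failure described in the exam traps below.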
How Ports Interact with Firewalls and NAT
Firewalls filter traffic based on port numbers. A common security practice is to block all ports except those needed for business operations. For example, a web server firewall might allow inbound traffic on ports 80 and 443, but block everything else.
NAT (Network Address Translation) rewrites the source IP address (and, when needed, the source port) of outbound packets so that many private hosts can share one public IP. Tracking connections by port in this way is called PAT (Port Address Translation) or NAT overload. The NAT device keeps a translation table mapping internal IP:port to external IP:port so it can forward return traffic to the correct internal host.
Verifying Port Usage
On Windows, netstat -an lists active connections and listening ports (netstat -ano adds the owning process ID, which you can match in Task Manager). On Linux, use ss -tuln (add -p, as root, to see the owning process) or netstat -tuln. To test whether a TCP port is reachable on a remote host, use telnet host port, nc -zv host port (netcat), or, in PowerShell, Test-NetConnection host -Port port. Port scanners such as Nmap check many ports at once and distinguish a closed port (RST returned) from a filtered one (no reply, typically a firewall).
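Turning the verification step above into a repeatable check, as an added example that is not part of the original page: it parses the output format of ss -tuln and flags any listener bound to every interface (0.0.0.0 or [::]) that is not on an approved list. The sample output is constructed for the example, and the allowlist for a public web server is an assumption; audit_live_host() runs the real command on a Linux host.

```python
"""Added example (not part of the original page): audit the output of
`ss -tuln` for listeners exposed on all interfaces that policy does not
allow. SAMPLE_SS_OUTPUT is constructed, not captured from a real host."""
import subprocess

# Constructed sample of `ss -tuln` output (not from a real machine).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
tcp   LISTEN 0      511    [::]:80             [::]:*
"""

# Port names from the chapter's list, used only to label findings.
WELL_KNOWN = {20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 110: "POP3", 123: "NTP", 143: "IMAP",
              443: "HTTPS", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
              3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}

# Assumed policy for a public web server: only these may face the network.
WEB_SERVER_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123)}

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_ss(output):
    """Return one dict per socket line: proto, state, local addr, port."""
    sockets = []
    for line in output.strip().splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, state, local = parts[0], parts[1], parts[4]
        addr, _, port = local.rpartition(":")           # handles [::]:80 too
        sockets.append({"proto": proto, "state": state,
                        "addr": addr, "port": int(port)})
    return sockets


def audit(sockets, allowlist):
    """Listeners reachable on every interface that the policy does not allow.
    A service bound to 127.0.0.1 only is not reachable from the network and
    is therefore not reported."""
    findings = []
    for s in sockets:
        exposed = s["addr"] in WILDCARD_ADDRS
        if exposed and (s["proto"], s["port"]) not in allowlist:
            findings.append((s["proto"], s["port"], WELL_KNOWN.get(s["port"], "unknown")))
    return findings


def audit_live_host(allowlist=WEB_SERVER_ALLOWLIST):
    """Run ss on the local Linux host (requires iproute2) and audit it."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out), allowlist)


if __name__ == "__main__":
    for proto, port, name in audit(parse_ss(SAMPLE_SS_OUTPUT), WEB_SERVER_ALLOWLIST):
        print(f"EXPOSED {proto}/{port} ({name}) is listening on all interfaces")
```

In the sample, MySQL on 0.0.0.0:3306 is the only finding; PostgreSQL on 127.0.0.1:5432 is reachable only from the host itself, which is the configuration the web-server scenario later in this chapter calls for.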
Common Exam Traps
Port 25 vs. 587: SMTP traditionally uses port 25, but email submission by clients should use port 587 (with authentication). The exam may ask which port is used for SMTP submission.
Port 110 vs. 143: POP3 downloads and deletes; IMAP synchronizes. Know which is which.
Port 21 vs. 20: FTP control is 21; data is 20. Many candidates mix them up.
Port 53: DNS uses UDP for queries, but TCP for zone transfers. The exam may ask which protocol DNS uses for standard queries.
Port 161 vs. 162: SNMP queries go to 161; traps go to 162.
Port 137-139 vs. 445: Legacy NetBIOS vs. modern SMB. Windows 2000 and later can carry SMB directly over TCP 445 and prefer it; ports 137-139 appear only when NetBIOS over TCP/IP is enabled.
Port 3389: RDP is often tested in the context of remote administration.
Port 22: SSH is the secure alternative to Telnet (port 23).
Port 443: HTTPS is the secure version of HTTP (port 80).
Configuration Example: Windows Firewall Rule
To allow RDP (port 3389) through Windows Firewall:
netsh advfirewall firewall add rule name="Open RDP" dir=in action=allow protocol=TCP localport=3389

To verify:

netsh advfirewall firewall show rule name="Open RDP"

As written, the rule accepts connections from any source address. In practice, restrict it to the management network with the remoteip= parameter of the same command, or expose RDP only through a VPN; RDP reachable from the internet is a common target for password brute-forcing.
Conclusion
Port numbers are fundamental to network communication. For the 220-1101 exam, focus on memorizing the well-known ports listed in the objectives. Use mnemonics, flashcards, or practice quizzes to reinforce your memory. Understanding the difference between TCP and UDP, and knowing which services use which, will help you troubleshoot connectivity issues and configure firewalls correctly.
Application Requests a Port
When a network application starts (e.g., a web server), it requests a specific port number from the operating system. The application calls the bind() system call with the desired port (e.g., 80). The OS checks whether that address and port are already in use. If available, the OS creates a socket and associates it with the port. If the port is already bound by another application on the same address, bind() fails with an 'Address already in use' (EADDRINUSE) error. This is why two web servers cannot both listen on the same address and port (absent options such as SO_REUSEPORT, which deliberately share a port between cooperating processes).
OS Assigns Ephemeral Port for Client
For outgoing connections (e.g., a web browser), the client application does not specify a source port. Instead, the OS automatically assigns an ephemeral port that is not currently in use. Which range it draws from depends on the OS: 49152-65535 is the IANA dynamic range and the default on Windows Vista and later, Linux defaults to 32768-60999, and Windows XP and earlier used 1025-5000. This port becomes the source port in the TCP/UDP header. The destination port is the well-known port of the target service (e.g., 80).
Packet Switches with Port Info
The transport layer encapsulates the application data with a TCP or UDP header that includes both source and destination port numbers (each 16 bits). This header is then passed to the network layer (IP), which adds source and destination IP addresses. The packet is routed through the network. Routers forward on the destination IP address alone; port numbers are examined only by devices that need them, such as firewalls, NAT devices, load balancers and router access control lists. The packet eventually reaches the destination host.
Destination OS Reads Destination Port
When the packet arrives at the destination host, the network interface card (NIC) hands the frame up, the Ethernet header is removed, and the IP layer processes the IP header. The transport layer then reads the destination port number, and the OS checks its table of listening sockets. If a socket is bound to that port, the data is delivered to the corresponding application. If none is, the OS sends an ICMP Port Unreachable (UDP) or a TCP RST (TCP) back to the sender, and for TCP the connection attempt is refused. A host firewall may instead drop such packets silently, so the sender sees a timeout rather than a refusal; port scanners use that difference to tell a closed port from a filtered one.
Application Processes Data
The application receives the data from the socket. For TCP, the data is a stream that the application reads sequentially. For UDP, the application reads datagrams (individual messages). The application then processes the request (e.g., an HTTP server parses the HTTP request and generates a response). The response is sent back using the same socket, but with source and destination ports swapped: the original source port becomes the destination port, and the original destination port becomes the source port.
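The five steps above, exercised with real sockets on the loopback interface, as an added example that is not part of the original page. It binds a listener, shows that the client's ephemeral source port is exactly what the server sees as the peer port (and vice versa, which is the swap described in the last step), shows the second bind() on the same port failing, and classifies a listening port versus an unused one the way a scanner does. All ports are chosen by the OS at run time on 127.0.0.1; nothing else is assumed.

```python
"""Added example (not part of the original page): the port mechanism
exercised with real sockets on the loopback interface. All addresses and
ports are chosen by the OS at run time on 127.0.0.1.

  1. bind() a TCP listener, like a server.
  2. A client connect() receives an ephemeral source port from the OS.
  3. A second bind() on the same address:port fails with EADDRINUSE.
  4. connect() to a port with no listener is answered with a TCP RST,
     which the client sees as ConnectionRefusedError.
"""
import errno
import socket

# Winsock reports its own code for "address in use"; POSIX uses EADDRINUSE.
ADDR_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
LOOPBACK = "127.0.0.1"


def start_listener(port=0):
    """Bind and listen on a TCP port. Port 0 asks the OS for any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, port))
    srv.listen(1)
    return srv


def connect_and_inspect(srv):
    """Connect a client to srv and report both ends' view of the ports.

    The client's ephemeral source port is what the server sees as the peer
    port, and the server's listening port is what the client sees as the
    peer port: replies simply swap source and destination."""
    server_port = srv.getsockname()[1]
    cli = socket.create_connection((LOOPBACK, server_port))
    conn, peer = srv.accept()
    info = {
        "server_port": server_port,
        "client_port": cli.getsockname()[1],
        "server_sees_client_port": peer[1],
        "client_sees_server_port": cli.getpeername()[1],
    }
    conn.close()
    cli.close()
    return info


def bind_conflict(srv):
    """Try to bind a second socket to the port srv already owns.
    Returns True when the OS rejects it with 'Address already in use'."""
    port = srv.getsockname()[1]
    other = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        other.bind((LOOPBACK, port))
    except OSError as exc:
        return exc.errno in ADDR_IN_USE
    finally:
        other.close()
    return False


def probe_tcp_port(port, timeout=2.0):
    """Classify a TCP port the way a scanner does: 'open' (SYN-ACK),
    'closed' (RST -> connection refused) or 'filtered' (no answer at all,
    which is what a firewall silently dropping the SYN looks like)."""
    try:
        with socket.create_connection((LOOPBACK, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"


def free_port():
    """Reserve a port with bind(), then release it, so the caller can probe
    a port that is known to have no listener."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((LOOPBACK, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = start_listener()
    print("connection:", connect_and_inspect(srv))
    print("second bind rejected:", bind_conflict(srv))
    print("listening port:", probe_tcp_port(srv.getsockname()[1]))
    print("unused port:", probe_tcp_port(free_port()))
    srv.close()
```

On loopback there is no firewall in the path, so probe_tcp_port() never returns "filtered" here; against a remote host behind a filter that is the result you would see, and it is the reason Nmap reports "filtered" separately from "closed".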
Enterprise Scenario 1: Web Server Firewall Configuration
A company hosts a public-facing web application on a server in a DMZ. The security team must configure the firewall to allow only necessary traffic. They create an inbound rule that permits TCP ports 80 (HTTP) and 443 (HTTPS) from any source. All other inbound ports are blocked. Additionally, they allow outbound traffic on port 53 (DNS) so the server can resolve domain names, and port 123 (NTP) for time synchronization. They also allow port 22 (SSH) from a specific management subnet for administration. A common mistake is to leave port 3306 (MySQL) open to the internet, thinking it's needed for the web app. In reality, the database should be on a separate internal server, and the web server connects to it over the internal network. Misconfiguration can lead to data breaches.
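The inbound policy from this scenario (and the firewall section earlier in the chapter) written out as an ordered rule list with a default deny and evaluated first-match-wins, as an added example that is not part of the original page. The hardened rule set sits beside the "common mistake" variant that opens 3306 to the world, and a small set of constructed packets shows how each verdict changes. The management subnet 10.10.0.0/24 and the 203.0.113.x source addresses are assumptions for the example (the latter is a documentation range).

```python
"""Added example (not part of the original page): the DMZ web-server
policy from the scenario as an ordered rule list with default deny,
evaluated the way a packet filter would (first match wins). The management
subnet 10.10.0.0/24 and the sample traffic are assumptions for the example;
203.0.113.0/24 is a documentation range, not a real network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT = ipaddress.ip_network("10.10.0.0/24")   # assumed management subnet


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches every port
    src: ipaddress.IPv4Network  # source network the rule applies to

    def matches(self, src_ip, proto, dst_port):
        return ((self.proto == "any" or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port)
                and ipaddress.ip_address(src_ip) in self.src)


def evaluate(rules, src_ip, proto, dst_port):
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.action
    return "deny"


def internet_exposed_ports(rules):
    """Ports an allow rule opens to any source: what an external scan finds."""
    return sorted(r.dst_port for r in rules
                  if r.action == "allow" and r.src == ANY and r.dst_port is not None)


# Correct inbound policy from the scenario: web from anywhere, SSH from the
# management subnet only, everything else falls through to the default deny.
HARDENED_INBOUND = [
    Rule("allow", "tcp", 80, ANY),
    Rule("allow", "tcp", 443, ANY),
    Rule("allow", "tcp", 22, MGMT),
]

# The common mistake: the database port "for the web app" opened to the world.
WEAK_INBOUND = HARDENED_INBOUND + [Rule("allow", "tcp", 3306, ANY)]

# Constructed test traffic: (source ip, proto, destination port, description)
SAMPLE_PACKETS = [
    ("203.0.113.5", "tcp", 443, "public user browsing HTTPS"),
    ("203.0.113.5", "tcp", 22, "internet host trying SSH"),
    ("10.10.0.7", "tcp", 22, "admin on the management subnet"),
    ("203.0.113.5", "tcp", 3306, "internet host probing MySQL"),
    ("203.0.113.5", "udp", 53, "inbound DNS (server is not a resolver)"),
]


def decisions(rules):
    """Map each sample packet's description to the verdict under `rules`."""
    return {desc: evaluate(rules, ip, proto, port) for ip, proto, port, desc in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED_INBOUND), ("weak", WEAK_INBOUND)):
        print(name, "policy exposes", internet_exposed_ports(rules))
        for desc, verdict in decisions(rules).items():
            print(f"  {verdict:5s} {desc}")
```

Outbound DNS (53) and NTP (123) from the scenario would be a second, separate rule list for the opposite direction; they are left out here because the point of the example is what an attacker on the internet can reach inbound.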
Enterprise Scenario 2: Email Server Ports
An organization runs its own email server using Microsoft Exchange. The server must accept incoming email on port 25 (SMTP) from the internet. It also needs to support clients: Outlook uses port 587 (SMTP submission) for outgoing mail, port 993 (IMAPS) for encrypted incoming mail, and port 995 (POP3S) for encrypted POP3. The firewall is configured to allow these ports from internal IP ranges. Additionally, the server uses port 53 (DNS) to look up MX records. A common issue is that port 25 is blocked by the ISP for residential connections, preventing the server from sending email directly. In that case, the organization might use a smart host (relay) on port 587.
Enterprise Scenario 3: VPN Remote Access
A company allows remote employees to connect to the corporate network via VPN. They use a VPN appliance that supports IPsec with IKE (UDP 500) and IPsec NAT-T (UDP 4500). The firewall at the office must allow these ports from any external IP. Note that the encrypted traffic itself, ESP, is IP protocol 50 rather than a TCP or UDP port; NAT-T exists precisely to wrap ESP inside UDP 4500 so it survives NAT. Once the VPN is established, employees need access to internal services like file shares (SMB on TCP 445) and RDP (TCP 3389) for remote desktop. The VPN appliance typically handles routing so that traffic to internal IPs is sent through the VPN tunnel. A common problem is that the firewall blocks UDP 500 or 4500, causing the VPN to fail to establish. Another is that the employee's home router does not pass ESP (no IPsec passthrough), so the tunnel negotiates but carries no traffic until NAT-T is used.
What the 220-1101 Tests on Ports and Protocols
CompTIA A+ 220-1101 Objective 2.1 requires you to 'Identify common network ports and protocols.' The exam expects you to know the port numbers and associated services for at least the following: 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTPS), 3389 (RDP), 137-139 (NetBIOS/NetBT), 445 (SMB), 427 (SLP), 548 (AFP), 67/68 (DHCP), 69 (TFTP), 161/162 (SNMP), 389 (LDAP), 636 (LDAPS), 993 (IMAPS), 995 (POP3S), 587 (SMTP submission), 1723 (PPTP), 1701 (L2TP), 500 (IKE), 4500 (IPsec NAT-T), 1433 (MSSQL), 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), 5060/5061 (SIP), 2427/2727 (MGCP), 123 (NTP), 162 (SNMP Trap), 514 (Syslog), 2049 (NFS), 3268/3269 (Global Catalog).
Common Wrong Answers and Why Candidates Choose Them
Confusing POP3 (110) with IMAP (143): Candidates often mix up these email protocols because both are used for receiving email. The trick is to remember that POP3 is 'Post Office' — like picking up mail from a post office box (download and delete). IMAP keeps messages on the server.
Thinking FTP uses port 21 for data: Many think port 21 is for data transfer, but it's actually for control commands. Data uses port 20 in active mode. Passive mode uses a random high port. The exam may ask which port FTP uses for control.
Assuming DNS only uses UDP: Candidates forget that DNS uses TCP for zone transfers and large responses. The exam may present a scenario where a DNS query fails because the response is too large for UDP and the server doesn't support TCP.
Mixing up SNMP ports: Port 161 is for queries (GET/SET), port 162 is for traps. Candidates often reverse them.
Believing SMB only uses port 445: While modern SMB uses 445, legacy systems use NetBIOS over TCP/IP on ports 137-139. The exam may test knowledge of both.
Numbers and Values That Appear on the Exam
The exact port numbers listed above.
The protocol (TCP or UDP) for each service. For example, DNS uses UDP for queries, TCP for zone transfers. DHCP uses UDP (67 server, 68 client). TFTP uses UDP. SNMP uses UDP.
The default port for HTTPS is 443, not 8080 (which is sometimes used as an alternate HTTP port).
RDP uses port 3389, not 5900 (VNC).
SSH uses port 22, not 23 (Telnet).
Edge Cases and Exceptions
FTP Active vs. Passive Mode: In active mode, the client sends a PORT command naming an address and port, and the server initiates the data connection back to the client from port 20. In passive mode, the client sends PASV, the server answers with a 227 reply naming a high port it has opened, and the client initiates both connections. Firewalls on the client side often block active FTP because the incoming data connection is seen as unsolicited; passive mode moves that problem to the server side, whose firewall must allow the negotiated high-port range.
SMTP Submission Port: While SMTP traditionally uses port 25, email clients should use port 587 for submission. The exam may ask which port is used for SMTP with authentication.
LDAP vs. LDAPS: LDAP uses port 389 (unencrypted), LDAPS uses 636 (encrypted). Global Catalog uses 3268 (unencrypted) and 3269 (encrypted).
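The FTP active/passive negotiation from the edge case above, parsed and checked, as an added example that is not part of the original page. It decodes the six-field h1,h2,h3,h4,p1,p2 form used by both the PORT command and the 227 reply (port = p1*256 + p2), then states which side opens the data connection and which side's firewall must therefore accept an inbound connection. The client 198.51.100.20, the server 203.0.113.10 and the two protocol lines are constructed for the example.

```python
"""Added example (not part of the original page): FTP active/passive data
channel negotiation. Active: the client sends PORT and the server connects
back from port 20. Passive: the client sends PASV, the server answers 227
with an address and port, and the client connects to it. Both encode the
port as p1*256 + p2. Hosts and lines below are constructed test values."""
import re

PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Six decimal fields -> (dotted IPv4, port), rejecting out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {fields}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # at most 65535 given the 255 check
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return host, port


def encode_hostport(host, port):
    """(dotted IPv4, port) -> 'h1,h2,h3,h4,p1,p2' as FTP writes it."""
    p1, p2 = divmod(port, 256)
    return ",".join(host.split(".") + [str(p1), str(p2)])


def parse_port_command(line):
    m = PORT_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def parse_pasv_reply(line, control_server_ip):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    Defensive detail: refuse a data address that differs from the server we
    are already talking to, so a bad reply cannot send the client elsewhere."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = decode_hostport(m.groups())
    if host != control_server_ip:
        raise ValueError(f"PASV address {host} is not the control server {control_server_ip}")
    return host, port


def data_channel(mode, client_ip, server_ip, negotiation_line):
    """Describe who opens the data connection to whom, and which side's
    firewall must therefore accept an inbound connection."""
    if mode == "active":
        host, port = parse_port_command(negotiation_line)
        return {"initiator": "server", "from": (server_ip, 20), "to": (host, port),
                "inbound_accepted_at": "client"}
    if mode == "passive":
        host, port = parse_pasv_reply(negotiation_line, server_ip)
        return {"initiator": "client", "from": (client_ip, None), "to": (host, port),
                "inbound_accepted_at": "server"}
    raise ValueError(f"unknown mode {mode!r}")


CLIENT, SERVER = "198.51.100.20", "203.0.113.10"                    # constructed
ACTIVE_LINE = "PORT 198,51,100,20,200,15"                           # constructed
PASSIVE_LINE = "227 Entering Passive Mode (203,0,113,10,195,80)."    # constructed

if __name__ == "__main__":
    print("active :", data_channel("active", CLIENT, SERVER, ACTIVE_LINE))
    print("passive:", data_channel("passive", CLIENT, SERVER, PASSIVE_LINE))
```

The "inbound_accepted_at" field is the firewall takeaway: a stateless filter on the client that only allows outbound connections breaks active mode, and a filter in front of the server that only opens port 21 breaks passive mode.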
How to Eliminate Wrong Answers
If a question asks which port a service uses, first identify the service. Then recall the port number. If you are unsure, eliminate options that are obviously wrong: for example, if the question is about a secure service, eliminate ports associated with insecure versions (e.g., for secure web, eliminate port 80). Also, note the protocol: if the service requires reliability (e.g., file transfer, email), it likely uses TCP; if it's time-sensitive or lightweight (e.g., DNS, DHCP), it likely uses UDP. This can help narrow down choices.
Ports are 16-bit numbers (0-65535) used to identify services on a host.
Well-known ports (0-1023) are assigned to common services; registered ports (1024-49151) are for user applications; dynamic ports (49152-65535) are for ephemeral client connections.
TCP is connection-oriented and reliable; UDP is connectionless and faster but unreliable.
Memorize the following ports: FTP (20/21 TCP), SSH (22 TCP), Telnet (23 TCP), SMTP (25 TCP), DNS (53 TCP/UDP), HTTP (80 TCP), POP3 (110 TCP), IMAP (143 TCP), HTTPS (443 TCP), RDP (3389 TCP), DHCP (67/68 UDP), TFTP (69 UDP), SNMP (161/162 UDP), LDAP (389 TCP/UDP), SMB (445 TCP), NTP (123 UDP).
Email submission uses port 587 (SMTP with authentication), not port 25.
FTP control is port 21; data is port 20 in active mode.
DNS uses UDP for queries, TCP for zone transfers.
SNMP queries go to port 161; traps go to port 162.
RDP uses port 3389; SSH uses port 22.
Knowing the protocol (TCP/UDP) helps eliminate wrong answers on the exam.
TCP vs. UDP comes up on the exam all the time. Here's how to tell them apart.
TCP (Transmission Control Protocol)
Connection-oriented: establishes a session via three-way handshake (SYN, SYN-ACK, ACK).
Guarantees delivery through acknowledgments and retransmission.
Maintains order: packets are sequenced and reassembled in order.
Flow control and congestion control (sliding window, AIMD).
Higher overhead: the header is at least 20 bytes (more with options), and both ends keep connection state.
UDP (User Datagram Protocol)
Connectionless: no handshake, just send data.
No delivery guarantee: packets may be lost without notification.
No ordering: packets may arrive out of sequence.
No flow control: sender can overwhelm receiver.
Lower overhead: header is 8 bytes; no connection state.
Mistake
Port 25 is used for sending email from clients.
Correct
Port 25 is used for SMTP between mail servers. Email clients should use port 587 (SMTP submission) with authentication. Many ISPs block port 25 to prevent spam, so client submissions on port 25 may fail.
Mistake
FTP uses only one port (21).
Correct
FTP uses two ports: port 21 for control commands and port 20 for data transfer in active mode. In passive mode, data uses a random high port negotiated during control connection.
Mistake
DNS always uses UDP.
Correct
DNS uses UDP for standard queries, but TCP is used for zone transfers and whenever a response does not fit in the UDP message: the server sets the TC (truncated) flag and the client repeats the query over TCP. The classic UDP limit is 512 bytes; EDNS0 raises it (commonly 1232-4096 bytes). Some recursive resolvers also use TCP for reliability.
Mistake
HTTPS uses port 8080.
Correct
HTTPS uses port 443 by default. Port 8080 is sometimes used as an alternate HTTP port (e.g., for proxy servers), but it is not the standard for HTTPS.
Mistake
All Microsoft file sharing uses port 445.
Correct
Modern Windows uses port 445 for SMB directly. However, Windows NT 4.0 and earlier only speak SMB over NetBIOS on ports 137-139, and Windows 2000/XP (and later systems with NetBIOS over TCP/IP enabled) listen on both 139 and 445. Both are still tested on the exam.
HTTPS uses port 443 by default. It is HTTP over TLS/SSL, providing encrypted communication. On the exam, if you see a question about secure web traffic, the answer is port 443. The unencrypted version, HTTP, uses port 80.
Both are used for receiving email. Port 110 is POP3 (Post Office Protocol v3), which downloads emails to the client and typically deletes them from the server. Port 143 is IMAP (Internet Message Access Protocol), which keeps emails on the server and allows multiple clients to synchronize. IMAP is more modern and flexible.
DNS uses UDP for standard queries because it is faster and has lower overhead. When the response is larger than the UDP message size the client accepts (e.g., large DNSSEC responses), the server sets the TC flag and the client repeats the query over TCP to get the full answer reliably. Zone transfers between DNS servers always use TCP.
RDP (Remote Desktop Protocol) uses port 3389 over TCP. It is used by Microsoft Remote Desktop to provide GUI remote access to Windows computers. On the exam, if you see a question about remote desktop, the answer is port 3389.
No, port 25 is used for SMTP between mail servers. Email clients like Outlook should use port 587 (SMTP submission) for outgoing mail, which often requires authentication and TLS encryption. Many ISPs block port 25 to prevent spam, so using port 587 is more reliable.
In FTP, port 21 is used for control commands (e.g., login, directory listing). Port 20 is used for data transfer in active mode. In passive mode, the data connection uses a random high port negotiated over the control channel. The exam may ask which port is used for FTP control.
SNMP uses port 161 for queries (GET, SET) and port 162 for traps (unsolicited alerts from agents to the manager). Traps are sent from the managed device to the NMS (Network Management System). Remember: queries go to 161, traps go to 162.