This chapter covers TCP/IP and common ports, a foundational networking topic for the CompTIA A+ 220-1101 exam. Understanding how TCP and UDP use port numbers to direct traffic to the correct application is critical for troubleshooting connectivity and security issues. Approximately 10-15% of the exam questions touch on ports and protocols, making this a high-yield area. You will learn the exact port numbers for major services, the differences between TCP and UDP, and how to identify and resolve port-related problems.
Think of an IP address as the street address of a large apartment building. The building has a main door (the network interface) where all mail arrives. Inside, there are hundreds of individual mailboxes, each with a unique number. These mailboxes are like TCP and UDP port numbers. When a delivery person (a data packet) arrives at the building, they look at the apartment number written on the envelope to decide which mailbox to drop the mail into. Without the apartment number, the mail would just pile up in the lobby, and no resident would get their specific letters. Similarly, a computer receives all network traffic through its IP address, but the port number tells the operating system which application or service should handle that data. For example, web traffic goes to port 80 or 443 (like mailbox #80 or #443), email to port 25, and so on. The mapping of well-known ports to services is standardized, just as apartment numbers are typically assigned in a predictable sequence. If a new resident moves in, they get a new mailbox number that isn't already in use. In computing, this is analogous to dynamic or private ports (49152-65535) used for temporary connections. The key mechanism is that the port number is a 16-bit field in the TCP or UDP header, allowing port numbers 0-65535. The first 1024 are reserved for well-known services, and the system administrator can assign higher ports for custom applications. This mailbox analogy helps visualize how port multiplexing works: one IP address can serve many services simultaneously because each service listens on its own port.
TCP/IP (Transmission Control Protocol/Internet Protocol) is the suite of protocols that powers the internet and most private networks. At its core, IP handles addressing and routing of packets from source to destination. TCP and UDP are transport layer protocols that sit on top of IP and provide communication between applications on a host. An IP address identifies a host, but a single host may run multiple network applications (web server, email client, game, etc.). To distinguish which application should receive incoming data, TCP and UDP use port numbers. A port is a 16-bit number (0-65535) that acts as a sub-address within a host. When a packet arrives, the operating system examines the destination port number in the TCP or UDP header and delivers the payload to the application that is listening on that port.
How TCP and UDP Use Ports
TCP (Transmission Control Protocol) is connection-oriented. It establishes a reliable, ordered, error-checked stream of data between two applications. Before data exchange, TCP performs a three-way handshake (SYN, SYN-ACK, ACK) to set up the connection. Each TCP segment includes source and destination port numbers. The combination of source IP, source port, destination IP, destination port, and protocol (TCP) uniquely identifies a connection, called a socket. This allows multiple simultaneous connections to the same destination port from different sources.
UDP (User Datagram Protocol) is connectionless. It sends datagrams without establishing a connection, offering no guarantees of delivery, ordering, or error recovery. UDP headers also contain source and destination port numbers, but the lack of connection state makes it faster and suitable for real-time applications like streaming video or VoIP. UDP ports work similarly to TCP ports: an application binds to a specific UDP port to receive datagrams.
Port Number Ranges
Ports are divided into three ranges:
- Well-Known Ports (0-1023): Assigned by IANA for common services. On Unix-like systems, binding to these ports typically requires root/admin privileges. Examples: HTTP (80), HTTPS (443), FTP (20, 21), SSH (22), DNS (53), DHCP (67, 68).
- Registered Ports (1024-49151): Used by applications that are not as universal but still need a consistent port. IANA maintains a list. Examples: Microsoft SQL Server (1433), Oracle DB (1521), RDP (3389).
- Dynamic/Private Ports (49152-65535): Used for ephemeral (temporary) connections. When a client initiates an outbound connection, the OS assigns a random port from this range as the source port. This allows the client to have many simultaneous connections to the same server port.
Common Ports for the A+ Exam
The 220-1101 exam expects you to know the following ports by heart:
- FTP (File Transfer Protocol): TCP ports 20 (data transfer) and 21 (control). FTP uses two connections: control on 21, data on 20 in active mode. Passive mode uses random high ports.
- SSH (Secure Shell): TCP port 22. Encrypted remote login and command execution. Replaces Telnet (port 23).
- Telnet: TCP port 23. Unencrypted remote terminal access. Insecure, rarely used today.
- SMTP (Simple Mail Transfer Protocol): TCP port 25. Used for sending email between mail servers. Client submission often uses port 587 or 465 (SMTPS).
- DNS (Domain Name System): UDP port 53 (primary) and TCP port 53 (zone transfers). DNS queries are usually UDP, but if the response is large (>512 bytes), TCP is used.
- DHCP (Dynamic Host Configuration Protocol): UDP ports 67 (server) and 68 (client). DHCP uses broadcast and unicast to assign IP addresses dynamically.
- HTTP (Hypertext Transfer Protocol): TCP port 80. Unencrypted web traffic.
- HTTPS (HTTP Secure): TCP port 443. Encrypted web traffic using TLS/SSL.
- POP3 (Post Office Protocol version 3): TCP port 110. Retrieves email from a server; downloads messages to the client. Often encrypted on port 995.
- IMAP (Internet Message Access Protocol): TCP port 143. Retrieves email but keeps messages on the server; allows folder management. Encrypted on port 993.
- IMAP4: Same as IMAP, port 143/993.
- RDP (Remote Desktop Protocol): TCP port 3389. Microsoft's remote desktop service.
- SMB/CIFS (Server Message Block): TCP port 445 (direct over TCP). Also uses NetBIOS over TCP/IP on ports 137-139 (legacy). Used for file and printer sharing.
- SNMP (Simple Network Management Protocol): UDP ports 161 (queries) and 162 (traps). Used to monitor network devices.
- LDAP (Lightweight Directory Access Protocol): TCP port 389. Directory services like Active Directory. LDAPS uses port 636.
- NetBIOS/NetBT: UDP ports 137 (name service), 138 (datagram service), TCP port 139 (session service). Legacy Windows networking.
TCP vs UDP: When to Use Which
TCP is used when reliability is critical: web browsing, email, file transfers. UDP is used when speed is more important than reliability: streaming, VoIP, DNS queries, DHCP. Some protocols use both: DNS uses UDP for queries but TCP for zone transfers; VoIP typically uses UDP but may fall back to TCP if needed.
Port Number Verification and Troubleshooting
On Windows, use netstat -an to list all active connections and listening ports. The output shows protocol, local address (IP:port), foreign address, and state. For example:
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
UDP 0.0.0.0:53 *:*
This shows a web server listening on port 80 and a DNS server on port 53. To see which process owns a port, use netstat -ano and match the PID in Task Manager.
On Linux, netstat -tulpn or ss -tulpn shows listening ports with process names. For example:
$ ss -tulpn | grep :80
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1234,fd=4))
Common Port Conflicts and Misconfigurations
Port already in use: If an application tries to bind to a port already used by another process, the OS returns an error like "Address already in use." Use netstat to find the conflicting process.
Firewall blocking port: A common cause of connectivity issues. Verify firewall rules allow traffic on the required port. On Windows, check Windows Defender Firewall; on Linux, check iptables/nftables.
Service not listening: If the service is not running, the port will not show as LISTENING. Start the service or check its configuration.
Wrong protocol: Some services expect TCP but a client sends UDP, or vice versa. Ensure the correct transport protocol is used.
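As an added example (not part of the original chapter), the following Python parses the two listing formats shown above, `ss -tulpn` on Linux and `netstat -ano` on Windows, into records and then answers the two questions this section raises: which process owns a given port (the "Address already in use" case), and which listeners are bound to every interface (0.0.0.0 or [::]) rather than only to 127.0.0.1, which is what you want to know before checking firewall rules. The sample output, process names and PIDs are constructed for the example, not captured from a real host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output (not captured from a real host) in the two formats
# the chapter shows: `ss -tulpn` on Linux and `netstat -ano` on Windows.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1234,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=2201,fd=21))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*         users:(("named",pid=640,fd=5))
"""

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1128
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       3300
  TCP    192.168.1.10:49700     203.0.113.7:443        ESTABLISHED     5512
  UDP    0.0.0.0:53             *:*                                    2048
"""

# Local addresses that mean "every interface": such a listener is reachable from
# the network, not just from the machine itself.
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}

PROCESS_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def split_endpoint(endpoint: str):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); '[::]:22' -> ('[::]', 22); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_listeners(text: str) -> List[Dict]:
    """Return one record per listening socket from ss or netstat output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "udp"):
            continue                      # header or blank line
        proto = parts[0].lower()
        process: Optional[str] = None
        if parts[0].islower():            # ss: Netid State Recv-Q Send-Q Local Peer Process
            state, local = parts[1], parts[4]
            m = PROCESS_RE.search(line)
            pid = int(m.group(2)) if m else None
            process = m.group(1) if m else None
        else:                             # netstat -ano: Proto Local Foreign [State] PID
            local = parts[1]
            if proto == "tcp":
                state = parts[3] if len(parts) > 3 else ""
                pid = int(parts[4]) if len(parts) > 4 else None
            else:                         # UDP lines have no State column
                state = "UNCONN"
                pid = int(parts[3]) if len(parts) > 3 else None
        host, port = split_endpoint(local)
        if port is None:
            continue
        # Only listening sockets matter here; established connections are skipped.
        if proto == "tcp" and state.upper() not in ("LISTEN", "LISTENING"):
            continue
        records.append({"proto": proto, "host": host, "port": port,
                        "pid": pid, "process": process})
    return records


def who_owns(records: List[Dict], port: int, proto: Optional[str] = None) -> List[Dict]:
    """Which listener(s) hold a port: the "Address already in use" question."""
    return [r for r in records
            if r["port"] == port and (proto is None or r["proto"] == proto)]


def exposed_listeners(records: List[Dict]) -> List[Dict]:
    """Listeners bound to all interfaces, i.e. the ones a firewall rule must cover."""
    return [r for r in records if r["host"] in ALL_INTERFACES]


if __name__ == "__main__":
    for sample in (SS_SAMPLE, NETSTAT_SAMPLE):
        recs = parse_listeners(sample)
        print("port 80 owned by:", who_owns(recs, 80))
        print("exposed:", [(r["proto"], r["port"]) for r in exposed_listeners(recs)])
```

In the constructed data the database listeners (3306 and 1433) are bound to 127.0.0.1 and do not appear in the exposed list, while 80, 22/3389 and UDP 53 do; on a real host that is the list to compare against the firewall's allowed ports.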
Interaction with Other Technologies
Port numbers are fundamental to network address translation (NAT). NAT routers use port numbers to map multiple internal IPs to a single public IP. The router changes the source port of outgoing packets to a unique value and remembers the mapping so return traffic can be forwarded to the correct internal host. This is called PAT (Port Address Translation).
Firewalls filter traffic based on port numbers. For example, a firewall can allow inbound TCP port 443 (HTTPS) but block all others. Understanding ports is essential for configuring security rules.
Key RFCs
RFC 793: TCP
RFC 768: UDP
RFC 1700: Assigned Numbers (historic, now maintained by IANA)
RFC 6335: Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry
Exam Tips
Memorize the common ports listed above. The exam will ask which port a service uses, or which service uses a given port.
Know the difference between TCP and UDP: TCP is connection-oriented, reliable; UDP is connectionless, best-effort.
Understand that ports are logical, not physical. They are part of the transport layer header.
Be aware that some services use multiple ports (e.g., FTP uses 20 and 21; DHCP uses 67 and 68).
Recognize that well-known ports (0-1023) require administrative privileges to bind on Unix/Linux.
Client Initiates Connection
When a client application (e.g., web browser) wants to communicate with a server, it first determines the server's IP address (via DNS) and the destination port number (e.g., 80 for HTTP). The client's operating system assigns an ephemeral source port from the dynamic range (49152-65535) to uniquely identify this connection. The client then creates a TCP or UDP packet with source IP:ephemeral_port and destination IP:well-known_port. For TCP, the client sends a SYN packet to begin the three-way handshake. The packet is handed to the IP layer for routing to the destination.
Packet Arrives at Server
The server's network interface receives the packet. The IP layer verifies the destination IP matches the server's address. Then the transport layer (TCP/UDP) examines the destination port number. The operating system checks if any application is listening on that port. If a service (e.g., Apache web server) has bound to port 80, the packet is queued for that application. If no service is listening, the server sends an ICMP Port Unreachable (for UDP) or a TCP RST (for TCP) back to the client. The server also records the source IP and port to send responses back.
Server Processes Request
The listening application (e.g., web server) receives the data from the socket. It processes the request (e.g., HTTP GET) and generates a response. The response is sent back using the same source and destination ports but swapped: now the server's port is the source (80) and the client's ephemeral port is the destination. The server's TCP/UDP layer creates a packet with server IP:80 as source and client IP:ephemeral_port as destination. The response is routed back through the network.
Client Receives Response
The client's network interface receives the response packet. The IP layer verifies the destination IP. The transport layer looks at the destination port, which matches the ephemeral port the client originally used. The OS identifies which application owns that socket (based on the 5-tuple: protocol, source IP, source port, dest IP, dest port) and delivers the data to the correct application. The application processes the response (e.g., renders a web page). For TCP, the connection may be kept alive for further requests or closed after a timeout.
Connection Termination (TCP)
When the communication is complete, TCP performs a graceful close using a four-way handshake. Either side sends a FIN packet. The other side acknowledges with ACK, then sends its own FIN, which is acknowledged. This ensures all data is delivered. After the handshake, the ports become available for reuse. The OS may keep the port in a TIME_WAIT state for 2*MSL (Maximum Segment Lifetime, typically 30-120 seconds) to handle any delayed packets. During this time, the port cannot be reused by the same socket pair. UDP does not have connection state, so no termination is needed; the application simply stops sending.
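The client/server walkthrough above, run for real over the loopback interface, as an added example that is not part of the original chapter. The server binds to port 0 so the operating system picks a free port (standing in for port 80, which would need root on Unix-like systems), the client's connect() performs the three-way handshake and receives an ephemeral source port, and the returned 5-tuples show that the server sees the client's ephemeral port as the source port while the client sees it as its own. The port_range() classifier applies the three IANA ranges named earlier; the HTTP-looking request and response are constructed bytes, not a real web server.

```python
import socket


def port_range(port: int) -> str:
    """Classify a port into the three IANA ranges described in the chapter."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit: 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def tcp_exchange(request: bytes = b"GET / HTTP/1.0\r\n\r\n") -> dict:
    """One request/response over loopback, reporting each side's view of the connection."""
    # Server: bind to port 0 so the OS chooses a free port, then listen.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server_port = server.getsockname()[1]

    # Client: connect() sends SYN, the kernel completes SYN-ACK / ACK, and the OS
    # assigns an ephemeral source port before connect() returns.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))
    client_ip, client_port = client.getsockname()

    # accept() hands back a new socket for this one connection; the listening
    # socket stays open so further clients can connect to the same port.
    conn, peer = server.accept()

    # The 5-tuple (protocol, source IP, source port, destination IP, destination
    # port) as each side sees it. The server's "source" is the client's ephemeral port.
    server_view = ("tcp", peer[0], peer[1], conn.getsockname()[0], conn.getsockname()[1])
    client_view = ("tcp", client_ip, client_port, "127.0.0.1", server_port)

    client.sendall(request)                       # constructed request bytes
    request_seen = conn.recv(4096)
    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")  # constructed response bytes
    response = client.recv(4096)

    # Graceful close: each close() sends a FIN that the peer acknowledges.
    client.close()
    conn.close()
    server.close()
    return {
        "server_port": server_port,
        "client_port": client_port,
        "server_view": server_view,
        "client_view": client_view,
        "request_seen": request_seen,
        "response": response,
    }


if __name__ == "__main__":
    result = tcp_exchange()
    print("server listened on", result["server_port"], port_range(result["server_port"]))
    print("client source port", result["client_port"], port_range(result["client_port"]))
    print("server's 5-tuple:", result["server_view"])
    print("client's 5-tuple:", result["client_view"])
```

The client's source port is classified as "registered" or "dynamic" rather than only "dynamic" because the IANA range 49152-65535 is the exam answer, while an operating system may draw its ephemeral ports from a different high range (Linux, for instance, defaults to a lower one).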
Enterprise Web Server Deployment
A large e-commerce company runs its website on a cluster of web servers behind a load balancer. Each web server runs Apache listening on TCP port 80 (HTTP) and 443 (HTTPS). The load balancer accepts incoming traffic on these ports and distributes requests to backend servers. The backend servers also run application services on custom ports (e.g., 8080 for Tomcat, 3306 for MySQL). The network team configures firewalls to allow inbound traffic only on ports 80 and 443 from the internet, and internal traffic on ports 8080 and 3306 only from the web servers to the app and database servers. This segmentation reduces the attack surface. Common issues include misconfigured firewall rules that block port 443, causing HTTPS failures, or a web server that fails to start because port 80 is already used by another process (e.g., IIS instead of Apache). The team uses netstat -an to verify listening ports and telnet <ip> <port> to test connectivity from a client.
Remote Administration with SSH
A managed service provider (MSP) administers hundreds of Linux servers for clients. Each server runs SSH on TCP port 22. The MSP uses a jump box with a firewall that allows outbound SSH to client servers. To enhance security, the MSP changes the default SSH port to a high-numbered port (e.g., 2222) to reduce automated attacks. They configure the firewall to allow inbound on port 2222 only from the jump box IP. When a technician cannot connect, they first verify that the SSH service is running (systemctl status sshd) and listening on the correct port (ss -tulpn | grep 2222). They also check that the firewall on the server allows the port (iptables -L -n). A common mistake is forgetting to update the firewall rule after changing the port, resulting in connection timeouts.
Email Server Configuration
A small business runs its own email server using Postfix (SMTP) and Dovecot (IMAP/POP3). Postfix listens on TCP port 25 for incoming mail from other servers, and also on port 587 for authenticated client submissions. Dovecot listens on ports 143 (IMAP) and 110 (POP3), with SSL/TLS on ports 993 and 995 respectively. The firewall must allow inbound on ports 25, 587, 143, 993, 110, 995. A frequent issue is that port 25 is blocked by the ISP for residential connections, preventing inbound mail. The solution is to use a relay service or request the ISP to unblock. Internally, the network team uses telnet mail.example.com 25 to test SMTP connectivity. They also monitor logs for failed authentication attempts on port 587, which may indicate a misconfigured email client using the wrong port (e.g., using 25 instead of 587).
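All three scenarios above end with the same test, a TCP connection attempt to a port (telnet <ip> <port>), and the outcome tells you which kind of problem you have. The following is an added example, not part of the original chapter, that performs that check from Python and maps each result onto the causes the scenarios describe: "refused" (the SYN was answered with a RST, so the host is up but nothing listens on that port, as when sshd moved to 2222 or Apache failed to start), "timeout" (no answer at all, the typical sign of a firewall dropping the packet or an ISP block on port 25), and "open". The demo_local() function exercises both the open and refused cases on loopback; the host name in the final commented line is hypothetical.

```python
import socket

# What each outcome means, in the terms the scenarios above use.
DIAGNOSIS = {
    "open": "a service is listening and the path is clear",
    "refused": "host reachable but nothing listening on that port: the service is "
               "down or moved to another port (check ss -tulpn / netstat -an on the server)",
    "timeout": "no answer at all: a firewall is most likely dropping the SYN, the host "
               "is down, or the address is wrong (check firewall rules before the service)",
    "unreachable": "no route to the host: a network/routing problem rather than a port problem",
}


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))            # triggers the three-way handshake
        return "open"
    except ConnectionRefusedError:
        return "refused"                      # SYN answered with RST
    except socket.timeout:
        return "timeout"                      # SYN never answered
    except OSError:
        return "unreachable"                  # e.g. EHOSTUNREACH / ENETUNREACH
    finally:
        sock.close()


def diagnose(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Status plus a one-line explanation suited to a troubleshooting ticket."""
    status = check_tcp_port(host, port, timeout)
    return status, DIAGNOSIS[status]


def demo_local() -> dict:
    """Self-contained check on loopback: first with a listener on a free port, then
    after that listener is closed, so both 'open' and 'refused' are produced locally."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    with_listener = check_tcp_port("127.0.0.1", port)
    listener.close()                          # nothing listens on the port any more
    without_listener = check_tcp_port("127.0.0.1", port)
    return {"port": port, "with_listener": with_listener,
            "without_listener": without_listener}


if __name__ == "__main__":
    print(demo_local())
    # Against a real host, e.g. the mail server in the scenario (hypothetical name):
    # print(diagnose("mail.example.com", 25))
```

A "timeout" does not tell you whether the drop happens on the host firewall, a network firewall, or the ISP; the scenarios above resolve that by checking the host side first (is the service listening, does the host firewall allow the port) and only then the path.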
Exactly What 220-1101 Tests
CompTIA A+ 220-1101 Objective 2.1 requires you to "Identify common ports and protocols." The exam expects you to match each service with its default port number and transport protocol (TCP or UDP). You must know the following ports verbatim: 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67/68 (DHCP), 80 (HTTP), 110 (POP3), 137-139 (NetBIOS/NetBT), 143 (IMAP), 161/162 (SNMP), 389 (LDAP), 443 (HTTPS), 445 (SMB/CIFS), 3389 (RDP). The exam will also test your understanding of TCP vs UDP characteristics and the concept of well-known vs ephemeral ports.
Most Common Wrong Answers and Why
Confusing FTP ports: Many candidates think FTP uses only port 21. The exam may ask which port is used for FTP data transfer; the correct answer is 20 (active mode) or a random high port (passive mode). A common trap is choosing 21 for data.
Mixing SMTP and POP3/IMAP: Candidates often assign port 25 to POP3 or IMAP. Remember: SMTP (25) is for sending, POP3 (110) and IMAP (143) are for receiving.
Assuming DNS only uses UDP: While DNS queries are typically UDP, zone transfers use TCP port 53. The exam may ask which protocol DNS uses for zone transfers; the answer is TCP.
Confusing SMB ports: Legacy SMB uses NetBIOS over TCP/IP on ports 137-139, but modern SMB uses direct TCP port 445. The exam may ask for the port used by SMB in a modern Windows network; the answer is 445.
Specific Numbers and Terms That Appear
Port numbers: 20, 21, 22, 23, 25, 53, 67, 68, 80, 110, 137, 138, 139, 143, 161, 162, 389, 443, 445, 3389.
Protocol names: FTP, SSH, Telnet, SMTP, DNS, DHCP, HTTP, HTTPS, POP3, IMAP, SNMP, LDAP, SMB/CIFS, RDP.
Transport types: TCP (connection-oriented, reliable), UDP (connectionless, best-effort).
Port ranges: Well-known (0-1023), Registered (1024-49151), Dynamic/Private (49152-65535).
Edge Cases the Exam Loves
DHCP uses two ports: Server listens on 67, client on 68. The exam may ask which port the DHCP client uses to send requests (68) or which port the server uses (67).
FTP active vs passive: In active mode, the server initiates data connection from port 20 to a client ephemeral port. In passive mode, the server opens a random high port and the client connects to it. The exam may not test the distinction deeply, but knowing that FTP uses two connections is important.
IMAP4 vs IMAP: IMAP4 is the same as IMAP; port 143/993.
SNMP traps: Port 162 is used for traps (unsolicited alerts), while queries go to 161.
How to Eliminate Wrong Answers
If a question asks for the port of a service, recall the service's function. For example, web browsing = 80/443, email sending = 25, email receiving = 110 or 143.
For protocol type (TCP/UDP), think about reliability needs. If the service requires guaranteed delivery (web, email, file transfer), it's TCP. If it's real-time or simple queries (DNS, DHCP, streaming), it's UDP.
Pay attention to wording: "default port" is key; some services can be configured to use different ports, but the exam tests the default.
Watch for trick questions that ask for the port of a service that doesn't exist (e.g., "What port does FTP use for secure control?" — FTP is not inherently secure; SFTP uses SSH port 22).
Memorize these ports: FTP (20,21 TCP), SSH (22 TCP), Telnet (23 TCP), SMTP (25 TCP), DNS (53 UDP/TCP), DHCP (67,68 UDP), HTTP (80 TCP), POP3 (110 TCP), IMAP (143 TCP), SNMP (161,162 UDP), LDAP (389 TCP), HTTPS (443 TCP), SMB/CIFS (445 TCP), RDP (3389 TCP).
Port numbers are 16-bit values from 0 to 65535; well-known ports are 0-1023, registered 1024-49151, dynamic 49152-65535.
TCP is connection-oriented and reliable; UDP is connectionless and faster but unreliable.
A socket is uniquely identified by the 5-tuple: protocol, source IP, source port, destination IP, destination port.
Use netstat -an (Windows) or ss -tulpn (Linux) to see listening ports and active connections.
Firewalls filter traffic based on port numbers; misconfigured firewalls are a common cause of connectivity issues.
Some services use multiple ports (FTP, DHCP, DNS); know the exact ports for each service.
These come up on the exam all the time. Here's how to tell them apart.
TCP (Transmission Control Protocol)
Connection-oriented: establishes a session before data transfer using three-way handshake.
Reliable: guarantees delivery, ordering, and error checking via acknowledgments and retransmission.
Slower due to overhead of handshake, acknowledgments, and flow control.
Used for applications requiring data integrity: web (HTTP), email (SMTP), file transfer (FTP).
Port numbers are used to identify connections; state is maintained per socket.
UDP (User Datagram Protocol)
Connectionless: no session establishment; data is sent immediately.
Unreliable: no guarantees of delivery, ordering, or error recovery; best-effort delivery.
Faster because minimal overhead; no handshake or acknowledgments.
Used for real-time or loss-tolerant applications: streaming, VoIP, DNS queries, DHCP.
Port numbers are used but no connection state; each datagram is independent.
Mistake
Port numbers are physical connectors on a computer.
Correct
Port numbers are logical addresses in the TCP/UDP header, not physical jacks. Physical ports are Ethernet ports, USB ports, etc. Logical ports are 16-bit numbers that identify applications.
Mistake
TCP and UDP use the same port numbers, so they conflict.
Correct
TCP and UDP are separate protocol spaces. A TCP port 80 and a UDP port 80 are different and can be used simultaneously by different services. The OS tracks them separately.
Mistake
All well-known ports require administrator privileges to bind on any OS.
Correct
On Unix/Linux systems, binding to ports below 1024 requires root privileges. On Windows, by default, any user can bind to any port, though some ports may be reserved.
Mistake
DNS always uses UDP port 53.
Correct
DNS primarily uses UDP for queries, but when the response exceeds 512 bytes or for zone transfers, it uses TCP port 53. The exam expects you to know both.
Mistake
FTP uses only one port (21).
Correct
FTP uses two connections: control on port 21 and data on port 20 (active mode) or a random high port (passive mode). The exam tests port 20 as the data port.
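Two of the misconceptions above (TCP and UDP sharing one port space, and every well-known port needing administrator rights on every OS) and the "Address already in use" conflict from the troubleshooting section can all be observed from a few lines of Python. This is an added example, not part of the original chapter: it binds a TCP and a UDP socket to the same port number on 127.0.0.1, which succeeds because the two protocols keep separate port tables, then tries a second TCP bind on that port, which fails with EADDRINUSE. The try_bind() helper reports "permission denied" for a well-known port when run as an unprivileged user on a Unix-like system; the result for such ports depends on the operating system and on who runs it, so the code does not assume either.

```python
import errno
import socket


def bind_tcp_and_udp_same_port() -> dict:
    """TCP and UDP port numbers are separate spaces; a second TCP bind conflicts."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))               # port 0: the OS picks a free port
    tcp.listen(1)
    port = tcp.getsockname()[1]

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", port))            # same number, other protocol: no conflict

    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind(("127.0.0.1", port))     # same number, same protocol and address
        second_result = "bound"
    except OSError as exc:
        second_result = ("EADDRINUSE" if exc.errno == errno.EADDRINUSE
                         else f"errno {exc.errno}")
    finally:
        second.close()

    result = {"tcp_port": port, "udp_port": udp.getsockname()[1],
              "second_tcp_bind": second_result}
    tcp.close()
    udp.close()
    return result


def try_bind(port: int) -> str:
    """Bind a TCP socket to a port and say why it failed, if it did."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        return "bound"
    except PermissionError:
        return "permission denied"           # EACCES: port below 1024, not root
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use"                  # the "Address already in use" error
        return f"errno {exc.errno}"
    finally:
        sock.close()


if __name__ == "__main__":
    print(bind_tcp_and_udp_same_port())
    print("port 80:", try_bind(80))          # depends on OS and privileges
    print("port 0 (OS-chosen):", try_bind(0))
```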
HTTPS uses TCP port 443. It is HTTP over TLS/SSL, providing encrypted web traffic. The exam expects you to know that HTTPS uses port 443, while HTTP uses port 80.
A port is a number that identifies an application on a host. A socket is the combination of an IP address and a port number, e.g., 192.168.1.10:80. In practice, a socket is used for communication; the port is part of it.
DNS uses UDP for standard queries because it is fast and low-overhead. However, when the response is larger than 512 bytes (e.g., zone transfers or DNSSEC), TCP is used to ensure reliable delivery. The exam expects you to know that DNS uses UDP for queries and TCP for zone transfers.
Yes, if they use different transport protocols (TCP vs UDP) or different IP addresses (e.g., different network interfaces). On the same IP and protocol, only one application can bind to a specific port at a time.
Open Command Prompt as administrator and run `netstat -ano`. This shows all connections and listening ports with the associated process ID (PID). Then open Task Manager, go to Details tab, and match the PID to the application name. Alternatively, use `netstat -anb` to see the executable name (requires admin rights).
An ephemeral port is a short-lived transport layer port assigned by the client's OS from the dynamic range (49152-65535) when initiating a connection. It is used as the source port for the client side of a TCP or UDP session. After the connection closes, the port becomes available for reuse.
RDP (Remote Desktop Protocol) uses TCP port 3389 by default. It is used for remote desktop connections to Windows machines. The exam expects you to know this port number.