This chapter covers common TCP and UDP port numbers and their associated protocols, a foundational topic for the CompTIA Network+ N10-009 exam. Understanding ports is essential for configuring firewalls, troubleshooting connectivity, and interpreting network traffic. Approximately 10-15% of exam questions directly test port numbers and protocol associations, making this one of the most memorization-heavy but high-yield areas.
Imagine a large office building with one main phone number (the IP address). Inside, every department has a unique extension number (the port number). When a caller wants to reach the sales department, they dial the main number and then extension 80 (HTTP). The receptionist (the operating system's network stack) listens on the main line and routes the call to extension 80. If someone dials extension 443 (HTTPS), the call goes to a different room. Without extensions, the receptionist wouldn't know which department to connect. Similarly, if a visitor calls extension 25 (SMTP), they get the mail room. Extensions allow the building to handle many different types of calls simultaneously using one main number. In networking, port numbers (0-65535) identify specific applications or services on a host with a single IP address. Well-known ports (0-1023) are like permanent extensions assigned to critical departments (e.g., 80 for web, 443 for secure web, 25 for email outbound). Registered ports (1024-49151) are like temporary project rooms that companies can reserve. Dynamic/private ports (49152-65535) are like open conference rooms that anyone can use temporarily for outbound connections. The receptionist uses a switchboard log (the port mapping table) to track which internal extension initiated an outbound call and where to route the reply. This is exactly how NAT and port address translation (PAT) work: the router replaces the source port with a unique ephemeral port and remembers the mapping so return traffic reaches the correct internal host.
What Are Ports and Why Do They Exist?
In TCP/IP networking, a port is a 16-bit number (0-65535) that identifies a specific process or service on a host. Ports allow a single IP address to host multiple simultaneous network conversations. For example, a web server can run HTTP (port 80), HTTPS (port 443), and SSH (port 22) all on the same IP address. The transport layer (TCP or UDP) uses the port number in the segment header to demultiplex incoming data to the correct application.
Ports are divided into three ranges by IANA:
Well-known ports (0-1023): Assigned to widely-used services. On Unix/Linux, binding to these ports typically requires root privileges.
Registered ports (1024-49151): Used by applications that vendors can register with IANA, but not as strictly controlled.
Dynamic/private ports (49152-65535): Also called ephemeral ports, used by client applications as temporary source ports when initiating outbound connections.
How Ports Work at the Packet Level
When a client wants to communicate with a server, it creates a socket: a combination of source IP, source port, destination IP, destination port, and protocol. For a TCP connection, the client selects a random ephemeral source port (e.g., 49152) and connects to the server's well-known port (e.g., 80). The server responds using its well-known port as the source and the client's ephemeral port as the destination. This 5-tuple uniquely identifies the conversation.
The TCP segment header includes:
Source port (16 bits)
Destination port (16 bits)
The UDP header similarly includes source and destination ports. Port numbers are the primary mechanism for multiplexing at the transport layer.
Key Ports to Memorize for N10-009
The exam expects you to know the following port numbers, their transport protocol (TCP, UDP, or both), and their associated services by heart.
FTP (File Transfer Protocol): TCP ports 20 (data) and 21 (control). FTP uses two connections: the control connection on port 21 for commands, and the data connection on port 20 for actual file transfers. In active mode, the server initiates the data connection; in passive mode, the client initiates it. FTP is unencrypted.
SSH (Secure Shell): TCP port 22. Provides encrypted remote login and command execution. Replaces Telnet.
Telnet: TCP port 23. Unencrypted remote terminal access. Legacy, insecure.
SMTP (Simple Mail Transfer Protocol): TCP port 25. Used for sending email between mail servers. Also used by clients to send mail to the server (submission on port 587 is preferred).
DNS (Domain Name System): UDP port 53 (queries) and TCP port 53 (zone transfers). Most DNS queries use UDP for speed; zone transfers use TCP for reliability.
DHCP (Dynamic Host Configuration Protocol): UDP ports 67 (server) and 68 (client). DHCP uses broadcast messages initially; the server listens on port 67, client on port 68.
TFTP (Trivial File Transfer Protocol): UDP port 69. Simple, unencrypted file transfer used for network booting (PXE) and firmware upgrades. No authentication.
HTTP (Hypertext Transfer Protocol): TCP port 80. Unencrypted web traffic.
HTTPS (HTTP Secure): TCP port 443. HTTP over TLS/SSL.
POP3 (Post Office Protocol v3): TCP port 110. Retrieves email from a mail server to a client. Unencrypted.
IMAP4 (Internet Message Access Protocol): TCP port 143. Retrieves email with more features (folders, server-side search). Unencrypted.
NetBIOS/NetBT: UDP ports 137 (name service), 138 (datagram service), TCP 139 (session service). Legacy Windows networking.
SMB/CIFS: TCP port 445. Direct SMB over TCP, used for file sharing in Windows.
SNMP (Simple Network Management Protocol): UDP port 161 for manager-to-agent requests (get/set); UDP port 162 for traps and informs that agents send to the manager. SNMPv1/2c authenticate with cleartext community strings; SNMPv3 adds authentication and encryption.
LDAP (Lightweight Directory Access Protocol): TCP port 389. Directory services queries. LDAPS uses port 636.
RDP (Remote Desktop Protocol): TCP port 3389. Microsoft's remote desktop protocol.
MySQL: TCP port 3306. MySQL database default.
SIP (Session Initiation Protocol): port 5060 over UDP or TCP (cleartext) and TCP port 5061 (SIP over TLS). VoIP signaling only; the audio itself is carried by RTP on separately negotiated UDP ports.
H.323: TCP 1720. VoIP signaling alternative.
L2TP (Layer 2 Tunneling Protocol): UDP port 1701. VPN tunneling.
PPTP (Point-to-Point Tunneling Protocol): TCP port 1723. Legacy VPN.
IPsec: IKE key exchange uses UDP port 500. The protected traffic uses IP protocol numbers 50 (ESP) and 51 (AH), which are not ports. For NAT traversal (NAT-T), ESP is encapsulated in UDP port 4500.
GRE (Generic Routing Encapsulation): Protocol number 47. Tunneling.
NTP (Network Time Protocol): UDP port 123. Time synchronization.
Syslog: UDP port 514. System logging. Syslog can also be carried over TCP 514 and, over TLS, TCP 6514.
TACACS+: TCP port 49. Cisco AAA.
RADIUS: UDP ports 1812 (authentication) and 1813 (accounting). Older implementations used 1645/1646 for the same purposes.
Kerberos: UDP/TCP port 88. Authentication protocol.
HTTP Proxy / alternate HTTP: TCP port 8080 (also 3128, the Squid default).
There is no separate "HTTPS proxy" port: a client reaches an HTTPS site through a proxy by sending an HTTP CONNECT request on the proxy's port and tunneling the TLS session inside it.
Port Numbers vs. Protocol Numbers
A common point of confusion: IP protocol numbers (e.g., 1 for ICMP, 6 for TCP, 17 for UDP) are different from port numbers. Protocol numbers identify the next-level protocol in the IP header. Port numbers are used by TCP and UDP to identify applications. ICMP does not use ports; it uses types and codes.
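The two paragraphs above (ports as the transport-layer demultiplexing key, and protocol numbers as a separate field in the IP header) are easiest to see in a parser. The following is an added example, not code from the original page: it decodes a raw IPv4 packet far enough to read the 8-bit Protocol field, then reads the port pair only when that field says TCP or UDP, and falls back to type/code for ICMP. The sample packets are constructed inline with zeroed checksums and assumed addresses; they are parser input, not captured traffic.

```python
import struct

# IP protocol numbers (IANA "Protocol" field), not port numbers
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}


def parse_packet(pkt: bytes) -> dict:
    """Decode an IPv4 packet far enough to answer: which protocol, and which ports?"""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4      # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = pkt[9]                                        # 8-bit Protocol field (layer 3)
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:]                                   # skip options, if any
    info = {"protocol": proto, "protocol_name": PROTO_NAMES.get(proto, "other"),
            "src_ip": src_ip, "dst_ip": dst_ip}
    if proto in (PROTO_TCP, PROTO_UDP):
        # Both TCP and UDP headers begin with 16-bit source and destination ports (layer 4)
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(src_port=sport, dst_port=dport,
                    five_tuple=(info["protocol_name"], src_ip, sport, dst_ip, dport))
    elif proto == PROTO_ICMP:
        # ICMP has no ports; it is identified by type and code
        if len(payload) < 2:
            raise ValueError("truncated ICMP header")
        info.update(icmp_type=payload[0], icmp_code=payload[1])
    return info


# Constructed sample packets (checksums left zero; assumed addresses, not real traffic)
def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_ipv4(proto: int, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return hdr + payload


def tcp_segment(sport: int, dport: int, flags: int = 0x02) -> bytes:   # 0x02 = SYN
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo_request() -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)


SAMPLES = {
    "https_syn": build_ipv4(PROTO_TCP, "10.0.0.5", "203.0.113.10", tcp_segment(49152, 443)),
    "dns_query": build_ipv4(PROTO_UDP, "10.0.0.5", "10.0.0.1", udp_datagram(51234, 53)),
    "icmp_ping": build_ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.1", icmp_echo_request()),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_packet(pkt))
```

Note the order of decisions: the protocol number is read first, and only then does the parser know whether bytes 0-3 of the payload are a port pair. A firewall or packet capture tool makes exactly the same distinction, which is why "port 50" and "protocol 50 (ESP)" are different rules.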
How Ports Interact with Firewalls
Firewalls filter traffic based on port numbers. For example, a rule might allow inbound TCP/443 to a web server and block all other ports. Stateful firewalls also track connection state: they allow return traffic for established connections. Understanding port numbers is critical for writing firewall rules.
Ephemeral Ports and NAT
When a client initiates an outbound connection, the OS assigns an ephemeral source port. The IANA dynamic range is 49152-65535, but real stacks differ: Linux defaults to 32768-60999 (net.ipv4.ip_local_port_range), modern Windows uses 49152-65535, and pre-Vista Windows used roughly 1025-5000. The server sees this ephemeral value as the source port. With NAT/PAT, the router translates the source IP and port to its own public IP and a new ephemeral port, keeping a mapping in its translation table. This allows many internal hosts to share one public IP.
Common Port Scanning Techniques
Port scanning involves sending packets to a range of ports and analysing responses. Common scan types:
TCP SYN scan: sends SYN, waits for SYN-ACK (open) or RST (closed).
TCP connect scan: completes full TCP handshake.
UDP scan: sends a UDP datagram. An ICMP port unreachable (type 3, code 3) means closed; a UDP reply means open; no response is ambiguous (open or filtered), because an open service may simply not answer an empty probe and a firewall may silently drop it.
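The three scan types above differ in what response they treat as evidence. This added example (not code from the page, and not nmap's) implements the connect scan and the UDP probe with ordinary sockets against a listener it starts itself on 127.0.0.1, so it runs offline: a completed handshake is "open", a refused connection (the RST) is "closed", silence until the timeout is "filtered". A SYN scan needs raw sockets and is not shown. Ports are chosen by the OS at run time; nothing here is a real target.

```python
import socket
import threading


def start_tcp_listener(host: str = "127.0.0.1"):
    """Listen on an OS-chosen port and accept (then drop) whatever connects."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                      # port 0: the OS picks a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                  # listener was closed
                break
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1", kind=socket.SOCK_STREAM) -> int:
    """Return a port number that is currently unbound, so a probe should see 'closed'."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Connect scan: full three-way handshake -> open; RST (refused) -> closed;
    no answer before the timeout -> filtered (something dropped the SYN)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                      # socket.timeout is an OSError
            results[port] = "filtered"
        finally:
            s.close()
    return results


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """UDP probe on a connected socket: an ICMP port unreachable is reported by the
    OS as 'connection refused' (closed); a reply means open; silence is open|filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "open|filtered"
    finally:
        s.close()


def scan_demo() -> dict:
    """Scan one port we know is listening and one we know is not."""
    srv, open_port = start_tcp_listener()
    closed_port = free_port()
    try:
        return {"open_port": open_port, "closed_port": closed_port,
                "tcp": tcp_connect_scan("127.0.0.1", [open_port, closed_port]),
                "udp": udp_probe("127.0.0.1", free_port(kind=socket.SOCK_DGRAM))}
    finally:
        srv.close()


if __name__ == "__main__":
    print(scan_demo())
```

The UDP result is the practical lesson: whether the probe of an unbound port comes back "closed" depends on the kernel delivering the ICMP error to the socket, and on a real network a firewall that rate-limits or blocks ICMP turns every closed port into "open|filtered". That is why UDP scans are slow and why their output must be read with less confidence than a TCP connect scan.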
Verification Commands
On Windows:
- netstat -an shows all listening and established connections with port numbers.
- netstat -an | findstr :80 filters for port 80.
- telnet <host> <port> tests TCP connectivity (e.g., telnet 10.0.0.1 443). The Telnet client is not installed by default on current Windows; the PowerShell equivalent is Test-NetConnection -ComputerName 10.0.0.1 -Port 443.
On Linux:
- ss -tuln shows listening TCP/UDP ports; add -p (ss -tulnp) to see which process owns each socket.
- netstat -tuln (older).
- nmap -p 80,443 10.0.0.1 scans specific ports.
Port Number Conflicts and Best Practices
Avoid using well-known ports for custom services to prevent conflicts.
On servers, disable unnecessary services to reduce attack surface.
Use firewalls to restrict access to only required ports.
For encrypted variants, use the correct secure port (e.g., 443 for HTTPS, 993 for IMAPS, 995 for POP3S, 587 for SMTP submission with STARTTLS).
Client selects ephemeral source port
When a client application initiates an outbound TCP or UDP connection, the operating system's TCP/IP stack selects an ephemeral port number from its dynamic range (49152-65535 by IANA convention and on modern Windows; Linux defaults to 32768-60999; pre-Vista Windows used roughly 1025-5000). This port is used as the source port in the transport layer header. The client also specifies the destination IP and destination port (e.g., 80 for HTTP). The socket is now defined by the 5-tuple: protocol, source IP, source port, destination IP, destination port.
Client sends SYN segment to server
For TCP, the client sends a SYN segment with source port = ephemeral, destination port = 80, and the SYN flag set. The IP layer encapsulates this in a packet with source IP = client's IP, destination IP = server's IP. The server's network stack receives the packet, examines the destination port, and delivers it to the web server application listening on port 80. The server responds with SYN-ACK, and the handshake completes. For UDP, the client simply sends a datagram with the same port pair.
Server responds using well-known source port
The server's response uses its well-known port (e.g., 80) as the source port and the client's ephemeral port as the destination port. The client's OS uses the destination port to demultiplex the incoming segment to the correct application. This works because the server's source port is predictable (well-known) and the client's ephemeral port is unique per connection.
Firewall inspects port numbers
A firewall between client and server examines the destination port of incoming packets. If the destination port is allowed by policy (e.g., TCP/80), the packet is forwarded. If not, it is dropped. Stateful firewalls also track the connection state: they allow return traffic because it matches an existing session. For UDP, stateful firewalls may use timeout-based state (e.g., 30 seconds of inactivity).
NAT translates port numbers
If the client is behind a NAT router, the router changes the source IP to its public IP and the source port to a new ephemeral port (e.g., 50000). It records this mapping in its NAT table. When the server responds to the router's public IP and port 50000, the router looks up the table and forwards the packet to the original client's private IP and original ephemeral port. This is port address translation (PAT).
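The five steps above can be run end to end in a small simulation. This is an added example, not code from the page or from any firewall or router vendor: a client picks an ephemeral port, a PAT router rewrites the source IP and port and records the mapping, a stateful firewall on the outside records the outbound 5-tuple and admits the inbound reply only because it matches that session, and a UDP session expires after an idle timeout. Addresses, the allowed-port policy and the 30-second timeout are assumptions chosen for the walkthrough.

```python
import random
from dataclasses import dataclass, astuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """What the far end sends back: the pair swapped, well-known port now the source."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def pick_ephemeral_port(in_use: set, low: int = 49152, high: int = 65535) -> int:
    """Choose a free port from the dynamic range, retrying on collision as a stack would."""
    for _ in range(1000):
        port = random.randint(low, high)
        if port not in in_use:
            return port
    raise RuntimeError("ephemeral port range exhausted")


class PatRouter:
    """Port address translation: many private hosts share one public IP."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}      # (proto, public_port) -> (private_ip, private_port)
        self.reverse = {}    # (proto, private_ip, private_port) -> public_port

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        pub_port = self.reverse.get(key)
        if pub_port is None:                      # first packet of a flow: allocate a mapping
            pub_port = pick_ephemeral_port({p for (pr, p) in self.table if pr == pkt.proto})
            self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
            self.reverse[key] = pub_port
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None                           # no mapping: unsolicited traffic has nowhere to go
        priv_ip, priv_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)


class StatefulFirewall:
    """Permits chosen outbound sessions and the return traffic that matches them."""
    def __init__(self, allowed_outbound: set, udp_timeout: int = 30):
        self.allowed = allowed_outbound   # {(proto, dst_port), ...}
        self.sessions = {}                # outbound 5-tuple -> time last seen
        self.udp_timeout = udp_timeout

    def outbound(self, pkt: Packet, now: int) -> bool:
        if (pkt.proto, pkt.dst_port) not in self.allowed:
            return False
        self.sessions[astuple(pkt)] = now
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        key = astuple(pkt.reply())        # the outbound packet this would be a reply to
        last = self.sessions.get(key)
        if last is None:
            return False                  # no session: dropped regardless of port
        if pkt.proto == "udp" and now - last > self.udp_timeout:
            del self.sessions[key]        # UDP "state" is only an idle timer
            return False
        self.sessions[key] = now
        return True


def run_walkthrough(seed: int = 7) -> dict:
    random.seed(seed)
    client, web, dns = "192.168.1.10", "203.0.113.80", "203.0.113.53"   # assumed addresses
    router = PatRouter("198.51.100.1")
    fw = StatefulFirewall(allowed_outbound={("tcp", 80), ("tcp", 443), ("udp", 53)})

    sport = pick_ephemeral_port(set())                 # step 1: ephemeral source port
    syn = Packet("tcp", client, sport, web, 80)        # step 2: SYN to port 80
    syn_out = router.outbound(syn)                     # step 5: PAT rewrites src IP/port
    fw.outbound(syn_out, now=0)                        # step 4: edge firewall records session
    reply = syn_out.reply()                            # step 3: server answers from port 80
    reply_allowed = fw.inbound(reply, now=1)
    delivered = router.inbound(reply)                  # mapping sends it back to the client
    stray = Packet("tcp", "203.0.113.99", 40000, router.public_ip, 22)   # nobody asked
    q_out = router.outbound(Packet("udp", client, pick_ephemeral_port({sport}), dns, 53))
    fw.outbound(q_out, now=10)
    return {
        "translated_src": (syn_out.src_ip, syn_out.src_port),
        "reply_allowed": reply_allowed,
        "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "stray_allowed": fw.inbound(stray, now=2),
        "stray_mapped": router.inbound(stray),
        "dns_reply_prompt": fw.inbound(q_out.reply(), now=20),
        "dns_reply_late": fw.inbound(q_out.reply(), now=60),
    }


if __name__ == "__main__":
    print(run_walkthrough())
```

Two things the run makes visible. First, the unsolicited SYN to port 22 is dropped twice over: the firewall has no session for it and the router has no mapping for it, which is why an inbound-only rule set on a PAT edge is usually redundant with the translation table. Second, the late DNS reply is refused although it is a perfectly well-formed answer to a real query; UDP has no FIN to close a session, so the timer is the only thing that ends it, and long-running UDP protocols (VoIP, some VPNs) need keepalives shorter than the firewall's idle timeout.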
Enterprise Scenario 1: Web Server Deployment
A company deploys a public-facing web server hosting both HTTP and HTTPS. The server listens on TCP ports 80 and 443. The firewall allows inbound traffic to these ports from any source, but blocks all other inbound ports (e.g., 22, 3389) to prevent unauthorized access. Internal users access the server via a private IP, but external users reach it via the public IP after NAT. The network engineer configures the firewall with rules: permit tcp any any eq 80, permit tcp any any eq 443, deny ip any any. For management, SSH (port 22) is allowed only from a specific management subnet. Common misconfiguration: leaving port 80 open but forgetting to redirect HTTP to HTTPS, or accidentally exposing port 443 to the internet on a non-web server.
Enterprise Scenario 2: Email Server
An organization runs an email server that accepts incoming mail via SMTP (port 25), allows clients to retrieve mail via IMAP (port 143) and POP3 (port 110), and provides secure versions on ports 993 (IMAPS) and 995 (POP3S). The firewall must allow inbound TCP/25 from any external mail server, but block inbound 25 from internal clients (who should use port 587 for submission). Additionally, outbound TCP/25 is often restricted to the mail server only to prevent spam. The engineer must also configure SPF, DKIM, and DMARC records. Common issue: port 25 blocked by ISP for residential connections, requiring use of a smarthost on port 587.
Enterprise Scenario 3: VPN Remote Access
A company uses IPsec VPN with NAT traversal (UDP 4500) and L2TP/IPsec (UDP 1701). Remote employees connect from home. The firewall at the corporate edge must allow UDP 4500 and UDP 500 (IKE) from any external IP. Additionally, if using PPTP, TCP 1723 and GRE (protocol 47) must be allowed. Common misconfiguration: forgetting to allow ESP (protocol 50) or GRE, causing VPN to establish but no data transfer. Performance: IPsec adds overhead; MTU issues may require MSS clamping.
What N10-009 Tests
Objective 1.3: 'Explain the purposes and uses of ports and protocols.' The exam expects you to:
Match well-known port numbers to their protocols (TCP or UDP).
Identify which protocol uses TCP vs. UDP.
Know which ports are used for secure vs. unsecure versions.
Understand the difference between port numbers and protocol numbers.
Recognize common port numbers in network troubleshooting scenarios.
Most Common Wrong Answers
Confusing TCP and UDP for the same port: For example, DNS uses both UDP (queries) and TCP (zone transfers). The exam may ask 'Which protocol uses UDP port 53?' The answer is DNS, but candidates might pick 'HTTP' because they memorized port 80.
Mixing up port numbers: SMTP is 25, not 110 (POP3) or 143 (IMAP). POP3 is 110, IMAP is 143. Many candidates swap these.
Thinking secure variants use the same port: HTTPS is 443, not 80. IMAPS is 993, not 143. The exam loves to ask 'Which port is used for secure web traffic?' The wrong options will include 80.
Assuming all protocols use TCP: TFTP uses UDP (port 69), not TCP. DHCP uses UDP (67/68). SNMP uses UDP (161/162). Candidates often assume file transfer implies TCP, but TFTP is UDP.
Specific Numbers and Terms
Memorize this list exactly: 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67/68 (DHCP), 69 (TFTP), 80 (HTTP), 110 (POP3), 123 (NTP), 143 (IMAP), 161/162 (SNMP), 389 (LDAP), 443 (HTTPS), 445 (SMB), 3389 (RDP), 5060/5061 (SIP). Also know that RDP is TCP 3389, not UDP.
Edge Cases and Exceptions
FTP uses two ports: 20 (data) and 21 (control). The exam may ask 'Which port does FTP use for control?' Answer: 21.
DHCP uses UDP, but the server port is 67 and client port is 68. Not 67 for both.
DNS can use TCP for zone transfers, but the exam often says 'DNS uses UDP' as a general rule.
SNMP traps use port 162, queries use 161.
How to Eliminate Wrong Answers
If the question asks for a 'secure' protocol, look for a port different from the standard (e.g., 443 vs 80, 993 vs 143).
If the protocol is for 'file transfer', check if it's FTP (TCP 20/21) or TFTP (UDP 69).
If the question mentions 'encrypted remote administration', it's SSH (22), not Telnet (23).
For email retrieval, POP3 (110) typically downloads messages and deletes them from the server; IMAP (143) keeps them on the server.
Port numbers are 16-bit values from 0 to 65535, divided into well-known (0-1023), registered (1024-49151), and dynamic (49152-65535).
Memorize these port numbers: 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67/68 (DHCP), 69 (TFTP), 80 (HTTP), 110 (POP3), 123 (NTP), 143 (IMAP), 161/162 (SNMP), 389 (LDAP), 443 (HTTPS), 445 (SMB), 3389 (RDP), 5060/5061 (SIP).
TCP provides reliable, ordered delivery; UDP provides fast, connectionless delivery. Know which protocol each service uses.
Secure variants often use different ports: HTTPS (443), IMAPS (993), POP3S (995), SMTP submission (587 with STARTTLS) and SMTPS (465, implicit TLS).
FTP uses two ports: 21 (control) and 20 (data). TFTP uses UDP port 69.
DNS uses UDP port 53 for queries and TCP port 53 for zone transfers.
DHCP uses UDP ports 67 (server) and 68 (client).
SNMP uses UDP ports 161 (queries from the manager to agents) and 162 (traps from agents to the manager).
RDP is TCP port 3389. SIP uses UDP or TCP 5060 (cleartext) and TCP 5061 (TLS).
Firewalls filter by port numbers; stateful firewalls track connection state to allow return traffic.
Ephemeral ports are used by clients; well-known ports are used by servers.
IP protocol numbers (e.g., 1 for ICMP, 6 for TCP, 17 for UDP) are different from port numbers.
These come up on the exam all the time. Here's how to tell them apart.
TCP (Transmission Control Protocol)
Connection-oriented: establishes a session via three-way handshake.
Guaranteed delivery: uses acknowledgments and retransmission.
Ordered delivery: sequences segments and reassembles in order.
Flow control: uses windowing to manage data rate.
Used by: HTTP, HTTPS, FTP, SMTP, SSH, Telnet, POP3, IMAP.
UDP (User Datagram Protocol)
Connectionless: no handshake, sends datagrams directly.
No guaranteed delivery: best-effort, no ACKs.
No ordering: datagrams may arrive out of order.
No flow control: simple, low overhead.
Used by: DNS (queries), DHCP, TFTP, SNMP, NTP, VoIP (RTP).
Mistake
Port numbers are assigned by the OS dynamically and never conflict.
Correct
Port numbers can conflict if two applications try to bind to the same port on the same IP. The OS returns an error ('Address already in use'). Ephemeral ports are chosen to avoid conflicts, but well-known ports must be unique per service.
Mistake
TCP and UDP use the same port numbers for the same services.
Correct
Although DNS uses port 53 for both TCP and UDP, most services use only one. For example, HTTP uses TCP 80, not UDP 80. The port number space is shared, but the protocol is separate; a TCP socket and UDP socket on the same port can coexist.
Mistake
All ports below 1024 are reserved and cannot be used by applications.
Correct
On Unix/Linux, binding to ports below 1024 requires root privileges or the CAP_NET_BIND_SERVICE capability (and Linux lets an administrator move the boundary with the net.ipv4.ip_unprivileged_port_start sysctl), but a suitably privileged application can use them freely. On Windows there is no privileged-port concept; any user can bind to well-known ports. The IANA assignment is advisory and is not enforced by the OS: nothing stops a service from listening for something other than HTTP on port 80, which is why port number alone is weak evidence of what is actually running.
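The three corrections above (a second listener on the same port gets "Address already in use", a UDP socket on the same port number coexists with a TCP one, and well-known ports are a privilege question rather than a prohibition) can all be checked against the operating system directly. The following is an added example, not code from the page: it binds a TCP listener on an OS-chosen loopback port, tries the same port again over TCP and over UDP, then attempts a bind to port 1023, and reports what errno each attempt produced. The result of the last attempt depends on who runs it, which is the point.

```python
import errno
import socket


def bind_demo(host: str = "127.0.0.1") -> dict:
    """Bind the same port number several ways and record what the OS says each time."""
    out = {}
    tcp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp1.bind((host, 0))                       # port 0: the OS picks a free port
    tcp1.listen(1)
    port = tcp1.getsockname()[1]
    out["port"] = port

    # 1. A second TCP socket on the same IP:port (no SO_REUSEADDR) -> EADDRINUSE
    tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp2.bind((host, port))
        out["second_tcp"] = "allowed"
    except OSError as e:
        out["second_tcp"] = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        tcp2.close()

    # 2. A UDP socket on the same port number succeeds: TCP and UDP port spaces are separate
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        udp.bind((host, port))
        out["udp_coexists"] = True
    except OSError:
        out["udp_coexists"] = False
    finally:
        udp.close()
        tcp1.close()

    # 3. A well-known port: EACCES for an unprivileged Linux user, allowed for root or
    #    a process holding CAP_NET_BIND_SERVICE (or EADDRINUSE if something already has it)
    priv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        priv.bind((host, 1023))
        out["privileged_bind"] = "allowed"
    except OSError as e:
        out["privileged_bind"] = errno.errorcode.get(e.errno, str(e.errno))
    finally:
        priv.close()
    return out


if __name__ == "__main__":
    print(bind_demo())
```

Run it once as an ordinary user and once with root or the capability and compare "privileged_bind". The first two results do not change with privilege: the conflict is a property of the (protocol, IP, port) triple, and the coexistence is why a firewall rule for "port 53" must say whether it means TCP 53, UDP 53, or both.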
Mistake
FTP uses only port 21 for everything.
Correct
FTP uses port 21 for control commands and, in active mode, port 20 as the source of the data connection the server opens back to the client. In passive mode the server listens on a negotiated high port and the client connects to it, which is why passive mode works through client-side firewalls and NAT. The exam tests both 20 and 21.
Mistake
Port 443 is used for both HTTP and HTTPS.
Correct
Port 443 is specifically for HTTPS (HTTP over TLS); HTTP uses port 80. A browser given an https:// URL expects a TLS handshake on 443, so a server speaking plaintext HTTP there fails that handshake, and plaintext sent to a TLS listener is rejected as an invalid ClientHello.
HTTPS uses TCP port 443. It is the secure version of HTTP, using TLS (formerly SSL) encryption. Unlike HTTP (port 80), HTTPS encrypts all data between client and server. On the exam, remember that secure protocols often use a different port: HTTPS 443, IMAPS 993, POP3S 995, SMTP submission 587 (STARTTLS) or SMTPS 465 (implicit TLS).
A port number (16-bit) identifies a specific application or service at the transport layer (TCP or UDP). A protocol number (8-bit) in the IP header identifies the next-level protocol (e.g., 1=ICMP, 6=TCP, 17=UDP). They operate at different layers: protocol numbers at layer 3, port numbers at layer 4.
DNS uses UDP port 53 for standard queries because it is fast and low-overhead. However, DNS uses TCP port 53 for zone transfers (bulk data transfer between DNS servers) and when a response exceeds the classic 512-byte UDP limit: the server sets the truncation bit and the client retries over TCP (clients that negotiate EDNS can accept larger UDP responses, so the retry is less common than it once was). TCP ensures reliability and ordered delivery for large transfers.
FTP uses TCP port 20 as the server-side source port of the data connection in active mode. The control connection uses port 21. In passive mode the server opens a listening port in the high range, tells the client the number, and the client connects to it. The exam expects you to know both 20 and 21 for FTP.
Port 3389 is used by Remote Desktop Protocol (RDP) over TCP. While RDP can also use UDP for some features (like RemoteFX), the standard and most common is TCP. The CompTIA exam tests RDP as TCP 3389.
DHCP uses UDP port 67 for the server and UDP port 68 for the client. The client broadcasts on port 67, and the server responds to port 68. Do not confuse with DHCPv6, which uses different ports (546/547).
An ephemeral port is a short-lived transport layer port assigned by the OS to a client application when initiating an outbound connection. The port number is chosen from the dynamic range (49152-65535 by IANA convention; Linux defaults to 32768-60999) and is released when the connection ends. Because each concurrent connection from the same client to the same server gets its own source port, their 5-tuples differ and the OS can tell the conversations apart.