How to check listening ports on Linux

Topic: Networking basics

List which ports are listening and which process owns them using ss or netstat. Use this to confirm a service is bound to the expected address and port, to find what is using a port, or to verify before opening a firewall. Use ss -tlnp for TCP and -ulnp for UDP.

Intent: How-to

Quick answer

  • Run ss -tlnp for TCP listeners ( -u for UDP, -n for numeric); columns show local address:port, process (PID and name if root).
  • To find what is using port 80: ss -tlnp | grep :80 or ss -tlnp 'sport = :80'; the process name and PID are in the last column.
  • Listen on 0.0.0.0 means all interfaces; 127.0.0.1 means localhost only (not reachable from other hosts); use this to verify before allowing the port in the firewall.

Prerequisites

Steps

  1. List TCP listeners

    ss -tlnp ( -t TCP, -l listening, -n numeric, -p process); add -4 or -6 for IPv4 or IPv6 only. Output shows local address:port and the process that owns the socket.

  2. List UDP listeners

    ss -ulnp; UDP is stateless so 'listening' means the process has bound the port; same format as TCP for local address and process.

  3. Filter by port or address

    ss -tlnp 'sport = :80' or ss -tlnp 'dport = :443'; or pipe: ss -tlnp | grep :22. Use this to confirm nothing else is using the port you plan to assign.

  4. Interpret listen address

    0.0.0.0:80 means listen on all IPv4 interfaces (reachable from other hosts); 127.0.0.1:80 means localhost only. Prefer 0.0.0.0 for a server that must accept external connections (and use firewall to restrict).

Summary

Use ss (or netstat) to list listening TCP and UDP ports and the process that owns each. Use this to confirm a service is listening on the right address and port and to see what is using a port before changing config or firewall.

Prerequisites

Steps

Step 1: List TCP listeners

ss -tlnp
  • -t: TCP
  • -l: listening
  • -n: numeric (no DNS)
  • -p: process (PID and name; may require root)

Step 2: List UDP listeners

ss -ulnp

UDP has no connection state; a bound port appears as listening. Format is the same as TCP.

Step 3: Filter by port or address

ss -tlnp 'sport = :80'
ss -tlnp | grep :22

Use to confirm whether a given port is in use and by which process.

Step 4: Interpret listen address

  • 0.0.0.0:port: Listening on all IPv4 interfaces; reachable from other hosts (subject to firewall).
  • 127.0.0.1:port: Localhost only; not reachable from the network.
  • ::port or [::]:port: IPv6 all interfaces.

Verification

  • You can list all listening ports, filter by port number, and state whether each is reachable from the network or localhost only.

Troubleshooting

Port not listed but service claims to listen — Service may bind to another interface or port; check service config. Run ss as root to see process names.

Permission denied for -p — Process names require root; use sudo ss -tlnp or omit -p and match by port, then use ps to identify the PID.

Next steps

Continue to