What is Port Scanning?
Also: port scan · TCP/UDP scan · port enumeration · service scanning
Definition
Port scanning is the act of sending crafted packets to a host's TCP and UDP ports to learn which ports are open, closed, or filtered, and then identifying the services and versions listening behind the open ones. It is the foundational discovery step that turns an unknown IP address into a concrete inventory of reachable, attackable services.
In depth
Every networked service binds to a numbered port, and a port can be in one of three observable states: open (a service accepted the probe), closed (the host replied but nothing is listening), or filtered (a firewall silently dropped the probe so no conclusion can be drawn). A port scanner systematically probes a range of ports and infers these states from the responses.
The classic distinction is between a TCP connect scan and a TCP SYN scan. A connect scan (Nmap's -sT) uses the operating system's normal connect() call to complete the full three-way handshake (SYN, SYN/ACK, ACK), which requires no special privileges but is slower and is logged by the target application as a real connection. A SYN scan (Nmap's -sS) sends only a SYN, reads the SYN/ACK that signals an open port, then immediately sends a RST to tear the connection down before it completes. Because the handshake is never finished it is called half-open scanning; it is faster, generates less application-level logging, and requires raw-packet privileges (root or administrator).
UDP scanning (Nmap's -sU) is fundamentally harder and slower than TCP. UDP is connectionless, so an open UDP port often returns nothing at all, while a closed port returns an ICMP port-unreachable message. The scanner can therefore confirm 'open' only when the service answers an application-layer probe; silence is ambiguous between 'open' and 'filtered' (Nmap reports it as open|filtered), and ICMP rate limiting on most operating systems forces long waits between probes. This is why services like DNS, SNMP, NTP, and exposed databases that speak UDP are frequently missed by quick scans and require deliberate, patient UDP coverage to surface.
Knowing that a port is open is only half the job; the more valuable signal is what is actually listening there. Service and version detection (Nmap's -sV) interrogates each open port with a sequence of protocol-specific probes and compares the replies against the nmap-service-probes database, which holds roughly 6,500 pattern matches spanning over 650 protocols. From this it deduces the protocol (SSH, HTTP, SMTP, FTP), the application name and version number, sometimes the device type or operating system family, and Common Platform Enumeration (CPE) identifiers. A simpler relative of this is banner grabbing, where the scanner simply reads the greeting a service emits on connection. Version data matters because vulnerability decisions hinge on it: an open port 22 is unremarkable, but 'OpenSSH 7.4 on port 22' maps directly to known CVEs.
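The connect scan and the three port states described above, together with the banner grab, as an added example that is not Legba Recon's or Nmap's code. It assumes a loopback target and a constructed service banner, and is written for auditing hosts you administer; a real audit would replace port 1 with the port list you care about.

```python
import socket
import threading

# Added example, not Legba Recon's or Nmap's code; loopback target, port
# list and the service banner below are constructed assumptions.

def probe_tcp(host: str, port: int, timeout: float = 1.0) -> tuple[str, str]:
    """Connect-scan one port (Nmap -sT style) and grab its banner.
    A completed handshake is 'open', an RST (ECONNREFUSED) is 'closed',
    silence until the timeout is 'filtered'; anything else 'error:<errno>'."""
    banner = ""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered", banner
        except ConnectionRefusedError:
            return "closed", banner
        except OSError as exc:
            return f"error:{exc.errno}", banner
        # Banner grab: read the greeting a service sends on connect (SSH,
        # SMTP and FTP talk first; HTTP stays silent until it is asked).
        try:
            banner = s.recv(256).decode("utf-8", "replace").strip()
        except OSError:
            pass
    return "open", banner

def start_banner_service(banner: bytes) -> int:
    """Constructed stand-in for a real service: listen on a free loopback
    port, send `banner` to each client, hang up. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_banner_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    for p in (port, 1):  # port 1 is assumed to have nothing listening
        state, text = probe_tcp("127.0.0.1", p)
        print(f"{p:5d}/tcp {state:8s} {text}")
```

The 'filtered' branch only fires when nothing answers within the timeout, which is exactly the case a host-based firewall produces; on a tightly filtered host most of the scan time is spent waiting for those timeouts.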
Port scanning is distinct from, but feeds, several adjacent activities. Network discovery (host discovery) determines which IP addresses are alive at all before ports are probed; port scanning then enumerates services on those live hosts. Vulnerability scanning goes a step further, taking the discovered service and version data and matching it against vulnerability databases to flag exploitable weaknesses. Service fingerprinting and OS fingerprinting are the identification layers that sit on top of raw port-state results. In the EASM (External Attack Surface Management) context, port scanning is the engine that converts a list of resolved subdomains and IPs into the concrete, enumerable surface that everything else is built on. It is also an activity governed by responsible-use norms: scanning systems you do not own or have explicit authorization to test can violate computer-misuse laws and provider acceptable-use policies, so legitimate scanning is scoped, authorized, and rate-limited.
Why it matters
Attackers do not break into networks they cannot see; they break into the open port you forgot was listening. The cost of not running disciplined port scanning is paid in the gap between what you think is exposed and what actually answers the internet: a debug port left open after a deploy, a database bound to 0.0.0.0, an admin console reachable on a non-standard port. CISA's vulnerability scanning service exists precisely because internet-reachable open ports and risky services are where breaches begin, and it cross-references findings against the Known Exploited Vulnerabilities catalog. If you are not enumerating your own ports continuously, an adversary scanning the entire IPv4 space in minutes is building a more accurate inventory of your attack surface than you have, and they only need one stale, forgotten service to turn a missed scan into an incident.
How Legba Recon uses it
Legba Recon treats port scanning as the bridge between discovery and validation. After it resolves an organization's domains, subdomains, and IP ranges, Recon probes the relevant TCP and UDP port space to establish which ports are genuinely open versus filtered, then runs service and version detection to label each open port with its protocol, application, and version rather than guessing from the port number alone. That enriched fingerprint is what lets Recon move past 'port 3389 is open' to 'an exposed RDP service with these characteristics' and feed it into targeted validation checks for the specific exposures that matter. Recon performs this from the outside-in and within responsible-use limits, rate-limited and scoped to assets tied to your organization, so the report you receive mirrors what an external attacker would actually find while remaining safe to run against production.
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.