TCP/UDP port cheat sheet, 60+ services, search by number or name, copy in one click, browser-only
- Runs locally
- Category Developer & DevOps
- Best for Formatting, validating, shrinking, or inspecting code-adjacent text.
| Port | Protocol | Service |
|---|---|---|
| TCP | FTP Data — Active-mode FTP file transfer channel. The control channel is on 21; the server opens 20 back to the client to push file bytes. Well-known 0-1023 | |
| TCP | File Transfer Protocol — FTP control channel: login, directory listing and transfer commands. Plaintext, so credentials travel unencrypted unless wrapped in FTPS. Well-known 0-1023 | |
| TCP | Secure Shell — Encrypted remote login and command execution. Also carries SCP, SFTP file transfer and git-over-ssh. The default target for any ssh user@host. Well-known 0-1023 | |
| TCP | Telnet — Legacy plaintext remote terminal. Everything including passwords is sent in the clear, so it is replaced by SSH almost everywhere. Well-known 0-1023 | |
| TCP | Simple Mail Transfer Protocol — Server-to-server email relay. Many home ISPs block outbound 25 to fight spam, so clients submit mail on 587 instead. Well-known 0-1023 | |
| TCP/UDP | Domain Name System — Name resolution. UDP for normal queries, TCP for large responses and zone transfers. Every domain lookup on the internet starts here. Well-known 0-1023 | |
| UDP | DHCP Server — The server side of automatic IP address assignment. The client broadcasts from 68 and the server answers on 67. Well-known 0-1023 | |
| UDP | DHCP Client — The client side of DHCP. A booting machine listens here for the lease offer that hands it an IP, gateway and DNS. Well-known 0-1023 | |
| UDP | Trivial File Transfer Protocol — Minimal UDP file transfer with no authentication. Used for PXE network boot and pushing firmware to routers and switches. Well-known 0-1023 | |
| TCP | HyperText Transfer Protocol — Unencrypted web traffic. Most public sites now redirect 80 to 443; it stays open mainly to perform that redirect to HTTPS. Well-known 0-1023 | |
| TCP | Post Office Protocol v3 — Downloads email from the server, traditionally deleting it after. Largely superseded by IMAP, which keeps mail on the server. Well-known 0-1023 | |
| UDP | Network Time Protocol — Clock synchronisation. A drifting clock breaks TLS certificate validation and TOTP two-factor codes, so NTP quietly matters a lot. Well-known 0-1023 | |
| TCP | Internet Message Access Protocol — Reads email while keeping it on the server, syncing folders and read state across devices. The encrypted variant IMAPS is on 993. Well-known 0-1023 | |
| UDP | Simple Network Management Protocol — Polls switches, routers and printers for metrics like interface counters and CPU load. Traps (alerts) go to the manager on 162. Well-known 0-1023 | |
| UDP | SNMP Trap — The alert channel of SNMP: devices push unsolicited trap notifications to the management station instead of waiting to be polled. Well-known 0-1023 | |
| TCP | Lightweight Directory Access Protocol — Directory queries and authentication, the backbone of Active Directory and corporate single sign-on. The TLS variant LDAPS is on 636. Well-known 0-1023 | |
| TCP | HTTP over TLS — Encrypted web traffic. The default for every modern site, also where HTTP/2 and HTTP/3 (over QUIC/UDP) negotiate. The most-opened port on the internet. Well-known 0-1023 | |
| TCP | SMB / Microsoft-DS — Windows file and printer sharing. A frequent ransomware vector (EternalBlue), so it should never be exposed to the public internet. Well-known 0-1023 | |
| TCP | SMTP over TLS — Mail submission wrapped in implicit TLS from the first byte. Came back into favour after 587-with-STARTTLS as a simpler always-encrypted option. Well-known 0-1023 | |
| UDP | Syslog — The classic UNIX log shipping protocol. Network devices and servers stream log lines to a central collector here, usually over UDP. Well-known 0-1023 | |
| TCP | Mail Submission (STARTTLS) — The modern port for an email client to submit outgoing mail, upgraded to TLS via STARTTLS. Use this, not 25, for sending from an app. Well-known 0-1023 | |
| TCP | LDAP over TLS — The encrypted form of LDAP directory access. Required when binding with credentials so they are not sniffed on the wire. Well-known 0-1023 | |
| TCP/UDP | DNS over TLS / QUIC — Encrypted DNS so resolvers and ISPs cannot read your lookups in plaintext. TCP for DoT, UDP for the newer DNS-over-QUIC. Well-known 0-1023 | |
| TCP | rsync Daemon — The native rsync daemon protocol for fast incremental file sync and mirroring, distinct from running rsync tunnelled over SSH on 22. Well-known 0-1023 | |
| TCP | FTPS Data — The data channel of FTP wrapped in implicit TLS. Pairs with the control channel on 990 to encrypt legacy file transfers. Well-known 0-1023 | |
| TCP | FTPS Control — FTP control channel with implicit TLS from connect. Encrypts the credentials and commands that plain FTP on 21 sends in the clear. Well-known 0-1023 | |
| TCP | IMAP over TLS — Encrypted IMAP. This is what a mail app actually connects to today for reading mail securely; plain 143 is rarely used directly. Well-known 0-1023 | |
| TCP | POP3 over TLS — Encrypted POP3 for downloading mail over TLS. The secure counterpart to plaintext 110. Well-known 0-1023 | |
| TCP | SOCKS Proxy — A general-purpose proxy that forwards arbitrary TCP (and UDP) connections, used for tunnelling, circumvention and ssh -D dynamic proxies. Registered 1024-49151 | |
| TCP | Microsoft SQL Server — The default listener for Microsoft SQL Server. Should sit behind a firewall; exposing it invites brute-force and injection scans. Registered 1024-49151 | |
| TCP | Oracle Database Listener — The Oracle TNS listener that brokers client connections to an Oracle database instance. Registered 1024-49151 | |
| TCP | PPTP VPN — An old Microsoft VPN protocol. Cryptographically broken and deprecated; modern setups use WireGuard or OpenVPN instead. Registered 1024-49151 | |
| TCP/UDP | Network File System — UNIX network file sharing that mounts remote directories as if local. Common in clusters and homelab NAS setups. Registered 1024-49151 | |
| TCP | Docker API (plain) — The unencrypted Docker daemon REST API. Anyone reaching it gets root on the host, so it must never be exposed without TLS on 2376. Registered 1024-49151 | |
| TCP | Docker API (TLS) — The TLS-protected Docker daemon API with mutual-certificate auth. The only safe way to expose Docker to a remote client. Registered 1024-49151 | |
| TCP | etcd Client API — The client API of etcd, the distributed key-value store behind Kubernetes. Peer traffic between etcd nodes uses 2380. Registered 1024-49151 | |
| TCP | Dev Server / Grafana — A de-facto default for local dev servers (Node, Next.js, Rails) and the Grafana dashboard. Not IANA-assigned, just convention. Registered 1024-49151 | |
| TCP | MySQL / MariaDB — The default port for MySQL and MariaDB. App code connects here; bind it to localhost or a private network rather than 0.0.0.0. Registered 1024-49151 | |
| TCP | Remote Desktop Protocol — Windows graphical remote desktop. A top brute-force and ransomware target, so put it behind a VPN rather than facing the internet. Registered 1024-49151 | |
| TCP/UDP | Session Initiation Protocol — Sets up and tears down VoIP calls and video sessions. The encrypted variant SIPS runs on 5061. Registered 1024-49151 | |
| TCP | PostgreSQL — The default port for PostgreSQL. Like any database port, keep it off the public internet and use SSL plus host-based auth. Registered 1024-49151 | |
| TCP | AMQP / RabbitMQ — The Advanced Message Queuing Protocol, the default for RabbitMQ brokers. The management web UI is on a separate port, 15672. Registered 1024-49151 | |
| TCP | Virtual Network Computing — Cross-platform graphical remote control. Display :0 is 5900, :1 is 5901, and so on. Tunnel it over SSH rather than exposing it raw. Registered 1024-49151 | |
| TCP | WinRM (HTTP) — Windows Remote Management over HTTP, used by PowerShell Remoting and Ansible to drive Windows hosts. The HTTPS variant is 5986. Registered 1024-49151 | |
| TCP | Redis — The default Redis port. Redis has no auth by default, so an exposed 6379 is a classic data-leak and crypto-mining entry point. Registered 1024-49151 | |
| TCP | Kubernetes API Server — The HTTPS endpoint of the Kubernetes control plane that kubectl and every controller talk to. Guard it with strong RBAC. Registered 1024-49151 | |
| TCP | Internet Relay Chat — The classic real-time text chat protocol still used by open-source communities. TLS-encrypted IRC commonly runs on 6697. Registered 1024-49151 | |
| TCP | HTTP Alternate / Dev — A common alternate HTTP port for local dev servers and Python http.server. Convention, not an IANA assignment for browsing. Registered 1024-49151 | |
| TCP | HTTP Alternate / Proxy — The most common alternate HTTP port: app servers behind a reverse proxy (Tomcat, Jenkins, many containers) and forward proxies listen here. Registered 1024-49151 | |
| TCP | HTTPS Alternate — A common alternate HTTPS port for admin consoles and app servers (Tomcat SSL, Kubernetes dashboards) that should not sit on 443. Registered 1024-49151 | |
| TCP | InfluxDB HTTP API — The HTTP API and write endpoint of InfluxDB, the time-series database often paired with Grafana for metrics dashboards. Registered 1024-49151 | |
| TCP | PHP-FPM / SonarQube — A heavily reused port: PHP-FPM FastCGI, the MinIO/SonarQube consoles and Portainer all default here, so collisions are common. Registered 1024-49151 | |
| TCP | Prometheus — The Prometheus monitoring server web UI and query API. It scrapes metrics from targets that usually expose them on 9100, 9091, etc. Registered 1024-49151 | |
| TCP | Apache Kafka — The default broker port for Apache Kafka. Producers and consumers connect here to publish and subscribe to event streams. Registered 1024-49151 | |
| TCP | Elasticsearch HTTP — The Elasticsearch / OpenSearch REST API. Node-to-node transport uses 9300. An open 9200 with no auth has leaked many databases. Registered 1024-49151 | |
| TCP/UDP | Memcached — An in-memory cache with no built-in auth. Its UDP side was abused for massive amplification DDoS, so bind it to localhost only. Registered 1024-49151 | |
| TCP | RabbitMQ Management UI — The web management dashboard for RabbitMQ, separate from the AMQP message port on 5672. Used to inspect queues and connections. Registered 1024-49151 | |
| TCP | Minecraft Server — The default port for a Java-edition Minecraft server. Friends connect to your IP on this port to join the world. Registered 1024-49151 | |
| TCP | MongoDB — The default MongoDB port. Early versions bound to 0.0.0.0 with no auth, causing famous mass ransom incidents — bind it privately. Registered 1024-49151 | |
| TCP/UDP | Source Engine Games — The default for Valve Source-engine game servers (Counter-Strike, Team Fortress 2). UDP carries gameplay, TCP the optional RCON console. Registered 1024-49151 | |
| UDP | WireGuard VPN — The default UDP port for WireGuard, the modern lightweight VPN. There is no listening TCP port; all traffic is UDP by design. Dynamic 49152-65535 | |
| TCP/UDP | Echo Protocol — A diagnostic service that bounces back whatever bytes it receives. Almost always disabled now, since it can be abused as a UDP amplification reflector. Well-known 0-1023 | |
| TCP/UDP | Character Generator — A legacy test service that spews a stream of characters. Like echo, its UDP form is a classic DDoS amplification vector, so keep it off. Well-known 0-1023 | |
| TCP/UDP | Time Protocol (RFC 868) — An old clock service returning the seconds since 1900 as a 32-bit number. Superseded by NTP on 123, which gives far better precision. Well-known 0-1023 | |
| TCP | WHOIS — Queries registration records for a domain or IP block: registrar, registrant and nameservers. The whois CLI connects straight here. Well-known 0-1023 | |
| TCP/UDP | Kerberos — The ticket-granting authentication protocol at the core of Active Directory and many enterprise single sign-on setups. Well-known 0-1023 | |
| TCP/UDP | ONC RPC Portmapper — The portmapper that tells clients which dynamic ports NFS and other RPC services live on. Exposing it leaks your internal service map. Well-known 0-1023 | |
| TCP | Network News Transfer Protocol — Carries Usenet newsgroup articles between servers and to readers. Largely historical now but still alive in a few corners of the internet. Well-known 0-1023 | |
| UDP | NetBIOS Name Service — Legacy Windows name resolution on the LAN. It leaks hostnames and is a recon target, so block it at the network edge. Well-known 0-1023 | |
| TCP | NetBIOS Session — The older session channel for Windows file sharing before SMB moved to 445. Often still open on legacy hosts and a frequent scan target. Well-known 0-1023 | |
| TCP | Border Gateway Protocol — The protocol that exchanges routing tables between autonomous systems and effectively glues the whole internet together. Well-known 0-1023 | |
| TCP | IRC (IANA-assigned) — The IANA-assigned port for Internet Relay Chat. In practice most networks listen on 6667 instead, with 194 rarely used. Well-known 0-1023 | |
| TCP/UDP | Service Location Protocol — A discovery protocol used by VMware ESXi and some NAS gear. Exposed SLP has been weaponised for huge DDoS amplification, so firewall it. Well-known 0-1023 | |
| UDP | IPsec IKE — The key-exchange phase of IPsec VPNs. It negotiates the tunnel; the encrypted payload then flows over ESP or UDP 4500 when behind NAT. Well-known 0-1023 | |
| TCP | Kerberos rlogin — The Kerberos-authenticated version of the old BSD rlogin remote shell. Obsolete and replaced by SSH everywhere. Well-known 0-1023 | |
| TCP | Apple Filing Protocol — The native macOS network file-sharing protocol, used by Time Machine over the network. Apple now favours SMB, but AFP persists on older NAS. Well-known 0-1023 | |
| TCP | Internet Printing Protocol / CUPS — The Internet Printing Protocol behind CUPS on Linux and macOS. It both submits print jobs and serves the printer admin web UI. Well-known 0-1023 | |
| UDP | OpenVPN — The default port for OpenVPN, the long-standing TLS-based VPN. UDP is the default for speed; it can also run over TCP 443 to slip past firewalls. Registered 1024-49151 | |
| UDP | RADIUS Authentication — Centralised authentication for VPNs, Wi-Fi (WPA2-Enterprise) and network gear. Accounting runs on the neighbouring 1813. Registered 1024-49151 | |
| TCP | MQTT — The lightweight publish-subscribe protocol that dominates IoT messaging. Plaintext by default; the TLS variant listens on 8883. Registered 1024-49151 | |
| TCP | Apache ZooKeeper — The client port of ZooKeeper, the coordination service older Kafka and Hadoop clusters rely on for leader election and config. Registered 1024-49151 | |
| TCP/UDP | Oracle DB (no TLS) — The IANA-registered Oracle database port without SSL. The TLS-wrapped variant is 2484; many installs still default to the legacy 1521. Registered 1024-49151 | |
| TCP | iSCSI Target — Block storage over IP: a SAN exposes raw disks that hosts mount as local drives. Keep it on a dedicated storage network, never public. Registered 1024-49151 | |
| TCP/UDP | STUN / TURN — NAT-traversal helpers for WebRTC and VoIP. STUN discovers your public address; TURN relays media when a direct peer link is impossible. Registered 1024-49151 | |
| UDP | IPsec NAT Traversal — Carries IPsec ESP packets wrapped in UDP so the VPN can cross NAT gateways. Pairs with IKE on 500 to complete the tunnel. Registered 1024-49151 | |
| UDP | Multicast DNS / Bonjour — Zero-config local name resolution behind Apple Bonjour and Avahi. It is how .local hostnames and AirPlay or Chromecast discovery work. Registered 1024-49151 | |
| TCP | Kibana — The web dashboard for Kibana, the visualisation front end of the Elastic stack that queries Elasticsearch on 9200. Registered 1024-49151 | |
| TCP | Nagios NRPE — The Nagios Remote Plugin Executor, letting a Nagios server run check scripts on a remote host to gather monitoring data. Registered 1024-49151 | |
| TCP | WinRM (HTTPS) — Windows Remote Management over HTTPS, the encrypted counterpart to plain WinRM on 5985. Preferred for PowerShell Remoting and Ansible. Registered 1024-49151 | |
| TCP | Amazon Redshift — The default port for Amazon Redshift, the managed data warehouse. It speaks the PostgreSQL wire protocol but defaults to 5439, not 5432. Registered 1024-49151 | |
| TCP | Redis over TLS — The common convention for a TLS-enabled Redis listener, kept separate from the plaintext default on 6379 so both can run side by side. Registered 1024-49151 | |
| TCP | Cassandra Internode — The inter-node cluster communication port for Apache Cassandra. Clients connect separately on 9042; TLS internode traffic uses 7001. Registered 1024-49151 | |
| TCP | Cassandra CQL — The native CQL client port for Apache Cassandra and ScyllaDB. Application drivers connect here to read and write rows. Registered 1024-49151 | |
| TCP | Elasticsearch Transport — The binary node-to-node transport for an Elasticsearch / OpenSearch cluster, distinct from the REST API on 9200. Internal traffic only. Registered 1024-49151 | |
| TCP | CockroachDB — The default SQL client port for CockroachDB, the distributed SQL database. It speaks the PostgreSQL wire protocol, so psql can connect. Registered 1024-49151 | |
| TCP | RethinkDB Client — The client driver port for RethinkDB. Its web admin UI runs separately on 8080 and the intracluster port is 29015. Registered 1024-49151 | |
| TCP | Apache Spark Master — The cluster manager port that Spark workers and spark-submit jobs register with on a standalone Spark master. The web UI is on 8080. Registered 1024-49151 | |
| TCP | NATS Messaging — The client port for NATS, a high-throughput cloud-native messaging system. Its HTTP monitoring endpoint runs separately on 8222. Registered 1024-49151 | |
| TCP | ActiveMQ (OpenWire) — The default OpenWire broker port for Apache ActiveMQ. Its web console is on 8161, and STOMP clients use 61613. Dynamic 49152-65535 | |
| TCP | Hugo Dev Server — The default port for the Hugo static-site generator dev server with live reload. A convention, not an IANA assignment. Registered 1024-49151 | |
| TCP | Jekyll / Phoenix Dev — A common local dev-server port: Jekyll serves its preview here, and Elixir Phoenix defaults to it too. Convention rather than assigned. Registered 1024-49151 | |
| TCP | Angular CLI Dev Server — The default port for ng serve, the Angular CLI development server. Convention, easily changed with --port. Registered 1024-49151 | |
| TCP | Vite Dev Server — The default port for the Vite dev server, used by modern Vue, React and Svelte projects. Vite picks the next free port if it is taken. Registered 1024-49151 | |
| TCP | Jupyter Notebook — The default port for Jupyter Notebook and JupyterLab. Access is token-protected by default; never expose it raw to the internet. Registered 1024-49151 | |
| TCP | Expo Dev Server — The default port for the Expo development server used in React Native projects. The Metro bundler runs alongside it. Registered 1024-49151 | |
| TCP | etcd Peer — The peer-to-peer port etcd nodes use to replicate and elect a leader, distinct from the client API on 2379. Internal cluster traffic only. Registered 1024-49151 | |
| TCP | HashiCorp Vault — The HTTP API and UI port for HashiCorp Vault, the secrets manager. Always front it with TLS since it brokers your most sensitive credentials. Registered 1024-49151 | |
| TCP | HashiCorp Consul — The HTTP API and web UI of HashiCorp Consul for service discovery and health checks. The DNS interface answers on 8600. Registered 1024-49151 | |
| TCP | Prometheus Alertmanager — The Alertmanager that receives alerts from Prometheus on 9090 and routes them to email, Slack or PagerDuty after grouping and silencing. Registered 1024-49151 | |
| TCP | Prometheus Node Exporter — The default port where the Prometheus node exporter publishes host metrics (CPU, memory, disk) for the Prometheus server to scrape. Registered 1024-49151 | |
| TCP | Grafana Loki — The HTTP port for Grafana Loki, the log-aggregation system designed to pair with Grafana the way Prometheus pairs for metrics. Registered 1024-49151 | |
| UDP | Minecraft Bedrock — The default UDP port for a Minecraft Bedrock-edition server, distinct from the Java edition on TCP 25565. Mobile and console clients use it. Registered 1024-49151 | |
| TCP/UDP | Mumble Voice Server — The default port for a Mumble (Murmur) low-latency voice server. TCP carries control and TLS, UDP carries the encrypted voice stream. Dynamic 49152-65535 | |
| TCP | Minecraft RCON — The default remote-console port for administering a Minecraft server, letting operators run commands over the network. Protect it with a strong password. Registered 1024-49151 | |
| TCP/UDP | Xbox Live — The main port Xbox Live consoles use for multiplayer matchmaking and voice. Routers often need it forwarded for an open NAT type. Registered 1024-49151 | |
| TCP | Squid Proxy — The default port for the Squid caching forward proxy. Clients route HTTP through it for caching, filtering or access control. Registered 1024-49151 | |
| TCP/UDP | Shadowsocks — A frequently used default for a Shadowsocks encrypted proxy server. The port is configurable and often changed to blend in with normal traffic. Registered 1024-49151 | |
| UDP | SSDP / UPnP Discovery — The discovery layer of UPnP that finds smart TVs, printers and media servers on the LAN. Exposed SSDP is a known DDoS amplification vector. Registered 1024-49151 | |
| TCP/UDP | LLMNR — Link-Local Multicast Name Resolution, a Windows fallback for resolving names when DNS fails. A classic target for credential-spoofing attacks. Registered 1024-49151 | |
| TCP | MQTT over TLS — The TLS-secured form of MQTT, the encrypted counterpart to plaintext 1883. The right choice for any IoT messaging crossing the public internet. Registered 1024-49151 | |
| TCP | IRC over TLS — The de-facto port for TLS-encrypted IRC, the secure counterpart to plaintext 6667. Most modern IRC networks default to it. Registered 1024-49151 | |
| TCP | SIP over TLS — The TLS-secured form of SIP, the encrypted counterpart to plaintext 5060. It protects VoIP call signalling from interception. Registered 1024-49151 |
What this tool does
A searchable cheat sheet of the network ports you actually run into. Type a port number (22, 443, 3306) or a service keyword (ssh, https, redis) and the table filters to matching rows instantly. Each row gives the port number, the transport protocol (TCP, UDP or both), the service name, a one-line plain-language note on what runs there, and the IANA range it belongs to: well-known (0-1023), registered (1024-49151) or dynamic (49152-65535). It covers 60+ services every developer and ops engineer meets: FTP 20/21, SSH 22, Telnet 23, SMTP 25, DNS 53, HTTP 80, POP3 110, IMAP 143, HTTPS 443, MySQL 3306, PostgreSQL 5432, Redis 6379, MongoDB 27017, RDP 3389, the 8080 proxy port, AMQP 5672, Elasticsearch 9200 and more. Click any port or service to copy it. The whole thing is a static table baked into the page, so there is no upload, no API call and no logging, and your search term rides in the URL so a filtered view is shareable. Use it to remember which port to open in a firewall, to label a docker-compose port mapping, or to recognise an unfamiliar port in a log line.
Tool details
- Input
- Text
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy + Preview
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- Shareable URL state
- Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget
- Initial JS <= 12 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Developer & DevOps · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How Common Ports Reference fits into your work
Use it in the small gaps between coding, reviewing, debugging, and shipping.
Developer jobs
- Formatting, validating, shrinking, or inspecting code-adjacent text.
- Preparing snippets for documentation, tickets, commits, or handoff.
- Checking a small payload quickly without switching tools.
Developer checks
- Run irreversible transforms like minify or obfuscate on a copy.
- Keep secrets out of pasted snippets unless the tool explicitly stays local.
- Use your normal tests or linter before shipping transformed code.
Good next steps
These links move the current task into a more complete workflow.
- 1 HTTP Status Code Explorer HTTP status code explorer — all 70+ codes with meaning, common causes, real examples, and what to check. Open
- 2 DNS Record Explainer DNS record explainer — all 18 common record types (A, AAAA, CNAME, MX, TXT, SRV, etc.) with syntax, examples, and gotchas. Open
- 3 IP Subnet Calculator (CIDR) Type an IPv4 CIDR and get network, broadcast, host range, mask, wildcard, class and subnet splits — browser-only. Open
Real-world use cases
Open the right port in a firewall or security group
You are writing a cloud security-group rule and need to allow your web app and its database. Search https to confirm 443, search postgres to confirm 5432, and open exactly those two inbound. The range tag reminds you that database ports are registered ports that should face a private subnet, not 0.0.0.0/0, so you scope the source range tightly instead of opening the world.
Label a docker-compose or Kubernetes port mapping
You are mapping container ports in a compose file and cannot recall whether Redis is 6379 or 6739. Search redis, copy 6379, and write the mapping with confidence. For a stack of services, look each one up in turn (Kafka 9092, RabbitMQ 5672 plus its 15672 UI, Elasticsearch 9200) so every published port in the file is the real default and nothing collides.
Recognise an unfamiliar port in a log or netstat output
A connection log shows traffic to port 11211 and you do not recognise it. Search the number here, find it is Memcached, read the note that its UDP side has been abused for amplification DDoS, and immediately know it should be bound to localhost. The reference turns a bare number in a log line into something you can act on.
Study for a networking certification or interview
Preparing for CompTIA Network+, Security+ or a systems interview means memorising the default ports cold. Filter by the well-known range to drill the 0-1023 classics, search by service to test yourself in reverse, and use the one-line notes to anchor each port to a real scenario instead of rote numbers, which is what an interviewer actually probes.
Common pitfalls
Assuming a port number is the same on TCP and UDP. They are separate address spaces; 53 TCP and 53 UDP can host different services. DNS uses both for different jobs, which is why several rows are marked TCP/UDP.
Reading the port off a log and assuming the standard service is what is running. The reference shows the conventional purpose; anything can bind any port. Verify with a live ss -tulpn or netstat -ano before you trust it.
Exposing a database or cache port (3306, 5432, 6379, 27017) to 0.0.0.0 on the public internet. These default to weak or no authentication; bind them to localhost or a private subnet and firewall them, or you join the long list of mass-ransom victims.
Confusing the well-known boundary. Well-known ports end at 1023, not 1024. Port 1024 is the first registered port. Off-by-one here trips people on certification exams and when reasoning about which ports need root to bind.
Privacy
This tool is a static port table compiled into the page. There is no server call, no scan of your machine, and no logging of what you search. The only data that can leave your browser is the optional shareable URL, which encodes your current search term (for example ?q=ssh) in the query string so a colleague lands on the same filtered view. That term is harmless for normal lookups, but query strings do show up in browser history and server access logs, so if you ever search something you would rather not record, copy the result manually instead of sharing the URL.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- 555 Timer Calculator Astable f = 1.44/((R1+2R2)C) + monostable t = 1.1RC — pick R1, R2, C in Ω/kΩ and µF/nF, read frequency, duty cycle and pulse width — browser-only
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Affine Cipher Encoder & Decoder Encrypt and decrypt the ax+b affine cipher with live modular-inverse check, browser-only