Nmap (TCP-connect)

Polite TCP-connect port scan of a single public host (max 128 ports) with optional banner grab.

Port states
open
— TCP handshake completed; a service is listening on that port.
closed
— host actively refused the connection (RST / ECONNREFUSED). The host is reachable; nothing is listening on that port.
filtered
— no response before the timeout. A firewall is most likely dropping the probe; the port's true state can't be determined.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does the Port Scanner check?

It performs TCP connect scans against a public host, reporting which ports are open, closed, or filtered. An optional banner grab reads the initial response from each open port to identify the service. This is a polite, sequential scan — not a stealth scan — and only works against public IP addresses.

What is the difference between open, closed, and filtered ports?

Open — a service accepted the TCP connection. Closed — the host responded with TCP RST (port is accessible but no service is listening). Filtered — no response received within the timeout (a firewall is dropping packets without responding). Filtered ports are the hardest to scan reliably because timeouts are slow.

Which ports should I scan first?

Common well-known ports: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 8080/8443 (alternate HTTP/HTTPS), 27017 (MongoDB). Open database or cache ports (Redis, MongoDB) on public IPs are serious security risks — they should never be publicly accessible.

Do I need permission to scan a host?

Yes — port scanning systems you don't own or have explicit permission to test is illegal in many jurisdictions and violates most hosting providers' terms of service. This tool is intended for scanning your own infrastructure. An IP ownership check is performed before scanning; targets that fail ownership verification are blocked.