Ports and Sockets: How Devices Communicate
Ports are logical endpoints that identify specific services on a device, while sockets combine IP address and port to establish communication between applications over a network.
Ports and Sockets
When two devices communicate over a network, an IP address alone is not enough to deliver data to the right place. Ports and sockets are the mechanisms that make it possible to run dozens of networked applications simultaneously on a single device, each receiving only the traffic intended for it.
What Is a Port
A port is a numerical identifier that specifies which application or service on a device should receive incoming network traffic. If an IP address is like the street address of a building, a port is like the apartment number inside it. The IP address gets the data to the right machine, and the port number gets it to the right application running on that machine.
Port numbers range from 0 to 65535. This range is divided into three categories. Well-known ports from 0 to 1023 are reserved for common system services; on Unix-like systems, binding to one of them requires administrator (root) privileges. Registered ports from 1024 to 49151 are assigned to specific applications and services by the Internet Assigned Numbers Authority (IANA). Dynamic or ephemeral ports from 49152 to 65535 are assigned temporarily by the operating system to client applications when they initiate outbound connections.
Every network connection involves two ports: one on the server side, which is typically a well-known or registered port that the service listens on permanently, and one on the client side, which is a temporary ephemeral port assigned for the duration of that connection. When the connection ends, the ephemeral port is released and becomes available for reuse.
Common Well-Known Ports
Well-known ports are standardised assignments that allow clients to know which port to connect to without any prior negotiation. When your browser wants to load a website over HTTPS, it knows to connect to port 443 because that is the universally agreed port for HTTPS traffic. This standardisation is what makes the internet interoperable across billions of devices and software implementations.
| Port | Protocol | Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol for uploading and downloading files |
| 22 | TCP | SSH | Secure Shell for encrypted remote terminal access |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol for sending email |
| 53 | TCP/UDP | DNS | Domain Name System for resolving domain names to IP addresses |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 110 | TCP | POP3 | Post Office Protocol for retrieving email from a server |
| 143 | TCP | IMAP | Internet Message Access Protocol for managing email on a server |
| 443 | TCP | HTTPS | Encrypted web traffic over TLS |
| 3306 | TCP | MySQL | MySQL database server connections |
| 5432 | TCP | PostgreSQL | PostgreSQL database server connections |
| 6379 | TCP | Redis | Redis in-memory data store connections |
| 27017 | TCP | MongoDB | MongoDB database server connections |
What Is a Socket
A socket is the combination of an IP address and a port number that together uniquely identify one endpoint of a network connection. If a port tells you which application to deliver data to, a socket tells you precisely which connection on which machine at which port is involved. A socket is the full address of a communication endpoint.
Sockets are always paired. A complete network connection consists of two sockets: one on the client side and one on the server side. Together they form a four-tuple that uniquely identifies the connection across the entire network: the client IP address, the client port, the server IP address, and the server port. No two active connections on the internet share the same four-tuple simultaneously, which is what allows the network to route each packet to exactly the right destination.
```text
Client socket: 192.168.1.10:54823 (ephemeral port assigned by OS)
Server socket: 93.184.216.34:443 (well-known HTTPS port)

Full connection four-tuple:
192.168.1.10:54823 <--> 93.184.216.34:443
```
The operating system uses this four-tuple to demultiplex incoming packets: it matches each packet's source and destination IP addresses and ports against its table of sockets to determine which socket, and therefore which application process, should receive the packet. A packet that matches no established connection is handed to whatever socket is listening on the destination port, and if nothing is listening there it is rejected. This is how a machine running a web server on port 443, a database on port 5432, and an SSH daemon on port 22 can receive traffic on all three simultaneously without any data ending up in the wrong place.
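The lookup just described, as an added example that is not part of the article: a small model of the OS socket table in which an inbound packet first tries an exact four-tuple match (an established connection) and only then a listener on the destination port. The socket table, process names and addresses are constructed for illustration.

```python
# Added example (not from the article): a model of the OS socket lookup
# that routes each inbound TCP packet using the four-tuple.
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed socket table for one host (hypothetical process names).
# Established connections are keyed by the full four-tuple as seen from
# the inbound packet: (remote ip, remote port, local ip, local port).
ESTABLISHED = {
    ("192.168.1.10", 54823, "93.184.216.34", 443): "web server, client A",
    ("192.168.1.11", 50001, "93.184.216.34", 443): "web server, client B",
}
# Listeners are keyed by (local ip, local port); "0.0.0.0" means any interface.
LISTENING = {
    ("0.0.0.0", 443): "web server (listening)",
    ("0.0.0.0", 22): "sshd (listening)",
    ("127.0.0.1", 5432): "postgres (listening, loopback only)",
}


def demultiplex(pkt: Packet) -> Optional[str]:
    """Return the socket owner for an inbound packet, or None (no socket: RST)."""
    # 1. An exact four-tuple match means an established connection owns it.
    key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    if key in ESTABLISHED:
        return ESTABLISHED[key]
    # 2. Otherwise it is a new connection attempt: find a listener on the
    #    destination port, bound to that address or to the wildcard.
    for local_ip in (pkt.dst_ip, "0.0.0.0"):
        owner = LISTENING.get((local_ip, pkt.dst_port))
        if owner is not None:
            return owner
    # 3. Nothing listens there: the port is closed.
    return None


if __name__ == "__main__":
    print(demultiplex(Packet("192.168.1.10", 54823, "93.184.216.34", 443)))
    print(demultiplex(Packet("192.168.1.12", 40000, "93.184.216.34", 5432)))
```

Note that the packet aimed at port 5432 from the network gets no socket at all, because the database listener is bound to loopback only.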
How Ports and Sockets Work Together
Understanding how ports and sockets interact during a real connection makes the abstract concepts concrete. The following sequence describes what happens when a browser opens an HTTPS connection to a web server.
- The browser decides to connect to a web server at IP address 93.184.216.34 on port 443
- The operating system assigns an ephemeral port, for example 54823, to this outbound connection on the client side
- A client socket is created representing the local endpoint: 192.168.1.10:54823
- The browser initiates a TCP handshake with the server socket at 93.184.216.34:443
- The server accepts the connection and the full four-tuple is established
- Data flows in both directions over this specific socket pair until the connection is closed
- When the connection closes, the ephemeral port 54823 is released back to the OS pool
A web server can handle thousands of simultaneous connections on the same port 443 because each connection is distinguished by the client's unique IP and ephemeral port combination. The server port stays the same across all connections. It is the client side of the four-tuple that makes each connection unique.
TCP Ports vs UDP Ports
Ports exist in two separate namespaces corresponding to the two main transport protocols: TCP and UDP. Port 80 on TCP and port 80 on UDP are independent of each other. A service can listen on TCP port 80 without affecting anything that might use UDP port 80, though in practice most services use one transport protocol or the other rather than both.
| Feature | TCP Ports | UDP Ports |
|---|---|---|
| Connection type | Connection-oriented, requires handshake before data flows | Connectionless, data is sent without prior setup |
| Reliability | Guaranteed delivery with retransmission of lost packets | No guaranteed delivery, lost packets are not resent |
| Ordering | Data arrives in the order it was sent | Packets may arrive out of order or not at all |
| Speed | Slower due to handshake and acknowledgement overhead | Faster with less overhead, suitable for real-time traffic |
| Common uses | HTTP, HTTPS, SSH, email, database connections | DNS, DHCP, video streaming, online gaming, VoIP |
Choosing between TCP and UDP affects which port namespace is used and what behaviour the application can expect from the transport layer. Applications that need every byte to arrive correctly and in order use TCP. Applications where speed matters more than perfect reliability, such as live video or gaming, often prefer UDP and handle any necessary error correction themselves at the application layer.
Listening, Binding, and Connecting
When a server application starts up, it goes through a sequence of steps to make itself available for incoming connections. Understanding these steps clarifies what it means for a port to be "open" and why certain errors occur when two services try to use the same port.
First, the application creates a socket. Then it binds the socket to a specific port number on a specific network interface, which tells the operating system that this application wants to receive traffic on that port. After binding, the application calls listen, which marks the socket as ready to accept incoming connections and sets up a queue for connection requests that arrive before the application has time to process them. Finally, when a client connects, the application calls accept, which creates a new dedicated socket for that specific client connection while the original socket continues listening for new ones.
If another application tries to bind to the same port on the same interface while the first is already using it, the operating system returns an error. This is the cause of the common "address already in use" error when starting a server. Only one application can bind to a given port on a given interface at a time, though multiple applications can listen on the same port using the SO_REUSEPORT socket option in Linux, which distributes incoming connections across multiple processes for load balancing purposes.
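The connection sequence from the previous section and the bind, listen, accept steps above, as an added example that is not part of the article: a server socket is bound to port 0 so the OS picks a free port, a client connects over loopback and receives an ephemeral port, both sides report the four-tuple they see, and a second bind to the same address and port produces the "address already in use" error. It uses only 127.0.0.1, so it runs offline.

```python
# Added example (not from the article): bind/listen/accept on loopback,
# the client's ephemeral port, and the error from a duplicate bind.
import errno
import socket
import threading


def run_exchange() -> dict:
    """Open one loopback TCP connection and report what each side sees."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    server.listen(5)                # backlog for not-yet-accepted clients
    server_port = server.getsockname()[1]
    accepted = {}

    def serve():
        # accept() returns a new socket dedicated to this one client;
        # `server` keeps listening for further connections.
        accepted["conn"], accepted["peer"] = server.accept()

    t = threading.Thread(target=serve)
    t.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))   # OS assigns the ephemeral port
    t.join()

    # A second listener on the same address and port must fail.
    dup = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        dup.bind(("127.0.0.1", server_port))
        dup_error = None
    except OSError as e:
        dup_error = errno.errorcode.get(e.errno)   # expected: "EADDRINUSE"
    finally:
        dup.close()

    result = {
        "client_socket": client.getsockname(),   # (ip, ephemeral port)
        "server_socket": client.getpeername(),   # (ip, listening port)
        "peer_seen_by_server": accepted["peer"],
        "server_port": server_port,
        "duplicate_bind_error": dup_error,
    }
    for s in (client, accepted["conn"], server):
        s.close()
    return result


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```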
Port Scanning and Security
Because open ports represent active services listening for connections, they are a natural target for attackers. Port scanning is the practice of systematically probing a range of ports on a target machine to identify which ones are open and what services are running behind them. Tools like Nmap are widely used for this purpose by both security professionals auditing their own infrastructure and attackers looking for vulnerabilities to exploit.
Reducing the attack surface of a server means closing any ports that do not need to be publicly accessible. A database server, for example, should not have its port exposed to the public internet. It should be bound only to a private network interface or localhost so that only applications on the same machine or trusted internal network can connect to it. Firewalls enforce these restrictions by blocking inbound connections on specific ports, providing a network-level layer of control on top of what the applications themselves expose.
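A defender-side check for the advice above, as an added example that is not part of the article: it parses the Linux /proc/net/tcp format (a constructed sample is embedded, with IPv4 addresses in the little-endian hex that x86 hosts produce) and flags database listeners, using the port numbers from the table above, that are bound to every interface instead of to loopback.

```python
# Added example (not from the article): find database listeners that are
# exposed on all interfaces, from a /proc/net/tcp style socket dump.
import socket
import struct

# Ports from the well-known-ports table that should not face the internet.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample: sshd and nginx on all interfaces, postgres on
# loopback only, mysql and redis exposed on 0.0.0.0, plus one established
# outbound HTTPS connection from an ephemeral port.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   998        0 1004 1 0000000000000000 100 0 0 10 0
   4: 00000000:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   997        0 1005 1 0000000000000000 100 0 0 10 0
   5: 0A00000A:E5B7 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1006 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(field: str):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); IPv4 is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) > 3 and fields[3] == LISTEN:
            yield parse_addr(fields[1])


def exposed_databases(proc_net_tcp: str):
    """Return [(service, ip, port)] for database listeners not on loopback."""
    findings = []
    for ip, port in listening_sockets(proc_net_tcp):
        if port in DATABASE_PORTS and not ip.startswith("127."):
            findings.append((DATABASE_PORTS[port], ip, port))
    return findings


if __name__ == "__main__":
    for service, ip, port in exposed_databases(SAMPLE):
        print(f"{service} is listening on {ip}:{port}, not loopback")
```

On a real host, read the text of /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners) in place of SAMPLE.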
Frequently Asked Questions
- What does it mean when a port is open or closed?
An open port means an application is actively listening on that port and is ready to accept incoming connections. A closed port means no application is listening on it, and the operating system will reject connection attempts with a reset signal. A filtered port, which firewalls create, means incoming packets are silently dropped rather than rejected, giving no response to the connecting party.
- Can two applications use the same port at the same time?
Not by default. The operating system prevents two applications from binding to the same port and protocol combination on the same network interface. If you try to start a second web server on port 80 while one is already running, the second will fail with an "address already in use" error. The exception is the SO_REUSEPORT socket option available on Linux, which intentionally allows multiple processes to share a port for load distribution purposes.
- What is an ephemeral port and how is it chosen?
An ephemeral port is a temporary port number assigned by the operating system to the client side of an outgoing connection. The OS picks a number from the ephemeral range, typically 49152 to 65535 on most systems, that is not already in use and assigns it to the connection for its duration. When the connection closes, the port is returned to the pool. A single client machine can have tens of thousands of simultaneous outgoing connections, each distinguished by a different ephemeral port number.
- What is the difference between a socket and a port?
A port is just a number that identifies a service or application on a single machine. A socket is the combination of an IP address and a port number that identifies a specific communication endpoint. A complete network connection involves two sockets, one on each end, forming a four-tuple of client IP, client port, server IP, and server port. The port is one component of the socket, not the same thing as the socket itself.
- Why do some services use both TCP and UDP on the same port number?
Some protocols need both the reliability of TCP and the low-latency characteristics of UDP for different aspects of their operation. DNS is the most common example, using UDP port 53 for standard queries because speed matters and queries fit in a single packet, but falling back to TCP port 53 for large responses like zone transfers that exceed the UDP size limit. The same port number is used on both protocols for consistency, but the two are entirely independent listeners at the OS level.
- How does a firewall use port numbers to control traffic?
A firewall inspects the source and destination port numbers in each incoming or outgoing packet header and applies rules to decide whether to allow or block that packet. A rule might allow all inbound traffic on port 443 for HTTPS while blocking everything on port 3306 to prevent external access to a MySQL database. Stateful firewalls also track established connections so that response packets from an outbound connection are automatically permitted without needing an explicit inbound rule for each ephemeral port used.
Conclusion
Ports and sockets are the mechanism that transforms a network of IP addresses into a system capable of supporting thousands of simultaneous, correctly routed conversations between applications. Ports identify which service should receive traffic on a given machine. Sockets combine IP addresses and ports into precise communication endpoints. Together they form the four-tuple that uniquely identifies every active connection on the network, allowing operating systems to demultiplex traffic accurately across all running applications. Understanding ports and sockets is foundational to working with firewalls, debugging connectivity issues, configuring servers, and reasoning about network security. To go deeper, explore TCP vs UDP, TCP handshake, Network Address Translation, and HTTP vs HTTPS.
