100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is Port Scanning?

Learn what port scanning is, how Nmap classifies open/closed/filtered ports, and its defensive vs offensive use — interview Q&A.

mediumQ87 of 224 in Computer Networks Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

Port scanning is the technique of systematically probing a target host’s TCP or UDP ports to discover which ones are open, closed, or filtered, revealing what services are running and listening for connections.

A scanner like Nmap sends crafted packets to a range of ports and interprets the responses: an open TCP port typically replies with a SYN-ACK, a closed port replies with an RST, and a filtered port produces no response at all because a firewall is silently dropping the probes. Security teams use port scanning defensively to audit their own exposed attack surface and catch services that should never be internet-facing, such as an exposed database port. Attackers use the same technique offensively during reconnaissance to fingerprint a target before attempting exploitation of a known-vulnerable service version. Because scanning is easy to detect via connection logs or intrusion detection systems, unauthorized scanning of systems you do not own or have permission to test is both unethical and, in most jurisdictions, illegal.

  • Reveals which services are exposed on a host for security auditing
  • Distinguishes open, closed, and filtered ports based on response behavior
  • Explains the dual-use nature: defensive audit tool vs attacker reconnaissance
  • Highlights firewalls and IDS as the practical countermeasures

AI Mentor Explanation

Port scanning is like walking around a stadium’s perimeter checking every gate to see which ones are unlocked, which are bolted shut, and which have a guard silently refusing to respond at all. An unlocked gate is an open port ready to let someone in, a bolted gate is a closed port that actively rejects entry, and a guarded gate that ignores knocking entirely is a filtered port hidden behind a firewall. Ground security regularly checks their own gates this way to make sure nothing was left open by mistake. An intruder doing the same walk before a break-in is exactly what a malicious port scan looks like.

Step-by-Step Explanation

  1. Step 1

    Target selection

    A scanner is pointed at a host or range of IPs and a set of ports to probe.

  2. Step 2

    Probe packets

    Crafted TCP or UDP packets (e.g., SYN packets) are sent to each target port.

  3. Step 3

    Response classification

    SYN-ACK marks a port open, RST marks it closed, and no response marks it filtered by a firewall.

  4. Step 4

    Fingerprinting

    Responses and banners are analyzed to identify the running service and version for further assessment.

What Interviewer Expects

  • Clear definition: probing ports to find open/closed/filtered status
  • Names a real tool (Nmap) and explains SYN-ACK/RST/no-response classification
  • Distinguishes legitimate security auditing from unauthorized attacker reconnaissance
  • Mentions firewalls and IDS/IPS as detection and prevention measures

Common Mistakes

  • Thinking port scanning itself exploits a vulnerability rather than discovering exposure
  • Confusing a filtered port (firewall drops silently) with a closed port (active RST)
  • Not knowing scanning without authorization is illegal in most jurisdictions
  • Assuming only TCP ports exist — forgetting UDP services can also be scanned

Best Answer (HR Friendly)

Port scanning is checking which doors, or network ports, on a computer are open and listening for connections, which closed ones actively refuse, and which ones a firewall is silently blocking. Security teams use it responsibly to audit their own systems and close anything left exposed by accident, while attackers use the exact same technique to scope out a target before an attack — which is why doing it against systems you do not have permission to test is illegal.

Code Example

Scanning a host with Nmap
# Scan the 1000 most common TCP ports on a host you own/manage
nmap 192.168.1.10

# Scan specific ports and attempt to identify service versions
nmap -p 22,80,443,3306 -sV 192.168.1.10

# Example output:
# PORT     STATE    SERVICE
# 22/tcp   open     ssh
# 80/tcp   open     http
# 443/tcp  open     https
# 3306/tcp filtered mysql

Follow-up Questions

  • What is the difference between a closed port and a filtered port?
  • How does a SYN scan differ from a full TCP connect scan?
  • Why is unauthorized port scanning considered illegal?
  • How can a firewall or IDS detect and rate-limit port scanning attempts?

MCQ Practice

1. What response typically indicates an open TCP port during a scan?

A SYN-ACK response means the port accepted the connection attempt, marking it open.

2. What does a “filtered” port status mean?

Filtered means no response was received, typically because a firewall is dropping the probe packets.

3. Which tool is most commonly used to perform port scans?

Nmap is the industry-standard tool for port scanning and service fingerprinting.

Flash Cards

What is port scanning?Probing a host's ports to determine which are open, closed, or filtered.

Open vs closed vs filtered?Open replies SYN-ACK, closed replies RST, filtered gives no response (firewall drop).

Common port scanning tool?Nmap.

Is unauthorized port scanning legal?No — scanning systems without permission is illegal in most jurisdictions.

1 / 4

Continue Learning