Copyright © 2026 LinuxLab. All rights reserved.

kb/network-l4 ── Networking: L4 and above ── beginner

Port: How Multiple Services Share One IP

A 16-bit number (0-65535) that identifies the **destination process** on a host. IP says which host; port says which process. 80 is HTTP, 443 is HTTPS, 22 is SSH.

aka: tcp-port, udp-port, port-number

Why ports exist

An IP address targets a machine. But that machine runs a dozen processes at once: a web server, SSH daemon, database, monitoring agent. When a packet arrives at 192.168.1.50, which process should receive it?

A port answers that question. It is a 16-bit number (0 to 65535) carried in the TCP/UDP header. Every listening process binds to a specific port via bind() + listen(). When a packet arrives on that port, the kernel delivers it to the bound process.

The pair (IP, port) forms a socket address, a globally unique endpoint address on the internet.

Port categories

| Range | Name | Who uses it |
|---|---|---|
| 0-1023 | well-known | Standard services (root-only on Linux) |
| 1024-49151 | registered | Services registered with IANA |
| 49152-65535 | dynamic / ephemeral | Outgoing client connections |

Common well-known ports:

  • 22 SSH
  • 53 DNS
  • 67/68 DHCP server / client
  • 80 HTTP
  • 123 NTP
  • 443 HTTPS
  • 3306 MySQL
  • 5432 PostgreSQL
  • 6379 Redis

The full list is in /etc/services.

Ephemeral ports: why you see 54321 in a curl trace

When a client opens a connection, it does not pick its source port explicitly. The OS picks a random port from the ephemeral range (on Linux the default is 32768-60999; check it with cat /proc/sys/net/ipv4/ip_local_port_range).

These ports live only for the duration of the connection. After it closes, they are released (after a TIME_WAIT delay, see tcp-states).

This means: if you open many outgoing connections rapidly, you can exhaust the ephemeral range. On a cloud NAT gateway handling thousands of clients, that is a real operational problem.

One port, one process?

In general, yes. Only one process can bind() to a given (IP, port) pair. A second attempt returns EADDRINUSE.

Exceptions:

  • SO_REUSEPORT lets multiple processes listen on the same port; the kernel distributes incoming connections among them (nginx and haproxy use this).
  • 0.0.0.0 vs. a specific IP: bind 0.0.0.0:80 and bind 1.2.3.4:80 may or may not conflict depending on the order of the bind calls.

Checking who listens on what

```bash
ss -tlnp                # all TCP listening sockets with process info
ss -ulnp                # UDP
lsof -i :443            # who is on port 443
netstat -tulnp          # classic alternative, still works
```

Flag breakdown for ss:

  • -t TCP, -u UDP
  • -l listening sockets only
  • -n no DNS resolution
  • -p show process (requires root for other users' sockets)
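
An added example (not part of the original page): a shell function that filters `ss -tlnpH` output for listeners bound to a non-loopback address on a port outside an allowlist. The function names `audit_listeners` and `sample_ss_output`, the allowlisted ports 22 and 443, and the sample lines are assumptions constructed for illustration.

```bash
# Added example: flag TCP listeners reachable from off-host on unexpected ports.
# Input format: lines as printed by `ss -tlnpH`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process).

# Constructed sample input, not captured from a real host.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=990,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1201,fd=5))
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1333,fd=6))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
LISTEN 0 511 [::1]:6379 [::]:* users:(("redis-server",pid=1333,fd=7))
LISTEN 0 128 [::]:8080 [::]:* users:(("python3",pid=4410,fd=3))
EOF
}

# audit_listeners PORT...
# Reads ss lines on stdin and prints "port address process" for every listener
# that is not loopback-only and whose port is not in the allowlist PORT...
audit_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)         # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)     # text before the last colon
        sub(/%.*$/, "", addr)                   # drop interface scope such as %lo
        gsub(/^\[|\]$/, "", addr)               # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next   # loopback-only listener
        if (port in ok) next                         # expected exposure
        proc = ($6 == "" ? "-" : $6)            # empty without -p or without root
        print port, addr, proc
    }'
}

# On a real host: ss -tlnpH | audit_listeners 22 443
# On the sample this prints the 6379 (0.0.0.0) and 8080 (::) listeners.
sample_ss_output | audit_listeners 22 443
```

The wildcard forms `0.0.0.0`, `[::]` and `*` all count as exposed here, because a socket bound to them accepts connections on every interface of the host.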

§ commands

```bash
ss -tlnp
```

All TCP sockets in LISTEN state with the bound process shown

```bash
ss -tn state established
```

Active TCP connections; both local and remote ports are visible

```bash
lsof -i :443
```

Which process is using port 443 (incoming or outgoing)

```bash
cat /proc/sys/net/ipv4/ip_local_port_range
```

Ephemeral port range configured on this host

```bash
nc -l 8080    # port 8080 is above 1023, so no sudo is needed
```

Open a listening TCP port 8080 for experimentation

§ see also

  • tcp-handshake: TCP three-way handshake. TCP connection opens with three packets: SYN from the client, SYN-ACK from the server, ACK from the client. After that the connection is Established and data transfer can begin.
  • udp-basics: UDP: User Datagram Protocol. UDP delivers datagrams without establishing a connection, without retransmits, and without ordering guarantees. Header is 8 bytes. Use it for DNS, DHCP, QUIC, VoIP, and any case where latency matters more than reliability.
  • tls-handshake: TLS Handshake. TLS is the encryption layer above TCP. Before data flows, both sides run a handshake: they exchange keys, verify the certificate, and agree on a cipher.
  • http-protocol: HTTP/1.1, HTTP/2, HTTP/3. HTTP/1.1 is a text-based protocol with keep-alive. HTTP/2 is binary with multiplexing over a single TCP connection. HTTP/3 carries HTTP/2 semantics over QUIC/UDP without TCP head-of-line blocking.