Port Scan vs netstat -- Advantages & Disadvantages?

Posted on 2009-02-20
Last Modified: 2013-12-04
I need to identify and document the open ports on a Win2k server, but I am a server lightweight. Assuming a server has NOT been compromised, when deciding whether to do a full port scan or just a netstat -a -n, what are the relative merits of each? When & why would their results be different?

Thank you in advance,
Question by:parkerea

    Accepted Solution

    Regarding their merits, a port scan will let you see what open ports an external service/user/hacker can see given existing firewalls and running services on the scanned computer.  Netstat will let you see existing TCP connections as well as ports on which the computer is listening, among other things (

    The results between the two can differ due to firewall placement (on the host or somewhere between the scanner and scanned computer).  For example, your personal workstation may be listening on port 3389 for Remote Desktop connections on your LAN, but a perimeter firewall may have this port closed, with the result being that a port scan originating from outside your network will not show 3389 as open while netstat on your machine will show 3389 as open.

    Assisted Solution

    by:Rich Rumble
    As explained above, a netstat is local, and a port scan is typically used against a remote host, but can be used against oneself. A port scan can go further, telling what version of a web server, mail server, even what OS (see finger) is running. Nmap can do OS detection, looking at the responses and predicting the OS based on those "fingerprints", aka responses.

    Also, as hinted at above, netstat will tell you what port the machine you're on listens on for connections, but a firewall can do PAT or port forwarding, so if you changed the default port 80 for your web server to listen on port 123, the firewall can still listen on port 80 and change the packets to go to your server on port 123, so a scanner will never know the difference, technically. Essentially, netstat is local and passive; a port scan is typically against a remote host and active.
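Added example (not part of the original thread or any poster's code): a short Python sketch that reconciles the two views described in the answers above, the local `netstat -a -n` listing and the set of ports an outside scan reports open. The netstat text and the scan result are constructed samples that reuse the thread's 3389 and 80-to-123 cases; the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -a -n` output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:123            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:49210     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: TCP ports a scan from outside the perimeter saw as open.
SAMPLE_SCAN_OPEN = {80}

# Only TCP rows in LISTENING state; handles both 0.0.0.0:135 and [::]:135.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp(netstat_text):
    """Return {port: set of bind addresses} for TCP listeners."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports


def reconcile(netstat_text, scan_open):
    """Classify ports by comparing the local view with the remote view."""
    listening = listening_tcp(netstat_text)
    # Bound only to loopback: never reachable from another host.
    loopback = {p for p, addrs in listening.items()
                if all(a.startswith("127.") or a == "[::1]" for a in addrs)}
    local = set(listening)
    return {
        "listening_and_reachable": sorted(local & scan_open),
        # Listening but hidden from the scanner: a firewall is in the path.
        "listening_not_reachable": sorted(local - scan_open - loopback),
        "loopback_only": sorted(loopback),
        # Open to the scanner but no local listener: PAT / port forwarding.
        "reachable_not_listening": sorted(scan_open - local),
    }


if __name__ == "__main__":
    for bucket, ports in reconcile(SAMPLE_NETSTAT, SAMPLE_SCAN_OPEN).items():
        print(f"{bucket}: {ports}")
```

Ports in `listening_not_reachable` document the server itself; ports in `reachable_not_listening` document the firewall in front of it.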

    Author Closing Comment

    Thank you. I had a general idea that was the fact, but the IT folks have been promoting port scans, and for our uses (documenting the server, not its environment such as the firewall) netstat is more appropriate.

    Thanks again,
