How to Watch TCP and UDP Ports in Real-time

In software terms, especially at the operating system level, a port is a logical construct that identifies a specific process/application or a type of network service and each network service running on a Linux system uses a particular protocol (the most common being the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)) and a port number for communicating with other processes or services.

In this short article, we will show you how to list and monitor or watch running TCP and UDP ports in real-time with a socket summary on a Linux system.

List All Open Ports in Linux

To list all open ports on a Linux system, you can use the netstat command or ss utility as follows.

It is also crucial to mention that netstat command has been deprecated and instead ss command has taken its place in showing more detailed network statistics.

$ sudo netstat -tulpn
OR
$ sudo ss -tulpn
List Open Ports in Linux
List Open Ports in Linux

From the output of the above command, the State column shows whether a port is in a listening state (LISTEN) or not.

In the above command, the flag:

  • -t – enables listing of TCP ports.
  • -u – enables listing of UDP ports.
  • -l – prints only listening sockets.
  • -n – shows the port number.
  • -p – show process/program name.

Watch TCP and UDP Open Ports in Real-Time

However, to watch TCP and UDP ports in real-time, you can run the netstat or ss tool with the watch utility as shown.

$ sudo watch netstat -tulpn
OR
$ sudo watch ss -tulpn
Watch Open Ports in Real Time in Linux
Watch Open Ports in Real Time in Linux

To exit, press Ctrl+C.

You will also find the following articles useful:

  1. 3 Ways to Find Out Which Process Listening on a Particular Port
  2. How to Check Remote Ports are Reachable Using ‘nc’ Command
  3. How to List All Running Services Under Systemd in Linux
  4. 29 Practical Examples of Nmap Commands for Linux System/Network Administrators

That’s all for now! If you have any questions or thoughts to share about this topic, reach us via the comment section below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

14 Comments

Leave a Reply
    • tcpdump this is quite different.

      The author of the guide probably did not notice that he wrote a little ambiguously. However, people more associate the tcpdump command with the tool for viewing transmitted data.

      The “watch” command runs another command periodically from time to time. The name of the command is not important here. Real-time can have two definitions here.

      The first is “speed performance 1 kbit/s”
      Second, “the ability to display the entire data queue per second”.

      For someone, refreshment once every two seconds or once a month can also be real-time.

      This is the magic of human definition.

      More in “man watch” and in first line of output.

      Reply
    • “admin” / Aaron, maybe this tutorial is not big about “watch” command how to use and how to get help, but don’t worry, because I like to read something interesting.

      I mean, it is better than nothing or nonsense and I read with pleasure.

      So forgive me sometimes harsh words.

      Reply
  1. The title of this article is misleading. the watch command is batch based on a timer event triggering you can specify the granularity but it’s clearly not real-time.

    Reply
    • You don’t need to write the same command to check.

      However, if you see the open port, it means that malware/virus is too slow to open and close port below 2s.

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.