Scan any host for open ports, identify running services, and audit your network security directly from your iPhone.
Download Free on the App StorePort scanner and all 19 tools are free. No ads, no account required.
PingKit's port scanner attempts TCP connections to a range of ports on any host you specify. For each port, it reports whether the port is open, closed, or filtered, and identifies the service typically associated with that port number. It is the same fundamental technique used by professional tools like nmap, packaged in an interface you can use from anywhere on your phone.
Scan common ports or the full range from 1 to 65535. Results show open, closed, and filtered states so you know exactly what is exposed and what is properly locked down.
Open ports are labeled with their commonly associated service — HTTP, HTTPS, SSH, FTP, MySQL, RDP, and hundreds more. Quickly understand what is running without memorizing port numbers.
Scan a single port, a specific range, or use built-in presets for common services, web servers, databases, or the top 100 most used ports. Flexible enough for any use case.
Verify your firewall is blocking what it should. Check that decommissioned services are no longer listening. Confirm that only intended ports are reachable from outside your network.
You deployed a web server and need to confirm ports 80 and 443 are open while everything else is closed. Or you just changed your SSH port from 22 to a custom number and want to verify it is reachable. PingKit lets you run these checks from your phone, from any network, without needing to SSH into another machine first.
Penetration testers and security-conscious administrators use port scanning as the first step in assessing an attack surface. PingKit shows what an external attacker would see when probing your host. If your database port is open to the internet or an old service is still listening on a port you thought was closed, you want to find that before someone else does.
An application cannot connect to a server? Before diving into application logs, check whether the port is even reachable. If PingKit shows the port as filtered, the problem is a firewall or network configuration — not the application. If the port is closed, the service is not running. If it is open but the app still fails, the issue is at the application layer. Port scanning eliminates the most common causes in seconds.
Firewall rules are easy to get wrong and hard to verify from the inside. The only reliable way to confirm a firewall is working is to test it from outside. Run PingKit's port scanner from your phone on cellular data to see exactly what your server or home network exposes to the internet. Compare the results against your intended rules and close any gaps.
A port scanner answers one deceptively simple question: is something listening on this port, and can I reach it from here? That question comes up constantly once you start running services at home or managing a server. Here are the situations where reaching for a port scanner saves you the most time.
Self-hosting a Minecraft world, a Synology NAS, or a Plex media server means a specific port needs to be reachable. Plex defaults to TCP 32400, many game servers use a custom high port, and a NAS web interface often sits on 5000 or 5001. Point PingKit at the device's IP and scan that exact port. An open result confirms the service is up and accepting connections; a closed or filtered result tells you the service or the network in front of it is the thing to fix. If you want to find the device's IP in the first place, the LAN scanner lists every host on your network so you do not have to dig through the router admin page.
Port forwarding is notoriously fiddly. You add a rule in the router, but there is no easy confirmation it took effect. The honest test is to scan your public IP from outside your home network — turn off WiFi on your phone and scan over cellular. If the forwarded port shows open, the rule works end to end. If it shows filtered, either the rule is wrong, the host's own firewall is blocking it, or your ISP is filtering the port before it ever reaches you.
Sometimes the goal is to find ports you did not expect. A database left listening on 3306, a remote desktop port open to the internet on 3389, or an old admin panel still running months after you stopped using it — these are the things attackers look for first. Scanning your own public IP shows you the same picture an outsider sees. For a deeper, guided look at exposure, pair the scan with our security scan, which flags common risky configurations automatically.
When an app cannot reach a server, a port scan tells you which layer to blame before you waste time reading application logs. Open means the service is listening and the network path is clear, so the fault is at the application or authentication layer. Closed means nothing is listening — the service probably is not running or is bound to the wrong address. Filtered means a firewall is in the way. Three results, three very different fixes.
Even if you are not a security professional, periodically scanning your own router, home lab, and any servers you run is good hygiene. Devices accumulate services over time, firmware updates can re-open ports, and a setting you changed last year may not be doing what you think. A two-minute scan from your phone is a low-effort way to catch the obvious problems. Guardian goes a step further and adds AI explanations of what each open port means, so you do not need to memorize port numbers or guess whether something should be exposed.
There are several port scanner apps on the App Store. We think PingKit holds up well, but we will be straight about where it fits. PingKit is a focused mobile toolkit, not a replacement for a full desktop scanner like nmap when you need deep, scriptable scans.
| What matters | PingKit | Typical port scanner app |
|---|---|---|
| Price | Free, all 19 tools included | Often free scan but paywalled ranges or results |
| Ads & accounts | No ads, no account required | Frequently ad-supported or sign-in gated |
| Beyond port scanning | LAN scan, DNS, ping, traceroute, security scan, and more in one app | Usually port scanning only |
| Understanding results | Service labels free; AI explanations with Guardian | Raw open/closed list, you interpret it yourself |
If you want a single, ad-free app that scans ports and also does the dozen other network checks you reach for in the same week, PingKit is built for exactly that. If you need to run thousands of scripted scans against a fleet of servers, a desktop tool is the right call — and our sister Mac app Noxen, linked below, exists for that audit-at-scale job.
When PingKit reports an open port, it labels the service usually associated with that number. Here is a quick reference for the ports you are most likely to run into. Remember that any service can run on any port — these are conventions, not guarantees.
| Port | Service | What it means |
|---|---|---|
| 22 | SSH | Remote shell access. Expected on servers; should be locked to keys, not passwords. |
| 53 | DNS | Name resolution. Normal on routers and DNS servers, unusual on a desktop. |
| 80 | HTTP | Unencrypted web traffic. Fine for a web server, but real sites should redirect to HTTPS. |
| 443 | HTTPS | Encrypted web traffic. The expected port for any modern website or web service. |
| 445 | SMB | Windows file sharing. Should never be exposed to the internet — a frequent attack target. |
| 3306 | MySQL | Database. Should be reachable only from trusted hosts, never the open internet. |
| 3389 | RDP | Windows Remote Desktop. High-risk if internet-facing; put it behind a VPN. |
| 5000 / 5001 | NAS web UI | Common Synology and other NAS admin interfaces on the local network. |
| 8080 | HTTP alt | Proxies, dev servers, and admin panels often listen here. |
| 32400 | Plex | Plex Media Server. Open this if you stream Plex remotely. |
Tip: Seeing 445 or 3389 open on a host that faces the internet is worth investigating immediately. These are among the most exploited ports because they expose file sharing and remote desktop directly. For step-by-step checks, our guide on how to check if a port is open walks through interpreting each result.
This is the most common surprise. Usually the service is bound to localhost (127.0.0.1) instead of the network interface, so it only accepts connections from the same machine. Check the service's listen or bind address and switch it to 0.0.0.0 or the LAN IP if you want it reachable from other devices. Other culprits are a host firewall blocking the port, or scanning the wrong IP — easy to do when a device has both a wired and wireless address.
A closed port replies that nothing is listening, so the scan returns quickly. A firewalled port typically drops the packet silently, so the scan shows filtered and takes longer to time out. The distinction matters: closed means "the host is here, but this service is off," while filtered means "something is deliberately refusing to answer." If a port you expect to be open shows filtered, look at the firewall before the service.
Scanning a device on your own WiFi uses its local IP, and the only thing between you and it is that device's own firewall. Scanning a remote host — or your own home network from the outside — crosses your router, your ISP, and possibly the host's firewall. That is why a port can look open from inside your network but filtered from the internet. When you are verifying internet exposure, always scan the public IP from a network outside your own.
Many residential internet providers block common inbound ports to discourage home hosting — ports 25 (email), 80, and 445 are frequently filtered before traffic ever reaches your router. If a forwarded port stubbornly shows filtered no matter what you change, your ISP may be the reason. The quick way to confirm is to scan the same port from a different network; if it behaves differently, the block is on the path, not on your host.
Port scanning is a normal, legitimate tool for managing your own systems — your router, NAS, home lab, and any servers you administer. It becomes a problem only when it is pointed at systems you have no right to test. Please scan only networks and hosts that you own or have explicit authorization to assess. PingKit is built for personal network management and authorized security auditing, and that is the spirit in which we ask you to use it.
Find the local IP of the device running the service — Plex on 32400, a NAS web UI on 5000 or 5001, a game server on its custom port — then enter that IP in PingKit and scan the specific port. Open means it is listening and reachable. To check from the internet instead of your home WiFi, scan your public IP so you can see whether port forwarding is working.
Usually because the service is bound to localhost only, a firewall is blocking it, you are scanning the wrong IP, or the service uses UDP while a TCP scan reports closed. Confirm the bind address and firewall rules, then scan the device's actual LAN IP from another device on the same network.
A closed port actively refuses the connection, which tells you the host is up but nothing is listening. A firewalled port is usually filtered — packets are dropped silently and the scan times out with no answer. Filtered is the quieter, more secure state.
Yes — it is one of the most reliable methods. Add the forwarding rule, then scan your public IP from outside your home network, for example over cellular with WiFi off. An open result means the rule works end to end; filtered or closed points to the rule, the host firewall, or your ISP.
PingKit runs TCP connect scans, which cover the vast majority of services people care about — web, SSH, databases, remote desktop, and most media servers all use TCP. UDP scanning is inherently unreliable without a handshake, so TCP gives you clear, trustworthy results for everyday checks.
If every port comes back filtered, the host is often behind a firewall that drops unsolicited traffic, the device is offline, or your ISP is blocking inbound connections. Many residential ISPs filter ports such as 25, 80, and 445. Try a port you know should be open, and test from a different network to rule out ISP filtering.
Open ports are normal — every service depends on one. The risk is open ports you did not intend, outdated or misconfigured services, or sensitive services like databases and remote desktop exposed to the internet. The goal is not zero open ports; it is making sure every open port is intentional, patched, and authenticated.
The free scanner labels each open port with its common service. PingKit Guardian ($2.99/mo or $24.99/yr) adds AI explanations in plain language — what the port does, whether it is normally internet-facing, and what to check if it looks risky — plus 24/7 monitoring from the companion Mac Agent.
No. Only scan networks and hosts you own or are authorized to test. Scanning your own router, NAS, home lab, or servers you administer is normal and legitimate; scanning third-party systems without permission can violate computer-misuse laws.
Port scanning is one piece of the network security puzzle. Pair it with PingKit's Security Scan for an automated vulnerability assessment, use the Device Scanner to discover every host on your local network, or run a DNS Lookup to verify records before scanning. With 19 tools in one app, you can go from discovery to diagnosis to verification without switching apps or reaching for a laptop.
Continuous TLS cert monitoring, ISO 27001 PDF export, Network History AI, Apple Watch complication, and unlimited AI. $4.99/mo.
Learn about Guardian Plus →Noxen is our sister Mac app for nightly security audits across remote Linux/VPS hosts — port scanning, SSH inventory, TLS, and CVE matching. Built by the PingKit team.
Visit noxen.app →Download PingKit free and see what your network is exposing.
Download Free on the App StoreRequires iOS 17.0 or later.