Why is HTTP-based probing different from nmap?

nmap's default scan (-sS, SYN scan) crafts raw IP packets and reads TCP flags directly. It can complete a half-open handshake — SYN/ACK received, RST sent in reply — without making the application layer aware of a connection attempt. Application logs stay clean. Cloudflare Workers do not expose raw sockets, so this tool issues full HTTP/HTTPS connections from edge POPs: the handshake completes, the application logs the connection, and any rate-limit or fail2ban rule fires as it would for a real client. The trade-off is fidelity to what an actual external client experiences versus stealth — impossible from this runtime. For broad reachability checks the HTTP probe is sufficient; for protocol-specific deep inspection, nmap from a host you control remains the right tool.

How does IANA decide which ports get assigned numbers?

RFC 6335 (Cotton, Eggert, Touch, Westerlund & Cheshire, 2011) defines three procedures by range. System Ports (0–1023) require IETF Review or IESG Approval — registration usually accompanies a published RFC, which is why every entry in this range traces to a standards-track document. User Ports (1024–49151) accept Expert Review submissions: the requester documents the protocol, IANA's expert checks for conflicts and assigns. Dynamic and/or Private Ports (49152–65535) are not assigned by IANA; operating systems pick from this range when an application opens an outbound connection without specifying a source port. Many third-party services bind in the User range (Redis 6379, PostgreSQL 5432, MySQL 3306) — their numbers are advisory only; nothing in the protocol layer forces a server to use them.

Port Scanner Online Free

Q: What's the difference between filtered and closed?

Both states indicate the service isn't reachable, but the wire-level signature differs. A closed port returns a TCP RST flag immediately — RFC 9293 §3.10.7 specifies this as the kernel's response when no socket is listening on the probed port. The host is alive; it just isn't running that service. Filtered means the probe got no answer at all within the timeout. Three different conditions produce that same silence: a stateful firewall dropped the SYN packet, the route to the host is broken upstream, or the host itself is offline. The scanner cannot distinguish among them without TCP traceroute or ICMP echo. Filtered is a 'something is between you and the service' signal, not a confirmed firewall verdict.

Q: Is port scanning legal?

Scanning your own infrastructure or systems you have written permission to test is legal everywhere. Scanning third-party hosts without authorisation occupies a grey zone that varies by jurisdiction. In the United States, Moulton v. VC3, Inc. (USDC ND Ga 2000) ruled that an unauthorised port scan and throughput test against VC3's servers — absent damage exceeding the $5,000 CFAA threshold — did not violate 18 USC §1030 or the Georgia Computer Systems Protection Act. The court found the activity reckless but the statutory damage requirement unmet. That precedent applies to facts resembling Moulton; courts in other circuits have decided differently. In Germany, §202c StGB ('Hacker-Paragraph', 2007 amendment) criminalises preparation of data interception and has been read to cover unauthorised scanning tools. Written authorisation is the only safe operating principle, regardless of jurisdiction.

Q: Why does a port appear open from this tool but closed when scanned from inside the network?

Cloud-hosted scanners hit your perimeter the way the internet sees it — through the public-facing security group, load balancer, or NAT gateway. Internal scans run after that perimeter and only see the host firewall (iptables, Windows Firewall). A port can be open at the perimeter (security group permits 22/tcp) but blocked at the host (iptables drops it). The reverse is also common: the host listens but the perimeter blocks. The verdict you trust depends on the threat model: external scans answer 'what can the internet reach?', internal scans answer 'what would a compromised internal box reach?'. Both views are useful; neither is wrong.

Online Port Scanner — Open Ports & Service Detection

Port scanning queries a host to find which TCP services are reachable from the public internet. Each probe lands in one of three states: open (a service completes the handshake), closed (the host actively refuses with a TCP RST per RFC 9293 §3.10.7), or filtered (no response within the timeout, typically meaning a firewall dropped the SYN silently). The IANA Service Name and Transport Protocol Port Number Registry, governed by RFC 6335 (Cotton, Eggert, Touch, Westerlund & Cheshire, 2011), partitions the 16-bit space into System Ports (0–1023, IETF Review only), User Ports (1024–49151, expert-reviewed), and Dynamic Ports (49152–65535, unassigned). This tool sends HTTP/HTTPS probes from a Cloudflare edge server: it detects socket liveness but cannot identify what software responds — banner-grabbing and version detection are separate steps. UDP scanning is fundamentally harder because UDP (RFC 768) carries no connection state; closedness is signalled by an ICMP destination-unreachable reply (RFC 792), and absence of any reply leaves open and filtered indistinguishable. Authorisation matters: scan only systems you own or have written permission to test.

How to scan ports

Enter the target host (domain or IP). Leave the custom-ports field empty to scan the 17 common defaults, or list up to 5 comma-separated ports.
Each port is probed via HTTP/HTTPS handshake from a Cloudflare edge server. Open responds with SYN/ACK, closed with TCP RST, filtered with no answer.
Review open ports against the expected service inventory — anything unexpected open warrants firewall review.
Close unnecessary ports at the firewall, redeploy, and rerun the scan to confirm the expected state.

Common use cases

Auditing a freshly deployed cloud server before pointing DNS, to confirm only the intended services are exposed.
Verifying a security-group or iptables rule change actually blocked the port it was meant to block.
Checking what services an IoT or edge device exposes from a residential or office network.
Confirming a Docker container's published ports match the host firewall and security-group policy.

Frequently asked questions

What's the difference between filtered and closed?

Closed returns a TCP RST flag (RFC 9293 §3.10.7) — the host's kernel actively says 'no service here'. Filtered means no answer at all: a stateful firewall dropped the SYN silently, the route is broken, or the host is offline. Wire-level evidence is identical across the three.

Is port scanning legal?

Scanning systems you own or have written permission to test is legal everywhere. Without authorisation, jurisdiction matters — Moulton v. VC3 (USDC ND Ga 2000) ruled an unauthorised scan absent CFAA-threshold damage isn't a §1030 violation; Germany's §202c StGB criminalises preparation of data interception. Get authorisation in writing.

Why does a port appear open from this tool but closed when scanned from inside the network?

Cloud-hosted scanners hit your perimeter (security group, load balancer, NAT gateway). Internal scans only see the host firewall (iptables, Windows Firewall). A port can be open at one layer and blocked at the other; both views are valid for different threat models.

Why does HTTP-based probing differ from nmap?

nmap's default crafts raw SYN packets and reads TCP flags directly; the handshake never completes, so application logs stay clean. This tool runs in Cloudflare Workers and uses fetch() rather than the cloudflare:sockets connect() API; either way the runtime can't craft raw IP packets, so the application logs every probe.

How does IANA assign port numbers?

RFC 6335 splits the 16-bit space into System (0–1023, IETF Review), User (1024–49151, Expert Review) and Dynamic (49152–65535, OS-picked, unassigned). Service binding numbers are advisory; the protocol layer doesn't enforce them.

How port scans interpret silence — TCP RST, no answer, and HTTP probes

The TCP handshake is a request-response interaction defined in RFC 9293 (Eddy, Ed., 2022, which obsoletes the original RFC 793 from 1981). When a probe arrives at a closed port, the kernel responds with a RST flag — the host is alive, just not running anything on that port. When the probe hits an open port, the stack returns SYN/ACK and the scanner tears down without sending data. When nothing comes back, three causes share one wire-level signature: a stateful firewall dropped the SYN silently, the route to the host is broken, or the host itself is unreachable. The scanner reports filtered for all three, because the evidence is identical. HTTP-based probing differs from raw SYN scanning. nmap's default sends a single SYN and reads TCP flags directly, completing the handshake only on -sT (connect scan). This tool runs inside Cloudflare Workers and uses the fetch() API rather than the newer cloudflare:sockets connect() API; either way the runtime can't craft raw IP packets, so handshakes always complete and the application logs every probe. The trade-off is correctness — the result is exactly what a public HTTP client sees from your edge — at the cost of stealth. For services that don't speak HTTP (Redis, MySQL, raw SSH banners), the probe still reports openness via the TCP handshake but cannot identify the protocol.

17 common ports scanned by default (HTTP, HTTPS, SSH, FTP, SMTP, DNS, MySQL, PostgreSQL, Redis, etc.)
Custom port selection up to 5 comma-separated ports (1–65535)
Open / closed / filtered status per RFC 9293 §3.10.7 semantics
Service hint from IANA Service Name and Transport Protocol Port Number Registry
Color-coded results table
HTTP/HTTPS probe runtime (Cloudflare Workers, no raw SYN scan)

Free. No signup. Browser tools (subnet, JWT, password strength) run locally; lookup tools query public APIs (Cloudflare DoH, RDAP, certificate logs). Full per-tool breakdown at /methodology/.

Sources (5)

Cotton, M., Eggert, L., Touch, J., Westerlund, M., & Cheshire, S. (2011). Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry. RFC 6335, IETF.
Eddy, W. (Ed.) (2022). Transmission Control Protocol (TCP). RFC 9293, IETF (obsoletes RFC 793).
Postel, J. (1980). User Datagram Protocol. RFC 768, IETF.
Postel, J. (1981). Internet Control Message Protocol. RFC 792, IETF.
Internet Assigned Numbers Authority (IANA) (live). Service Name and Transport Protocol Port Number Registry. iana.org/assignments/service-names-port-numbers.

These are the IETF RFCs, NIST publications, and W3C standards the tool implements or queries. Locate them on the IETF Datatracker (datatracker.ietf.org) or the official standards body.

Related guides

Port Scanning — Legality, Ethics, and Safe UseWhen port scanning is legal, when it is a crime, and how to use scanners responsibly — with a jurisdictional breakdown and tool tradeoffs.

By Marco B. · Last verified June 2026 — runs in your browser