Port Number Ranges: Well-Known, Registered & Ephemeral
Port numbers run 0 to 65535, split into three ranges by IANA. Here's what well-known, registered, and dynamic/ephemeral ports are, where the boundaries fall, and why it matters.
Port numbers aren’t random. The 0–65535 range is divided into three official bands, each with a different purpose. Knowing which band a port falls into tells you a lot about what it’s probably doing before you even look it up.
The three ranges
The IANA (Internet Assigned Numbers Authority) splits the 16-bit port space like this:
| Range | Name | Purpose |
|---|---|---|
| 0 – 1023 | Well-known (system) ports | Core internet services |
| 1024 – 49151 | Registered ports | Vendor / application ports |
| 49152 – 65535 | Dynamic / private / ephemeral | Temporary outbound connections |
Well-known ports (0–1023)
These are reserved for the internet’s core services. The assignments are standardized so that any machine, anywhere, knows that port 443 means HTTPS and port 22 means SSH without being told.
Familiar examples:
- 22 → SSH
- 25 → SMTP (email)
- 53 → DNS
- 80 → HTTP
- 443 → HTTPS
On Unix systems including macOS, binding to a port below 1024 historically requires elevated privileges, which is why running a web server on port 80 directly often needs sudo, while a dev server on 3000 does not. This is a deliberate safety measure: it stops an unprivileged program from impersonating a standard system service.
Registered ports (1024–49151)
These are for applications that asked IANA to reserve a number, plus the vast informal middle ground that developers use day to day. Any user-level program can bind here without special privileges, which is why nearly every dev tool defaults somewhere in this range.
You’ll recognize a lot of them:
- 3000 → Node / React dev servers
- 3306 → MySQL
- 5173 → Vite
- 5432 → PostgreSQL
- 6379 → Redis
- 8080 → alternate HTTP / proxies
Look any of these up in the port reference.
Dynamic / ephemeral ports (49152–65535)
This top band is never assigned to a fixed service. Instead, the operating system hands these ports out temporarily. When your browser connects to a website, it grabs a free port from this range as the return address for that one connection, then releases it when the connection closes.
These are the ephemeral ports, and it’s completely normal to see dozens of them open at once. They’re outbound connections in progress, not services waiting for traffic. macOS uses 49152–65535 for this by default, matching the IANA recommendation (Linux historically uses a lower starting point, around 32768).
Why the ranges matter in practice
When you’re scanning your own machine and trying to make sense of what you see, the range is a fast first filter:
- A low port (under 1024) in the
LISTENstate is almost always a recognizable system or server service. - A mid port (1024–49151) listening is usually a development tool or a registered application.
- A high port (49152+) is almost always a temporary outbound connection, not something you started or need to worry about.
That mental model saves you from chasing “mystery” ports that are just your browser doing its job.
See every port grouped by what it is
Portie shows all your open ports in one live view and labels each with its protocol, owning process, and state, so you can instantly tell a real listening service from a passing ephemeral connection. It refreshes every 3 seconds, no commands required.
Local monitoring is free. The $8.99 one-time unlock adds one-click process control and remote port scanning. Download Portie to see your ports sorted and explained.