On the Windows platform, what native options do I have to check if a port (3306, for example) on my local machine (as in localhost), is being blocked?

- Just to clarify, do you mean blocked, as in blocked by a firewall or gateway, or do you mean already in use by something else? – squillman Jun 16 '09 at 14:34
- The [Audit My PC Firewall test](http://www.auditmypc.com/firewall-test.asp) allows you to test a specific port or a range of ports from an external source. – Peter Stuer Jun 16 '09 at 15:38

4 Answers
Since you are on a Windows machine, these things can be done:

Execute the following command and look for a ":3306" listener (you did not mention UDP/TCP). This will confirm there is something running on the port.

    netstat -a -n

After this, if you are expecting incoming connections on this port and feel that the firewall may be blocking them, you could start Windows Firewall logging and check the logs for dropped connections:

- Go to Windows Firewall, Advanced settings
- Click on the Settings button next to "Local Area Connection"
- Select "Log dropped packets"
- Look at the log file location (if not present, define one)
- Click OK
- Now, when the connection attempt is made (assuming you know when this is done), look at the log file for a drop on port 3306.
- If this is seen, you will want to add an exception for this port.

There is one more command to check the firewall state (updated for Windows 7 users -- as referred to by Nick below -- use `netsh advfirewall firewall`):

    netsh firewall show state

- this will list the blocked ports as well as active listening ports with application associations

This command will dump the Windows firewall configuration detail:

    netsh firewall show config

If you have an active block (incoming connections are being dropped by firewall) after you start logging, you should see that in the log.
If you are running an application/service that is listening on 3306, the firewall config should show it to be Enabled. If this is not seen, you have probably missed adding an exception with the firewall to allow this app/service.
Finally, port 3306 is typically used for MySQL. So, I presume you are running MySQL server on this windows machine. You should therefore see a listener for 3306 accepting incoming connections. If you do not see that, you need to work with your application (MySQL) to get that started first.

- Starting with Windows Vista the "netsh firewall" command is deprecated. It recommends you use "netsh advfirewall firewall" instead and references article http://go.microsoft.com/fwlink/?linkid=121488 – Nick DeVore May 18 '11 at 15:31
- To parse output at the command line, add `|find "3306"` to the command, e.g. `C:\Windows\System32>netstat -an |find "3306"` – Cees Timmerman Jul 05 '13 at 08:20
- I can't find the settings button specified in step 2 of the second recommendation ... – Bassie Aug 22 '17 at 10:58
- @Bassie, try https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log – nik Aug 24 '17 at 06:23
- @nik Thanks nik, I managed to find the checkbox, but now seeing that the log is empty after trying to access my service remotely (which always fails). I guess this just shows that the issue is not with dropped packets but must lie somewhere else – Bassie Aug 24 '17 at 08:49
- @nik - whatever link you had given Bassie, it's 404 now. Thanks Microsoft! – GilesDMiddleton Jun 24 '23 at 08:04
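
Added example, not part of the answer or comments above: the "look at the log file for a drop on port 3306" step done in PowerShell. The function name `Get-FirewallDrop` is hypothetical and the log lines are constructed sample data in the pfirewall.log layout; the parser reads the column order from the `#Fields:` header instead of assuming it.

```powershell
# Constructed sample in the pfirewall.log layout (documentation address ranges).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-10 09:14:02 DROP TCP 192.0.2.15 192.0.2.10 51544 3306 52 S 1203944 0 64240 - - - RECEIVE
2024-01-10 09:14:05 DROP TCP 192.0.2.15 192.0.2.10 51544 3306 52 S 1203944 0 64240 - - - RECEIVE
2024-01-10 09:15:40 DROP UDP 192.0.2.77 192.0.2.255 137 137 78 - - - - - - - RECEIVE
2024-01-10 09:16:11 ALLOW TCP 192.0.2.10 198.51.100.4 50211 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

function Get-FirewallDrop {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $Line,   # raw log lines
        [Parameter(Mandatory)] [int] $Port,        # destination port of interest
        [string] $Protocol = 'TCP'
    )
    $fields = @()
    foreach ($l in $Line) {
        # The header names the columns; older logs have fewer of them.
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^\s*(#|$)' -or -not $fields) { continue }   # comments, blanks, no header yet
        $values = $l.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['action'] -eq 'DROP' -and $row['protocol'] -eq $Protocol -and
            $row['dst-port'] -eq "$Port") {
            [pscustomobject]$row
        }
    }
}

# Dropped attempts to port 3306, counted per source address.
Get-FirewallDrop -Line $sample -Port 3306 | Group-Object 'src-ip' | Select-Object Name, Count

# Against the live log (elevated prompt; logging of dropped packets must be on):
#   Set-NetFirewallProfile -All -LogBlocked True
#   $log = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Name Private).LogFileName)
#   Get-FirewallDrop -Line (Get-Content $log) -Port 3306
```

An empty result after a failed remote connection attempt, with logging confirmed on, points away from the local firewall, which is the conclusion reached in the comments above.
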
Since PowerShell 4.0 you can use the command `Test-NetConnection`.

If you want to test port 3306 as in your example, the command is:

    Test-NetConnection -ComputerName localhost -Port 3306

- +1 for this. A really nice alternative that doesn't require an installation of anything on most modern Windows machines. – DCaugs Jul 13 '18 at 17:13

`NETSTAT` will tell you if the port is listening but it will not tell you if the port is open to the outside world. What I mean by this is that `NETSTAT` may show that the 0.0.0.0 is LISTENING on port 3306 but a firewall may still be blocking that port which is preventing outside connections; so it isn't sufficient to rely on `NETSTAT` alone.

The best way to check if a port is blocked is to do a port scan from the client machine.

There are many ways to do a port scan but since you mentioned being on Windows then I will suggest the Microsoft command line utility PortQry and the graphical version PortQryUI.

To test all open ports:

    portqry.exe -n #.#.#.#

To test a specific port:

    portqry.exe -n #.#.#.# -e #

For example, to test the Web interface of a router at 192.168.1.1:

    portqry.exe -n 192.168.1.1 -e 80

Which returns:

    TCP port 80 (http service): LISTENING

Whereas testing on a local machine with no HTTPD running returns:

    TCP port 80 (http service): NOT LISTENING

Using a PortScan utility you will get one of 3 results.

- Listening means the server is listening on the specified port
- Filtered means it received a TCP acknowledgement packet with the Reset flag set which likely indicates a firewall or software issue
- Not Listening means it didn't receive a response at all

`telnet` is another command line option that is usually installed on the OS by default. This command line utility can be used as a quick way to see if a port responds to a network request.

To use `telnet` you would simply issue the following command from a command prompt:

    telnet localhost 3306

The command above should give you a quick indication if the port 3306 on the localhost is responding.

- I downloaded PortQryUI and I checked after I blocked and enabled the 445 port in both TCP and UDP; it is showing the same listening in TCP and not listening in UDP. – Liam neesan Nov 06 '17 at 20:08
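
Added example, not part of the answer or comment above: a local check that puts the listener state next to the Windows Firewall rules for the same port, since a LISTENING line alone does not show whether outside connections are allowed. The function name `Test-LocalPortExposure` and the verdict strings are hypothetical; it assumes the built-in NetTCPIP and NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
function Test-LocalPortExposure {   # hypothetical helper name
    param([Parameter(Mandatory)] [int] $Port)

    # Listener check: the same facts "netstat -a -n" shows for this port.
    $listen = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    # Listeners bound to something other than loopback can be reached remotely.
    $nonLoopback = @($listen | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

    # Enabled inbound rules that name the port explicitly. Rules scoped only by
    # program, or by a range such as "3300-3310", are not matched by this filter.
    $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })
    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
    $block = @($rules | Where-Object { $_.Action -eq 'Block' })

    # Block rules take precedence over allow rules in Windows Firewall.
    $verdict = if (-not $listen) {
        'Nothing is listening: start the service first'
    } elseif (-not $nonLoopback) {
        'Listening on loopback only: remote clients cannot connect'
    } elseif ($block) {
        'Listening, but an enabled inbound Block rule names this port'
    } elseif (-not $allow) {
        'Listening, no port-based Allow rule: check program rules and the drop log'
    } else {
        'Listening and allowed by an inbound rule'
    }

    [pscustomobject]@{
        Port       = $Port
        ListenOn   = $listen.LocalAddress | Sort-Object -Unique
        AllowRules = $allow.DisplayName
        BlockRules = $block.DisplayName
        Verdict    = $verdict
    }
}

Test-LocalPortExposure -Port 3306 | Format-List
```

This only covers the local machine; a device between client and server can still filter the port, which is why a test from the client side remains necessary.
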
If you can telnet to the port from the local machine (using the external IP address), but not from another machine - then it is being blocked somewhere between.
Note that a firewall on your local machine could prevent even the first action.

- Note that telnet is not being installed anymore on Win7 and newer systems. – Alexis Wilke Apr 18 '15 at 19:12
- To install telnet from the command line: `dism /online /Enable-Feature /FeatureName:TelnetClient` – Jason Massey Jan 21 '16 at 20:08