High-Yield Ports and Protocols Table

Key Takeaways

Port items on N10-009 test the service, its transport (TCP vs UDP), the secure alternative, and the troubleshooting implication, not raw memorization.
Know administrative, web, name-resolution, email, file-transfer, directory, time, and monitoring ports cold because they recur in scenario stems.
TCP is connection-oriented (handshake, ordered delivery); UDP is low-overhead and used for DNS queries, DHCP, NTP, SNMP, TFTP, and streaming.
Secure replacements such as SSH (22), HTTPS (443), SFTP (22), SNMPv3, LDAPS (636), and IMAPS (993)/POP3S (995) are frequent correct answers.
When a service fails, work the order: DNS resolution, Layer 3 reachability, port filtering, service status, then authentication.

Last updated: June 2026

High-Yield Ports and Protocols

The CompTIA Network+ N10-009 exam (up to 90 questions in 90 minutes, passing score 720 on a 100–900 scale) expects you to recognize a service from its port, pick the safer alternative, and use port behavior to drive troubleshooting. Objective 1.4 explicitly lists ports and protocols, and they reappear inside Security and Troubleshooting items. Do not memorize the table as isolated trivia—tie each port to a symptom and a transport.

Transport matters. TCP (Transmission Control Protocol) is connection-oriented: it performs the three-way handshake (SYN, SYN-ACK, ACK), guarantees ordered delivery, and retransmits lost segments. UDP (User Datagram Protocol) is connectionless and lightweight, so it carries DNS queries, DHCP, NTP, SNMP, TFTP, and real-time voice/video where retransmission would add harmful delay.

Core Reference Table

Service	Port	Transport	What it does	Exam cue
FTP data	20	TCP	File-transfer data channel	Legacy clear-text transfer
FTP control	21	TCP	File-transfer commands	Use SFTP or FTPS when secure
SSH	22	TCP	Secure shell and tunneling	Secure admin access
SFTP	22	TCP	File transfer over SSH	Secure FTP replacement
Telnet	23	TCP	Clear-text remote shell	Never for secure admin
SMTP	25	TCP	Server-to-server mail	Outbound relay/filtering
DNS	53	UDP/TCP	Name resolution; zone transfers	UDP for queries, TCP for zone transfer
DHCP server/client	67/68	UDP	IPv4 address assignment	APIPA = DHCP failure
TFTP	69	UDP	Trivial file transfer	Device boot/config, no security
HTTP	80	TCP	Unencrypted web	Redirect to HTTPS
Kerberos	88	UDP/TCP	Authentication tickets	Time-sensitive (NTP dependency)
NTP	123	UDP	Time sync	Certs, logs, Kerberos depend on it
SNMP	161	UDP	Monitoring queries	Prefer SNMPv3
SNMP trap	162	UDP	Device-initiated alert	Device-to-manager alert
LDAP	389	TCP/UDP	Directory queries	No TLS by default
HTTPS	443	TCP	Encrypted web/API	Secure mgmt page
SMB	445	TCP	Windows file/printer share	Lateral-movement target
Syslog	514	UDP/TCP	Log forwarding	Centralized logging
LDAPS	636	TCP	LDAP over TLS	Secure directory
IMAPS	993	TCP	Secure mailbox retrieval	Leaves mail on server
POP3S	995	TCP	Secure mailbox retrieval	Downloads mail
SQL (MS)	1433	TCP	Microsoft SQL Server	DB connectivity
RDP	3389	TCP/UDP	Remote desktop	Restrict exposure
SIP	5060/5061	TCP/UDP	VoIP signaling	5061 commonly TLS

Troubleshooting With Ports

Symptom	Useful check
Name fails before connecting	DNS on 53, resolver config, records
Resolves but browser times out	TCP 443 reachability, firewall logs, service status
Device has APIPA (169.254.x.x)	DHCP path, relay, scope, VLAN, UDP 67/68
Secure switch admin fails	SSH on 22, management ACL, AAA
File share unavailable	SMB 445, name resolution, share permissions
No device metrics in monitoring	SNMP version, community/credentials, ACL, UDP 161
Clocks drift, certs/logs misbehave	NTP on UDP 123, stratum source

Secure Alternatives

Telnet → SSH (encrypted remote administration)
FTP → SFTP or FTPS (protects credentials and file contents)
HTTP login → HTTPS (protects sessions and credentials)
SNMPv1/v2c → SNMPv3 (adds authentication and privacy)
LDAP → LDAPS or LDAP with StartTLS (protects directory traffic)

Worked Scenario: Email Client Cannot Receive Mail

A user reports that Outlook can send but not receive. The send path uses SMTP, so outbound on port 25 (or the submission port) is healthy. Receiving uses either IMAP or POP3. Modern, secure clients should retrieve mail over IMAPS (993) or POP3S (995), both encrypted with TLS. If the client was configured for legacy plaintext IMAP (143) or POP3 (110) and the mail provider disabled clear-text retrieval, the symptom is exactly "send works, receive fails." The fix is to reconfigure the account to the secure retrieval port, which also explains why N10-009 pairs each clear-text port with its TLS counterpart.

Notice the diagnostic logic: identify the function (receive), map it to candidate protocols (IMAP/POP3), then check whether the secure or insecure variant is required by policy.

Why Time and Authentication Ports Recur

Two ports show up far more often than their obscurity suggests. NTP (UDP 123) underpins certificate validation, log correlation, and Kerberos. If clocks drift more than five minutes, Kerberos (UDP/TCP 88) rejects tickets and certificate checks may fail, producing login errors that look unrelated to time. RADIUS centralizes authentication for VPN, 802.1X wired ports, and Wi-Fi; a failed RADIUS path makes every downstream service appear broken even though the underlying network is fine.

When a stem describes widespread authentication failures after a server change, suspect NTP or the AAA server before blaming individual application ports.

Common Traps

Assuming DNS is UDP only; TCP 53 is used for zone transfers and oversized responses.
Confusing SSH and SFTP because both ride TCP 22.
Treating a closed port as proof that routing is broken.
Exposing RDP (3389) broadly instead of restricting source networks or using a jump host.
Forgetting that application authentication can fail even when the port is reachable.
Choosing Telnet or FTP when the stem says "secure" management or transfer.

Test Your Knowledge

Which port is most commonly associated with SSH and SFTP?

22/TCP

23/TCP

53/UDP

161/UDP

Test Your Knowledge

A client shows a 169.254.x.x address. Which service path should be checked first?

RDP using TCP 3389

DHCP using UDP 67 and 68

SMTP using TCP 25

SNMP traps using UDP 162

Test Your KnowledgeMulti-Select

Which are secure or more secure replacements for legacy clear-text options? Select three.

Select all that apply

SSH instead of Telnet

SFTP instead of FTP

HTTPS instead of HTTP for login pages

Telnet instead of SSH

FTP instead of SFTP

Up Next

Wi-Fi, Cabling, Connectors, and Transceivers Quick Table

Continue learning

CompTIA Network+

1Introduction & Exam Overview

2Domain 1: Networking Concepts (23%)

3Domain 1: Media, Connectors, Transceivers, and Network Architectures

4Domain 1: IP Addressing and Subnetting Mastery

5Domain 2: Network Implementation - Routing

6Domain 2: Network Implementation - Switching

7Domain 2: Network Implementation - Wireless and Physical Implementation

8Domain 2: Network Implementation - Services Implementation

9Domain 3 Part A: Network Operations Documentation and Governance

10Domain 3 Part B: Monitoring, Remote Access, and Resilience

11Domain 4: Logical Security and Secure Access (14%)

12Domain 4: Segmentation, Risk, and Network Attacks (14%)

13Domain 4: Security Controls and Hardening (14%)

14Domain 5: Troubleshooting Methodology and Tools (24%)

15Domain 5: Physical, Interface, and Wireless Troubleshooting (24%)

16Domain 5: Network Services, Switching, Routing, and Performance Troubleshooting (24%)

17Performance-Based Question Labs

18High-Yield Reference and Final Study Plan

19Final Synthesis: Strategy, Remediation, and Readiness