
Two bytes. Sixteen bits. Every port number in every packet crossing the Internet fits in this space—a constraint baked into TCP and UDP in the 1970s that determines the boundaries of the entire port system.

Sixteen bits means 2^16 possible values: exactly 65,536 ports, numbered 0 through 65,535. Not approximately. Not "up to." Exactly that many, forever.

Why Sixteen Bits?

The protocol designers faced a tradeoff. More bits would mean more ports but larger packet headers—overhead carried by every packet, billions of times per second. Fewer bits would mean smaller headers but potentially running out of ports as networking grew.

Sixteen bits was the bet. In the 1970s, 65,536 seemed more than enough. Today, with a single server handling thousands of simultaneous connections, the limit feels closer than anyone imagined.

But the decision is frozen. Every router, firewall, and operating system on Earth expects port numbers to be exactly sixteen bits. Changing it would require replacing TCP and UDP themselves—a transition measured in decades, if it ever happens at all.

The Three Ranges

Not all 65,536 ports are equal. The Internet Assigned Numbers Authority (IANA) divides them into three ranges, each with different rules.

Well-Known Ports: 0–1023

These are the reserved ports. HTTP lives at 80. HTTPS at 443. SSH at 22. DNS at 53. SMTP at 25. The assignments are official, documented in IANA's registry, and universally recognized.

On Unix-like systems, binding to these ports requires root privileges. This isn't arbitrary—it's a question of authority.

Think about what it means to run a service on port 80. You're not claiming to be a web server. You're claiming to be the web server for this IP address. Anyone connecting to port 80 expects to reach the legitimate website. The privilege requirement ensures only someone with administrative control can make that claim.

Obtaining an official well-known port requires formal standardization—typically an RFC. You don't just ask; you prove your protocol deserves a permanent place in the first thousand.

Registered Ports: 1024–49151

The conventional ports. MySQL uses 3306. PostgreSQL uses 5432. MongoDB uses 27017. These assignments are registered with IANA through a lighter process—submit a form, explain your service, avoid conflicts.

No special privileges required to bind here. Any user can start a service on port 3306, which is why you'll sometimes find MySQL colliding with a developer's side project that grabbed the same port by accident.

The registrations prevent chaos. Without them, every database vendor might default to the same port, and every installation would require manual reconfiguration. The conventions save millions of hours of troubleshooting.

Dynamic Ports: 49152–65535

The ephemeral range. When your browser connects to a website, your operating system picks a source port from this range—52847, 61293, whatever's available. The port exists only for the duration of that connection, then returns to the pool.

No official assignments here. No registrations. If you're building an internal tool that will never leave your organization, pick a port in this range and you won't collide with anything official.

The term "ephemeral" captures the key point: these ports are borrowed, not owned. Your operating system manages the lending, ensuring no two active connections share the same source port.

The Registry

IANA maintains the Service Name and Transport Protocol Port Number Registry [1]—the authoritative list of which port means what. It's publicly accessible, regularly updated, and useful when you're staring at network traffic wondering why something is connecting to port 6379 (Redis).

The registry prevents port number chaos. Without central coordination, assignments would conflict constantly. With it, administrators worldwide can configure firewalls, read packet captures, and diagnose problems using a shared vocabulary.

What This Means in Practice

The privilege boundary at 1024 is a security decision. If you need to run a web server without root, you have two choices: use a port above 1023 (like 8080) and make users type it, or run a privileged reverse proxy that forwards from 80 to your unprivileged service. Most production deployments choose the second.

Port conflicts are diagnostic clues. If your application fails with "address already in use," something else claimed that port first. On port 5432? Check for PostgreSQL. Port 3000? Probably a Node.js dev server someone forgot to stop.

Firewalls often treat ranges differently. Many security policies block everything except well-known ports for outbound traffic—a crude but effective way to prevent malware from phoning home on unusual ports.

Unexpected traffic on well-known ports is a red flag. Connections to port 23 (Telnet) on a system where Telnet is disabled? Something is wrong. Well-known ports carry well-known expectations.
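An added example (not code from the original page) that puts the three ranges to work: it classifies a port, reads the two 16-bit port fields off a constructed TCP header, and scans constructed connection log lines for the kind of unexpected well-known-port traffic described above. The log line format and the set of services the host is expected to serve are assumptions.

```python
import struct
from typing import Iterable

# IANA range boundaries, as given on the page.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
PORT_MAX = 0xFFFF  # 65535: the largest value two bytes can hold

def classify_port(port: int) -> str:
    """Return the IANA range a port falls in; reject anything outside 16 bits."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} does not fit in 16 bits")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"

def ports_from_tcp_header(header: bytes) -> tuple[int, int]:
    """Source and destination ports are the first two big-endian 16-bit fields of a TCP header."""
    return struct.unpack("!HH", header[:4])

# Assumed policy: the only well-known services this host is expected to serve.
EXPECTED_WELL_KNOWN = {22, 80, 443}

def unexpected_well_known(lines: Iterable[str]) -> list[tuple[str, int]]:
    """Flag connections to well-known ports the host is not expected to serve (e.g. 23/Telnet)."""
    hits = []
    for line in lines:
        # Constructed log format: "<src_ip>:<src_port> -> <dst_ip>:<dst_port>"
        src, _, dst = line.strip().partition(" -> ")
        dst_port = int(dst.rsplit(":", 1)[1])
        if classify_port(dst_port) == "well-known" and dst_port not in EXPECTED_WELL_KNOWN:
            hits.append((src, dst_port))
    return hits

# Constructed sample: three connections, one of them to Telnet on a host that only serves 22/80/443.
SAMPLE_LOG = [
    "10.0.0.5:52847 -> 10.0.0.9:443",
    "10.0.0.7:61293 -> 10.0.0.9:23",
    "10.0.0.8:50001 -> 10.0.0.9:5432",
]

if __name__ == "__main__":
    print(struct.pack("!H", 52847).hex())  # 'ce6f': the ephemeral port as its two wire bytes
    for p in (80, 1023, 1024, 3306, 49151, 49152, 52847):
        print(p, classify_port(p))
    print(unexpected_well_known(SAMPLE_LOG))  # [('10.0.0.7:61293', 23)]
```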

Sources

  1. Service Name and Transport Protocol Port Number Registry
