TCP/Port Monitoring — Why It Matters (and How to Do It Right)
Most website owners start their monitoring journey with a simple HTTP check or a basic ping test. These are valuable, but they only tell you part of the story. Your website, application, or online business depends on many services running simultaneously -- web servers, databases, mail servers, caching layers, background job processors, and more. Each of these services listens on a specific TCP port, and if any one of them fails, your users will experience problems even if your homepage appears to load normally.
TCP/Port monitoring addresses this gap by checking whether specific network ports on your server are open and accepting connections. In this comprehensive guide, we explain exactly what TCP/Port monitoring is, how it works at the network level, when you should use it, and how to configure it properly with UptyBots to catch the failures that HTTP and ping checks miss.
What Is TCP/Port Monitoring?
TCP (Transmission Control Protocol) is the foundation of most internet communication. When a client (browser, application, or monitoring tool) wants to communicate with a service on a server, it initiates a TCP connection to a specific port number. The server must have a service listening on that port and ready to accept the connection.
TCP/Port monitoring works by attempting to complete a TCP handshake (the three-step SYN, SYN-ACK, ACK process) with a specific port on your server. If the handshake completes successfully, the port is open and the service is accepting connections. If the handshake fails -- because the port is closed, the service has crashed, or a firewall is blocking access -- the monitoring tool reports a failure.
This is a layer below HTTP monitoring. HTTP checks verify that a web application returns a proper response. TCP checks verify that the underlying network service is even reachable. You can think of it as checking whether the door to a building is open (TCP) versus checking whether the receptionist inside can help you (HTTP).
The TCP Three-Way Handshake
Understanding how TCP connections work helps you interpret monitoring results:
- SYN: The monitoring tool sends a synchronization packet to the target server on the specified port.
- SYN-ACK: If a service is listening on that port, the server responds with a synchronization-acknowledgment packet.
- ACK: The monitoring tool completes the handshake with an acknowledgment packet. The connection is now established.
If the service is not running or the port is blocked, the server will either send a RST (reset) packet -- indicating "connection refused" -- or simply not respond at all, causing a timeout. Both results indicate a problem, but they point to different root causes.
Common Ports and What They Mean
Every network service uses a designated port number. Here are the most commonly monitored ports and the services they represent:
| Port | Protocol | Service | Why Monitor It |
|---|---|---|---|
| 22 | TCP | SSH | Remote server access. If SSH is down, you may lose the ability to manage your server. |
| 25 | TCP | SMTP | Outbound email delivery. Critical for transactional email (order confirmations, password resets). |
| 53 | TCP/UDP | DNS | Domain name resolution. If your DNS server goes down, no one can find your website. |
| 80 | TCP | HTTP | Unencrypted web traffic. Many servers still listen on port 80 for HTTP-to-HTTPS redirects. |
| 443 | TCP | HTTPS | Encrypted web traffic. This is where most modern websites serve their content. |
| 465 / 587 | TCP | SMTPS / Submission | Encrypted email submission. Required for sending email through most modern mail servers. |
| 993 | TCP | IMAPS | Encrypted email retrieval. If your IMAP server is down, users cannot read their email. |
| 3306 | TCP | MySQL | Database access. If MySQL goes down, your application will fail even if the web server is running. |
| 5432 | TCP | PostgreSQL | Database access. Same as MySQL -- database failure breaks the application. |
| 6379 | TCP | Redis | Caching and message queue. If Redis goes down, cached data is lost and background jobs stop processing. |
| 27017 | TCP | MongoDB | NoSQL database access. Application data layer failure. |
| 8080 / 8443 | TCP | Alternative HTTP/HTTPS | Application servers, admin panels, or staging environments often use non-standard ports. |
Why TCP Monitoring Catches Failures That Ping and HTTP Miss
Ping (ICMP) monitoring only tells you that the server operating system is responsive at the network layer. It says nothing about individual services. A server can respond to ping while MySQL, Redis, and your mail server are all down. Read more about why ping monitoring alone is not enough.
HTTP monitoring checks whether your web server returns a valid response, but it does not monitor non-HTTP services. If your database server crashes, your HTTP check might still get a 200 OK from a cached page or a generic error page that does not trigger an alert. Meanwhile, new user registrations, orders, and API calls are all failing because the database is unreachable.
TCP/Port monitoring fills this critical gap:
- Detects partial outages: The web server is running, but the database (port 3306 or 5432) or cache (port 6379) is down. HTTP checks might still pass, but your application is effectively broken.
- Catches service crashes instantly: When a service crashes, the port closes immediately. TCP monitoring detects this within seconds, long before error rates in your application logs would trigger an alert.
- Validates firewall changes: After a security update, configuration change, or cloud migration, TCP checks confirm that all required ports are accessible. A single misconfigured firewall rule can silently block a critical port.
- Monitors non-HTTP services: Mail servers (SMTP), SSH, DNS, databases, and custom application protocols all operate on TCP ports that HTTP monitoring cannot check.
- Lightweight and fast: A TCP handshake check is extremely lightweight compared to a full HTTP request. It completes in milliseconds and puts minimal load on the target server.
TCP vs. HTTP Monitoring: When to Use Each
TCP and HTTP monitoring serve different purposes and are most effective when used together. For a detailed comparison, see our guide on HTTP vs TCP monitoring and why you need both. Here is a quick summary:
| Aspect | TCP/Port Monitoring | HTTP Monitoring |
|---|---|---|
| What it checks | Is the port open and accepting connections? | Does the web application return a valid response? |
| Protocol level | Transport layer (Layer 4) | Application layer (Layer 7) |
| Speed | Very fast (milliseconds) | Slower (depends on page load) |
| Can check non-HTTP services | Yes (databases, mail, SSH, etc.) | No (HTTP/HTTPS only) |
| Validates response content | No | Yes (status codes, body, headers) |
| Detects application-level bugs | No | Yes (500 errors, wrong content) |
| Best for | Infrastructure-level checks | Application-level checks |
Real-World Scenarios Where TCP Monitoring Saves the Day
Scenario 1: Database Crash Goes Unnoticed
A SaaS application runs PostgreSQL on port 5432. One night, the database process crashes due to a disk space issue. The web server (Nginx) is still running and serving cached pages. The HTTP monitoring check hits the homepage, gets a 200 OK, and reports everything as healthy. Meanwhile, no user can log in, sign up, or access their data because every database query fails.
With TCP monitoring on port 5432: The moment PostgreSQL stops listening on its port, the TCP check fails and an alert fires within seconds. The on-call engineer restarts the database and frees disk space before most users even notice.
Scenario 2: Firewall Update Blocks SMTP
An operations team applies a security patch that includes updated firewall rules. The new rules accidentally block outbound connections on port 587 (SMTP submission). The website continues to work perfectly, but all outgoing emails -- order confirmations, password reset links, notification emails -- silently fail.
With TCP monitoring on port 587: The check detects the blocked port immediately after the firewall update. The team corrects the firewall rule before customers start complaining about missing emails.
Scenario 3: Redis Goes Down During Peak Traffic
An e-commerce site uses Redis (port 6379) for session management and caching. During a flash sale, Redis runs out of memory and stops accepting connections. The website becomes extremely slow because every request now hits the database directly instead of the cache. Eventually, the database also becomes overloaded.
With TCP monitoring on port 6379: The alert fires the moment Redis stops responding. The team either restarts Redis with more memory or implements an emergency cache eviction policy before the cascade failure reaches the database.
Common Mistakes in TCP Port Monitoring
Mistake 1: Only Monitoring Port 80 and 443
Many administrators set up TCP checks only for web server ports and consider their monitoring complete. But your application likely depends on databases, caches, mail servers, and background processors that run on different ports. A comprehensive monitoring setup checks every port that a critical service listens on.
Mistake 2: Not Accounting for Internal-Only Services
Some services (like databases) intentionally listen only on localhost or internal network interfaces and are not reachable from outside the server. Trying to monitor these from an external monitoring service will always show them as "down." For internal-only services, you need either an internal monitoring agent or a different monitoring approach (like application-level health checks that verify database connectivity).
Mistake 3: Ignoring Connection Timing
A TCP port that is open but takes 5 seconds to complete the handshake indicates a problem. Just checking "open or closed" is not enough -- you should also track the connection time. A gradually increasing TCP connection time is an early warning sign of server overload, network congestion, or resource exhaustion.
Mistake 4: No Retry Before Alerting
A single failed TCP check can be caused by a momentary network hiccup, a brief service restart, or packet loss. Without retry logic, you will receive false positive alerts that erode trust in your monitoring system.
Mistake 5: Monitoring from a Single Location
A port might be reachable from one network but blocked from another due to firewall rules, routing issues, or ISP-level filtering. Use multi-location monitoring to confirm that your services are accessible from where your users actually are.
How to Set Up Effective TCP Port Monitoring
Follow this checklist to configure TCP monitoring that catches real problems without generating noise:
- Inventory your services: List every service your application depends on, along with its port number and the server it runs on.
- Identify externally reachable ports: Determine which services should be accessible from outside your network (web server, mail) versus those that are internal only (database, cache).
- Create a TCP monitor for each external service port: In UptyBots, add a Port monitor for each service, specifying the host and port number.
- Set appropriate timeout values: Most TCP handshakes complete in under 1 second. A timeout of 5-10 seconds is reasonable for most services.
- Enable retries: Configure at least one retry with a short delay before triggering an alert.
- Combine with other check types: TCP monitoring tells you the service is reachable. Add HTTP monitoring for web services, API monitoring for endpoints, and SSL monitoring for certificates to get complete visibility.
- Set up appropriate notification channels: Configure alerts via email, Telegram, or webhook so the right person is notified when a critical port goes down.
TCP Port Monitoring for Different Industries
E-Commerce
Monitor web server ports (443), database ports (3306/5432), cache ports (6379), and payment gateway connectivity. A failed database connection during checkout means lost revenue. Use the Downtime Cost Calculator to estimate the impact.
SaaS Platforms
Monitor all application infrastructure ports plus API endpoints. Your customers depend on your API being available. Combine TCP checks with API monitoring for comprehensive coverage.
Email Service Providers
SMTP (25, 465, 587), IMAP (993), and POP3 (995) ports are your core business. If any mail port goes down, your customers cannot send or receive email. TCP monitoring is non-negotiable for email infrastructure.
Gaming and Real-Time Applications
Game servers, WebSocket servers, and real-time communication platforms use custom ports. TCP monitoring ensures these specialized services remain accessible to players and users.
Combining TCP Monitoring with a Full Monitoring Strategy
TCP/Port monitoring is powerful, but it works best as part of a layered monitoring approach:
- Ping (ICMP): Basic server reachability. Fast but limited. See ICMP ping monitoring best practices.
- TCP/Port: Service-level reachability. Confirms specific services are accepting connections.
- HTTP: Application-level check. Verifies web responses are correct. Read about why simple HTTP checks do not always catch problems.
- API: Endpoint-level validation. Checks response content, not just status codes.
- SSL: Certificate validity and expiration tracking.
- Domain: Domain registration expiration alerts.
Together, these layers give you visibility from the network level all the way up to the application level. When an alert fires, you can immediately narrow down whether the problem is at the infrastructure layer (ping/TCP) or the application layer (HTTP/API).
See setup tutorials or get started with UptyBots monitoring today.