Contents: Scanners
1. What's listening on your machine? --- nmap

You should know about every process that is listening on a port on your machine: what it is called and why it is listening. Unless you need it, stop it or remove it.

netstat can be run on the machine itself (e.g., netstat -a | grep LIST), but this assumes the host has not been compromised: any competent intruder will trojan netstat so that it hides their own listener, and a trojaned netstat will happily tell you nothing is wrong.

A better approach is to scan for open ports from a second machine, so that the answer does not depend on the target's own binaries. The second machine must be able to "see through" any firewall between it and the target; alternatively, simply turn any such firewall off temporarily (and remember to turn it back on). nmap is ideal for this. For example, to scan the privileged ports (1--1023) on dog.sub.domain from cat.sub.domain:

    cat> nmap -vv -sT -p 1-1023 dog.sub.domain

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host dog.sub.domain (130.88.???.???) appears to be up ... good.
    Initiating Connect() Scan against dog.sub.domain (130.88.???.???)
    Adding open port 25/tcp
    Adding open port 787/tcp
    Adding open port 111/tcp
    Adding open port 587/tcp
    Adding open port 22/tcp
    Bumping up senddelay by 10000 (to 10000), due to excessive drops
    The Connect() Scan took 30 seconds to scan 1023 ports.
    Interesting ports on dog.sub.domain (130.88.???.???):
    (The 1018 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh                     
    25/tcp     open        smtp                    
    111/tcp    open        sunrpc                  
    587/tcp    open        submission              
    787/tcp    open        unknown                 
 
    Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds

Commonly-used nmap options:
    -v, -vv, -vvv     verbose, very verbose...
    -sT, -sU          TCP connect() scan, UDP scan (UDP scans are slow and
                      less reliable: a silent port is reported open|filtered)
    -p m-n            port range to scan (omitting -p scans nmap's default
                      list, roughly 1-1024 plus well-known ports, NOT every
                      port; use -p 1-65535 to scan them all)

Armed with information such as that above, you should identify the daemon responsible for each open port (e.g., by using lsof --- see LSOF: Which process, which port?). Bear in mind that lsof runs on the same possibly-compromised host as netstat did, so treat the external scan as the reference: a port that nmap shows open but that lsof cannot account for (787/tcp above is the one to ask about) is itself a finding, not a discrepancy to shrug off.
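The cross-check described above, as an added example that is not part of the original notes: a small POSIX shell script that reads an nmap port table taken from the second machine and an lsof listing taken on the scanned host, names the daemon behind each externally visible port, and flags any port that is open from outside but has no local listener. It assumes (my assumption, not the page's) that the nmap output is the "normal" format shown in the transcript and that lsof was run on the target as lsof -nP -iTCP -sTCP:LISTEN, so ports are numeric and only listening sockets appear. Both input files are constructed samples embedded in the script, so it runs offline.

```sh
#!/bin/sh
# Added example, not from the original notes: cross-check an nmap scan taken
# from a second machine against the lsof listing taken on the scanned host.
# A port that is open from outside but has no listener in lsof's view is
# either being forwarded by a firewall or is being hidden from you.
#
# Assumptions (mine, not the page's): nmap "normal" output as in the
# transcript above, saved to a file; lsof run on the target with
#   lsof -nP -iTCP -sTCP:LISTEN
# so ports are numeric and only LISTEN sockets appear. Both samples below
# are constructed for this example.

WORK=$(mktemp -d)
NMAP_OUT="$WORK/nmap-dog.txt"
LSOF_OUT="$WORK/lsof-dog.txt"

# Constructed sample: the port-table part of an nmap run against the target.
cat > "$NMAP_OUT" <<'EOF'
Interesting ports on dog.sub.domain (130.88.???.???):
(The 1018 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
587/tcp    open        submission
787/tcp    open        unknown
EOF

# Constructed sample: what lsof on the target reports (note: nothing on 787).
cat > "$LSOF_OUT" <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
sendmail   901 root    4u  IPv4   1235      0t0  TCP *:25 (LISTEN)
sendmail   901 root    5u  IPv4   1236      0t0  TCP *:587 (LISTEN)
rpcbind    455 root    6u  IPv4   1237      0t0  TCP *:111 (LISTEN)
EOF

# Print the TCP ports nmap reported open, one per line, in port-table order.
nmap_open_ports() {   # $1: nmap output
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, p, "/"); print p[1] }' "$1"
}

# Print the daemon lsof shows listening on a port (empty output if none).
daemon_for_port() {   # $1: lsof listing, $2: port number
    awk -v port="$2" '/\(LISTEN\)/ {
        n = $(NF-1); sub(/.*:/, "", n)   # "*:587" or "[::]:587" -> "587"
        if (n == port) print $1
    }' "$1" | sort -u
}

# Ports open from outside with no local listener to account for them.
hidden_ports() {      # $1: nmap output, $2: lsof listing
    awk '
        NR == FNR && /\(LISTEN\)/ { n = $(NF-1); sub(/.*:/, "", n); seen[n] = 1; next }
        NR != FNR && $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/"); if (!(p[1] in seen)) print p[1]
        }' "$2" "$1"
}

# Report: one line per externally visible port with the daemon behind it.
report() {            # $1: nmap output, $2: lsof listing
    nmap_open_ports "$1" | while read -r port; do
        d=$(daemon_for_port "$2" "$port")
        printf '%s/tcp\t%s\n' "$port" "${d:-NOT IN lsof: investigate}"
    done
}

report "$NMAP_OUT" "$LSOF_OUT"
```

On the sample data the report names sshd, sendmail and rpcbind for 22, 25, 587 and 111, and marks 787/tcp as unaccounted for. The script can only point out the inconsistency: since lsof itself runs on the suspect host, confirm such a finding with a known-clean lsof (statically linked, from read-only media) or from a forensic image before trusting any local tool's answer.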
