Port 2279: xmquery — IBM's Performance Monitoring Query Interface

What Port 2279 Is

Port 2279 sits in the registered ports range (1024-49151). These ports are assigned by IANA to specific services, though "assigned" doesn't always mean "widely used." Port 2279 is a good example: officially registered, genuinely functional in certain environments, and completely unknown outside of them.

IANA registered port 2279 under the service name xmquery, using both TCP and UDP.¹

What xmquery Does

xmquery is the network interface for xmtopas, a performance monitoring daemon that ships with IBM AIX — the Unix-based operating system that runs IBM Power Systems hardware.

xmtopas collects performance data from a running AIX system: CPU utilization, memory usage, paging space, disk I/O. xmquery is how other systems reach in to retrieve that data over a network. An administrator running centralized performance monitoring across a fleet of AIX systems would use xmquery to pull stats from each machine without logging in individually.²

The protocol is UDP-based, fitting for a monitoring feed that prioritizes speed over guaranteed delivery. IBM's documentation describes xmquery as defining three types of packets the xmtopas daemon sends: still_alive (heartbeat), data_feed (performance data), and except_rec (exception records).³

In practice, xmtopas is configured via /etc/inetd.conf:

xmquery dgram udp wait root /usr/bin/xmtopas xmtopas

Who Uses This Port

AIX system administrators running IBM's Performance Toolbox or centralized monitoring via topas -C (the network monitoring mode). If you're not in an IBM Power Systems environment, you will never encounter this port in normal operation.

What "Registered" Means Here

The registered range (ports 1024-49151) exists so that legitimate applications can claim a consistent, predictable port without coordinating in advance with every firewall and router on the Internet. Port 2279's registration means:

• IBM can document "connect to port 2279 for xmtopas data" without ambiguity
• Firewall administrators can write specific rules for it
• Port scanners can correctly identify it when they see it

It doesn't mean the port is common, or that you need to think about it unless you're running AIX.

Checking What's on This Port

If port 2279 shows up open on a system you're responsible for:

# Linux: see what process owns the port
ss -tulpn | grep 2279

# macOS
lsof -i :2279

# Windows
netstat -ano | findstr :2279

On an AIX system, an open 2279 is almost certainly xmtopas doing its job. On anything else, investigate — no common modern application uses this port, so unexpected activity here warrants a look.