What This Port Does
Port 2055 carries NetFlow and IPFIX export data. When a router or switch has flow monitoring enabled, it silently compiles records of every conversation crossing its interfaces — source IP, destination IP, port, protocol, byte count, packet count, timestamps — and ships those records as UDP datagrams to a collector.
That collector is almost always listening on UDP port 2055.
The port is technically unassigned. IANA has no record of it. Cisco started using it as a default, network monitoring vendors followed, and now it is so common that most flow collectors listen here by default without requiring configuration.
What Is NetFlow?
NetFlow is the protocol routers use to answer one question: what is actually flowing through me?
Instead of capturing full packet contents (which would be both enormous and a privacy nightmare), NetFlow captures flow records — summaries of each conversation. A flow is defined by five values: source IP, destination IP, source port, destination port, and protocol. Everything matching that five-tuple gets counted as one flow.
Every few minutes — or when a flow ends — the router exports a record: this conversation happened, it moved this many bytes, it lasted this long. The collector on the other end aggregates these records into dashboards, alerts, and billing reports.
NetFlow was invented at Cisco in the mid-1990s by Darren Kerr and Barry Bruins. Cisco eventually published version 9 as an informational RFC (RFC 3954), which became the basis for IPFIX.[1]
IPFIX: NetFlow Standardized
IPFIX (IP Flow Information Export) is what happens when the IETF takes a de facto standard and writes it up properly. Standardized in RFC 7011, IPFIX extends NetFlow's template-based approach and runs on both UDP and TCP.[2]
Port 2055 carries both. Most collectors accept whichever arrives.
Why This Port?
Nobody fully agrees. It wasn't assigned by IANA. It isn't documented in any RFC as the canonical NetFlow port. Cisco's documentation mentions 2055 as a common default, other vendors use 9995 or 9996, and some operators pick their own.
Port 2055 won because it was Cisco's default, and Cisco's gear was everywhere. Network monitoring tools that wanted to work out of the box pointed their collectors at 2055. The port became a convention that outlasted any formal decision.
Security Considerations
NetFlow data is sensitive. A flow record doesn't contain packet payloads — it contains metadata. But metadata is enough. An attacker with access to your flow records can map every internal host, identify servers, detect data exfiltration patterns, and watch for lateral movement. Flow collectors should be firewalled, not exposed to the public Internet.
UDP port 2055 should receive traffic only from your own network infrastructure. If you see unexpected traffic arriving on 2055 from external addresses, investigate.
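One way to triage what arrives on UDP 2055, shown as an added example rather than code from any collector product: it reads the 16-bit version field that opens every NetFlow v5, NetFlow v9 and IPFIX datagram and compares the sender with an exporter allowlist. The allowlist networks, the function names and the sample datagrams are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: networks your exporters live in (constructed values, replace with your own).
ALLOWED_EXPORTERS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/28")]

# Fixed header length in bytes, keyed by the version field that starts every datagram.
HEADER_LEN = {5: 24, 9: 20, 10: 16}
NAMES = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}


def classify(payload: bytes):
    """Return (protocol name, second header field), or None if not a flow export."""
    if len(payload) < 4:
        return None
    version, second = struct.unpack("!HH", payload[:4])
    if version not in HEADER_LEN or len(payload) < HEADER_LEN[version]:
        return None
    # IPFIX: the second field is the total message length and must match the datagram.
    if version == 10 and second != len(payload):
        return None
    # NetFlow v5: the second field is a record count, 1-30 records of 48 bytes each.
    if version == 5 and (not 1 <= second <= 30 or len(payload) != 24 + 48 * second):
        return None
    return NAMES[version], second


def triage(src_ip: str, payload: bytes) -> str:
    """Decide what to do with one datagram received on UDP 2055."""
    addr = ipaddress.ip_address(src_ip)
    known = any(addr in net for net in ALLOWED_EXPORTERS)
    parsed = classify(payload)
    if known and parsed:
        return "accept"
    if known:
        return "known-exporter-malformed"
    return "alert-unexpected-flow-source" if parsed else "alert-unexpected-traffic"


# Constructed sample datagrams (headers and zeroed records only, no real flow data).
V9 = struct.pack("!HHIIII", 9, 0, 1000, 1700000000, 1, 0)
IPFIX = struct.pack("!HHIII", 10, 16, 1700000000, 1, 0)
V5 = struct.pack("!HHIIIIBBH", 5, 1, 1000, 1700000000, 0, 1, 0, 0, 0) + bytes(48)

if __name__ == "__main__":
    for src, pkt in [("10.1.2.3", V9), ("203.0.113.9", IPFIX), ("203.0.113.9", b"hi")]:
        print(src, classify(pkt), triage(src, pkt))
```

Because UDP source addresses can be spoofed, an allowlist match here complements the firewall rule and does not replace it.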
How to Check What's Listening Here
If a flow collector is running — NTA, ntopng, Elastic, Graylog, or a dedicated NetFlow appliance — you'll likely see it here.
Related Ports
- UDP 9995 / 9996 — Alternative NetFlow collector ports used by some vendors
- UDP 4739 — The IANA-assigned port for IPFIX (the official standard)[3]
- UDP 6343 — sFlow, a competing flow sampling protocol
- TCP/UDP 161 — SNMP, the other main network telemetry protocol (though much coarser)