What Port 3195 Is

Port 3195 sits in the registered port range — the band of ports from 1024 to 49151 that the Internet Assigned Numbers Authority (IANA) manages for named services. IANA assigned it the service name ncu-1, described as "Network Control Unit," on both TCP and UDP.

In practice, no widely-deployed software claims this registration. The assignment exists in IANA's registry, but there's no public RFC defining the protocol, no open-source implementation, and no documentation explaining what "Network Control Unit" was meant to do. It's a named port that never grew a community.

What Has Actually Run Here

The most documented traffic on port 3195 comes from Backdoor:IRC/Whisper, a family of IRC-based remote access trojans. Variants of this malware connected infected machines to attacker-controlled IRC channels on port 3195/tcp, allowing remote command execution — the classic IRC botnet pattern from the mid-2000s era.

This is a recurring dynamic in the port ecosystem: malware authors pick registered-but-dormant ports because they're less likely to be immediately flagged by naive firewall rules. A port with a registered name looks more legitimate than an obviously random high-numbered port. The registration provides a thin layer of camouflage.

What the Registered Range Means

Ports 1024–49151 occupy a middle ground between the well-known ports (0–1023), which require root/administrator privileges to open on most operating systems, and the ephemeral ports (49152–65535), which operating systems hand out temporarily for outbound connections.

Any software can bind to a registered port without elevated privileges. IANA maintains the registry as a coordination mechanism — a way to reduce the chance that two unrelated applications accidentally collide on the same port. But registration doesn't imply adoption, and adoption doesn't require registration. Many widely-used services run on unregistered ports; many registered ports sit empty.

How to Check What's on This Port

If you see traffic on port 3195 and want to know the source:

On Linux/macOS:

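# Show what process is listening on TCP port 3195
# (ss is Linux-only; run as root to see processes owned by other users)
ss -tlnp | grep ':3195 '

# Or with lsof (Linux and macOS; also lists established connections on the port)
lsof -i :3195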

On Windows:

netstat -ano | findstr :3195

Then cross-reference the PID against your process list. If nothing legitimate owns it and you're seeing inbound connections, treat it with suspicion — the historical association with remote access malware is reason enough to investigate.
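A listening-socket check does not show a host that is connecting out to port 3195, which is the direction the IRC-bot traffic described above took. The following added example (not part of the original page) classifies every TCP socket touching the port by direction; it assumes Linux with iproute2's `ss`, and the function names, addresses and process names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP sockets involving port 3195 from `ss -Htanp` output.
PORT=3195

# Constructed sample of `ss -Htanp` output (documentation addresses, made-up
# process names). Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:3195 0.0.0.0:* users:(("unknownd",pid=4242,fd=4))
ESTAB 0 0 192.0.2.10:51544 198.51.100.7:3195 users:(("unknownd",pid=4242,fd=5))
ESTAB 0 0 192.0.2.10:3195 203.0.113.9:40112 users:(("unknownd",pid=4242,fd=6))
ESTAB 0 0 192.0.2.10:31950 198.51.100.8:443 users:(("curl",pid=900,fd=3))
ESTAB 0 0 [2001:db8::10]:44321 [2001:db8::7]:3195
EOF
}

# Reads ss output on stdin; prints one line per socket whose local or peer port
# is exactly $PORT, tagged LISTENER, OUTBOUND (this host connected out) or INBOUND.
classify_port() {
    awk -v port="$PORT" '
    # The port is whatever follows the last colon (works for [IPv6]:port too).
    function portof(addr,   parts, n) { n = split(addr, parts, ":"); return parts[n] }
    {
        state = $1; laddr = $4; peer = $5
        owner = (NF >= 6) ? $6 : "-"       # Process column is empty without root
        lp = portof(laddr); pp = portof(peer)
        if (lp != port && pp != port) next # exact match, so 31950 is ignored
        if (state == "LISTEN")  kind = "LISTENER"
        else if (pp == port)    kind = "OUTBOUND"
        else                    kind = "INBOUND"
        print kind, state, laddr, peer, owner
    }'
}

# Demo on the constructed sample. On a live Linux host: ss -Htanp | classify_port
sample_ss_output | classify_port
```

An OUTBOUND line whose owner you cannot account for is the case the listening-only commands miss.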
