Port 2065 is assigned to Data Link Switching (DLSw), specifically its read port. This isn't a blank page — it's just old enough that most tools treat it as obscure.
What DLSw Is
In the 1990s, IBM mainframes ran on SNA (Systems Network Architecture) — a protocol stack IBM invented in 1974 that had nothing to do with TCP/IP. SNA was hierarchical, deterministic, and completely at odds with the packet-switched Internet. Token Ring networks carried SNA traffic just fine. IP networks did not.
The problem: by the early 1990s, IP was winning. Organizations had IBM mainframes they couldn't replace and IP infrastructure they were building everywhere. They needed a bridge.
DLSw was that bridge. It tunneled SNA and NetBIOS traffic inside TCP connections between Cisco routers — a technique called "switch-to-switch" encapsulation. Each router acted as a local termination point for the legacy protocol, then sent the payload across the IP network to a peer router on the other side, which handed it back to the mainframe in its native format.
IBM and vendors standardized it in RFC 1434 in 1993. RFC 1795 followed in 1995, defining the switch-to-switch protocol (SSP) and assigning the port numbers: 2065 for reading, 2067 for writing.1
How the Ports Work
DLSw uses a two-port TCP model. A DLSw router opens:
- Port 2065 to receive data (the read port)
- Port 2067 to send data (the write port)
Cisco's DLSw+ implementation — its proprietary extension of the standard — defaults to TCP port 2065 for all traffic, collapsing both roles into one connection in practice.2
The port was registered with IANA as dlsrpn (Data Link Switch Read Port Number) and dlswpn (Data Link Switch Write Port Number) for 2065 and 2067 respectively.3
Who Still Uses It
Very few people, and that's the point. DLSw solved a specific decade: the 1990s window when IBM mainframes had to coexist with IP networks but before those mainframes were modernized, emulated, or retired. By the 2000s, most organizations had moved on.
What remains: legacy installations in financial institutions, government systems, and manufacturing environments where mainframe connectivity still matters and nobody has touched the Cisco configuration in twenty years. These systems run. They're just invisible.
Security Considerations
The SANS Internet Storm Center tracks regular scanning on port 2065.4 This is worth noting: DLSw endpoints are old. Systems running DLSw are rarely in active maintenance cycles. An organization running DLSw in 2025 is probably running the same Cisco IOS version they configured in 2003.
If you see traffic on port 2065 on a modern system, it's almost certainly not DLSw. It's either:
- A misconfigured service that chose this port arbitrarily
- Malware or a remote access tool using an obscure port to avoid detection
- A port scanner probing for anything that responds
Checking What's on This Port
To see if anything is listening on port 2065 on your system:
Linux/macOS:
Windows:
If something is listening and you don't recognize it, check the process ID against your running processes. DLSw is not something you'd run accidentally — if you don't know you're running it, you're not.
The Registered Port Range
Port 2065 sits in the registered ports range (1024–49151). IANA maintains this range for services that have gone through a registration process — they're not system-controlled like the well-known ports below 1024, but they're not random either. An application can use any registered port without root privileges, but using a registered port for an unrelated purpose is considered rude at minimum and a security concern at worst.
Frequently Asked Questions
¿Fue útil esta página?