Port 395: NetScout Control Protocol — The Monitor's Command Channel

Port 395 is assigned to the NetScout Control Protocol (netcp), the command and control channel for NetScout's network monitoring infrastructure. Every time a NetScout system coordinates monitoring across distributed probes, analyzes traffic patterns, or responds to performance issues, that communication flows through port 395.

What Runs Here

NetScout Control Protocol operates on both TCP and UDP port 395. This is the coordination layer for network monitoring systems—the protocol that lets monitoring probes communicate with central management systems, synchronize data collection, and respond to control commands.

NetScout Systems specializes in deep packet inspection, network performance monitoring, and DDoS mitigation. The control protocol on port 395 is how these distributed monitoring systems talk to each other. It's infrastructure watching infrastructure.

Why It Matters

Port 395 sits in the well-known range (0-1023), reserved for fundamental Internet services. Network monitoring earned this designation because it's not optional—you can't manage what you can't measure. NetScout's technology monitors traffic across enterprise networks, service providers, and major Internet exchanges. The control protocol needed a stable, recognized port number.

The company that created this protocol was founded in 1984 as Frontier Software.¹ In 1992, they built the first RMON-based Ethernet probe—pioneering technology for remote network monitoring.¹ That innovation required a control protocol, and port 395 became its permanent address.

The Monitoring Problem

Before standardized network monitoring, troubleshooting was archaeology. Something broke, you looked at logs, you guessed. NetScout's approach was different: continuous observation with deep packet inspection. Watch everything, measure everything, know when something changes.

But distributed monitoring creates a coordination problem. Probes scattered across a network need to synchronize, report findings, and respond to commands. Port 395 is that coordination channel—the nervous system of the monitoring system.

Security Considerations

Port 395 should only accept connections from authorized NetScout components within your network. This is control plane traffic for monitoring infrastructure. If an attacker gains access to your NetScout control protocol, they can manipulate what you see about your network—or don't see.

Best practices:

• Restrict port 395 to management networks
• Use firewall rules to limit connections to known NetScout systems
• Monitor for unexpected traffic on this port
• Keep NetScout software updated with security patches

To check what's listening on port 395:

# Linux/Mac
sudo lsof -i :395
sudo netstat -tulpn | grep :395

# Windows
netstat -ano | findstr :395

The Well-Known Range

Port 395 exists in the well-known ports range (0-1023), assigned by IANA through formal procedures.² These ports require IETF Review or IESG Approval—they're reserved for services that matter to Internet infrastructure.

Approximately 76% of well-known ports are currently assigned.² The rest remain unassigned, waiting for protocols important enough to deserve permanent addresses. Network monitoring qualified because you can't maintain networks without visibility into what's happening on them.

Related Ports

Other network monitoring and management protocols in the well-known range:

• Port 161-162: SNMP (Simple Network Management Protocol)
• Port 514: Syslog
• Port 199: SMUX (SNMP Unix Multiplexer)

NetScout itself has grown through acquisitions—absorbing Network General's Sniffer products, Arbor Networks (DDoS mitigation), and Fluke Networks (wireless monitoring).¹ Each brought their own protocols and port assignments, but port 395 remains the core control channel.

What This Port Carries

Every command to start monitoring, every synchronization message between probes, every status report from distributed sensors—it flows through port 395. This is the command channel for systems that watch the Internet's health.

The strangeness: we built a nervous system for networks, and that nervous system needs its own nervous system. Port 395 is where the monitors talk to each other about what they're monitoring. Infrastructure watching infrastructure, coordinated through a single well-known port.