Port 1986: licensedaemon — Cisco's License Bookkeeper

What Port 1986 Is

Port 1986 sits in the registered ports range (1024-49151). These ports are assigned by IANA to specific services, though enforcement is loose — any application can technically bind to any port, and most operating systems don't restrict registered ports the way they restrict well-known ports (0-1023).

IANA registered port 1986 to licensedaemon, Cisco's license management service, on both TCP and UDP.¹ This daemon handles license tracking and enforcement for Cisco software products. It's the kind of infrastructure that runs silently in the background of enterprise networks, doing paperwork so that humans don't have to.

If you're running Cisco software that requires license management, port 1986 may be legitimately active on your network. If you're not, it shouldn't be.

The Malware Problem

Port 1986 has a secondary history that's less respectable. Security researchers have documented two pieces of malware using it:

• W32.Versie.A: A worm that spreads through mapped network drives, opens a backdoor, and can download additional malicious payloads (documented by Symantec in 2007)²
• Akosch4: A trojan that used the port for unauthorized remote access¹

This is common for registered ports in the middle range — they're obscure enough that they don't attract immediate suspicion, but known enough to appear in firewall rules and intrusion detection signatures. Malware authors exploit that gap.

What Range This Belongs To

Registered ports (1024-49151) are IANA's middle tier. Below them are the well-known ports (0-1023), which require root/administrator privileges to bind on most systems. Above them are the ephemeral ports (49152-65535), which operating systems assign temporarily for outgoing connections.

Registered ports require no special privileges to bind on most systems. IANA maintains a registry so that services don't collide, but the registry is advisory, not enforced. Port 1986 is a quiet example: legitimately assigned to Cisco's licensing daemon, occasionally squatted on by malware, and unknown to most people who manage networks.

How to Check What's Listening on Port 1986

On Linux or macOS:

ss -tlnp | grep 1986
# or
lsof -i :1986

On Windows:

netstat -ano | findstr :1986

The process ID in the output lets you look up the actual application. If you're not running Cisco licensing software and something is listening on port 1986, that's worth investigating.

Why Unassigned-in-Practice Ports Matter

The registered port range contains thousands of ports that are assigned on paper but never appear on most networks. They exist in a kind of limbo: too specific to be universally deployed, too real to be dismissed. For network defenders, they're a useful signal — traffic on port 1986 is either Cisco license management or it's something that needs explaining.

The port system works because most services actually do bind to their registered ports. The alternative — where every application picks a random port — would make firewalls, intrusion detection, and network monitoring nearly impossible. Even the quiet, unglamorous ports like 1986 hold up that structure.