Port 9995 doesn't appear in IANA's official registry. It has no RFC defining its purpose, no formal specification, no standards committee blessing. And yet it's carrying network flow data on enterprise networks around the world.
This is what happens when engineers need something to work.
What Port 9995 Actually Does
Port 9995 is commonly used for NetFlow and IPFIX traffic—protocols that monitor network flows by collecting metadata about every packet passing through routers and switches.[1] Nortel IPFIX-enabled devices particularly favor this port, sending flow data here instead of the more standard port 2055.[2]
Flow data tells you who talked to whom, when, for how long, and how much data moved. It's passive network monitoring: no agents, no intrusion, just routers reporting what they see. Network administrators use this data for traffic analysis, security monitoring, bandwidth planning, and troubleshooting performance issues.
Port 9995 handles UDP traffic—fire-and-forget datagrams carrying flow records from network devices to collectors.
The Registered Ports Range
Port 9995 lives in the registered ports range (1024-49151). This middle territory sits between the well-known ports (0-1023) reserved for standard services and the dynamic/ephemeral ports (49152-65535) used for temporary connections.
Registered ports are meant to be assigned by IANA upon request for specific services. Organizations submit applications, IANA reviews them, and if approved, the port gets an official assignment. Port 9995 never went through this process.
What it has instead is convention. Enough devices defaulted to 9995 for flow data that it became a de facto standard in certain vendor ecosystems. No paperwork, no RFC—just configuration files and deployment guides specifying "use port 9995."
Why Unassigned Ports Matter
The Internet runs on both official standards and unofficial agreements. Port 9995 represents the second category: infrastructure that works because people agreed to make it work, not because a standards body blessed it.
This flexibility matters. The registered range gives engineers room to deploy services without waiting for IANA approval. It enables vendor-specific implementations, private protocols, and rapid iteration. The tradeoff is potential conflicts: two different services might claim the same unassigned port, causing problems when they coexist on the same network.
Unassigned ports also attract malicious use. Port 9995 has been flagged in the past for trojan and virus communications.[3] An open, listening port with no standard service makes an opportunistic target. This doesn't mean the port itself is dangerous—just that attackers have used it before.
Security Considerations
If you see traffic on port 9995, it's most likely legitimate flow data from network monitoring infrastructure. But verify:
Check what's listening:
Verify the source: Flow data should come from known routers and switches on your network, not external sources.
Monitor for anomalies: Unexpected traffic patterns, connections from unknown hosts, or unusual data volumes warrant investigation.
Because port 9995 lacks an official assignment, there's no standard behavior to compare against. You need to know what's supposed to be using it on your specific network.
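One way to apply the source and anomaly checks above to datagrams arriving on UDP 9995, as an added example (not code from the original page): it compares the sender against an exporter inventory and checks that the payload starts with a plausible NetFlow v5, NetFlow v9 or IPFIX header. The inventory range, the sample datagrams and the function names are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: your exporter inventory (constructed documentation range).
KNOWN_EXPORTERS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample datagrams, not captured traffic.
SAMPLE_V5 = struct.pack("!HH", 5, 1) + bytes(20) + bytes(48)  # header + 1 record
SAMPLE_IPFIX = struct.pack("!HHIII", 10, 16, 0, 0, 0)         # header-only message
SAMPLE_JUNK = b"GET / HTTP/1.1\r\n"                            # not flow export


def classify_payload(data: bytes) -> str:
    """Identify the flow-export format from the first header fields."""
    if len(data) < 4:
        return "unknown"
    version, second = struct.unpack("!HH", data[:4])
    if version == 5:
        # NetFlow v5: 24-byte header, then `second` records of 48 bytes (1-30).
        if 1 <= second <= 30 and len(data) == 24 + 48 * second:
            return "netflow5"
    elif version == 9:
        # NetFlow v9: 20-byte header followed by at least one FlowSet.
        if second >= 1 and len(data) > 20:
            return "netflow9"
    elif version == 10:
        # IPFIX: 16-byte header whose second field is the total message length.
        if second >= 16 and second == len(data):
            return "ipfix"
    return "unknown"


def triage(src_ip: str, data: bytes) -> str:
    """Combine the source check and the payload check into one verdict."""
    addr = ipaddress.ip_address(src_ip)
    known = any(addr in net for net in KNOWN_EXPORTERS)
    kind = classify_payload(data)
    if known and kind != "unknown":
        return f"ok:{kind}"
    if known:
        return "investigate:known-exporter-non-flow-payload"
    if kind != "unknown":
        return f"investigate:unknown-exporter:{kind}"
    return "alert:unknown-source-non-flow-payload"


if __name__ == "__main__":
    for src, pkt in [("192.0.2.1", SAMPLE_V5), ("198.51.100.7", SAMPLE_IPFIX),
                     ("203.0.113.9", SAMPLE_JUNK)]:
        print(src, triage(src, pkt))
```

UDP source addresses can be spoofed, so a match against the inventory narrows the question rather than settling it.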
How to Check What's Using This Port
On your system:
On your network, check your NetFlow or IPFIX collector configuration. If you're running network monitoring tools from SolarWinds, Plixer, ManageEngine, or similar vendors, check their port settings. Port 9995 might be configured as a listening port for flow data collectors.
The Bigger Picture
Port 9995 exists in the gap between specification and implementation. It's not unique in this—thousands of ports in the registered range carry unofficial traffic, serving real purposes without official recognition.
This matters because the Internet isn't just the protocols in RFCs. It's also the conventions that emerge when engineers solve problems, the defaults that ship in configuration files, the "we always use this port" knowledge passed down in deployment guides.
Port 9995 carries flow data because Nortel configured their devices that way and enough networks adopted the convention that it stuck. No standards process required. Just infrastructure quietly working.
The danger is forgetting what you're running. An unassigned port with unknown traffic is a security hole. An unassigned port carrying expected flow data from known devices is just Monday.
Know which one you have.