Port 2067 carries Data Link Switching (DLSw), a protocol designed to do something deeply pragmatic: take IBM's proprietary networking traffic and route it through TCP/IP infrastructure that was never built to handle it.
What Is DLSw?
In the 1980s and early 1990s, IBM mainframes didn't speak TCP/IP. They spoke SNA (Systems Network Architecture) — IBM's own networking protocol stack, built entirely on IBM's terms. SNA assumed a hierarchical network with a mainframe at the center. It had no concept of routing, no tolerance for dropped packets, and no interest in the open Internet.
But the Internet won. Enterprises found themselves with two parallel networks: the IP network that connected everything modern, and the SNA network that connected the mainframes nobody could afford to replace. The solution was a bridge — carry SNA traffic inside TCP/IP packets, invisibly, so the mainframes didn't have to know anything had changed.
That bridge is DLSw. It encapsulates SNA and NetBIOS frames inside TCP connections, tunneling legacy protocol traffic across IP networks. Port 2067 is the write port — where DLSw peers send data to each other. [1]
How DLSw Works
Two DLSw-capable routers establish a TCP connection to each other. When an IBM terminal or NetBIOS device sends a frame, the local router catches it, wraps it in a DLSw header, and ships it over TCP to the remote router, which unwraps it and delivers it as if nothing happened.
From the mainframe's perspective, it's talking directly to its terminal. From the IP network's perspective, it's just another TCP stream. The protocol speaks two languages fluently and pretends they're the same. [2]
The Security Record
DLSw's Cisco implementation has had two notable vulnerabilities:
CVE-2008-1152 — Crafted UDP packets to port 2067 could crash Cisco IOS devices running DLSw, or exhaust their memory, across versions 12.0 through 12.4. Remote attackers could trigger a device restart with a single malformed packet. [3]
CVE-2014-7992 — The DLSw TCP implementation failed to properly initialize packet buffers. Session data could leak fragments of process memory — potentially including credentials — through port 2067 connections. [4]
Both vulnerabilities were patched. But they're a reminder that protocols built in the 1990s carry the security assumptions of the 1990s.
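Both issues above, and the header-wrapping described under "How DLSw Works", come down to how a peer treats the bytes arriving on port 2067. The following is an added example, not code from the page or from Cisco or IBM: a defensive parser for the DLSw Switch-to-Switch Protocol (SSP) header as laid out in RFC 1795 (version byte, header length, message length, message type, and for 72-byte control messages the MAC and SAP fields), which refuses any frame whose declared lengths would require reading past the bytes actually received. The field offsets and message-type values are taken from RFC 1795 as I recall them; the sample frames, the `build_*` helpers and the `classify` wrapper are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# DLSw SSP header constants (RFC 1795, section 3.5).
SSP_VERSION = 0x31        # ASCII '1'
SSP_PROTOCOL_ID = 0x42    # identifies DLSw SSP
INFO_HDR_LEN = 16         # information messages carry a 16-byte header
CTRL_HDR_LEN = 72         # control messages carry the full 72-byte header

# Subset of SSP message types (offset 14 of the header), from RFC 1795.
MSG_TYPES = {
    0x03: "CANUREACH", 0x04: "ICANREACH", 0x05: "REACH_ACK",
    0x06: "DGRMFRAME", 0x07: "XIDFRAME", 0x08: "CONTACT",
    0x09: "CONTACTED", 0x0A: "INFOFRAME", 0x0E: "HALT_DL",
    0x0F: "DL_HALTED", 0x14: "DATAFRAME", 0x1D: "KEEPALIVE",
    0x20: "CAP_EXCHANGE",
}


class MalformedSsp(ValueError):
    """Raised for any frame that cannot be parsed without reading outside its bytes."""


@dataclass
class SspMessage:
    header_len: int
    msg_type: str
    payload: bytes                  # exactly msg_len bytes following the header
    target_mac: Optional[str] = None
    origin_mac: Optional[str] = None
    origin_sap: Optional[int] = None
    target_sap: Optional[int] = None


def parse_ssp(frame: bytes) -> SspMessage:
    """Parse one SSP message; every read is bounded by len(frame), never by header fields."""
    if len(frame) < INFO_HDR_LEN:
        raise MalformedSsp(f"frame shorter than minimum header ({len(frame)} bytes)")
    version, hdr_len, msg_len = struct.unpack_from("!BBH", frame, 0)
    if version != SSP_VERSION:
        raise MalformedSsp(f"unexpected SSP version byte 0x{version:02x}")
    if hdr_len not in (INFO_HDR_LEN, CTRL_HDR_LEN):
        raise MalformedSsp(f"unexpected header length {hdr_len}")
    if len(frame) < hdr_len:
        raise MalformedSsp(f"header length {hdr_len} exceeds received {len(frame)} bytes")
    # msg_len counts bytes after the header; a peer must not trust it blindly.
    if hdr_len + msg_len > len(frame):
        raise MalformedSsp(f"message length {msg_len} runs past end of frame")
    code = frame[14]
    if code not in MSG_TYPES:
        raise MalformedSsp(f"unknown message type 0x{code:02x}")
    # Slice only what the frame actually holds; the copy is fully initialized.
    msg = SspMessage(hdr_len, MSG_TYPES[code], bytes(frame[hdr_len:hdr_len + msg_len]))
    if hdr_len == CTRL_HDR_LEN:
        msg.target_mac = frame[24:30].hex(":")
        msg.origin_mac = frame[30:36].hex(":")
        msg.origin_sap = frame[36]
        msg.target_sap = frame[37]
    return msg


def classify(frame: bytes) -> str:
    """Constructed helper: what a peer or sensor would do with one received frame."""
    try:
        m = parse_ssp(frame)
    except MalformedSsp as exc:
        return f"DROP: {exc}"
    return f"OK: {m.msg_type} payload={len(m.payload)}B"


# --- constructed sample frames (not captured traffic) -------------------------

def build_info_frame(payload: bytes) -> bytes:
    """INFOFRAME with a 16-byte header carrying `payload` (constructed)."""
    hdr = bytearray(INFO_HDR_LEN)
    struct.pack_into("!BBH", hdr, 0, SSP_VERSION, INFO_HDR_LEN, len(payload))
    hdr[14] = 0x0A          # INFOFRAME
    hdr[16 - 16 + 14] = 0x0A
    return bytes(hdr) + payload


def build_canureach(target_mac: bytes, origin_mac: bytes,
                    origin_sap: int, target_sap: int) -> bytes:
    """CANUREACH control message with a 72-byte header (constructed)."""
    hdr = bytearray(CTRL_HDR_LEN)
    struct.pack_into("!BBH", hdr, 0, SSP_VERSION, CTRL_HDR_LEN, 0)
    hdr[14] = 0x03          # CANUREACH
    hdr[16] = SSP_PROTOCOL_ID
    hdr[17] = 0x01          # header number
    hdr[24:30] = target_mac
    hdr[30:36] = origin_mac
    hdr[36] = origin_sap
    hdr[37] = target_sap
    hdr[38] = 0x01          # frame direction: origin to target
    return bytes(hdr)


if __name__ == "__main__":
    good = build_canureach(bytes.fromhex("400000000001"),
                           bytes.fromhex("400000000002"), 0x04, 0x04)
    for sample in (build_info_frame(b"\x2f\x00\x00"), good,
                   good[:40], build_info_frame(b"\x2f\x00\x00")[:-2], b"\x00" * 16):
        print(classify(sample))
```

The three rejected samples in the `__main__` block are the shapes that matter: a control header cut short, an information frame whose declared length exceeds what arrived, and a frame with the wrong version byte. A parser that slices by header fields without these checks either reads past its buffer or returns whatever happened to be in memory, which is the pattern behind the two CVEs listed above.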
Who Still Uses This?
Fewer people every year. DLSw was a bridge technology — genuinely useful during the transition from SNA-centric mainframe networking to pure TCP/IP. That transition is largely complete. Most enterprises that still run mainframes have migrated to TCP/IP-native protocols or retired the legacy systems entirely.
If you see port 2067 open, you're almost certainly looking at a Cisco router configured for DLSw, or legacy IBM infrastructure that predates the current decade.
Related Ports
- Port 2065 — DLSw read port (where DLSw peers receive data)
- Port 1799 — Alternative used by some DLSw implementations
- IP Protocol 91 — LSVD, also associated with DLSw-adjacent Cisco vulnerabilities