What This Port Is

Port 1991 sits in the registered ports range (1024–49151). These ports are assigned by IANA to specific applications and services, but "registered" doesn't mean "in widespread use." Many registered ports belong to niche enterprise protocols or technologies that have since faded.

IANA assigned port 1991 to stun-p2 — Cisco STUN Priority 2.[1]

What Cisco STUN Actually Is

This STUN is not the NAT-traversal protocol you may know from VoIP and WebRTC (that STUN is defined in RFC 5389 [2]). The naming collision is genuine and mildly maddening.

Cisco STUN stands for Serial Tunnel — a technology that lets legacy serial devices (think: older IBM SNA equipment, SDLC devices, industrial controllers) communicate across an IP network. Instead of replacing the serial devices, STUN wraps their traffic in TCP/IP packets and ships them across a network that neither device knows about.

Cisco reserved a cluster of ports for STUN, one per priority level:

Port  Name           Priority
1990  stun-p1        Priority 1
1991  stun-p2        Priority 2 (default)
1992  stun-p3        Priority 3
1993  snmp-tcp-port  (different use)
1994  stun-port      High priority

The "Priority 2" label is an artifact of Cisco's internal naming, not a meaningful hierarchy you need to memorize.

Serial Tunnel was relevant in the 1990s and early 2000s, when enterprises were migrating IBM mainframe infrastructure to IP networks without replacing every piece of hardware. It's largely obsolete today — those migrations finished long ago.

The Other History

Security databases list port 1991 as historically associated with PitFall, a backdoor trojan from the early Windows malware era.[3] Like most trojans of that period, PitFall would open a listening port on an infected machine to accept remote commands.

This doesn't mean anything listening on port 1991 today is malicious. Trojans claimed whatever ports they could. Port 1991's appearance in security lists is a historical footnote, not a current threat signal.

If you see unexpected traffic on port 1991, investigate it. But don't assume the worst — verify first.

How to Check What's Using This Port

Linux/macOS:

# Show which process is listening on port 1991
sudo ss -tlnp | grep 1991

# Or with lsof
sudo lsof -i :1991

Windows:

# Show listening ports with process IDs
netstat -ano | findstr :1991

# Match the PID to a process name
tasklist | findstr <PID>

macOS (Activity Monitor alternative):

sudo lsof -iTCP:1991 -sTCP:LISTEN
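
The Linux check above pipes ss into a bare grep, which also matches a PID of 1991 or a listener on port 11991. The following is an added example, not part of the original page: it matches only the local-port field and reports the owning PID and process. The function names, the sample ss output and the process names in it are constructed for illustration.

```shell
#!/bin/sh
# Read `ss -H -tlnp` output on stdin and print "local_addr pid process"
# for every TCP listener whose local port is exactly $1.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")        # port is the text after the last colon
            if (a[n] != port) next       # exact match: 11991 is not 1991
            proc = "unknown"; pid = "-"  # ss omits users:(...) for processes you cannot inspect
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /pid=[0-9]+/))
                pid = substr($0, RSTART + 4, RLENGTH - 4)
            print $4, pid, proc
        }'
}

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# Every line contains the string "1991", but only two are listeners on port 1991.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=1991,fd=3))
LISTEN 0      5            0.0.0.0:1991       0.0.0.0:*    users:(("legacyd",pid=4242,fd=6))
LISTEN 0      128        127.0.0.1:11991      0.0.0.0:*    users:(("devtool",pid=777,fd=9))
LISTEN 0      5               [::]:1991          [::]:*    users:(("legacyd",pid=4242,fd=7))
EOF
}

# Offline demonstration on the sample.
# On a live host: sudo ss -H -tlnp | listeners_on_port 1991
sample_ss_output | listeners_on_port 1991
```

An empty result means nothing is listening on the port; a process name you do not recognize is the cue to look at its binary path and parent process before drawing conclusions.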

Why Unassigned and Legacy Ports Matter

The registered ports range exists because applications need stable, predictable addresses. When Cisco registered STUN's ports in the 1990s, it meant any firewall, router, or network tool could recognize Cisco STUN traffic by port number without inspecting the packets themselves.

That predictability cuts both ways. Trojans like PitFall also chose specific ports to operate on — partly for their own consistency, partly because well-known ports were more likely to be open in firewalls.

Today, port 1991 is mostly quiet. You're unlikely to encounter Cisco STUN in the wild unless you're maintaining genuinely ancient infrastructure. But it has a name, a history, and a reason it exists — which is more than most numbers in the registered range can claim.