
What This Port Is Supposed To Be

Port 1002 is officially registered with IANA as ms-ils — Microsoft Internet Locator Service. [1] It was designed in the mid-1990s to support Microsoft NetMeeting, a videoconferencing and collaboration tool. ILS directory servers listened on this port for incoming client queries, allowing people to find each other on the network for real-time communication. [2]

That was 1996. NetMeeting is now completely forgotten.

What It Actually Does

The official assignment is almost irrelevant now. In modern networks, port 1002 is most commonly occupied by one of three things:

Opsware Agent (Cogbot): If you're working in an enterprise IT environment, port 1002 likely belongs to the Opsware Agent, also known as Cogbot. HP Server Automation (formerly Opsware, acquired by HPE) uses this port for managed servers to receive instructions from the Opsware Core. [3] It handles command execution, inventory scanning, and infrastructure automation. This is the most common real-world use.

Microsoft Internet Connection Sharing: If you've enabled ICS on a Windows machine, port 1002 opens—but with a twist. The port appears active even though it doesn't show up in standard netstat output, suggesting it operates through non-standard Windows mechanisms. [4] This has made port 1002 a security concern because it's open when ICS is running but not obviously visible.

Cisco Discovery Protocol: Some Cisco networking equipment uses port 1002 for CDP, their proprietary protocol for sharing information between network devices. [5]

The Mismatch Problem

This is what happens when a port assignment becomes obsolete: it remains officially registered long after anyone cares. IANA has no mechanism to "retire" ports, so port 1002 is still listed as belonging to ms-ils. Vendors and network teams, unable to claim an officially assigned port, have quietly occupied it anyway.

The result is a port where the official definition and actual usage are completely different.

How To Check What's Using Port 1002

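On Linux/macOS:

sudo lsof -i :1002                     # Linux and macOS: process name and PID for the port
sudo netstat -tulpn | grep ':1002 '    # Linux only; the pattern avoids matching PIDs or ports like 10020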

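On Windows (the first command runs in cmd or PowerShell and shows the owning PID in the last column; the second is PowerShell only and covers TCP):

netstat -ano | findstr :1002
Get-NetTCPConnection -LocalPort 1002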

For a remote machine:

nmap -p 1002 <target>
nc -zv <target> 1002
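
Added example, not part of the original page: this script takes Linux `ss -H -tulpn` output, reports which process actually owns port 1002, and checks that against the process the host is documented to run and against an external probe result, instead of trusting the registry name. The function names, the `agentd` process name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Input: `ss -H -tulpn` lines (Linux).
PORT=1002
REGISTRY_NAME="ms-ils"   # IANA name for the port, as stated on the page

# Constructed sample; "agentd" is a hypothetical process name.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:1002 0.0.0.0:* users:(("agentd",pid=2211,fd=7))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=4))
udp UNCONN 0 0 0.0.0.0:10020 0.0.0.0:*'

# port_owners: print "proto addr process pid" for each socket bound to $PORT.
# process is "unknown" when ss printed no users:(...) column (not run as root).
port_owners() {
    awk -v port="$PORT" '{
        n = split($5, p, ":")
        if (p[n] != port) next              # exact match, so 10020 is skipped
        addr = substr($5, 1, length($5) - length(p[n]) - 1)
        proc = "unknown"; pid = "-"
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            split(substr($0, RSTART + 9, RLENGTH - 9), f, /",pid=/)
            proc = f[1]; pid = f[2]
        }
        print $1, addr, proc, pid
    }'
}

# verdict EXPECTED_PROC REMOTE_STATE   (ss output on stdin)
#   EXPECTED_PROC: process documented for this host on the port ("" = none)
#   REMOTE_STATE:  open|closed, from an external probe such as nmap or nc
verdict() {
    expected=$1; remote=$2; rc=0
    owners=$(port_owners)
    if [ -z "$owners" ]; then
        # The page notes ICS can hold the port without showing in netstat.
        if [ "$remote" = open ]; then echo "REVIEW no-local-owner"; return 1; fi
        echo "OK closed"; return 0
    fi
    while read -r proto addr proc pid; do
        if [ "$proc" = "$expected" ]; then
            echo "OK $proto $addr $proc pid=$pid"
        else
            echo "REVIEW $proto $addr $proc pid=$pid registry=$REGISTRY_NAME"; rc=1
        fi
    done <<EOF
$owners
EOF
    return $rc
}

printf '%s\n' "$SAMPLE_SS" | verdict agentd open   # constructed demo run
```

On a live host, feed it real data with `sudo ss -H -tulpn | verdict <expected-process> <open|closed>`; a REVIEW line means the listener needs an owner on record before the port is signed off.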

Why This Matters

Port 1002 demonstrates a systemic problem with the Internet's port system: official assignments don't always reflect reality. A port can be "assigned" to a service that no one uses, while vendors quietly claim it for their own tools. There's no enforcement mechanism, no way to reclaim dead assignments, and no central visibility into what's actually listening on the network.

This creates security blind spots. If a security auditor looks at port 1002 and sees "ms-ils" in the official registry, they might miss that it's actually running Opsware Agent or an ICS service. The system works on trust and convention—which means sometimes it doesn't work at all.

The port isn't dangerous because of what it does. It's dangerous because of what people assume it's not doing.

Port 1002: ms-ils — A Port Reserved for the Past • Connected