Port 131 is assigned to cisco-tna, described in the IANA registry as "cisco TNATIVE."1 It is registered for both TCP and UDP. If you have never heard of it, that is because almost no one has used it in decades.
What Cisco TNATIVE Was
Port 131 belongs to a block of three consecutive Cisco port assignments:
| Port | Service Name | Description |
|---|---|---|
| 130 | cisco-fna | Cisco FNATIVE |
| 131 | cisco-tna | Cisco TNATIVE |
| 132 | cisco-sys | Cisco SYSMAINT |
These ports were registered during the late 1980s, when Cisco was building the routers that would become the backbone of the Internet.2 "TNATIVE" is understood to stand for "Terminal Native," a proprietary protocol used for terminal access and management of Cisco networking equipment. Its companion, FNATIVE (port 130), handled "Foreign Native" communication with non-native network environments, while SYSMAINT (port 132) served system maintenance and diagnostics.3
These were internal, proprietary protocols. Cisco never published RFCs for them. They predate the modern management standards that replaced them: SSH, SNMP, NETCONF, and Cisco's own later tools. Almost no public documentation of the protocols' technical details survives.
The Era of Claiming Ports
The assignment appears in RFC 1700, the "Assigned Numbers" document published by Joyce Reynolds and Jon Postel in October 1994, which cataloged port assignments that had accumulated over the preceding years.4 But these Cisco ports were registered well before 1994. They come from an era when the entire port registry could fit in a single document, and a company could claim three consecutive well-known ports for proprietary use without much friction.
Port 131 sits in the System Ports range (0 through 1023). These are the most restricted ports in the TCP/IP numbering system, assigned only through IETF Review or IESG Approval.5 On most Unix-like operating systems, binding to a port in this range requires root privileges. The fact that Cisco holds three of these prestigious low-numbered ports for protocols no one uses anymore says something about how early the company planted its flag in Internet infrastructure.
Security
Port 131 has been flagged in some security databases as historically associated with malware communication.6 This is not because Cisco TNATIVE itself was malicious. It is because abandoned ports make attractive targets. When a port is officially assigned but practically unused, malware authors sometimes piggyback on it, knowing the traffic may be overlooked. Firewalls may leave it open because it has an IANA assignment. Administrators may not question it because it has a legitimate-looking name.
If you see traffic on port 131 in a modern network, investigate. There is almost no legitimate reason for anything to be speaking Cisco TNATIVE in the current era.
How to Check What Is Listening on Port 131
Linux:
macOS:
Windows:
If something is listening on port 131 and you did not put it there, take it seriously.
Why Obsolete Ports Matter
The IANA port registry contains 65,535 entries, and a significant number of them are like port 131: assigned to protocols that have faded from use. These ghost assignments are not failures. They are evidence. Each one marks a moment when someone was building something they believed the network needed.
Cisco TNATIVE served its purpose. The routers it managed helped build the Internet we use today. The protocol is gone, but the port number remains in the registry, a small, permanent marker that says: Cisco was here early, and they were building.
Frequently Asked Questions
Was this page helpful?