Port 15 is unassigned. But it wasn't always.
If you look at IANA's Service Name and Transport Protocol Port Number Registry today, the entry for port 15/tcp reads: "Unassigned [was netstat]."1 That parenthetical is a tombstone. Port 15 once carried a service, and the registry still remembers.
What Used to Run Here
In the early ARPANET, port 15 ran the netstat service. Not the netstat command you type into your terminal. A network service. You could open a TCP connection to port 15 on a remote host, and it would respond with its network status: active connections, routing tables, interface statistics.2
No authentication. No encryption. No access control of any kind. You asked, and the machine answered.
Port 15's sibling was port 11, the systat service (defined in RFC 866), which did the same thing but for logged-in users.3 Connect to port 11, get a list of who's on the system. Connect to port 15, get the network connection table. Together they formed a pair of diagnostic services from an era when knowing what a remote machine was doing was considered helpful, not dangerous.
On Unix systems, this was typically implemented through inetd, the Internet super-server. The configuration was straightforward: bind port 15 to the output of netstat -a. When someone connected, inetd would spawn the command and pipe the results back over the socket.4
Why It Was Killed
The netstat service was designed for a network of researchers who trusted each other. The ARPANET in the early 1980s had perhaps a few hundred hosts, operated by universities and government labs. Knowing the state of a remote machine's network connections was a debugging tool, not a weapon.
Then the Internet grew. And the information that port 15 freely handed out became a reconnaissance goldmine. Active connections reveal what services are running, what hosts are communicating, what the network topology looks like. An attacker connecting to port 15 could map out a target's entire network posture without ever attempting to break in.5
IANA eventually unassigned the port. Most Unix distributions stopped enabling the service decades ago. But the registry note persists: "[was netstat]."
The Name Confusion
The netstat service on port 15 and the netstat command-line tool share a name but serve fundamentally different purposes.
The service was outward-facing: a remote host telling strangers about its network state over TCP. It was killed because that information is dangerous in the wrong hands.
The command is inward-facing: you asking your own machine what connections it has. It remains one of the most widely used network diagnostic tools on every major operating system. On Linux, it's been largely replaced by ss (part of iproute2), but the name lives on.6
One was too trusting for the modern Internet. The other became indispensable.
The Well-Known Port Range
Port 15 sits in the well-known port range (0 through 1023), also called system ports. These are assigned by IANA through IETF Review or IESG Approval.7 On Unix-like systems, binding to a port in this range requires root privileges.
Not every well-known port has an active assignment. Some, like port 15, were assigned and later revoked. Others were never assigned at all. The range exists as reserved space for protocols important enough to earn a permanent, low-numbered address.
Security
Port 15 should not be open on any modern system. If you find something listening on port 15, investigate immediately. The legitimate netstat service has been dead for decades. Anything running there now is either a misconfiguration or something you did not ask for. The port has been associated with the B2 trojan in the past.5
How to Check if Port 15 is Open
Linux:
macOS:
Windows:
If anything is listening, find the process and determine why.
Frequently Asked Questions
Was this page helpful?