
What Port 151 Does

Port 151 is assigned to HEMS, the High-Level Entity Management System, on both TCP and UDP. HEMS was a protocol for monitoring and controlling network devices: routers, gateways, hosts, anything connected to the Internet that needed to report its health.[1]

You will almost certainly never see traffic on port 151. HEMS is a historical protocol. It was replaced before most of today's Internet existed. But the story of how it was replaced is one of the most quietly noble moments in the history of network standards.

How HEMS Worked

HEMS divided network management into two activities: monitoring and control.[1]

Monitoring meant extracting data from the network to observe its behavior. Control meant taking actions to change that behavior in real time. A query processor sat on each managed device, interpreting requests from management applications. Applications would send instructions about objects to examine or change, and the processor would locate and operate on those objects.[1]

The objects were self-describing, encoded using ASN.1 (Abstract Syntax Notation One), which meant a management application could understand what it was looking at without being pre-programmed for every device type.[2] This was genuinely forward-thinking in 1987, when most network equipment came from a handful of vendors who each spoke their own proprietary management language.

HEMS expected three types of management to dominate: status monitoring (periodic health checks), firefighting (diagnosing problems in progress), and event reporting (devices announcing that something noteworthy happened).[1] If that sounds like every monitoring system you've ever used, it's because HEMS described the template.

The History

By the mid-1980s, the Internet had a management crisis. The number of vendors building network equipment had grown far beyond the small group that originally built the ARPANET. Each vendor had proprietary monitoring tools. There was no standard way to ask a router "are you okay?" and get an answer that any management console could understand.[1]

Three groups set out to solve this problem simultaneously:

  1. HEMS (High-Level Entity Management System), developed by Craig Partridge at BBN and Glenn Trewitt at Stanford [1]
  2. SGMP (Simple Gateway Monitoring Protocol), which would evolve into SNMP [3]
  3. CMIS/CMIP, the OSI framework backed by international standards bodies [3]

Partridge and Trewitt published the HEMS suite in October 1987: RFC 1021 (the system overview), RFC 1022 (the protocol, delightfully abbreviated HEMP), RFC 1023 (the monitoring and control language), and RFC 1024 (the variable definitions).[1][4] Trewitt updated the monitoring language in RFC 1076 a year later.[5]

HEMS was thorough. Its variable definitions, the catalog of everything you might want to monitor on a network device, were the most complete of any competing proposal. The HEMS team had done the painstaking work of enumerating what mattered.

The Sacrifice

Here is where port 151's story becomes remarkable.

By late 1987, the Internet Activities Board needed to choose a path. Three competing proposals, each with committed working groups, each with legitimate technical merit. The kind of situation that can paralyze a standards body for years.

Craig Partridge made a decision. He volunteered to withdraw the HEMS proposal entirely if it would help the Internet community agree on a single network management standard.[6] He chose consensus over victory.

The IAB accepted this act of statesmanship. They recommended that the remaining two efforts, SNMP and CMIP, adopt the MIB (Management Information Base) definitions that the HEMS team had so carefully developed.[6] The protocol was retired. Its understanding of what networks need survived.

SNMP won. It was simpler, easier to implement on the limited hardware of the era, and backed by engineers who viewed the OSI approach as "both unimplementable in the computing platforms of the time as well as potentially unworkable."[3] SNMP was approved as an "interim" protocol. That interim has lasted nearly four decades.

Security Considerations

HEMS itself included authentication facilities for verifying messages and the ability to encrypt messages to protect sensitive information.[4] This was ahead of its time. SNMPv1, the protocol that replaced HEMS, sent community strings (effectively passwords) in plaintext. SNMP didn't get proper encryption until SNMPv3 in 1998, over a decade later.[3]

Port 151 should not be open on modern systems. No production software uses HEMS. If you see traffic on port 151, investigate immediately. It's either a misconfiguration or something pretending to be something it isn't.

How to Check What's Listening on Port 151

Linux:

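# TCP and UDP sockets bound to exactly port 151, with the owning process
sudo ss -tulnp 'sport = :151'
# Any open socket using port 151 (numeric addresses and ports)
sudo lsof -nP -i :151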

macOS:

sudo lsof -i :151
netstat -an | grep '\.151 '

Windows:

netstat -ano | findstr /C:":151 "

If anything is listening on port 151, you should determine what process owns it. On a properly configured system, this port should be closed.
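
A loose pattern such as `grep :151` also matches ports like 1510 and 15100, and a TCP-only listing misses a UDP socket on 151. The following is an added example, not part of the original page: a small filter that keeps only sockets whose local port is exactly the one requested and reports the owning process. The function names and the sample `ss` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: exact-match filter for listeners on port 151 (TCP and UDP).

# Constructed sample of `ss -H -tulnp` output; not captured from a real host.
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0 0      0.0.0.0:151      0.0.0.0:*    users:(("mystery",pid=4242,fd=5))
udp   UNCONN 0 0      0.0.0.0:1510     0.0.0.0:*    users:(("other",pid=777,fd=3))
tcp   LISTEN 0 128    0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0 128    [::]:151         [::]:*       users:(("mystery",pid=4242,fd=6))
tcp   LISTEN 0 128    127.0.0.1:15100  0.0.0.0:*
EOF
}

# Read ss-style lines on stdin and print "proto local-address process" for
# each socket whose local port is exactly $1 (default 151).
listeners_on_port() {
  awk -v port="${1:-151}" '
    {
      local_addr = $5
      # The port is the text after the last colon; this also handles [::]:151.
      n = split(local_addr, parts, ":")
      if (parts[n] != port) next
      # ss omits the users:(...) column when run without enough privilege.
      proc = "unknown"
      if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
        proc = substr($0, RSTART + 9, RLENGTH - 9)   # name",pid=N
        gsub(/"/, "", proc)
        sub(/,pid=/, " pid=", proc)
      }
      print $1, local_addr, proc
    }'
}

# Live check on a Linux host (run as root to see process names).
check_live() {
  ss -H -tulnp 2>/dev/null | listeners_on_port "${1:-151}"
}

# Demonstration on the constructed sample.
sample_ss_output | listeners_on_port 151
```

An empty result from `check_live` means nothing is bound to port 151 on either transport.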

Port 151 sits in a neighborhood of early network management and database protocols:

  • Port 150 (SQL-NET): Oracle database networking
  • Port 152 (BFTP): Background File Transfer Program
  • Port 153 (SGMP): Simple Gateway Monitoring Protocol, the direct ancestor of SNMP
  • Port 161 (SNMP): The protocol that inherited HEMS's mission
  • Port 162 (SNMP Trap): SNMP's event notification channel

The proximity of port 151 (HEMS) and port 153 (SGMP) is a quiet footnote. Two doors apart in the port registry, two rival proposals for the same problem, assigned ports within months of each other. Only one survived.
