
Port 1985 carries HSRP -- the Hot Standby Router Protocol. It's not assigned to HSRP in the IANA registry (the port officially has no owner), but Cisco has used it since the mid-1990s, and it's become the de facto home for one of networking's most quietly important ideas: router redundancy.

The Problem HSRP Solves

Every device on your network has a default gateway -- the router it sends traffic to when the destination isn't local. That gateway is a single IP address. And if the router behind that address dies, every device on the network loses its exit. Traffic just stops.

The naive fix is "get a second router." But then which one do your devices point to? You can't configure half your devices to use one gateway and half to use another -- or rather, you can, but now a failure takes down half your network instead of all of it.

HSRP's answer: make the two routers share one virtual IP address. Your devices configure a gateway that doesn't belong to either physical router. Behind that address, two routers run an election -- one active, one on standby. If the active router fails, the standby takes over the virtual address within seconds. Your devices never know anything changed.1

How the Election Works

HSRP runs over UDP on port 1985. Routers in an HSRP group send hello packets to the multicast address 224.0.0.2 -- a message that reaches every router on the local segment, but goes no further (TTL is set to 1).2

The packets carry a priority value. The router with the highest priority becomes the Active router and owns the virtual IP. The next-highest becomes the Standby, watching. Everyone else waits.

Every three seconds, the Active router announces: "Still here." If the Standby doesn't hear this for ten seconds, it declares the Active router dead and takes over. The virtual IP address -- and its associated virtual MAC address -- move to the new Active router. From the perspective of every device on the network, nothing happened.3

What's Actually on Port 1985

The traffic on this port is router-to-router only. HSRP hello packets never leave the local network segment -- that TTL-1 multicast ensures it. A workstation would have no reason to listen on or send to port 1985.

If you see port 1985 traffic to or from a host that is not a router, that's worth investigating. A workstation speaking HSRP is unusual enough to warrant a look.
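One way to act on that observation, as an added example that is not part of the original page: decode each UDP/1985 payload as an HSRP version 1 message (field layout from RFC 2281) and report senders that are not on an allowlist of the segment's routers, plus hellos whose timers differ from the 3-second/10-second values described above. The allowlist, the sample addresses and the function names are assumptions made for illustration, and the packets are constructed, not captured.

```python
import ipaddress
import struct

# HSRPv1 message layout from RFC 2281: 20 bytes of UDP payload.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def parse_hsrp_v1(payload):
    """Decode one UDP/1985 payload; raise ValueError if it is not HSRPv1."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("shorter than a 20-byte HSRPv1 message")
    ver, op, state, hello, hold, prio, group, _rsvd, _auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0 or op not in OPCODES or state not in STATES:  # the version field is 0 in HSRPv1
        raise ValueError("version, opcode or state is not valid HSRPv1")
    return {"opcode": OPCODES[op], "state": STATES[state], "hello": hello, "hold": hold,
            "priority": prio, "group": group, "virtual_ip": str(ipaddress.IPv4Address(vip))}

def review(src_ip, payload, known_routers):
    """Return a list of findings for one packet observed on UDP port 1985."""
    try:
        msg = parse_hsrp_v1(payload)
    except ValueError as exc:
        return [f"{src_ip}: non-HSRP data on port 1985 ({exc})"]
    findings = []
    if src_ip not in known_routers:
        findings.append(f"{src_ip}: HSRP {msg['opcode']} from a host that is not a known router "
                        f"(group {msg['group']}, state {msg['state']}, priority {msg['priority']})")
    if msg["opcode"] == "Hello" and (msg["hello"], msg["hold"]) != (3, 10):
        findings.append(f"{src_ip}: timers {msg['hello']}s/{msg['hold']}s differ from the 3s/10s baseline")
    return findings

def sample(state, priority, hello=3, hold=10):
    """Build a constructed HSRPv1 Hello for group 1 (placeholder auth field, virtual IP 192.0.2.1)."""
    vip = ipaddress.IPv4Address("192.0.2.1").packed
    return HSRP_V1.pack(0, 0, state, hello, hold, priority, 1, 0, b"example", vip)

KNOWN_ROUTERS = {"192.0.2.2", "192.0.2.3"}  # hypothetical allowlist of the segment's routers

if __name__ == "__main__":
    for src, pkt in [("192.0.2.2", sample(16, 110)), ("192.0.2.3", sample(8, 100)),
                     ("192.0.2.77", sample(16, 255)), ("192.0.2.50", b"not hsrp")]:
        print(src, review(src, pkt, KNOWN_ROUTERS) or "ok")
```

The parser covers HSRP version 1 only; anything else arriving on the port is reported as non-HSRP data rather than silently ignored.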

How to Check What's Using This Port

On any Unix-like system:

# Show what's listening on port 1985
ss -tulnp | grep 1985

# Or with netstat
netstat -an | grep 1985

# On a Cisco router, check HSRP state
show standby
show standby brief

On Windows:

netstat -ano | findstr :1985

The Registered Port Range

Port 1985 sits in the registered port range (1024--49151). This range is administered by IANA, which assigns ports to specific services upon request. But not every port in this range has an assignment -- 1985 doesn't -- and the range is large enough that protocols like HSRP can claim ports by convention rather than official registration.4

This is how a lot of the Internet actually works: official assignment matters less than consistent practice. HSRP has used port 1985 for decades. The port is, in practice, Cisco's -- just not on paper.

Why Unassigned Ports Matter

The gap between "assigned" and "used" is where a lot of real-world networking lives. HSRP, various game servers, internal enterprise tools, and legacy protocols all occupy unassigned registered ports. When you see traffic on an unassigned port, the question isn't "what's supposed to be here?" It's "what actually is?"

That distinction -- between the registry and reality -- is what network monitoring is for.

Port 1985: HSRP — The Understudy Protocol • Connected