Port 489 sits in the well-known ports range (0-1023), officially assigned by the Internet Assigned Numbers Authority (IANA) to a service called "nest-protocol."1 The contact listed is Gilles Gameiro. Beyond that, the trail goes cold.
What We Know
The official IANA registry lists port 489 for both TCP and UDP protocols under the service name "nest-protocol."1 This places it in the System/Well-known ports range, which requires IANA registration and is supposed to be reserved for established, standardized services.
But nest-protocol has no RFC. No public specification. No documentation that search engines can find. No visible implementations running in the wild.
What We Don't Know
What nest-protocol actually does. Who built it. When it was registered. Whether it was ever deployed. Whether it's still in use somewhere, quietly doing its job, or whether it died before it ever ran.
The name suggests some kind of nesting or hierarchical structure—maybe multicast scope nesting, maybe something else entirely. But without documentation, we're guessing.
The Well-Known Ports Range
Ports 0-1023 are the well-known ports, assigned by IANA for services that are (or were intended to be) widely used and standardized. Getting a port in this range means going through an official registration process.2
Most ports in this range have clear purposes: port 80 for HTTP, port 443 for HTTPS, port 22 for SSH. They're documented in RFCs, implemented in countless systems, and fundamental to how the Internet works.
Port 489 is different. It's registered, but invisible.
Phantom Protocols
The Internet's port registry is full of these ghosts. Officially assigned ports for protocols that:
- Were developed privately and never released publicly
- Were registered with good intentions but never implemented
- Ran in production for specific organizations but never standardized
- Died during development, leaving only a registry entry behind
Port 489 appears to be one of them. It has a name. It has an official assignment. But it left no other footprint.
Security Considerations
The obscurity of port 489 creates an interesting security situation. Because it's not associated with any known service, any traffic on this port is unusual and worth investigating.3
Some sources report that malware has used port 489 for command and control communication, precisely because it's an unexpected port that might not be monitored as closely as common services.3
If you see traffic on port 489, it's worth checking what's actually using it.
How to Check What's Listening
On Linux or macOS:
On Windows:
These commands will show you if anything is listening on port 489 and what process owns it.
Why Unassigned and Ghost Ports Matter
The port numbering system works because of scarcity. There are only 65,535 ports per protocol. The well-known range (0-1023) has just 1,024 slots, and they're supposed to be reserved for important, standardized services.
When a port is registered but the protocol vanishes, that port number is effectively lost. It can't be easily reassigned because something, somewhere, might still be using the original protocol. The registry has to assume the assignment is legitimate.
Port 489 is a reminder that the Internet's infrastructure isn't just running code—it's also archaeology. Every port number tells a story. Sometimes that story is "millions of HTTPS connections every second." Sometimes it's "someone registered this in 1995 and we never heard from them again."
Related Ports
- Port 487: saft (Simple Asynchronous File Transfer)1
- Port 488: gss-http (GSS HTTP)1
- Port 490: Unassigned
- Port 491: Unassigned
The ports around 489 include other obscure protocols. Some documented, some not. This region of the port space is a mix of active services and forgotten registrations.
Frequently Asked Questions
Was this page helpful?