Port 3130: Squid ICP — Where Caches Ask Each Other for Help

Port 3130 has no official owner. IANA never assigned a service to it. But in practice, anyone running a Squid web cache cluster knows exactly what it is: the default port for ICP—the Internet Cache Protocol.

What This Port Does in Practice

ICP is the protocol Squid uses to ask sibling caches a simple question: do you have this already?

In a hierarchical or mesh proxy arrangement, a cache that receives a request doesn't immediately go to the origin server. Instead, it sends a UDP query to its neighbors on port 3130: "Has anyone cached example.com/image.jpg?" The neighbors respond—HIT or MISS—in milliseconds. Only on a miss does the cache go out to the Internet to fetch it.

This matters at scale. ISPs and large organizations running multiple Squid instances use ICP to reduce redundant external fetches across their cache hierarchy. Port 3130 is the UDP channel that makes this coordination possible.¹

Squid's HTTP proxy itself listens on port 3128. Port 3130 is the back-channel—the inter-cache nervous system that keeps a Squid cluster working as a single coherent unit rather than a collection of independent caches that each fetch everything themselves.

The Range It Belongs To

Port 3130 falls in the registered ports range: 1024–49151.

Registered ports are intended for applications that have formally registered their use with IANA. Unlike well-known ports (0–1023), they don't require elevated privileges to bind. Unlike ephemeral ports (49152–65535), they're considered stable enough for servers to listen on persistently.

Port 3130 is a registered port that nobody officially registered—Squid just picked it and the convention stuck.

ICP: The Protocol Behind the Port

ICP was designed for exactly one job: fast, lightweight cache coordination. The protocol is defined in RFC 2186 (the specification) and RFC 2187 (application and usage examples).²³

A few things worth knowing about ICP:

• UDP only. ICP queries are fire-and-forget. Speed matters more than reliability—if a neighbor doesn't respond in time, the cache falls back to fetching from origin.
• Same socket for send and receive. A Squid cache must open port 3130 even if it only wants to ask questions, not answer them. ICP uses a single bidirectional socket.
• Not encrypted. ICP was designed in the mid-1990s for trusted internal networks. It carries no authentication or encryption, which is why you won't see it on the open Internet.

ICP has largely been succeeded by HTCP (Hyper Text Caching Protocol) and Cache Digests in modern deployments, but ICP on port 3130 remains the default in Squid installations that haven't explicitly disabled it.⁴

How to Check What's Listening on This Port

On Linux/macOS:

# Check if anything is listening
ss -ulnp | grep 3130
# or
netstat -ulnp | grep 3130

# On macOS
lsof -i UDP:3130

On Windows:

netstat -ano | findstr :3130

If you see Squid listening on UDP 3130, that's expected—it's ICP. If you see something unexpected, that warrants investigation.

Why Unassigned Ports Matter

The port registry exists because chaos is the alternative. Without it, two applications would routinely pick the same port, services would conflict, and firewall rules would be guesswork.

Port 3130 illustrates an important wrinkle: convention without registration. Squid didn't register 3130, but by becoming the dominant open-source web cache, it effectively reserved the port through adoption. Every firewall rule that opens 3130 for ICP is documentation that the registry doesn't formally contain.

This happens constantly. Popular software claims ports. Other software avoids those ports out of practical courtesy. The registry reflects intent; real-world usage reflects reality. For a network operator, both matter.