Port 2219: NetIQ NCAP — Enterprise Agent Chatter

What Runs on Port 2219

Port 2219 is assigned to the NetIQ Common Agent Protocol (NCAP) — a binary protocol used by NetIQ's enterprise IT management software to communicate with monitoring agents deployed across a network.

NetIQ builds infrastructure management tools: security monitoring, identity management, log aggregation. Their products install lightweight agents on servers and workstations, and those agents need a channel to phone home. NCAP is that channel. It carries real-time event delivery and RPC (Remote Procedure Call) services between client and server components in NetIQ's management framework. Connections can be optionally encrypted via SSL, negotiated during the initial handshake.¹

The registration is straightforward: Roger Huebner at NetIQ Corp filed with IANA on August 25, 2010, claiming both TCP and UDP on port 2219.² An earlier Internet-Draft from 2004 described the protocol specification, though it never became an RFC and has since expired.¹

Who Uses It

NetIQ customers — primarily large enterprises running NetIQ AppManager, Sentinel, or related products. If you're not in that world, you won't see this port in the wild. It belongs to a class of ports that exist invisibly, carrying traffic for specific commercial software ecosystems that most of the Internet never touches.

NetIQ itself was acquired by Micro Focus in 2014, and subsequently became part of OpenText. The software still exists; the port is still assigned.

The Registered Port Range

Port 2219 sits in the registered ports range: 1024 through 49151. This range exists between the well-known ports (0-1023), which are reserved for foundational Internet protocols, and the ephemeral ports (49152-65535), which operating systems assign dynamically for outgoing connections.

Anyone can request a registered port from IANA by submitting an application. IANA reviews it and, if the port is available and the request reasonable, assigns it. The assignment doesn't guarantee the service matters to the broader Internet — it just means someone asked and the number wasn't taken. The registered range has over 48,000 slots; a large fraction are claimed by enterprise software that most engineers will never encounter.

If You See This Port

If port 2219 shows up in your network traffic and you don't run NetIQ software, investigate it. Unexplained traffic on any registered port deserves scrutiny — it could be an unfamiliar service, misconfiguration, or something worth understanding.

To check what's listening on port 2219 on your machine:

macOS / Linux:

# Show processes listening on port 2219
ss -tlnp | grep 2219

# Or with lsof
lsof -i :2219

Windows:

# Show processes listening on port 2219
netstat -ano | findstr :2219

# Then look up the PID
tasklist | findstr <PID>

If nothing is listening, the port is closed and there's nothing to worry about.