What This Port Does
Port 2665 is registered with IANA as patrol-mq-nm — the network management component of BMC PATROL for IBM MQ Series.[1]
BMC PATROL is an enterprise operations management platform. This particular piece of it monitors IBM MQ (formerly WebSphere MQ, formerly MQSeries) — the message queuing middleware that sits at the heart of banks, airlines, healthcare systems, and large-scale enterprise infrastructure. When an ATM transaction needs to reach a mainframe, or a hospital's lab system needs to tell the pharmacy about a new order, there's a good chance IBM MQ is carrying that message.
Port 2665 is how the PATROL agent for that infrastructure communicates its health data — queue depths, queue manager status, connection counts, throughput — to the operations management layer above it.
The Port Range
Port 2665 lives in the registered port range (1024–49151). This range is administered by IANA — vendors and individuals can formally request assignments to avoid collisions. patrol-mq-nm has both TCP and UDP assignments here, registered by Portnoy Boxman.[2]
Unlike the well-known ports below 1024 (which require root/administrator privileges to bind), registered ports can be opened by any process. The registration is a coordination mechanism, not an enforcement one. Nothing stops another application from using port 2665 — the assignment just says "BMC claimed this."
What You'll Actually See on This Port
In the wild, port 2665 is quiet. It only appears on machines running PATROL agents specifically configured for IBM MQ monitoring — a niche deployment found in large enterprises.
SANS ISC logs occasional scanning activity targeting this port, but no elevated threat level or known CVEs are associated with it.[3] Scanners probe registered ports opportunistically, looking for any open door. Finding an open 2665 would tell an attacker that a BMC PATROL MQ agent is present — useful reconnaissance for targeting enterprise infrastructure, but not a common attack vector itself.
Checking What's on This Port
If you see port 2665 open on a system and want to know what's using it:
On Linux/macOS:
On Windows:
If nothing shows up and the port appears in firewall logs or network scans, it's likely probing from an external scanner rather than a local listener.
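One way to do the Linux check, as an added example that is not part of the original page: the function below filters `ss -tulpn` output (TCP and UDP, since the port has both assignments) for sockets bound to exactly port 2665 and reports the owning process. The sample lines and the `example-agent` process name are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -tulpn` output on stdin and prints every socket
# bound to exactly the given port as: <proto> <local addr:port> <owner>.
# Exit status is 0 if at least one local listener was found, 1 otherwise.
find_listeners() {
    awk -v port="$1" '
    $1 == "Netid" { next }              # header line, present when -H is not used
    {
        n = split($5, part, ":")        # port is the last ":" field, so [::]:2665 works
        if (part[n] != port) next       # exact match only: 26650 is not 2665
        # Column 7 (process) is empty unless ss ran with enough privilege.
        owner = (NF >= 7) ? $7 : "owner-not-visible"
        print $1, $5, owner
        found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample of `ss -H -tulpn` output; "example-agent" is a placeholder
# process name, not the name of any real BMC binary.
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 0.0.0.0:26650 0.0.0.0:* users:(("other-svc",pid=2001,fd=5))
tcp LISTEN 0 64 0.0.0.0:2665 0.0.0.0:* users:(("example-agent",pid=4321,fd=7))
udp UNCONN 0 0 [::]:2665 [::]:*
EOF
}

# Demo on the sample. On a live host: ss -H -tulpn | find_listeners 2665
if sample_ss_output | find_listeners 2665; then
    echo "local listener(s) present: confirm the owner is the expected agent"
else
    echo "no local listener: hits on this port are likely external probing"
fi
```

Because registration does not prevent another program from binding the port, the owner column is the part to verify, not just the fact that something is listening.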
Why Unassigned (and Registered) Ports Matter
The registered range exists because the Internet needed coordination. Before IANA formalized the process, vendors picked ports arbitrarily and collisions were common. A registered port is a declaration: "this is ours, don't use it for something else."
Most of these registrations are forgotten history — products discontinued, companies acquired, protocols replaced. patrol-mq-nm is still active software (BMC continues to maintain PATROL for IBM MQ[4]), but it runs in a narrow slice of the enterprise world. The vast majority of networks will never see port 2665 used for its intended purpose.
That's typical. Of the ~48,000 registered ports, only a few hundred see meaningful real-world use. The rest are markers — "someone was here" — holding space against collisions that will never come.