
What Runs on Port 1967

UDP port 1967 is the control port for Cisco IP Service Level Agreements (IP SLA) — a feature built into Cisco IOS routers that measures network performance by generating synthetic test traffic.

The port isn't registered with IANA. Cisco adopted it informally, and it spread through the networking world the way unofficial conventions often do: quietly, by becoming ubiquitous before anyone thought to formalize it.

How IP SLA Works

Networks don't fail dramatically. They degrade. Latency creeps up. Jitter interrupts voice calls. Packet loss accumulates just below the threshold where anyone notices until suddenly everyone notices.

IP SLA is Cisco's answer to this: generate controlled test traffic between routers, measure what happens to it, and alert you before users start complaining.

The process has two phases, and port 1967 controls the first one.

Phase 1 — The control handshake (UDP 1967): Before any test traffic flows, the source router sends a control message to UDP port 1967 on the target router (the "responder"). This message says: here's the protocol, here's the port I'll use, here's how long the test will run — are you ready?

If MD5 authentication is configured, the responder verifies the MD5 checksum on the control message. If it matches, the responder sends back "OK" and opens the requested port for the specified duration.

Phase 2 — The measurement: With the responder listening, the source sends synthetic traffic — UDP packets, TCP connections, ICMP pings, even simulated VoIP jitter probes. The responder timestamps each packet and sends results back. The source calculates latency, jitter, packet loss, and round-trip time.

The control handshake on port 1967 is why these measurements can be so precise: both sides are synchronized before the first test packet leaves.

What This Port Means for Security

If you see unexpected traffic on UDP 1967, someone is either running legitimate Cisco IP SLA tests — or probing your network infrastructure. Cisco routers running IP SLA responders listen on this port, which means it can be a fingerprinting signal for network mapping.

If you're not using IP SLA, there's no reason for this port to be open. Firewall it.

If you are using IP SLA, consider enabling MD5 authentication. Without it, anyone who can reach your responder on UDP 1967 can potentially trigger test sessions on your router.
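One way to triage "unexpected traffic on UDP 1967" from flow logs, as an added example that is not part of the original page or any Cisco tooling. It assumes a simple whitespace-separated flow record format, a constructed allowlist of routers that legitimately send IP SLA control messages, and a hypothetical threshold for flagging a source that contacts many responders.

```python
import ipaddress
from collections import defaultdict

IPSLA_CONTROL_PORT = 1967  # UDP control port described on this page

# Assumption: networks whose routers legitimately send IP SLA control messages.
KNOWN_SLA_SOURCES = [ipaddress.ip_network("10.0.0.0/29")]

# Constructed flow records: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z 10.0.0.1 10.0.1.1 udp 1967
2024-05-01T10:00:05Z 10.0.0.2 10.0.1.1 udp 1967
2024-05-01T10:01:00Z 192.0.2.50 10.0.1.1 udp 1967
2024-05-01T10:01:01Z 192.0.2.50 10.0.1.2 udp 1967
2024-05-01T10:01:02Z 192.0.2.50 10.0.1.3 udp 1967
2024-05-01T10:02:00Z 198.51.100.7 10.0.1.1 udp 1967
2024-05-01T10:03:00Z 10.0.0.1 10.0.1.1 udp 53
2024-05-01T10:03:30Z 192.0.2.50 10.0.1.1 tcp 1967
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, dport = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   proto.lower(), int(dport))
        except ValueError:
            continue

def unexpected_control_traffic(text, allowed=KNOWN_SLA_SOURCES, sweep_threshold=3):
    """Map each unlisted source of UDP/1967 traffic to its targets and a sweep flag."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto != "udp" or dport != IPSLA_CONTROL_PORT:
            continue  # only the IP SLA control port is of interest here
        if any(src in net for net in allowed):
            continue  # expected: a known IP SLA source router
        targets[src].add(str(dst))
    # A source touching many responders looks like mapping, not a single SLA test.
    return {str(src): {"targets": sorted(dsts), "sweep": len(dsts) >= sweep_threshold}
            for src, dsts in targets.items()}

if __name__ == "__main__":
    for src, info in unexpected_control_traffic(SAMPLE_FLOWS).items():
        print(src, info)
```
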

How to Check What's Listening

On a Cisco router:

show ip sla responder

On a Linux or macOS host:

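ss -ulnp | grep 1967         # Linux (iproute2)
# or
netstat -ulnp | grep 1967    # Linux (net-tools)
# macOS has no ss, and its netstat does not accept these flags; use lsof instead:
sudo lsof -nP -iUDP:1967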

On Windows:

netstat -ano | findstr :1967

With a port scanner (from another machine):

nmap -sU -p 1967 <target-ip>

Note: UDP scanning is unreliable — an open UDP port doesn't always respond, so silence doesn't mean the port is closed.

The Registered Range

Port 1967 falls in the registered port range (1024–49151). These ports are meant to be formally claimed with IANA by applications and services, but enforcement is loose. Cisco IP SLA is a prominent example of a real, widely deployed protocol that never bothered with official registration. The port became a de facto standard through Cisco's market dominance.

Related Ports

  • UDP 1966 — sometimes used for IP SLA test traffic (the probe port, distinct from the control port)
  • UDP 2020 — used by some IP SLA jitter probes
  • UDP/TCP 862 — TWAMP (Two-Way Active Measurement Protocol), the IETF's formally standardized answer to the same problem IP SLA solves
