
What This Port Does

Port 2575 sits in the registered port range (1024–49151) without an official IANA service assignment. In practice, it is the industry-standard port for HL7 v2 messages transported over MLLP (Minimal Lower Layer Protocol).

If you work in healthcare IT, you already know this port. If your hospital's lab system tells the EMR that a patient's blood work is back, that message almost certainly traveled over TCP port 2575.

What HL7 and MLLP Actually Are

HL7 (Health Level Seven) is a set of standards for exchanging healthcare data between software systems — labs, pharmacies, electronic medical records, billing systems. The "7" refers to the application layer of the OSI model. HL7 v2, created in 1989, remains dominant in hospital infrastructure worldwide despite being older than most of the nurses using it.[1]

MLLP (Minimal Lower Layer Protocol) solves a mundane but critical problem: TCP/IP delivers a stream of bytes, not discrete messages. When a lab system sends a patient result, the receiving system needs to know where one message ends and the next begins. MLLP wraps each HL7 message in a simple framing envelope — a start-of-block byte (0x0B), the message, an end-of-block byte (0x1C), and a carriage return (0x0D).

That's the whole protocol. Three bytes of framing around structured healthcare text. It has been quietly carrying patient data for decades.[2]
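The framing described above, as an added example that is not part of the original page: an incremental MLLP decoder that reassembles HL7 payloads from arbitrary TCP chunks and rejects bytes that are not valid frames. The names `MLLPDecoder`, `MLLPError`, `frame` and `demo`, the `MAX_FRAME` size cap and the two sample messages are assumptions made for this illustration.

```python
SB, EB, CR = 0x0B, 0x1C, 0x0D    # start-of-block, end-of-block, carriage return
MAX_FRAME = 1_000_000             # assumed size cap, not part of MLLP itself

class MLLPError(ValueError):
    """The byte stream violates MLLP framing."""

def frame(message):
    """Wrap one HL7 message in the MLLP envelope."""
    return bytes([SB]) + message + bytes([EB, CR])

class MLLPDecoder:
    """Feed raw TCP chunks in, get complete HL7 payloads out."""

    def __init__(self, max_frame=MAX_FRAME):
        self.buf = bytearray()
        self.max_frame = max_frame

    def feed(self, chunk):
        self.buf += chunk
        messages = []
        while self.buf:
            if self.buf[0] != SB:
                raise MLLPError("bytes outside a frame (expected 0x0B)")
            end = self.buf.find(bytes([EB, CR]), 1)
            body_len = (len(self.buf) if end == -1 else end) - 1
            if body_len > self.max_frame:
                raise MLLPError("frame exceeds size cap")
            if end == -1:
                break                      # frame incomplete: wait for more bytes
            messages.append(bytes(self.buf[1:end]))
            del self.buf[:end + 2]         # drop SB + payload + EB + CR
        return messages

# Constructed sample messages (not real patient data).
ORU = b"MSH|^~\\&|LAB|HOSP|EMR|HOSP|20240101120000||ORU^R01|MSG0001|P|2.5\rPID|1||000000^^^HOSP\r"
ADT = b"MSH|^~\\&|ADT|HOSP|EMR|HOSP|20240101120500||ADT^A01|MSG0002|P|2.5\rPID|1||000001^^^HOSP\r"

def demo(chunk_size=7):
    """Deliver two frames in small chunks, as TCP may, and reassemble them."""
    stream, dec, out = frame(ORU) + frame(ADT), MLLPDecoder(), []
    for i in range(0, len(stream), chunk_size):
        out += dec.feed(stream[i:i + chunk_size])
    return out

if __name__ == "__main__":
    for msg in demo():
        print(msg.split(b"\r")[0].decode())   # MSH segment of each message
```

A listener that raises `MLLPError` should close the connection rather than try to resynchronise, since the remaining buffer can no longer be trusted to align with frame boundaries.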

Why Port 2575?

MLLP was never formally adopted as an official HL7 standard — it emerged from community convention and early vendor implementations. The HL7 working group eventually documented it, but by then the port was already baked into thousands of hospital interfaces.[3]

The result: IANA shows port 2575 as unassigned, but any HL7 integration engine will default to it. Mirth Connect, Rhapsody, Azure Health Data Services, Google Cloud Healthcare API — they all expect 2575.[4]

This is not unusual in networking. Practice often outpaces paperwork.

Security Considerations

An open HL7 listener on port 2575 with no authentication is a genuine risk. The protocol was designed for trusted internal networks, not the open Internet — it has no built-in authentication or encryption.

Any system that can reach an open port 2575 can send HL7 messages or read the responses. Patient admission records, lab results, medication orders. If you see 2575 open on a network-facing interface, that is worth investigating.[5]

Modern deployments tunnel HL7/MLLP over TLS or restrict it to isolated network segments.

What Range This Port Belongs To

Port 2575 falls in the registered port range (1024–49151). These ports:

  • Require no elevated privileges to bind (unlike well-known ports below 1024)
  • Can be registered with IANA by application vendors, but registration is optional
  • Are used by countless applications, registered and unregistered alike

The registered range is where most application-layer protocols live. It is large enough that gaps like 2575 exist — ports everyone uses but nobody officially claimed.

How to Check What's Listening on This Port

On Linux/macOS:

# Show what process is listening on port 2575 (Linux)
ss -tlnp | grep ':2575'
# or, on Linux and macOS (macOS does not ship ss)
lsof -i :2575

On Windows:

netstat -ano | findstr :2575

With nmap (remote scan):

nmap -sV -p 2575 <target>

If you find something listening on 2575 and you're in a healthcare environment, it is almost certainly an HL7 interface engine. If you're not in a healthcare environment and something is listening on 2575, it is worth knowing what that something is.

Port 2575: HL7/MLLP — The Healthcare Handshake Nobody Officially Named • Connected