Port 3011: Unassigned — Citrix MEP Territory

Port 3011 does not appear in the IANA registry with an official service assignment. But unassigned doesn't mean unused.

What Range This Port Belongs To

Port 3011 falls in the registered port range (1024–49151). These ports are managed by IANA — vendors can apply to have a service formally assigned here — but thousands of numbers remain officially unclaimed. That doesn't stop software from using them anyway.

The registered range sits between the well-known ports (0–1023, reserved for foundational protocols like HTTP, SSH, and DNS) and the ephemeral ports (49152–65535, used temporarily by operating systems for outbound connections). Registered ports are the middle territory: structured enough that conflicts are relatively rare, open enough that unofficial use is common.

The Unofficial Story: Citrix NetScaler MEP

In enterprise networks running Citrix NetScaler (now called Citrix ADC), port 3011 carries MEP: the Metric Exchange Protocol.¹

MEP is how NetScaler appliances at different sites talk to each other for Global Server Load Balancing (GSLB). When you have data centers in New York and London both serving the same application, GSLB decides which city a user's request should go to. To make that decision intelligently, the appliances need to know each other's health: how many connections each is handling, current bandwidth, which virtual servers are up or down.

That's MEP. It runs continuously between GSLB peers, exchanging site metrics so each appliance can route new users toward the healthier site.²

Port 3011 carries unencrypted MEP. Port 3009 carries the encrypted version. By default, MEP has historically operated in plaintext — which means anyone positioned between two NetScaler appliances could read the load balancing metrics flowing between them. Not catastrophic, but worth knowing.

Citrix's troubleshooting documentation suggests capturing port 3011 traffic directly when diagnosing GSLB problems:

nstcpdump.sh port 3011

Port 3011 is also referenced in Citrix HA (High Availability) contexts, alongside port 3010, for synchronization between paired appliances within the same data center.³

What to Do If You See Port 3011

If port 3011 shows up listening on a machine you control, the most likely explanations are:

1. Citrix NetScaler / Citrix ADC is installed and configured for GSLB
2. An application chose this port informally (common for development servers and internal tools)
3. Something less welcome — historically, certain malware has used unassigned registered ports to avoid pattern-matching firewalls

To identify what's actually listening:

# macOS / Linux
sudo lsof -i :3011

# Linux alternative
sudo ss -tlnp | grep 3011

# Windows
netstat -ano | findstr :3011

The process name in the output will tell you the truth immediately.

Why Unassigned Ports Matter

The port numbering system only works because of rough coordination. When a port is formally assigned, firewalls can make rules about it, administrators know what to expect, and documentation exists. When ports go unassigned, they become contested territory — a place where legitimate software, internal tools, and occasionally malicious programs all converge, each making an informal claim.

Port 3011 is a good example: no official owner, but a clear and widely deployed use case in enterprise infrastructure. Millions of requests have been load-balanced across data centers based on metrics flowing through this port. It just never got the paperwork filed.

Related Ports