Port 689: NMAP — The ghost in the registry

Port 689 carries one of the Internet's more amusing confusions. It's officially assigned to "NMAP"—but not the Nmap network scanner you're thinking of. This is a different, largely forgotten service that happened to share the same four letters.¹

What Runs on Port 689

According to the IANA registry, port 689 (both TCP and UDP) is assigned to "NMAP" by Peter Dennis Bartok.¹ But if you search for information about this service, you'll mostly find pages about the famous Nmap network scanning tool—which doesn't use port 689 at all.

The actual NMAP service that port 689 was assigned to has effectively disappeared. No modern software uses it. No current documentation describes what it did. The assignment remains in the registry, but the service is gone.

The Well-Known Port Range

Port 689 sits in the well-known ports range (0-1023), which is reserved for system services assigned by IANA. Getting a well-known port requires IANA approval and is meant for fundamental Internet services that need to be universally recognized.

Most well-known ports are occupied by services you use every day: HTTP on 80, HTTPS on 443, DNS on 53, SSH on 22. Port 689 is unusual because it has an official assignment that no longer corresponds to anything running in the wild.

The Name Collision

The confusion is understandable. When people search for "port 689 NMAP," they expect to find information about the Nmap Security Scanner—Gordon Lyon's legendary network discovery tool that's been scanning the Internet since 1997. But Nmap the scanner doesn't listen on port 689. It's a client tool that sends probes to other ports.

This creates a strange situation where security databases flag port 689 as associated with "nmap," leading administrators to think the scanning tool is involved, when really they're looking at the ghost of an unrelated service.

Security Considerations

Because port 689 has no active legitimate service, you generally shouldn't see traffic on it. Some things to know:

Malware has used this port. Like many obscure assigned ports, port 689 has been used by trojans and malware for command-and-control communication. Security databases flag it for this reason, not because of the official NMAP assignment.²

No legitimate service listens here. If you see something listening on port 689, investigate. It's not the Nmap scanner (which doesn't listen), and it's not the original NMAP service (which doesn't exist anymore).

Check what's listening:

# On Linux/macOS
sudo lsof -i :689
sudo netstat -tlnp | grep :689

# On Windows
netstat -ano | findstr :689

Why Unassigned (and Abandoned) Ports Matter

The Internet has 65,535 possible port numbers. IANA manages the well-known range (0-1023) carefully, but not every assignment ages well. Services get replaced, protocols become obsolete, companies disappear.

Port 689 is a reminder that the registry is a historical document as much as a functional one. Some assignments are active and essential. Others are archaeological artifacts—evidence that something once needed this door, even if nobody remembers what it was.

The port remains assigned because IANA doesn't routinely reclaim abandoned registrations. The original assignee might still technically own it, even if the service vanished decades ago.

Related Ports

• Port 136 - Another example of an assigned but largely unused well-known port
• Port 5000 - UPnP, commonly used but often confused with other services
• Registered ports (1024-49151) - Where most modern applications actually register services