Protocol support
aaa 4 auth 5 automotive 2 backplane 20 backup 2 building-automation 5 clear 72 database 17 deep 23 directory 2 discovery 30 email 4 encrypted 7 file 8 gaming 4 iot 14 legacy 10 light 68 media 2 messaging 13 mgmt 35 mobile-core 13 monitoring 7 multicast 5 naming 4 network 1 ot 45 passive 6 printing 8 proxy 2 remote-access 13 routing 2 security 6 siem 1 storage 6 time 2 tls 46 voip 13 vpn 9 web 14
291 of 291 protocols
Loading protocols…
acop — Atlas Copco Open ProtocolUsed by Power Focus and Power MACS tightening controllers in manufacturing assembly lines. Negotiates the protocol revision and retrieves controller identity, returning vendor, product family, firmware version, and tightening-station details.
Port: 4545
acpp — Apple AirPort Configuration ProtocolUsed by AirPort Utility to provision Apple AirPort base stations and Time Capsules. Sends a status request and returns the device model, firmware version, and configuration metadata.
activemq — Apache ActiveMQ OpenWireUsed by JMS clients to talk to ActiveMQ message brokers. Performs an OpenWire handshake and returns the broker version, host JVM and OS, and negotiated wire-format options.
Ports: 8161, 61616, 61617
adb — Android Debug BridgeUsed to debug, install, and control Android devices over the network (typically on rooted phones, TVs, and IoT devices). Probes for an open ADB endpoint and returns the device's access state and ADB banner.
Ports: 5037, 5555
ads — Beckhoff ADS/AMSUsed to communicate with TwinCAT runtimes on Beckhoff PLCs and industrial PCs (Automation Device Specification / Automation Message Specification). Issues a ReadDeviceInfo request and returns the device name, AMS NetID, and TwinCAT runtime version.
Port: 48898
airplayamqp — AMQP 0-9-1OASIS Advanced Message Queuing Protocol 0-9-1 used by RabbitMQ and other brokers for message-oriented middleware. Exchanges the protocol-header preamble and returns the negotiated AMQP version along with TLS and SASL requirements advertised by the broker.
Ports: 5671, 5672
anydeskRemote-desktop client and host detection. Inspects the TLS handshake and certificate to identify AnyDesk endpoints and returns the AnyDesk client identifier and certificate metadata.
Ports: 6568, 7070
atg — Automatic Tank GaugeUsed by fuel-station forecourt controllers. Issues an in-tank inventory command and returns site identification, console firmware, and per-tank product, volume, and alarm summaries.
Port: 10001
backupexec — Veritas Backup Exec AgentUsed by the backup server to coordinate jobs with protected hosts. Performs the agent handshake and returns the agent version and operating-system identification.
Port: 6106
bacnet — BACnet/IPUsed for HVAC, lighting, access control, and other building systems. Issues Who-Is and ReadProperty requests and returns the device instance, vendor, model, firmware, and a summary of objects and routing devices behind the gateway.
Ports: 46808, 47808, 47809, 47810, 47811, 47812, 47813, 47814, 47815, 47816, 47817, 47818, 47819, 47820, 47821, 47822, 47823, 47824, 48808
banner — Generic TCP BannerUsed when no protocol-specific matcher fires. Reads the first response bytes and returns the raw banner text for downstream fingerprinting.
bedrock — Minecraft BedrockGame-server query/discovery protocol used by the Minecraft Bedrock Edition. Sends an unconnected ping and returns the server MOTD, edition, version, current and maximum player counts, and game mode.
Port: 19132
bgp — Border Gateway ProtocolUsed between autonomous systems on the Internet and inside large networks. Attempts an OPEN exchange and returns the BGP version, advertised AS number, BGP identifier, and supported capabilities.
Port: 179
bitdefender-app — Bitdefender EndpointSecurity agent management channel. Probes the agent and returns the Bitdefender device identifier, hostname, model, and operating-system identification.
Port: 7519
bjnp — Canon BJNPUsed by Canon's network drivers. Sends a discovery probe and returns the device model, firmware, and printer/scanner capabilities.
Ports: 8611, 8612
brotherbrother-scanner — Brother Network DiscoveryPrinter/scanner network discovery protocol used by Brother devices. Sends a vendor-specific probe and returns the device model, serial, and printer/scanner capabilities.
Ports: 54921, 54922, 54923
bsap-ip — Emerson BSAP/IPUsed by Emerson ControlWave and Bristol RTUs in oil & gas SCADA (Bristol Standard Asynchronous Protocol over IP). Queries node identification and, when enabled, walks the BSAP local-address hierarchy to enumerate child RTUs, returning RTU identity, firmware, and topology summaries.
Ports: 1234, 1235
c12.22 — ANSI C12.22Used by electric-utility advanced-metering-infrastructure head-ends and relays. Issues an EPSEM identify command and returns ApTitle, manufacturer, device class, and (when enabled) reachable end-device ApTitles behind a relay.
Port: 1153
c37118 — IEEE C37.118 SynchrophasorUsed by Phasor Measurement Units and Phasor Data Concentrators on the electric grid. Requests CFG-2 and header frames and returns PMU/PDC identification, station and channel naming, and reporting rate.
Port: 4712
cacti — Cacti Network Monitoring Web UIHTTP/HTML fingerprinting of the Cacti open-source RRDtool-based network graphing and monitoring console.
cassandra — Apache Cassandra CQLUsed to query the Cassandra wide-column store. Performs a STARTUP/OPTIONS exchange and returns the cluster name, CQL version, and Cassandra release.
Ports: 9042, 9160
cdp — Cisco Discovery ProtocolUsed by Cisco devices to advertise themselves to neighbors at Layer 2. Passively decodes CDP frames and returns the device ID, software version, platform, capabilities, native VLAN, and management addresses advertised by the neighbor.
chargen — Character GeneratorLegacy diagnostic service (RFC 864). Records the response so amplification-capable hosts can be identified and returns the size and shape of the generated banner.
checkmk — Checkmk AgentUsed by the Checkmk server to collect host metrics. Reads the agent banner and returns the agent version, build date, host operating system, architecture, and configured hostname.
Port: 6556
chromecastcip — Common Industrial ProtocolUsed by Rockwell/Allen-Bradley and other vendors for PLC and I/O communication. Issues the List Identity and Get Attributes All requests and returns vendor, product code, revision, serial, product name, and device-type information for the controller and any backplane modules.
Port: 44818
cisco-phoneciscosmi — Cisco Smart InstallZero-touch deployment protocol, commonly abused for unauthenticated configuration access. Detects the Smart Install client and returns the role, image name, and configuration-server reachability indicators.
Port: 4786
citrixica — Citrix ICAUsed to deliver published apps and desktops from Citrix Virtual Apps and Desktops. Performs the ICA handshake and returns the server's protocol version and identification information.
Ports: 1494, 2598
cldap — Connectionless LDAPUsed by Active Directory clients to locate domain controllers via LDAP ping. Issues an LDAP-ping NetLogon request and returns the forest, domain, DC name, site, and DC capability flags.
Port: 389
click — Click Modular RouterControl socket exposed by hosts running the Click software router. Reads the control banner and returns the Click version and module-handler list summary.
Port: 7734
coapConstrained Application Protocol (RFC 7252) used by constrained devices and IoT deployments for resource-oriented messaging. Issues a GET on /.well-known/core and returns the resource list, supported content formats, and observed Block-wise transfer support.
Ports: 5683, 5684
cockpit — Cockpit Linux Web ConsoleHTTP fingerprinting of the Cockpit web-based server-management console (Red Hat) typically served over TLS on TCP/9090.
codesys — CODESYS V3 RuntimeUsed by IEC 61131-3 controllers from many OEMs (WAGO, Beckhoff, Schneider, Eaton, ...). Issues the runtime identification request and returns the runtime vendor, product, version, and target identification.
Ports: 1200, 1217, 2455, 11740
codesys2 — CODESYS V2 RuntimeUsed by controllers running the older 3S CODESYS V2 runtime. Performs the V2 login probe and returns the runtime version and target identification.
Ports: 1200, 2455
comtrolconfluence — Atlassian ConfluenceHTTP probe and fingerprinting of the Atlassian Confluence wiki/collaboration server, including version banners and edition detection.
consulPort: 8500
couchdbPort: 5984
crestron — Crestron DiscoveryUsed to locate Crestron control processors and AV equipment. Sends the discovery probe and returns the device hostname, model, and firmware version.
Port: 41794
crimsonv3 — Red Lion Crimson 3Used to configure and read data from Red Lion Graphite, DA-series, and other industrial HMIs and gateways. Queries the Crimson identification block and returns the device model, firmware, and project-name information.
Port: 789
crowdcspv4 — Allen-Bradley CSPv4 / PCCCUsed by legacy SLC 5/05 and MicroLogix PLCs for register access. Issues a PCCC identify request and returns the controller family, processor type, and series/revision string.
Port: 2222
cupsPort: 631
dahua-dhip — Dahua DHIPUsed by Dahua and OEM IP cameras and NVRs. Sends the DHIP probe and returns the device serial, model, firmware, and primary network configuration.
Port: 37810
daytimeLegacy diagnostic service (RFC 867) that returns the current date and time. Records the response to confirm the service and detect amplification-capable hosts.
Port: 13
db2 — IBM Db2Used by Db2 LUW and Db2 for z/OS clients. Performs a DRDA EXCSAT/ACCSEC exchange and returns the server product identifier, version, and platform.
Ports: 523, 50000, 50001, 60000
dcerpc — DCE/RPC Endpoint MapperUsed to enumerate RPC services on Windows hosts. Queries the endpoint mapper and returns a summary of registered RPC interfaces, their UUIDs, versions, and bindings.
Ports: 135, 593
detectprotonamedhcpUsed to lease IPv4 addresses and network configuration. Sends a DHCPDISCOVER and returns the offered server identifier, lease parameters, and any vendor-class identification revealed by the response.
Ports: 67, 68
dhipdiameter — Diameter (TCP)Authentication, authorization, and accounting protocol over TCP; the successor to RADIUS, widely used in mobile-core networks. Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
diametersctp — Diameter (SCTP)Used in mobile core (Diameter Edge Agent, DRA, HSS, PCRF). Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
dnp3Used in electric, water, and oil & gas SCADA between control centers (masters) and RTUs/IEDs (outstations). Performs an unsolicited link-layer test and an Object Group 0 read and returns the outstation address, vendor, model, firmware, and device-attributes summary.
Port: 20000
dnsUsed to resolve hostnames to addresses and other resource records. Issues version.bind, hostname.bind, and recursion-test queries and returns the resolver software identification, recursion availability, and observed CHAOS-class metadata.
Ports: 53, 5353, 5355
dockerPorts: 2375, 2376
doip — Diagnostics over IPUsed to reach in-vehicle ECUs (UDS/KWP) over Ethernet. Issues a Vehicle Identification Request and (when enabled) Entity Status, returning VIN, EID/GID, logical addresses, and reachable ECU summaries behind the gateway.
Port: 13400
dotnet-remoting — .NET RemotingUsed by legacy .NET Framework applications for cross-process and cross-host RPC. Triggers a remoting fault and returns the assembly-qualified type names and runtime-version strings disclosed in the response.
Port: 9090
drbdUsed to replicate block devices between Linux nodes for high availability. Reads the protocol magic and returns the DRBD version and replication-protocol family.
Port: 8787
drobo-nasd — Drobo NASdUsed by Drobo Dashboard to administer Drobo storage appliances. Sends the discovery probe and returns the appliance model, serial, and firmware version.
Port: 5000
dtlsUsed by WebRTC, CoAP, OpenVPN, and other UDP services. Performs a DTLS ClientHello and returns the negotiated version, cipher suite, and any presented certificate metadata.
Ports: 443, 3391, 4433, 5246, 5349, 5684
echoLegacy diagnostic service (RFC 862) that echoes received bytes. Records the response to confirm the service and to detect amplification-capable hosts.
Port: 7
elasticsearchPort: 9200
epmPort: 135
epmdepo — Trellix/McAfee ePolicy Orchestrator (ePO)HTTP probe of the Trellix (formerly McAfee) ePolicy Orchestrator endpoint security management console, extracting build/version metadata from the login page.
erlangdp — Erlang DistributionUsed between Erlang/Elixir nodes and exposed by EPMD. Sends the distribution-handshake name probe and returns the node name and supported flags.
Port: 4369
etcdPort: 2379
etcd2ethercatUsed for high-speed motion control and I/O on machine-control segments. Queries master/slave registers and returns the master vendor identification and a summary of slaves discovered on the segment.
Port: 34980
fgfmfirebird — Firebird SQLRelational database wire protocol. Performs the Firebird connection handshake and returns the server architecture, protocol version, and Firebird release.
Port: 3050
focas — Fanuc FOCASUsed to monitor and control Fanuc CNC machine tools and robots (Open CNC API Specification, FOCAS2/Ethernet). Issues the system-info call and returns the CNC series, version, machine number, and (when enabled) per-path machining data.
Port: 8193
fortigate-to-fortimanagerFortinet FGFM management protocol used by FortiManager to manage FortiGate firewalls. Inspects the FGFM TLS handshake and returns the FortiGate model, firmware, and serial number embedded in the certificate.
Port: 541
fox — Tridium Niagara FoxUsed by Niagara Framework JACE controllers and supervisors. Sends the Fox hello and returns the station name, host ID, Niagara version, OS, and TLS/auth capabilities.
Ports: 1911, 4911
ftpStandardized file-transfer protocol (RFC 959). Reads the FTP greeting and issues SYST/HELP/AUTH probes, returning the server software, system type, supported features, and TLS-availability indicators.
Ports: 21, 2121, 9090
gesrtp — GE SRTPUsed to communicate with GE/Emerson PACSystems, Series 90, and RX3i/RX7i PLCs. Issues a controller-identification request and returns the model, firmware, sweep state, and slot configuration.
Port: 18245
giop — GIOP / CORBA IIOPOMG General Inter-ORB Protocol (the wire format under CORBA IIOP). Sends a LocateRequest and returns the ORB vendor, version, and reply-status information.
Port: 535
git — Git Smart ProtocolUsed by git:// servers for clones, fetches, and pushes. Sends an upload-pack advertisement request and returns the advertised refs summary, server capabilities, and HEAD reference.
Port: 9418
git-http — Git Smart HTTP ServiceHTTP-transported git smart-protocol endpoints (git-upload-pack / git-receive-pack) advertised by hosting platforms such as GitLab, Gitea, Bitbucket, and bare git-http servers.
googlewifigpsdGPS daemon JSON-over-TCP protocol used to share location and timing data from connected GNSS receivers. Sends ?VERSION; and ?DEVICES; and returns the gpsd release, protocol revision, and connected device summary.
Port: 2947
gtpc — GTP-CCarries signaling between mobile-core nodes on the GTP control plane (SGSN/GGSN, MME/SGW/PGW). Sends an Echo Request and returns the GTP version, restart counter, and supported features.
Ports: 2123, 2152
gtpprime — GTP'Used to ship CDRs from mobile network elements to a Charging Gateway. Sends an Echo Request and returns the GTP' version and node identification.
Port: 3386
gtpu — GTP-UEncapsulates subscriber traffic between mobile-core nodes and base stations on the GTP user plane. Sends an Echo Request and returns the GTP-U version and observed extension-header support.
Port: 2152
gvcp — GigE Vision ControlUsed to discover, configure, and trigger industrial machine-vision cameras over Ethernet. Sends a Discovery_Cmd and returns the camera manufacturer, model, serial, firmware, MAC, and supported GVCP version.
Port: 3956
gvsp — GigE Vision StreamingUsed to transport image and chunk data from machine-vision cameras to host applications. Passively classifies stream packets and returns the streaming state, packet format, and block identifier.
Port: 20202
h323 — H.323ITU-T H.323 multimedia conferencing/VoIP signaling protocol. Sends a Setup probe and returns the gatekeeper/endpoint identification and supported codec/feature summary.
Port: 1720
hartip — HART-IPUsed to tunnel HART process-instrument traffic over TCP/UDP through gateways and multiplexers. Issues HART command 0 and returns the gateway identification, and (when enabled) walks sub-device indices via Cmd 84 to enumerate connected field instruments.
Port: 5094
hicp — HMS HICP/SHICPUsed to discover and configure Anybus and Netbiter industrial gateways. Sends the HICP discovery probe and returns the device hostname, MAC, IP configuration, and firmware revision.
Port: 3250
hiddiscoveryd — HID DiscoveryDUsed to locate HID VertX/Edge access-control panels and readers. Sends the discovery probe and returns the device model, firmware, and primary network configuration.
Port: 4070
hsms — SEMI HSMS / SECS-GEMCarries SECS-II/GEM messages for semiconductor fab equipment (SEMI E37 High-Speed SECS Message Services). Performs the HSMS Select handshake and an S1F1 Are-You-There, returning the equipment model identifier, software revision, and (when enabled) Equipment Constant subsystem summary.
Port: 5000
httpHypertext Transfer Protocol used by the World Wide Web and most modern APIs. Issues HEAD/GET probes and runs HTTP-specific extractors, returning server software, response codes and headers, page titles and generators, favicons, and any application fingerprints recognized by extractor rules.
Ports: 80, 3000, 4567, 5000, 5985, 8000, 8001, 8080, 8081, 8082, 8200, 8443, 8888, 9001, 9080, 9090, 9100
iax2Inter-Asterisk eXchange version 2 VoIP signaling and media protocol used between Asterisk PBXes. Sends a POKE and returns the responder's IAX2 version and PBX identification.
Port: 4569
icmp — ICMP Echo (Ping)IPv4/IPv6 ICMP Echo Request/Reply (RFC 792, RFC 4443) issued by the host-discovery probe to confirm host liveness, capture round-trip times, and observe TTL/Hop-Limit and IP TOS fields. Replies appear on a synthetic icmp service (port 0) and are distinct from the TCP/UDP echo service on port 7.
identIdentification Protocol (RFC 1413), a legacy user-identity lookup service. Sends an ident query against the connecting socket and returns the operating-system field and any user-identity string disclosed by the response.
Port: 113
idraciec104 — IEC 60870-5-104Used between SCADA control centers and RTUs/substation gateways, primarily in electric power and rail. Sends TESTFR (and, when enabled, STARTDT/General Interrogation) and returns the common ASDU address, originator address, and any device-identity ASDUs received.
Port: 2404
iec60870-5-104iec61850-mms — IEC 61850 MMSUsed by substation Intelligent Electronic Devices for monitoring, control, and reporting. Opens an MMS session and (when enabled) issues Identify, returning the IED vendor, model, firmware, and logical-device summary.
Port: 102
igel — IGEL DiscoveryUsed by the Universal Management Suite. Sends the IGEL discovery probe and returns the endpoint hostname, model, IGEL OS version, and UMS-management state.
Port: 30005
igel-discoveryPort: 30005
iis — Microsoft Internet Information Services (IIS)HTTP fingerprinting of Microsoft IIS web servers, including version banner extraction, default-page detection, and management endpoints.
ikeUsed to negotiate IPsec security associations. Sends IKEv1/IKEv2 SA proposals and vendor-ID probes and returns the negotiated proposal summary, supported transforms, and any vendor-ID strings that disclose the gateway implementation.
Ports: 500, 4500
imapUsed by mail clients to read messages from a server. Reads the IMAP greeting and runs CAPABILITY and ID commands, returning the server software, supported authentication mechanisms, and STARTTLS availability.
Ports: 143, 993
infinispan — Infinispan Hot RodUsed by Red Hat Data Grid and JBoss-family caches. Performs the Hot Rod ping and returns the server version, topology identifier, and supported protocol version.
Port: 11222
influxdbPort: 8086
intermapperHelpSystems InterMapper network monitoring agent/probe. Reads the InterMapper banner and returns the product name and version.
Port: 8181
ipmiUsed for out-of-band server management on BMCs (iLO, iDRAC, IMM). Performs an IPMI 2.0 RMCP+ Get Channel Authentication Capabilities exchange and, when credentials are configured, returns supported cipher suites, authentication algorithms, and the BMC vendor/firmware identification.
Port: 623
ippUsed by CUPS, AirPrint, and most modern network printers. Issues Get-Printer-Attributes and returns the printer make/model, location, firmware, supported document formats, and feature attributes.
Port: 631
ippbrowse — IPP BrowseUsed to advertise printers on a LAN. Passively decodes browse packets and returns the advertised queue URI, printer name, and CUPS server identification.
Port: 631
ipsecIP Security suite used to authenticate and encrypt IP packets, typically for site-to-site and remote-access VPNs. Sends ESP/AH and IKE liveness probes and returns the gateway responsiveness, NAT-T support, and any IKE-vendor strings disclosed.
Ports: 500, 4500
ircText-based group messaging protocol. Reads the IRC server greeting and runs a NICK/USER probe, returning the server software, version, and 005-numeric capability summary.
Ports: 6667, 6668, 6669, 6697, 7000, 7001
iscsiInternet Small Computer Systems Interface protocol used to expose block storage over IP. Sends a SendTargets request and returns the iSCSI Target Name list, target portals, and authentication-method summary.
Port: 3260
iua — IUA (SCTP)ISDN User Adaptation Layer (RFC 4233) over SCTP, used to backhaul ISDN signaling in SIGTRAN networks. Verifies the SCTP association and IUA payload protocol identifier and returns endpoint identification.
Port: 9900
java-object — Java Object SerializationDetection of raw Java Object Serialization streams (often indicating exposed RMI, JMX, or JBoss endpoints). Inspects the magic header and returns the serialization-protocol version and any class-name hints disclosed in the stream.
java-rmi — Java RMIRemote Method Invocation protocol used by Java applications. Performs the JRMP handshake and a registry list, returning the RMI-registry version and the names and stub classes of bound objects.
Port: 1099
javarmijdbc-hsqldb — HyperSQL JDBCJDBC database server protocol used by the HyperSQL (HSQLDB) engine. Performs the handshake and returns the engine version and database alias information disclosed by the server.
Port: 9001
jdwp — Java Debug Wire ProtocolUsed by IDEs and debuggers to control a JVM (no auth; trivial RCE if exposed). Performs the JDWP handshake and Version command, returning the JDK version, JVM vendor, and process description.
Ports: 3999, 5000, 5005, 8000, 8453, 8787, 8788, 9001, 18000
jetdirect — HP JetDirectRaw printing protocol on TCP/9100 (PJL banner port). Sends a PJL INFO ID/STATUS probe and returns the printer make/model, firmware, page count, and PJL device-attribute summary.
Ports: 9100, 9101, 9102
jira — Atlassian JiraHTTP probe and fingerprinting of the Atlassian Jira issue-tracking and project-management server, including version, build, and edition detection.
Ports: 80, 443, 8080
jms — JMS / JMX-RMI Port MapperService exposed by some Java application servers. Queries the port mapper and returns the bound JMX/JMS endpoint URLs and their target ports.
Port: 7676
kafka — Apache KafkaDistributed event-streaming wire protocol. Sends an ApiVersions request and returns the broker identifier, supported API versions, and (when an unauthenticated MetadataRequest is permitted) cluster and topic-name summaries.
Ports: 9092, 9093, 9094
kasa — TP-Link KasaUsed by Kasa plugs, bulbs, and switches. Sends the obfuscated SYS_INFO query and returns the device alias, model, firmware, hardware version, and MAC.
Port: 9999
kerberosUsed by Active Directory and many enterprise services. Sends an AS-REQ for a benign principal and returns the realm, KDC error code, and supported encryption types.
Ports: 88, 464, 749, 750
knxnet — KNXnet/IPUsed to tunnel and route KNX building-automation telegrams (lighting, HVAC, shading). Sends a SEARCH_REQUEST and returns the device serial, MAC, KNX individual address, supported services, and friendly name.
Port: 3671
l2t — L2TP (UDP 1701)Detection of Layer 2 Tunneling Protocol endpoints on UDP/1701. Sends an SCCRQ and returns the tunnel-establishment response and the firmware/vendor information advertised in the AVPs.
Ports: 1701, 2228
l2tpUsed to carry PPP sessions, commonly with IPsec for VPN. Sends an SCCRQ and returns the host name, vendor name, and firmware revision AVPs.
Port: 1701
landesk — Ivanti / LANDesk AgentEndpoint-management agent for Ivanti (formerly LANDesk). Reads the agent banner and returns the agent version and bound management server.
Port: 9595
langflowlantronix — Lantronix DiscoveryUsed to locate Lantronix serial-to-Ethernet device servers. Sends the discovery probe and returns the device model, firmware, MAC, and configured serial-port settings.
Port: 30718
ldapUsed by Active Directory and other directory services. Queries the rootDSE and returns the supported LDAP versions, naming contexts, supported controls, and any forest/domain identifiers exposed.
Ports: 389, 636, 3268, 3269
legacylexmark — Lexmark DiscoveryPrinter/MFP network discovery protocol used by Lexmark devices. Sends the discovery probe and returns the device model, serial, firmware, and printer/MFP capabilities.
Port: 10000
librechatPorts: 443, 3080
llmnrUsed by Windows hosts to resolve names on the local link when DNS is unavailable. Sends an LLMNR query and returns the responding hostname and IP version.
Port: 5355
lockdownd — Apple lockdowndUsed by iTunes/Finder and MDM tooling. Reads the lockdownd query response and returns the device class, product type, OS version, serial, and unique device identifier.
Port: 62078
lpdStandardized BSD line-printer protocol (RFC 1179). Queries queue status and returns the queue name and any printer make/model strings reported in the status text.
Port: 515
lsv2 — Heidenhain LSV/2Used by Heidenhain TNC CNC controls (TNC 640, iTNC 530, TNC 320). Queries control identification and returns the NC software type, version, and (when enabled) NC software-options bitmask.
Ports: 8000, 8001, 8002, 8003, 8004, 19000
lwm2m — OMA LwM2MUsed to manage constrained IoT devices over CoAP. Reads the /.well-known/core resource list and returns the supported objects, registered endpoint name, and binding mode.
Ports: 5683, 5783
m2pa — M2PA (SCTP)MTP2 Peer Adaptation Layer (RFC 4165) over SCTP used in SIGTRAN to carry SS7 MTP2 between signaling gateways. Verifies the SCTP association and M2PA payload protocol identifier and returns endpoint identification.
Port: 3565
m2ua — M2UA (SCTP)MTP2 User Adaptation Layer (RFC 3331) over SCTP used in SIGTRAN deployments. Verifies the SCTP association and M2UA payload protocol identifier and returns endpoint identification.
Port: 2904
m3ua — M3UA (SCTP)MTP3 User Adaptation Layer (RFC 4666) over SCTP, the most common SS7-over-IP transport. Verifies the SCTP association and M3UA payload protocol identifier and returns the routing-context and ASP-up state.
Port: 2905
managesieveUsed by mail clients to manage Sieve mail-filter scripts on the server. Reads the capabilities response and returns the implementation name, version, supported SASL mechanisms, and STARTTLS availability.
Ports: 2000, 4190
matchermatcher_clientmatcher_registrymbus-tcp — M-Bus over TCPEN 13757 Meter-Bus protocol tunneled over TCP, used by gateways aggregating utility meters (heat, water, gas, electric). Sends REQ_UD2 to the gateway and (when enabled) walks primary addresses 1-250 to enumerate connected meters, returning meter manufacturer, identification, version, and medium.
Ports: 8888, 8889
mcpmdnsMulticast DNS used by Bonjour, Avahi, and other zero-configuration networking stacks. Sends a service-enumeration query and returns the advertised service types, instance names, ports, hostnames, and TXT-record metadata.
Port: 5353
megaco — Megaco / H.248Used between softswitches and media gateways. Sends a Service Change probe and returns the MID and protocol-version response.
Ports: 2944, 2945
melsecq — Mitsubishi MELSEC-QUsed to communicate with MELSEC PLCs. Issues a CPU model-name read using SLMP 3E (and, when enabled, 4E) and returns the CPU type, model, and firmware version.
Ports: 5006, 5007
memcache — Memcached (binary)Binary wire protocol used by the Memcached distributed in-memory key-value cache. Issues a binary VERSION/STATS request and returns the daemon version, current connections, and items/bytes in cache.
Port: 11211
memcachedmgcpUsed between call agents and media gateways in VoIP networks (RFC 3435). Sends an AUEP probe and returns the gateway identifier and capability summary.
Ports: 2427, 2727
mikrotik-bandwidthmikrotikwinbox — MikroTik WinboxUsed by the Winbox utility to administer RouterOS devices. Sends the index-request and returns the RouterOS architecture, version, and bootloader identification.
Ports: 2000, 8291, 8728
milvusPort: 19530
minecraft — Minecraft JavaServer query/list-ping protocol used by Minecraft Java Edition. Sends a status-request and returns the server MOTD, version, protocol number, current and maximum player counts, and any sample player names disclosed.
Port: 25565
mms — ISO 9506 MMS (IEC 61850)Manufacturing Message Specification (ISO 9506) over RFC 1006/COTP, the application protocol used by IEC 61850 substation Intelligent Electronic Devices (IEDs). The probe issues an A-ASSOCIATE plus MMS Initiate-Request and parses the Initiate-Response for vendor identity, negotiated MMS version, and supported services.
Port: 102
modbus — Modbus/TCPUsed to read and write registers on PLCs, RTUs, drives, and meters. Issues a Read Device Identification (function 43/MEI 14) and returns the vendor, product code, revision, vendor URL, product name, and (when configured) extended identification objects.
Port: 502
mongodb — MongoDB Wire ProtocolDocument-database wire protocol used by MongoDB drivers. Sends an unauthenticated isMaster/hello and returns the server version, build environment, replica-set role, and observed authentication requirements.
Ports: 27017, 27018, 27019, 28017
mqttUsed by IoT devices and brokers. Sends a CONNECT and returns the broker's CONNACK response code, supported MQTT version, and any properties advertised by the broker.
Ports: 1883, 8883
mssql — Microsoft SQL Server (TDS)Used by SQL Server clients. Sends a TDS PRELOGIN and returns the server version, encryption requirement, and instance identification.
Ports: 1433, 1434
mtconnectUsed by CNC machine tools, robots, and additive-manufacturing systems to publish device state over an HTTP/XML REST API. Issues a GET /probe and returns the agent version, instance ID, sender host, and per-device manufacturer, model, serial number, and UUID.
Ports: 5000, 7878
muninUsed by the Munin master to poll plugins on hosts. Reads the node banner and returns the node hostname, Munin version, and configured plugin list summary.
Port: 4949
mysql — MySQL / MariaDBClassic client-server protocol. Reads the server-greeting packet and (when credentials are configured) authenticates, returning the server version, capability flags, supported authentication plugins, and TLS availability.
Ports: 3306, 33060
mysqlx — MySQL X ProtocolUsed by MySQL Shell and X DevAPI clients. Sends a CapabilitiesGet message and returns the supported X-Protocol capabilities and TLS requirements.
Port: 33060
natpmp — NAT-PMPUsed by clients to request port forwards from a NAT gateway (RFC 6886). Sends a public-address request and returns the gateway's external IPv4 address and protocol-version support.
Port: 5351
natsLightweight publish/subscribe and request/reply messaging system. Reads the NATS INFO message and returns the server identifier, version, host, port, and authorization/TLS requirements.
Ports: 4222, 6222, 8222
ndmpUsed by enterprise backup software to coordinate backups of NAS devices. Performs CONFIG_GET_HOST_INFO and returns the host name, OS, NDMP server vendor, product, and revision.
Port: 10000
neo4j — Neo4j BoltGraph-database wire protocol used by Neo4j drivers and clients. Performs the Bolt handshake and returns the negotiated Bolt version and server release.
Ports: 7473, 7474, 7687
netbiosPort: 137
netbios-dgmPort: 138
netbios-ns — NetBIOS Name ServiceUsed for legacy Windows name registration and resolution. Sends a NetBIOS node-status query and returns the registered names, node type, and any associated MAC address.
Ports: 137, 138
nfsUsed to share files across Unix-like systems (Sun RPC program 100003). Issues a NFS NULL ping and a MOUNT EXPORT call (via portmap) and returns the supported NFS versions and the list of exported filesystems and allowed clients.
Port: 2049
nrpe — Nagios NRPEUsed by Nagios/Icinga to run checks on remote hosts. Sends a _NRPE_CHECK probe and returns the NRPE protocol version and any version banner disclosed.
Port: 5666
ntpUsed to synchronize clocks across networks (RFC 5905). Sends mode-3 client and mode-6 control queries and returns the stratum, reference identifier, refid clock source, and (when enabled) implementation/version strings disclosed by mode-6 readvar.
Port: 123
omronfins — Omron FINSFactory Interface Network Service protocol used to communicate with Omron CJ/CS/NJ/NX PLCs and related automation devices. Issues a Controller Data Read (0501) and returns the controller model, firmware version, area data, and node identification.
Port: 9600
opcua — OPC UAUsed as a vendor-neutral industrial information-model and data-access standard. Performs a GetEndpoints request and returns the application URI, product URI, server-certificate metadata, and per-endpoint security policies and identity tokens.
Ports: 4840, 4843, 48050
openvpnUsed by the OpenVPN Community and Access Server products. Sends a tls-auth/hard-reset probe and returns the responsiveness and any OCC strings observed.
Port: 1194
oracle — Oracle TNSUsed by Oracle Database listeners. Sends a TNS Connect with VERSION command and returns the listener version, instance name, and supported services.
Ports: 1521, 1522, 1525, 2483, 2484
oracledb — Oracle Database (TNS)Simple TNS-listener detection probe for Oracle Database. Reads the TNS error response and returns the listener version string and any disclosed product-version metadata.
Ports: 1521, 1522, 1525
orion — SolarWinds Orion PlatformHTTP fingerprinting of the SolarWinds Orion network management platform web console (NPM, NCM, NTA, etc.).
panxmlapi — Palo Alto Networks PAN-OS XML APIAuthenticated PAN-OS XML API queries (system info, ARP/MAC/neighbor caches, interfaces) issued against Palo Alto Networks firewalls and Panorama. Used by the runZero scanner with a user-supplied API key to enumerate adjacent assets and device facts.
pca — Symantec pcAnywhereRemote-access protocol. Sends the pcAnywhere status probe and returns the host name and product/version disclosed in the response.
Port: 5632
pcworx — Phoenix Contact PCWorxUsed to program and interact with ILC-series and other Phoenix Contact controllers. Queries controller identification and returns the controller model, firmware, and PLC-name string.
Port: 1962
pega — Pega PlatformHTTP fingerprinting of the Pega low-code business process management platform web tier.
pfcpUsed in 5G/LTE mobile cores between control-plane and user-plane functions. Sends a PFCP Heartbeat Request and returns the recovery time stamp and supported feature flags.
Port: 8805
pop3Used by mail clients to retrieve messages from a server (Post Office Protocol version 3). Reads the POP3 greeting and runs CAPA, returning the server software banner, supported capabilities, and STARTTLS availability.
Ports: 110, 995
postgres — PostgreSQLFrontend/backend database protocol. Performs an SSLRequest and a StartupMessage and returns the server version, supported authentication methods, and TLS availability.
Ports: 5432, 5433, 6432
postgresqlpowerlink — Ethernet POWERLINKUsed for deterministic motion control and I/O. Passively decodes POWERLINK frames and returns the managing-node identifier and observed CN node-IDs and states.
pptpMicrosoft Point-to-Point Tunneling Protocol legacy VPN. Sends a Start-Control-Connection-Request and returns the protocol version, vendor, firmware revision, and host name.
Port: 1723
proconos — Phoenix Contact ProConOSUsed by various OEM controllers. Queries runtime identification and returns the runtime version and target identification.
Port: 20547
profinetUsed for cyclic and acyclic real-time communication with PROFINET I/O devices and PLCs. Performs a Read Identification request and returns the device vendor, order number, serial, software/hardware revision, and (when enabled) discovered slot/subslot module list.
Ports: 34962, 34963, 34964
profinet-dcp — PROFINET DCPDiscovery and basic Configuration Protocol used at Layer 2 to identify and assign names/IPs to PROFINET stations. Passively decodes DCP Identify announcements and returns the station name, vendor identifier, role, and IP configuration.
prosoftpsdisco — PlayStation DiscoveryUsed by Remote Play and similar tooling. Sends the SRCH probe and returns the console identifier, host type, system version, and running-title metadata.
Ports: 987, 9302
pulsar — Apache PulsarDistributed messaging and streaming wire protocol. Sends a CONNECT command and returns the broker version, protocol version, and authentication-method requirements.
Ports: 6650, 6651
pwa_manifestqdrantPorts: 6333, 6334
qotd — Quote of the DayLegacy diagnostic service (RFC 865). Records the response to confirm the service and detect amplification-capable hosts.
Port: 17
qualys — Qualys Cloud Agent / Scanner ApplianceHTTP fingerprinting of Qualys vulnerability-management appliance and cloud-agent management interfaces.
radiusUsed for AAA in Wi-Fi, VPN, and network-access control. Sends an Access-Request with an invalid principal and returns the server's response code, supported authentication types, and any vendor-specific attributes disclosed.
Ports: 1645, 1646, 1812, 1813
raritan-csc — Raritan CommandCenterSecure Gateway management appliance. Reads the CSC banner and returns the appliance product name, version, and serial.
rdpMicrosoft Remote Desktop Protocol used by Windows Remote Desktop Services. Performs an X.224 Connection-Request and returns the supported security protocols, NLA requirement, and (when TLS is offered) certificate-derived hostname/version metadata.
Ports: 3389, 3390
redisIn-memory data-structure store and message broker. Issues PING/INFO/AUTH probes and returns the Redis version, role, mode, and authentication or protected-mode requirements.
Ports: 6379, 16379, 26379
rexecBSD Remote Execution protocol (legacy, transmits credentials in cleartext). Detects an rexec listener and returns the responsiveness and any host-identification banner observed.
Port: 512
riakPort: 8098
riak-httpripDistance-vector IGP. Sends a RIP Request and returns the RIP version and any advertised routes disclosed by the responder.
Port: 520
roomalert — AVTECH Room AlertEnvironmental monitoring appliance. Reads the device banner and returns the model, firmware version, MAC, and IP configuration.
Port: 9999
rpcbind — ONC RPC / rpcbindUsed to discover Sun RPC programs (NFS, NIS, ...). Queries the portmap dump and returns the registered program list with versions, protocols, and ports.
Port: 111
rsync — rsync (SSH-tunneled)Detection of the file-synchronization protocol exposed by rsync over SSH or rsh transports. Reads the greeting and returns the protocol version.
Port: 873
rsyncd — rsync daemonStandalone rsync daemon (rsync://) listening on TCP/873. Reads the daemon greeting and lists modules, returning the rsync version, available module names, and module comments.
Port: 873
rtmpAdobe Real-Time Messaging Protocol used to stream audio, video, and data between Flash players and media servers. Performs the RTMP handshake and returns the server version and connect-response object.
Port: 1935
rtps — OMG RTPS / DDSReal-Time Publish-Subscribe wire protocol from the Object Management Group; underlies DDS in robotics, ROS 2, and industrial IoT. Sends an SPDP participant announcement and returns the GUID, vendor identifier, protocol version, participant name, and discovered topics.
Ports: 7400, 7401, 7410, 7411
rtspUsed by IP cameras, NVRs, and media servers to control streams. Issues an OPTIONS request and returns the server software, supported methods, and any session-description metadata disclosed by DESCRIBE.
Ports: 554, 8554
s7comm — Siemens S7CommUsed to program and exchange data with SIMATIC S7-300, S7-400, S7-1200, and S7-1500 PLCs. Issues SZL identification reads and returns the module name, plant identification, copyright, serial, module type, hardware/firmware version, and (when enabled) backplane rack/slot module list.
Port: 102
sadp — Hikvision SADPUsed to discover Hikvision and OEM IP cameras and NVRs. Sends a SADP Inquiry and returns the device serial, model, firmware, MAC, IP configuration, and activation state.
Port: 37020
sccp — Cisco SCCP / SkinnyUsed by Cisco IP phones registering with CallManager/Unified Communications Manager. Sends a Register message and returns the call-manager response and station identification.
Ports: 2000, 2443
securemote — Check Point SecuRemoteVPN topology discovery service. Sends the topology query and returns the gateway name, version, and any community/certificate metadata disclosed in the response.
Port: 264
sercos-iii — SERCOS IIIUsed for drives, servos, and I/O in machine tools and packaging machinery. Passively decodes SERCOS III frames and returns the master/slave addressing and observed phase information.
servicetag — Sun Service TagUsed to inventory Sun/Oracle hardware and software. Sends the discovery probe and returns the registered product instance, instance URN, and version.
Port: 6481
sgsap — SGsAP (SCTP)SGs interface (3GPP TS 29.118) over SCTP between MME and MSC for SMS over SGs and CSFB. Verifies the SCTP association and SGsAP payload protocol identifier and returns endpoint identification.
Port: 29118
sipUsed to establish voice, video, and messaging sessions. Sends an OPTIONS request and returns the response code, server/user-agent strings, allowed methods, and any contact and via metadata disclosed.
Ports: 5060, 5061
slpUsed to discover services on a LAN (RFC 2608); commonly exposed by VMware ESXi and printers. Sends an attribute and service-type request and returns the SLP version, advertised services, and per-service attribute summary.
Port: 427
smb — SMB / CIFSFile-sharing and IPC protocol used by Windows and Samba. Negotiates SMB1/2/3 and reads tree/share metadata, returning the dialect, signing/encryption requirements, server OS, NetBIOS/computer name, domain, and (when permitted) the list of shares.
Ports: 139, 445
smb1smb3smppShort Message Peer-to-Peer protocol used between SMS clients and SMSCs. Sends a bind_transceiver probe and returns the SMSC system identifier and SMPP version.
Port: 2775
smtpUsed to transfer email between servers and from clients to relays. Reads the SMTP greeting and runs EHLO, returning the server software, supported extensions, STARTTLS availability, and supported authentication mechanisms.
Ports: 25, 465, 587, 2525
snmpUsed to monitor and configure network devices and servers. Walks system.* and selected enterprise OIDs over SNMPv1/v2c (and SNMPv3 when configured) and returns sysDescr, sysObjectID, sysName, location, contact, and a vendor/device-type fingerprint derived from the response.
Ports: 161, 162, 10161, 10162
snppUsed to deliver pages to paging gateways (RFC 1861). Reads the SNPP greeting and returns the gateway banner and supported-command summary.
Port: 444
sockssocks4SOCKS version 4 proxy protocol. Attempts a CONNECT and returns the proxy responsiveness and any disclosed reply codes.
Ports: 1080, 1081
socks5SOCKS version 5 proxy protocol (RFC 1928). Negotiates auth methods and returns the supported authentication methods and proxy reachability.
Ports: 1080, 1081, 9050, 9150
solrPort: 8983
some-ip — AUTOSAR SOME/IPUsed between automotive ECUs on in-vehicle Ethernet for service discovery and RPC (AUTOSAR Scalable service-Oriented MiddlewarE over IP). Sends a SOME/IP-SD FindService and returns the advertised service IDs, instance IDs, major versions, and endpoint configuration.
Ports: 30490, 30491
sonarqubePort: 9000
sonicwall-sgms — SonicWall GMS AgentUsed to manage SonicWall firewalls. Reads the SGMS banner and returns the agent product name and version.
Port: 3023
spiceUsed for KVM virtual machines and virtual desktops. Performs the SPICE link handshake and returns the server protocol version and any TLS-certificate metadata.
Port: 5930
splunk — Splunk Enterprise / Universal Forwarder Web UIHTTP fingerprinting of the Splunk web management interface (splunkd / Splunk Web), extracting product, edition, and version information.
spotify-connectssdpUsed by UPnP devices to advertise services. Sends an M-SEARCH and returns the advertised service types, USN, server string, and Location URLs of the responding devices.
Port: 1900
sshSecure Shell remote-access and tunneling protocol. Reads the SSH banner, runs a KEX-init exchange, and (when credentials are configured) authenticates, returning the server software string, supported KEX/host-key/cipher/MAC algorithms, host keys and fingerprints, and accepted authentication methods.
Ports: 22, 2222, 22222
sstpMicrosoft Secure Socket Tunneling Protocol VPN. Detects an SSTP listener and returns the server's SSTP-version response.
Port: 443
steam — Steam Server DiscoveryValve Steam game-server discovery / A2S query protocol. Sends an A2S_INFO and returns the server name, game, map, version, current and maximum player counts, and bot count.
Port: 27036
stunSession Traversal Utilities for NAT (RFC 5389) used for NAT discovery in WebRTC and VoIP. Sends a binding request and returns the SOFTWARE attribute, observed XOR-MAPPED-ADDRESS, and any FINGERPRINT-validated server identification.
Ports: 3478, 3479, 5349, 5350
sua — SUA (SCTP)SCCP User Adaptation Layer (RFC 3868) over SCTP, used to carry SS7 SCCP signaling over IP. Verifies the SCTP association and SUA payload protocol identifier and returns endpoint identification.
Ports: 2904, 14001
sunrpcsvn — SubversionApache Subversion svn:// version-control protocol. Reads the SVN greeting and returns the server version, supported capabilities, and repository UUID/root URL when disclosed.
Port: 3690
sybase — Sybase / SAP ASE (TDS 5.0)Database protocol. Sends a TDS login probe and returns the server version, character set, language, and TDS-version negotiation result.
Port: 5000
syslogUsed to forward log messages between hosts and collectors. Detects an open syslog listener and returns the responsiveness and any TLS-certificate metadata when syslog-over-TLS is in use.
Ports: 514, 6514
tcptcpmuxTCP Port Service Multiplexer (RFC 1078), a legacy diagnostic service. Queries the registered service list and returns the disclosed names.
teamviewerRemote-access application detection. Sends the TeamViewer version probe and returns the TeamViewer client version and partner identifier observed in the response.
Port: 5938
telnetRemote-terminal protocol (RFC 854); transmits credentials in cleartext. Reads the negotiation banner and any login prompts, returning the device hostname, OS or product banner, and supported telnet options.
Ports: 23, 992, 2323
tenable-agent-idtftpUsed for boot images, firmware, and config transfer (RFC 1350). Sends a benign read request and returns the responsiveness and any error-code metadata that discloses the server implementation.
Port: 69
timeLegacy 32-bit time-of-day service (RFC 868). Reads the response to confirm the service and detect amplification-capable hosts.
Port: 37
tls — TLS / SSLTransport Layer Security; the encrypted-transport substrate for HTTPS and most modern Internet protocols. Performs a TLS handshake and returns the negotiated version and cipher suite, supported versions and extensions, and the full server-certificate chain with subject, issuer, SANs, validity, and key metadata.
Ports: 443, 5986, 6443, 8443, 9443
tristation — Triconex TriStationUsed to program and configure Tricon and Trident Safety Instrumented Systems controllers. Passively decodes TriStation frames and returns the controller identification observed.
Port: 1502
turnTraversal Using Relays around NAT (RFC 5766) used as a media relay for WebRTC and VoIP. Sends an Allocate request and returns the SOFTWARE attribute, supported authentication, and relay-allocation behavior.
Ports: 3478, 3479, 5349, 5350
ubnt — Ubiquiti DiscoveryUsed by UISP/UNMS and the Ubiquiti Discovery Tool. Sends the discovery probe and returns the device hostname, model, firmware, MAC, and IP configuration.
Port: 10001
unitronics — Unitronics PCOMUsed to communicate with Unitronics Vision and Samba/UniStream PLC+HMI controllers. Queries the controller identification and returns the model, firmware, hardware revision, and PLC name.
Port: 20256
upnpuscanvaultPort: 8200
vmauthd — VMware vmauthdAuthentication daemon listening on VMware ESXi and Workstation hosts. Reads the vmauthd greeting and returns the protocol version and host product fingerprint.
Port: 902
vmware — VMware vSphere SOAPAPI fingerprinting (vCenter / ESXi). Fetches /sdk and returns the product name, vendor, full version and build, API type, OS type, and certificate thumbprint.
Port: 443
vnc — VNC / RFBVirtual Network Computing (RFB) remote-desktop protocol. Reads the protocol-version handshake and returns the RFB version, supported security types, and any disclosed vendor banner.
Ports: 5800, 5900, 5901, 5902, 5903
wbsm — IBM Web-Based System ManagerUsed to administer AIX systems. Reads the WBSM banner and returns the server product and version information.
Port: 9090
webminUnix-administration web UI discovery. Inspects the Webmin HTTP response and returns the product name, version, and login-page configuration.
Port: 10000
wireguardModern in-kernel VPN protocol. Sends a benign handshake-initiation probe and returns the responsiveness and any rate-limited replies that confirm a WireGuard endpoint.
Port: 51820
wiznet — WIZnet DiscoveryUsed by WIZnet serial-to-Ethernet modules and embedded TCP/IP chips. Sends the discovery probe and returns the device model, firmware, MAC, and configured network parameters.
Ports: 5000, 50001
wsdPort: 3702
wsmanx11 — X11 / X Window SystemX Window System protocol used by Unix graphical desktops; if exposed, allows remote display capture and input injection. Performs an X11 connection-setup probe and returns the X.Org/XFree86 vendor string, protocol-major version, and the access state of the server.
Ports: 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009, 6010, 6011, 6012, 6013, 6014, 6015
x2ap — X2AP (SCTP)X2 Application Protocol (3GPP TS 36.423) over SCTP used between LTE eNodeBs. Verifies the SCTP association and X2AP payload protocol identifier and returns endpoint identification.
Port: 36422
xdmcpUsed by X Window System login managers (xdm, gdm, kdm). Sends an XDMCP query and returns the responding manager's hostname and supported authentication types.
Port: 177
xmppExtensible Messaging and Presence Protocol used by chat servers (Jabber, Openfire, ejabberd). Sends a stream-start request and returns the server software banner, supported XMPP version, and STARTTLS / SASL feature summary.
Ports: 5222, 5223, 5269
zabbix — Zabbix AgentUsed by the Zabbix server to collect host metrics. Sends an agent.version request and returns the agent version, host metadata, and any system.uname response disclosed.
Ports: 10050, 10051
zabbix-agentzebra — Zebra DiscoveryNetwork discovery protocol used by Zebra Technologies printers and barcode printers. Sends the discovery probe and returns the device hostname, model, firmware, IP configuration, and printer status.
Port: 6101
zookeeper — Apache ZooKeeperCoordination service wire protocol. Sends a four-letter (ruok/srvr/conf) command and returns the access state, mode (leader/follower/standalone), node count, and ZooKeeper version when the command is permitted.
Ports: 2181, 2888, 3888
zyxel — Zyxel Device Web ManagementHTTP probe of Zyxel switches/routers (e.g. GS1200 series) that exposes a system_data.js endpoint advertising model, firmware version, MAC, hostname, and IP configuration.
Additional protocols
ajpardarpcephcitrixcognexcommon-socket-connectioncompanion-linkdigieero-ebideerogwerldpfingerfinsgangliahostmetahttp2httpsics-traceiec61850-gooseiec61850-svikev2ipp-browsejabberlldpmattermeshcopmountdmssql-replicanetisnetop-remote-controlopcdapanasonictvprinteridquicrloginsctptunsentinelsmb2subversionthinprintuscansvsdpvxlanwaveuwdbrpc