Protocol support
aaa 4 ai 5 auth 5 automotive 2 backplane 20 backup 2 building-automation 5 camera 1 clear 60 database 18 deep 24 directory 2 discovery 55 email 4 encrypted 9 file 9 gaming 4 integration 1 iot 35 legacy 11 light 80 media 2 messaging 15 mgmt 75 mobile-core 13 monitoring 8 multicast 10 naming 4 network 1 ot 54 passive 15 printing 10 proxy 2 remote-access 16 routing 2 security 6 siem 1 storage 8 time 2 tls 50 voip 14 vpn 10 web 22
328 of 328 protocols
Loading protocols…
acop — Atlas Copco Open ProtocolAtlas Copco Open Protocol is a tightening-controller protocol used by Power Focus and Power MACS controllers on manufacturing assembly lines. Negotiates the protocol revision and queries controller identity, returning the supplier code, controller name, controller serial and software version, tool software version, and cell and channel identifiers.
Port: 4545
acpp — Apple AirPort Configuration ProtocolApple AirPort Configuration Protocol is the management protocol used by AirPort Utility to provision Apple AirPort base stations and Time Capsules. Connects to the ACPP listener and records the raw banner returned by the device.
activemq — Apache ActiveMQ OpenWireApache ActiveMQ OpenWire is the native binary wire protocol used by JMS clients to talk to ActiveMQ message brokers. Performs an OpenWire handshake and returns the broker version, host JVM and OS, and negotiated wire-format options.
Ports: 8161, 61616, 61617
adb — Android Debug BridgeAndroid Debug Bridge is a developer protocol used to debug, install, and control Android devices over the network (typically on rooted phones, TVs, and IoT devices). Probes for an open ADB endpoint and returns the device's access state and ADB banner.
Ports: 5037, 5555
ads — Beckhoff ADS/AMSBeckhoff ADS/AMS is the Automation Device Specification / Automation Message Specification protocol used to communicate with TwinCAT runtimes on Beckhoff PLCs and industrial PCs. Issues a ReadDeviceInfo request and returns the device name, AMS NetID, and TwinCAT runtime version.
Port: 48898
airplay — Apple AirPlayAirPlay is Apple's wireless streaming protocol used by iOS, macOS, and Apple TV devices to mirror displays and stream audio/video. Detected from the _airplay._tcp and _raop._tcp mDNS records and HTTP banners advertised by AirPlay receivers.
ajp — Apache JServ Protocol (AJP)Apache JServ Protocol (AJP) is a binary protocol used by reverse-proxy front-ends (Apache httpd mod_proxy_ajp, nginx, IIS) to bridge HTTP requests to a back-end Tomcat or JBoss application server, typically on TCP/8009. runZero attributes services as AJP from external integration data (Shodan) and from banner / port hints; no active AJP probe is sent.
amqp — AMQP 0-9-1AMQP 0-9-1 is the Advanced Message Queuing Protocol used by RabbitMQ and other brokers for message-oriented middleware. Exchanges the protocol-header preamble and returns the negotiated AMQP version, broker product and version, runtime platform, cluster name, advertised SASL mechanisms, and TLS requirement.
Ports: 5671, 5672
anydeskAnyDesk is a proprietary TLS-wrapped remote-desktop protocol used by the AnyDesk client and host software on Windows, macOS, Linux, Android, and iOS endpoints. Performs a TLS handshake on the AnyDesk listener and inspects the peer certificate to fingerprint the service, returning the certificate subject, issuer, and a self-signed flag.
Ports: 6568, 7070
ard — Apple Remote DesktopApple Remote Desktop is a discovery protocol used by macOS systems to advertise themselves to Apple Remote Desktop administrators on UDP/3283. runZero sends the ARD discovery request, validates the response type, and returns the advertised hostname and Apple machine model from the reply.
Port: 3283
arp — Address Resolution ProtocolAddress Resolution Protocol is a Layer-2 protocol used to resolve IPv4 addresses to Ethernet MAC addresses on the local broadcast segment. runZero sends ARP requests for each target on the local network to discover live hosts, captures the MAC address from each reply for asset attribution and OUI-based vendor identification, and passively records ARP traffic observed during the scan.
atg — Automatic Tank GaugeAutomatic Tank Gauge is a Veeder-Root serial protocol tunneled over TCP (commonly port 10001) used by ATG consoles such as the TLS-3xx and TLS-4xx series found in fuel-station forecourts. Issues the I20100 in-tank inventory and I90200 system-revision commands and returns the station name, console software and module revisions, tank count, and per-tank product names.
Port: 10001
backupexec — Veritas Backup Exec AgentVeritas Backup Exec Agent is the host-side service used by the Backup Exec server to coordinate jobs with protected hosts. Identifies the agent from its TCP banner and tags the asset as Veritas Backup Exec.
Port: 6106
bacnet — BACnet/IPBACnet/IP is a building-automation protocol used for HVAC, lighting, access control, and other building systems. Issues Who-Is and ReadProperty requests and returns the device instance, vendor, model, firmware, and a summary of objects and routing devices behind the gateway.
Ports: 46808, 47808, 47809, 47810, 47811, 47812, 47813, 47814, 47815, 47816, 47817, 47818, 47819, 47820, 47821, 47822, 47823, 47824, 48808
banner — Generic TCP BannerGeneric TCP Banner is a fallback collector used when no protocol-specific matcher fires. Reads the first response bytes and returns the raw banner text for downstream fingerprinting.
bedrock — Minecraft BedrockMinecraft Bedrock is the game-server query and discovery protocol used by Minecraft Bedrock Edition clients. Sends an Unconnected Ping and returns the server uptime, GUID, and the raw advertisement payload (MOTD and version fields).
Port: 19132
bgp — Border Gateway ProtocolBorder Gateway Protocol is the inter-domain routing protocol used between autonomous systems on the Internet and inside large networks. Attempts an OPEN exchange and returns the BGP version, advertised AS number, BGP identifier, and supported capabilities.
Port: 179
bitdefender-app — Bitdefender EndpointBitdefender Endpoint is a proprietary check-in channel exposed by Bitdefender, NETGEAR Armor, and ThreatTrack mobile-security and VPN agents on Android and iOS endpoints. runZero passively matches the agent's JSON app_id payload from observed banners and reports the Bitdefender vendor along with the application identifier and software version of each detected product.
Port: 7519
bjnp — Canon BJNPCanon BJNP is a vendor-specific printing and scanning protocol used by Canon's network drivers. Sends a BJNP discovery probe and returns the device type (printer or scanner), MAC address, and IPv4/IPv6 address advertised in the reply.
Ports: 8611, 8612
brother — Brother Network DiscoveryBrother Network Discovery is a UDP-based broadcast protocol used by Brother printers and multi-function devices to announce themselves and respond to driver/management discovery probes. runZero parses the response to recover the printer model, firmware revision, and serial number.
brother-scanner — Brother Network DiscoveryBrother Network Discovery is the scanner protocol used by Brother network devices. Identifies the service from its +OK 200 / -NG 401 reply and tags the asset as a Brother scanner.
Ports: 54921, 54922, 54923
bsap-ip — Emerson BSAP/IPEmerson BSAP/IP is the Bristol Standard Asynchronous Protocol over IP used by Emerson ControlWave and Bristol RTUs in oil & gas SCADA. Queries node identification and, when enabled, walks the BSAP local-address hierarchy to enumerate child RTUs, returning RTU identity, firmware, and topology summaries.
Ports: 1234, 1235
c12.22 — ANSI C12.22ANSI C12.22 is the metering-network transport used by electric-utility advanced-metering-infrastructure head-ends and relays. Issues an EPSEM Identification request and returns the device serial number, ED class, and C12.22 standard version.
Port: 1153
c37118 — IEEE C37.118 SynchrophasorIEEE C37.118 Synchrophasor is the streaming protocol used by Phasor Measurement Units and Phasor Data Concentrators on the electric grid. Requests CFG-2 and header frames and returns PMU/PDC identification, station and channel naming, and reporting rate.
Port: 4712
cacti — Cacti Network Monitoring Web UICacti Network Monitoring Web UI is the open-source RRDtool-based network graphing and monitoring console deployed by network and IT operations teams. The HTTP extractor matches the Cacti login page title, parses the embedded versionInfo string, and returns the cacti.version attribute and Cacti software identification.
cassandra — Apache Cassandra CQLApache Cassandra CQL is the native client protocol used to query the Cassandra wide-column store. Performs a STARTUP/OPTIONS exchange and returns the cluster name, CQL version, and Cassandra release.
Ports: 9042, 9160
cdp — Cisco Discovery ProtocolCisco Discovery Protocol is a Layer-2 announcement protocol used by Cisco devices to advertise themselves to neighbors. Passively decodes CDP frames and returns the device ID, software version, platform, capabilities, native VLAN, and management addresses advertised by the neighbor.
cephCeph is a cluster-internal messenger protocol used by Ceph distributed storage daemons (mon, mgr, osd, mds) to communicate. runZero identifies Ceph services from the "ceph v" banner returned on connection and tags the asset as a Ceph storage node.
chargen — Character GeneratorCharacter Generator is a legacy diagnostic service (RFC 864) that emits a stream of printable characters. Records the response banner to confirm the service.
checkmk — Checkmk AgentCheckmk Agent is the host-side metric exporter used by the Checkmk server to collect host metrics. Reads the agent banner and returns the agent version, build date, host operating system, architecture, and configured hostname.
Port: 6556
chromecast — Google ChromecastChromecast is the Google Cast device discovery and control protocol used by Chromecast, Google TV, Google Nest Hub, and Cast-enabled speakers. Detected via the _googlecast._tcp mDNS record and the device's HTTP /setup/eureka_info endpoint, which exposes the device name, model, build, and timezone.
cip — Common Industrial ProtocolCommon Industrial Protocol is an industrial automation protocol used by Rockwell/Allen-Bradley and other vendors for PLC and I/O communication. Issues the List Identity and Get Attributes All requests and returns vendor, product code, revision, serial, product name, and device-type information for the controller and any backplane modules.
Port: 44818
cisco-phone — Cisco IP Phone Web InterfaceCisco IP Phone Web Interface is the embedded HTTP server exposed by Cisco SPA, 7900-series, 8800-series, and Unified IP Phones. runZero attributes services as cisco-phone from Recog banner matches and uses the response to recover the model, firmware version, MAC address, and call-manager configuration.
ciscosmi — Cisco Smart InstallCisco Smart Install is a zero-touch deployment protocol commonly abused for unauthenticated configuration access. Sends the Smart Install probe, tags the asset as Cisco IOS, and records the raw response payload.
Port: 4786
citrix — Citrix ICA BrowserCitrix ICA Browser is a UDP/1604 service used by Citrix XenApp and Virtual Apps and Desktops clients to locate published applications and server farms. runZero sends an ICA Browser request and parses the reply to return the server-farm name and the list of advertised published applications.
Port: 1604
citrixica — Citrix ICACitrix ICA is the remote-presentation protocol used to deliver published apps and desktops from Citrix Virtual Apps and Desktops. Detects the ICA banner signature on the listener, tags the asset as Citrix Virtual Apps, and records the response banner and a short hex prefix.
Ports: 1494, 2598
cldap — Connectionless LDAPConnectionless LDAP is a UDP-based directory protocol used to query directory servers without setting up a TCP connection. Issues a rootDSE search and returns the LDAP attributes parsed from the reply (vendor name and version, supported controls, extensions, capabilities, and SASL mechanisms).
Port: 389
click — Click Modular RouterClick Modular Router is the control socket exposed by hosts running the Click software router. Identifies the service from the Click::ControlSocket banner and tags the asset accordingly.
Port: 7734
coapCoAP is the Constrained Application Protocol (RFC 7252) used by constrained devices and IoT deployments for resource-oriented messaging. Issues a GET on /.well-known/core and returns the CoAP version, message type, response code, options, content format, and the resource list or payload from the reply.
Ports: 5683, 5684
cockpit — Cockpit Linux Web ConsoleCockpit Linux Web Console is the web-based Linux server-management console shipped with Red Hat, Fedora, CentOS Stream, and Debian, typically served over TLS on TCP/9090. The HTTP extractor matches the embedded environment JSON in the login page and returns the host name, OS pretty name, and OS variant identifiers.
codesys — CODESYS V3 RuntimeCODESYS V3 Runtime is the IEC 61131-3 controller runtime used by many OEMs (WAGO, Beckhoff, Schneider, Eaton, ...). Issues the runtime identification request and returns the runtime vendor, product, version, and target identification.
Ports: 1200, 1217, 2455, 11740
codesys2 — CODESYS V2 RuntimeCODESYS V2 Runtime is the older 3S CODESYS V2 controller runtime used by industrial controllers from many OEMs. Performs the V2 login probe and returns the runtime version and target identification.
Ports: 1200, 2455
cognex — Cognex In-SightCognex In-Sight is an operator-access service exposed by Cognex In-Sight industrial machine-vision cameras for configuration and monitoring on factory networks. runZero identifies In-Sight cameras from the proprietary banner returned on connection and tags the asset as a Cognex vision system.
common-socket-connection — Raritan Common Socket ConnectionRaritan Common Socket Connection is a proprietary management transport used by Raritan KVM-over-IP switches, Dominion serial consoles, and rack PDUs, typically on TCP/5000. runZero identifies CSC services from the Raritan banner returned on connection and tags the asset as a Raritan management device.
companion-link — Apple CompanionLinkApple CompanionLink is a discovery and pairing service used by Apple devices (iOS, macOS, tvOS, HomePod) to negotiate AirPlay, HomeKit, and Continuity sessions with paired peers, advertised via _companion-link._tcp on Bonjour. runZero attributes the service from the mDNS / port hint and reports the asset as Apple CompanionLink.
comtrol — Comtrol Device DiscoveryComtrol Device Discovery is the broadcast protocol used by Comtrol/Pepperl+Fuchs RocketLinx switches and DeviceMaster serial servers to advertise their presence on the network. runZero parses the response to recover the model name, hardware/firmware revision, MAC address, IP configuration, and serial number.
confluence — Atlassian ConfluenceAtlassian Confluence is a wiki and team-collaboration server available in Server, Data Center, and Cloud editions. The HTTP probe fetches Confluence login, dashboard, and version endpoints and returns the product name, edition, and build number.
consul — HashiCorp ConsulConsul is HashiCorp's service-mesh and key/value store. Detected on the Consul HTTP API (TCP/8500), where the /v1/status/leader and /v1/agent/self endpoints disclose the datacenter, node name, build version, and Raft leader of the cluster.
Port: 8500
couchdb — Apache CouchDBCouchDB is the Apache document-oriented database fronted by an HTTP/JSON API. Detected from the welcome document at /, which discloses the CouchDB version, vendor name, UUID, and -- on misconfigured deployments -- whether the admin party is enabled.
Port: 5984
crestron — Crestron DiscoveryCrestron Discovery is a vendor protocol used to locate Crestron control processors and AV equipment. Sends the discovery probe and returns the device hostname, model, and firmware version.
Port: 41794
crimsonv3 — Red Lion Crimson 3Red Lion Crimson 3 is a configuration and runtime protocol used to read data from Red Lion Graphite, DA-series, and other industrial HMIs and gateways. Reads the manufacturer (register 0x012b) and model (register 0x012a) registers and returns those strings.
Port: 789
crowd — Atlassian CrowdAtlassian Crowd is a centralized SSO and identity-management product. runZero attributes services as Crowd from Recog matches against the application's HTTP banners and login pages, recovering the product version and build information.
cspv4 — Allen-Bradley CSPv4 / PCCCAllen-Bradley CSPv4 / PCCC is a legacy controller protocol used by SLC 5/05 and MicroLogix PLCs for register access. Issues a PCCC identify request and returns the controller family, processor type, and series/revision string.
Port: 2222
cups — Common Unix Printing SystemCUPS is the Common Unix Printing System administrative web interface. runZero matches the CUPS HTTP banner and the IPP server header, returning the cupsd version and host operating system.
Port: 631
dahua-dhip — Dahua DHIPDahua DHIP is a proprietary discovery and management protocol used by Dahua and OEM-rebranded IP cameras and NVRs (Amcrest, Lorex, and similar). Sends the single-byte DHIP discovery probe and returns the device serial, machine name, vendor, firmware version, MAC, and IPv4/IPv6 configuration.
Port: 37810
daytimeDaytime is a legacy diagnostic service (RFC 867) that returns the current date and time. Records the response banner, parses the timestamp, and infers an OS hint from the format.
Port: 13
db2 — IBM Db2IBM Db2 is a relational database protocol used by Db2 LUW and Db2 for z/OS clients. Performs a DRDA EXCSAT/ACCSEC exchange and returns the server product identifier, version, and platform.
Ports: 523, 50000, 50001, 60000
dcerpc — DCE/RPC Endpoint MapperDCE/RPC Endpoint Mapper is the RPC locator used to enumerate RPC services on Windows hosts. Queries the endpoint mapper and returns a summary of registered RPC interfaces, their UUIDs, versions, and bindings.
Ports: 135, 593
dhcpDHCP is the Dynamic Host Configuration Protocol used to lease IPv4 addresses and network configuration. Sends a DHCPDISCOVER and returns the offered server identifier, lease parameters, and any vendor-class identification revealed by the response.
Ports: 67, 68
diameter — Diameter (TCP)Diameter (TCP) is an authentication, authorization, and accounting protocol over TCP; the successor to RADIUS, widely used in mobile-core networks. Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
diametersctp — Diameter (SCTP)Diameter (SCTP) is the Diameter (RFC 6733) AAA protocol carried over SCTP, used between mobile-core elements (Diameter Edge Agent, DRA, HSS, PCRF, MME). Sends a Capabilities-Exchange-Request and returns the origin host, realm, vendor, product name, and supported applications.
Port: 3868
digi — Digi ADDPDigi ADDP is the Advanced Device Discovery Protocol used by Digi International serial servers, cellular gateways (TransPort, IX, EX), and embedded modules to advertise themselves on the local network. runZero sends DIGI, DVKT, and DGDP discovery requests on UDP/2362 and parses the TLV reply to return the device MAC, IP, model, firmware version, and hardware revision.
Port: 2362
dnp3DNP3 is Distributed Network Protocol 3 (IEEE 1815) used in electric, water, and oil & gas SCADA between control centers (masters) and RTUs/IEDs (outstations). Performs an unsolicited link-layer test and an Object Group 0 read and returns the outstation address, vendor, model, firmware, and device-attributes summary.
Port: 20000
dnsDNS is the Domain Name System used to resolve hostnames to addresses and other resource records. Issues version.bind, hostname.bind, and recursion-test queries and returns the resolver software identification, recursion availability, and observed CHAOS-class metadata.
Ports: 53, 5353, 5355
docker — Docker Engine APIDocker Engine API is the HTTP control plane exposed by dockerd. runZero queries /version and /info on unauthenticated daemons (typically TCP/2375 or 2376) to recover the engine version, API version, kernel version, operating system, architecture, and container runtime.
Ports: 2375, 2376
doip — Diagnostics over IPDiagnostics over IP is an automotive diagnostics protocol used to reach in-vehicle ECUs (UDS/KWP) over Ethernet. Issues a Vehicle Identification Request and (when enabled) Entity Status, returning VIN, EID/GID, logical addresses, and reachable ECU summaries behind the gateway.
Port: 13400
dotnet-remoting — .NET Remoting.NET Remoting is a Microsoft RPC framework used by legacy .NET Framework applications for cross-process and cross-host RPC. Identifies the service from the .NET Remoting binary-protocol prefix in the connection banner and saves the raw banner.
Port: 9090
drbdDRBD is the Distributed Replicated Block Device protocol used to replicate block devices between Linux nodes for high availability. Identifies the service from the connection-error banner observed on TCP/8787 and saves the raw banner.
Port: 8787
drobo-nasd — Drobo NASdDrobo NASd is the management daemon used by Drobo Dashboard to administer Drobo storage appliances. Identifies the daemon from the DRINASD banner returned on TCP/5000 and saves the raw banner.
Port: 5000
dtlsDTLS is Datagram Transport Layer Security (RFC 6347/9147), the UDP/SCTP variant of TLS, used by WebRTC, CoAP, OpenVPN, EAP-TTLS, and other datagram services. Performs a DTLS ClientHello and returns the negotiated version, cipher suite, and any presented certificate metadata.
Ports: 443, 3391, 4433, 5246, 5349, 5684, 12346, 12366, 12386, 12406, 12426
echoEcho is a legacy diagnostic service (RFC 862) that echoes received bytes. Records the response to confirm the service and to detect amplification-capable hosts.
Port: 7
eero-ebid — eero EBIDeero EBID is a proprietary discovery protocol used by Amazon eero mesh Wi-Fi access points to advertise the extender beacon identifier between mesh nodes on the local segment. runZero attributes the service from the EBID hint and applies eero-specific fingerprinting to identify the asset as an eero mesh extender.
eerogw — eero Gatewayeero Gateway is a proprietary discovery protocol used by Amazon eero mesh gateways to advertise themselves to companion mobile applications on the local network. runZero attributes the service from the eero gateway hint and applies eero-specific fingerprinting to identify the asset as an eero gateway node.
elasticsearchElasticsearch is the Elastic search/analytics engine. runZero queries the root HTTP endpoint to recover the cluster name, node name, Elasticsearch version, Lucene version, and build hash.
Port: 9200
epm — DCE/RPC Endpoint Mapper ServiceEPM is the surface name used by runZero for services attributed to the Microsoft DCE/RPC Endpoint Mapper following Recog/banner-based fingerprinting. The lower-level wire protocol is decoded as dcerpc; this label captures hosts where only fingerprint evidence (banners, version strings) was available.
Port: 135
epmd — Erlang Port Mapper DaemonEPMD is the Erlang Port Mapper Daemon used by Erlang and Elixir distributed nodes (including RabbitMQ and CouchDB) to advertise registered node names and the dynamic ports they listen on. runZero issues the NAMES_REQ to enumerate registered nodes and their listening ports.
Port: 4369
epo — Trellix/McAfee ePolicy Orchestrator (ePO)Trellix/McAfee ePolicy Orchestrator (ePO) is the central management console for Trellix (formerly McAfee) endpoint-security agents. The HTTP probe fetches the ePO login page and returns the product name, build number, and version metadata exposed in the page markup.
erlangdp — Erlang DistributionErlang Distribution is the inter-node messaging protocol used between Erlang and Elixir nodes. Queries EPMD for registered node names and (when nodes are discovered) performs a distribution handshake on the first node, returning the EPMD names list, node name and hostname, distribution version, supported flags, and handshake status.
Port: 4369
erldp — Erlang Distribution ProtocolErlang Distribution Protocol is the distribution protocol used between Erlang and Elixir VM nodes for inter-node messaging (also commonly referred to as ErlDP). runZero matches the Erlang distribution handshake on the wire and reports the protocol alongside the active erlangdp scanner so port-scan results are tagged consistently with EPMD-discovered nodes.
etcd — etcd v3 APIetcd is the distributed key-value store used by Kubernetes and other CoreOS-derived projects. Detected via the v3 HTTP/gRPC API (typically TCP/2379), where /version reports the etcd-server and etcd-cluster versions.
Port: 2379
etcd2 — etcd v2 APIetcd2 is the legacy v2 HTTP API exposed by older etcd deployments. Detected via /v2/stats/self and /version, which expose the cluster name, member ID, and etcd version on unauthenticated installations.
Ports: 2379, 4001
ethercatEtherCAT (Ethernet for Control Automation Technology, IEC 61158) fieldbus used for high-speed motion control and distributed I/O on machine-control and CNC segments. Queries master and slave registers and returns the master vendor identification and a summary of slaves discovered on the segment.
Port: 34980
fgfm — FortiGate to FortiManagerFGFM is the proprietary TLS-wrapped management protocol used by Fortinet FortiGate firewalls to register with and receive configuration from a FortiManager. Detected by the FGFM TLS server certificate and banner; runZero records the device serial number and model where exposed.
Port: 541
fingerFinger is a legacy user-information service (RFC 1288) historically exposed on TCP/79, today seen mostly on Cisco IOS devices and embedded printers. runZero reads the Finger banner returned on connection and extracts the printer model (HP JetDirect-style) or Cisco IOS identification, and reports the service for legacy-protocol exposure tracking.
fins — Omron FINSOmron FINS is the Factory Interface Network Service used by Omron CJ, CS, NJ, and NX PLCs and related automation devices on factory floors. runZero records FINS-derived asset attributes (controller model, firmware) emitted by the active omronfins scanner and uses the FINS protocol identifier when categorizing assets and assigning OT asset functions.
Port: 9600
firebird — Firebird SQLFirebird SQL is the relational database wire protocol used by the Firebird open-source database engine. Performs the Firebird connection handshake and returns the server architecture, protocol version, and Firebird release.
Port: 3050
focas — Fanuc FOCASFanuc FOCAS is an Ethernet protocol used to monitor and control Fanuc CNC machine tools and robots (Open CNC API Specification, FOCAS2/Ethernet). Issues the system-info call and returns the CNC series, version, machine number, and (when enabled) per-path machining data.
Port: 8193
fortigate-to-fortimanagerFortiGate-to-FortiManager is the Fortinet FGFM management protocol used by FortiManager to manage FortiGate firewalls. Inspects the FGFM TLS handshake and returns the FortiGate model, firmware, and serial number embedded in the certificate.
Port: 541
fox — Tridium Niagara FoxTridium Niagara Fox is the building-automation control protocol used by Niagara Framework JACE controllers and supervisors. Sends the Fox hello and returns the Fox version, station name, host ID, host name, OS name and version, JVM name and version, brand identifier, and authentication agent.
Ports: 1911, 4911
ftpFTP is the standardized file-transfer protocol (RFC 959). Reads the FTP greeting and issues SYST/HELP/AUTH probes, returning the server software, system type, supported features, and TLS-availability indicators.
Ports: 21, 2121, 9090
gangliaGanglia is a distributed monitoring system commonly deployed on HPC clusters and Linux server farms. runZero identifies Ganglia services from the GANGLIA_XML document returned by gmond/gmetad and captures the banner so cluster identification and host metrics are available for inventory.
gesrtp — GE SRTPGE SRTP is the Service Request Transport Protocol used to communicate with GE/Emerson PACSystems, Series 90, and RX3i/RX7i PLCs. Issues a controller-identification request and returns the model, firmware, sweep state, and slot configuration.
Port: 18245
giop — GIOP / CORBA IIOPGIOP / CORBA IIOP is the OMG General Inter-ORB Protocol (the wire format under CORBA IIOP). Identifies the service from the GIOP magic in the connection banner.
Port: 535
git — Git Smart ProtocolGit Smart Protocol is the native transport used by git:// servers for clones, fetches, and pushes. Sends an upload-pack advertisement request and returns the advertised refs summary, server capabilities, and HEAD reference.
Port: 9418
git-http — Git Smart HTTP ServiceGit Smart HTTP Service is the Git smart-HTTP transport (git-upload-pack and git-receive-pack endpoints) used by GitLab, Gitea, Bitbucket, cgit, and bare git-http servers for clones, fetches, and pushes. The HTTP extractor matches the _gitlab_session cookie and parses the manifest body, returning the git-http protocol attribution and the GitLab manifest hash.
googlewifi — Google Wifi / Nest WifiGoogle Wifi is the local management API exposed by Google Wifi and Nest Wifi mesh access points. Detected via mDNS (_googlecast._tcp) and the local HTTP setup endpoints, which reveal the device's hardware model, build version, and mesh role.
gpsdGPSD is the GPS daemon JSON-over-TCP protocol used to share location and timing data from connected GNSS receivers. Sends a ?WATCH request and identifies the service from the GPSD banner returned in the response.
Port: 2947
gtpc — GTP-CGTP-C is the GPRS Tunneling Protocol control plane that carries signaling between mobile-core nodes (SGSN/GGSN, MME/SGW/PGW). Sends an Echo Request and returns the GTP version, restart counter, and supported features.
Ports: 2123, 2152
gtpprime — GTP'GTP' is the GTP charging variant used to ship CDRs from mobile network elements to a Charging Gateway. Sends an Echo Request and returns the GTP' version and node identification.
Port: 3386
gtpu — GTP-UGTP-U is the GPRS Tunneling Protocol user plane that encapsulates subscriber traffic between mobile-core nodes and base stations. Sends an Echo Request and returns the GTP-U version and observed extension-header support.
Port: 2152
gvcp — GigE Vision ControlGigE Vision Control is the AIA GVCP protocol used to discover, configure, and trigger industrial machine-vision cameras over Ethernet. Sends a Discovery_Cmd and returns the camera manufacturer, model, serial, firmware, MAC, and supported GVCP version.
Port: 3956
gvsp — GigE Vision StreamingGigE Vision Streaming is the AIA GVSP protocol used to transport image and chunk data from machine-vision cameras to host applications. Passively classifies stream packets and returns the streaming state, packet format, and block identifier.
Port: 20202
h323 — H.323H.323 is the ITU-T multimedia conferencing/VoIP signaling protocol. Sends a Setup probe and returns the gatekeeper/endpoint identification and supported codec/feature summary.
Port: 1720
hartip — HART-IPHART-IP is an industrial protocol used to tunnel HART process-instrument traffic over TCP/UDP through gateways and multiplexers. Issues HART command 0 and returns the gateway identification, and (when enabled) walks sub-device indices via Cmd 84 to enumerate connected field instruments.
Port: 5094
hicp — HMS HICP/SHICPHMS HICP/SHICP is the HMS Industrial Networks discovery protocol used to discover and configure Anybus and Netbiter industrial gateways. Sends the HICP discovery probe and returns the device hostname, MAC, IP configuration, and firmware revision.
Port: 3250
hiddiscoveryd — HID DiscoveryDHID DiscoveryD is the discovery service used to locate HID VertX/Edge access-control panels and readers. Sends the discovery probe and returns the device model, firmware, and primary network configuration.
Port: 4070
hikvision — Hikvision IP Camera/NVR WebHikvision IP Camera/NVR Web is the HTTP management interface for Hikvision (and OEM) IP cameras and recorders. Identifies the product family from the WWW-Authenticate realm and pins the firmware version using either the embedded ?version= query strings on the login page assets, or the Last-Modified header on /doc/page/login.asp combined with a known build-date table.
hostmeta — Web Host MetadataWeb Host Metadata is the document defined by RFC 6415 and exposed at /.well-known/host-meta or host-meta.json, commonly used by federated-identity, WebFinger, and ActivityPub deployments. runZero sets the hostmeta protocol on the asset when the active HTTP probe successfully retrieves the document and surfaces the discovered links for inventory.
hsms — SEMI HSMS / SECS-GEMSEMI HSMS / SECS-GEM is the High-Speed SECS Message Services transport that carries SECS-II/GEM messages for semiconductor fab equipment (SEMI E37). Performs the HSMS Select handshake and an S1F1 Are-You-There, returning the equipment model identifier, software revision, and (when enabled) Equipment Constant subsystem summary.
Port: 5000
httpHTTP is the Hypertext Transfer Protocol used by the World Wide Web and most modern APIs. Issues HEAD/GET probes and runs HTTP-specific extractors, returning server software, response codes and headers, page titles and generators, favicons, and any application fingerprints recognized by extractor rules.
Ports: 80, 3000, 4567, 5000, 5985, 8000, 8001, 8080, 8081, 8082, 8200, 8443, 8888, 9001, 9080, 9090, 9100
http2 — HTTP/2HTTP/2 is a binary, multiplexed framing protocol for HTTP (RFC 7540), negotiated via TLS ALPN or the HTTP/2 cleartext upgrade. runZero negotiates HTTP/2 when offered and feeds the response into the standard HTTP analyzer so headers, server identification, and TLS attributes are captured.
httpsHTTPS is HTTP carried over TLS, the dominant transport for web applications, REST APIs, and management UIs. Implemented in runZero as the standard HTTP scanner over a TLS connection; the protocol is reported as https (rather than http) whenever the connection negotiates TLS or the port hint is flagged as TLS-only, and the full TLS handshake metadata (certificate, ciphers, fingerprints) is recorded alongside the HTTP response.
iax2IAX2 is the Inter-Asterisk eXchange version 2 VoIP signaling and media protocol used between Asterisk PBXes. Sends a POKE and returns the responder's IAX2 version and PBX identification.
Port: 4569
icmp — ICMP Echo (Ping)ICMP Echo (Ping) is the IPv4/IPv6 ICMP Echo Request/Reply exchange (RFC 792, RFC 4443) issued by the host-discovery probe to confirm host liveness, capture round-trip times, and observe TTL/Hop-Limit and IP TOS fields.
ics-trace — ICS Passive TraceICS Passive Trace is a synthetic protocol used internally to record evidence from passive analysis of ICS/OT traffic when active OT probing is disabled. runZero attributes the asset under ics-trace and emits the protocol identifiers and attributes observed in the passive trace.
identIdent is the Identification Protocol (RFC 1413), a legacy user-identity lookup service. Sends an ident query against the connecting socket and returns the operating-system field and any user-identity string disclosed by the response.
Port: 113
idrac — Dell iDRACiDRAC is the Dell Integrated Dell Remote Access Controller out-of-band management interface. runZero attributes services as iDRAC from the SSH/HTTPS banners, redfish endpoints, and TLS certificates issued for the controller, recovering the firmware version and service tag.
iec104 — IEC 60870-5-104IEC 60870-5-104 is a SCADA telecontrol protocol used between control centers and RTUs/substation gateways, primarily in electric power and rail. Sends TESTFR (and, when enabled, STARTDT/General Interrogation) and returns the common ASDU address, originator address, and any device-identity ASDUs received.
Port: 2404
iec61850-goose — IEC 61850 GOOSEIEC 61850 GOOSE is the Generic Object Oriented Substation Event Layer-2 multicast protocol (EtherType 0x88B8) used by substation IEDs for peer-to-peer trip and status signaling. runZero passively decodes GOOSE frames, attributes the publisher MAC as an IEC 61850 IED, and records the GoCB reference and dataset.
iec61850-mms — IEC 61850 MMSIEC 61850 MMS is the Manufacturing Message Specification mapping used by substation Intelligent Electronic Devices for monitoring, control, and reporting. Opens an MMS session and (when enabled) issues Identify, returning the IED vendor, model, firmware, and logical-device summary.
Port: 102
iec61850-sv — IEC 61850 Sampled ValuesIEC 61850 Sampled Values is the Layer-2 multicast protocol (EtherType 0x88BA) used by substation merging units to publish synchronized current and voltage measurements to protection and control IEDs. runZero passively decodes SV frames, attributes the publisher MAC as a merging unit, and records the SvCB reference and dataset.
igel — IGEL DiscoveryIGEL Discovery is the discovery protocol used by IGEL OS thin clients to advertise themselves to the IGEL Universal Management Suite (UMS), deployed in VDI and remote-desktop environments. Sends the IGEL discovery probe and returns the endpoint hostname, hardware model, IGEL OS version, MAC, and the UMS-server registration state.
Port: 30005
igel-discovery — IGEL UMS DiscoveryIGEL UMS Discovery is the UDP broadcast used by IGEL OS thin clients to locate their Universal Management Suite server. Distinct from the igel management protocol decoded over TCP, this entry captures discovery-only sightings on UDP/30005.
Port: 30005
iis — Microsoft Internet Information Services (IIS)Microsoft Internet Information Services (IIS) is the HTTP server bundled with Windows Server, commonly hosting ASP.NET, Outlook Web Access, and SharePoint. The HTTP fingerprinter inspects Server and X-Powered-By headers and default landing pages and returns the IIS version and ASP.NET version hints.
ikeIKE is the Internet Key Exchange protocol used to negotiate IPsec security associations. Sends IKEv1/IKEv2 SA proposals and vendor-ID probes and returns the negotiated proposal summary, supported transforms, and any vendor-ID strings that disclose the gateway implementation.
Ports: 500, 4500
ikev2IKEv2 is the Internet Key Exchange version 2 protocol (RFC 7296) used by IPsec VPN gateways on UDP/500 and UDP/4500. runZero sends an IKE_SA_INIT request and parses the responder SPI, accepted transform set, and any vendor-ID payloads that disclose the gateway implementation.
Ports: 500, 4500
imapIMAP is the Internet Message Access Protocol used by mail clients to read messages from a server. Reads the IMAP greeting and runs CAPABILITY and ID commands, returning the server software, supported authentication mechanisms, and STARTTLS availability.
Ports: 143, 993
infinispan — Infinispan Hot RodInfinispan Hot Rod is a binary client/server protocol used by Red Hat Data Grid and JBoss-family caches. Performs the Hot Rod ping and returns the server version, topology identifier, and supported protocol version.
Port: 11222
influxdbInfluxDB is the time-series database from InfluxData. runZero queries /ping and /health on the HTTP API to recover the server build, X-Influxdb-Version header, and on permissive deployments the list of available databases.
Port: 8086
intermapperInterMapper is the probe interface exposed by Fortra (formerly HelpSystems) InterMapper network-monitoring agents installed on monitored servers and appliances to report status to a central InterMapper server. Reads the InterMapper service banner and returns the product name and agent version.
Port: 8181
ipmiIPMI is the Intelligent Platform Management Interface used for out-of-band server management on BMCs (iLO, iDRAC, IMM). Performs an IPMI 2.0 RMCP+ Get Channel Authentication Capabilities exchange and, when credentials are configured, returns supported cipher suites, authentication algorithms, and the BMC vendor/firmware identification.
Port: 623
ippIPP is the Internet Printing Protocol used by CUPS, AirPrint, and most modern network printers. Issues Get-Printer-Attributes and returns the printer make/model, location, firmware, supported document formats, and feature attributes.
Port: 631
ipp-browse — IPP BrowseIPP Browse is the legacy CUPS browse protocol used by macOS and Linux print servers to advertise IPP print queues to the local segment via UDP/631 broadcasts. runZero passively decodes browse packets and active responses and returns the advertised queue URI, printer name, and CUPS server identification, attributing the asset as a print server.
Port: 631
ippbrowse — IPP BrowseIPP Browse is the legacy CUPS browse protocol used by Unix print servers to advertise IPP print queues via UDP/631 broadcasts. Passively decodes browse packets and returns the advertised queue URI, printer name, and CUPS server identification.
Port: 631
ipsecIPsec is the IP Security suite used to authenticate and encrypt IP packets, typically for site-to-site and remote-access VPNs. Sends ESP/AH and IKE liveness probes and returns the gateway responsiveness, NAT-T support, and any IKE-vendor strings disclosed.
Ports: 500, 4500
ircIRC is the Internet Relay Chat protocol, a text-based group messaging protocol. Reads the IRC server greeting and runs a NICK/USER probe, returning the server software, version, and 005-numeric capability summary.
Ports: 6667, 6668, 6669, 6697, 7000, 7001
iscsiiSCSI is the Internet Small Computer Systems Interface protocol used to expose block storage over IP. Sends a SendTargets request and returns the iSCSI Target Name list, target portals, and authentication-method summary.
Port: 3260
iua — IUA (SCTP)IUA (SCTP) is the ISDN User Adaptation Layer (RFC 4233) carried over SCTP, used to backhaul ISDN signaling in SIGTRAN networks. Verifies the SCTP association and IUA payload protocol identifier and returns endpoint identification.
Port: 9900
jabberJabber is the legacy product name for XMPP, still used by Cisco Jabber, ejabberd, Openfire, and similar chat/presence servers. runZero identifies Jabber services from the <stream:stream> or jabber.org-namespaced response returned on connection and tags the asset alongside the active xmpp scanner results.
java-object — Java Object SerializationJava Object Serialization is the binary stream format produced by java.io.ObjectOutputStream, often indicating exposed RMI, JMX, or JBoss endpoints when seen on the wire. Inspects the magic header and returns the serialization-protocol version and any class-name hints disclosed in the stream.
java-rmi — Java RMIJava RMI is the Remote Method Invocation protocol used by Java applications. Performs the JRMP handshake and a registry list, returning the RMI-registry version and the names and stub classes of bound objects.
Port: 1099
jdbc-hsqldb — HyperSQL JDBCHyperSQL JDBC is the JDBC database server protocol used by the HyperSQL (HSQLDB) engine. Identifies the service from the 'HSQLDB JDBC Network Listener' banner returned on connection.
Port: 9001
jdwp — Java Debug Wire ProtocolJava Debug Wire Protocol is the unauthenticated JVM debugging transport used by IDEs and debuggers to control a JVM. Performs the JDWP handshake and Version command, returning the JDK version, JVM vendor, and process description.
Ports: 3999, 5000, 5005, 8000, 8453, 8787, 8788, 9001, 18000
jetdirect — HP JetDirectHP JetDirect is the raw printing protocol on TCP/9100 (PJL banner port). Sends a PJL INFO ID/STATUS probe and returns the printer make/model, firmware, page count, and PJL device-attribute summary.
Ports: 9100, 9101, 9102
jira — Atlassian JiraAtlassian Jira is an issue-tracking and project-management server available in Server, Data Center, and Cloud editions. The HTTP probe fetches Jira login, dashboard, and REST endpoints and returns the product name, edition, and build number.
Ports: 80, 443, 8080
jms — JMS / JMX-RMI Port MapperJMS / JMX-RMI Port Mapper is the OpenMQ/GlassFish imqbroker port-mapper service that publishes the names, transports, and ports of bound JMS and JMX-RMI endpoints (default TCP/7676). Queries the port mapper and returns the broker version and the bound endpoint names, transports, and ports.
Port: 7676
kafka — Apache KafkaApache Kafka is a distributed event-streaming wire protocol. Sends an ApiVersions request and returns the broker identifier, supported API versions, and (when an unauthenticated MetadataRequest is permitted) cluster and topic-name summaries.
Ports: 9092, 9093, 9094
kasa — TP-Link KasaTP-Link Kasa is the smart-home control protocol used by Kasa plugs, bulbs, and switches. Sends the obfuscated SYS_INFO query and returns the device alias, model, firmware, hardware version, and MAC.
Port: 9999
kerberosKerberos is the network authentication protocol used by Active Directory and many enterprise services. Sends an AS-REQ for a benign principal and returns the realm, KDC error code, and supported encryption types.
Ports: 88, 464, 749, 750
knxnet — KNXnet/IPKNXnet/IP is the IP-tunneling encapsulation used to tunnel and route KNX building-automation telegrams (lighting, HVAC, shading). Sends a SEARCH_REQUEST and returns the device serial, MAC, KNX individual address, supported services, and friendly name.
Port: 3671
l2t — L2TP (UDP 1701)L2TP (UDP 1701) is the Layer 2 Tunneling Protocol on UDP/1701, used by VPN concentrators and remote-access gateways (often paired with IPsec) to tunnel PPP sessions. Sends an L2TP SCCRQ and returns the host name, vendor name, and firmware revision AVPs disclosed by the responder.
Ports: 1701, 2228
l2tpL2TP is the Layer 2 Tunneling Protocol used to carry PPP sessions, commonly with IPsec for VPN. Sends an SCCRQ and returns the host name, vendor name, and firmware revision AVPs.
Port: 1701
landesk — Ivanti / LANDesk AgentIvanti / LANDesk Agent is the endpoint-management agent for Ivanti (formerly LANDesk). Reads the agent banner and returns the agent version and bound management server.
Port: 9595
langflowLangflow is an open-source visual builder for LLM-powered applications. runZero attributes services as Langflow from Recog matches against the application's HTTP responses and OpenAPI document, recovering the application version.
lantronix — Lantronix DiscoveryLantronix Discovery is the discovery protocol used to locate Lantronix serial-to-Ethernet device servers. Sends the discovery probe and returns the device model, firmware, MAC, and configured serial-port settings.
Port: 30718
ldapLDAP is the Lightweight Directory Access Protocol (RFC 4511) used by Active Directory, OpenLDAP, 389 Directory Server, and other directory services for authentication and identity lookups. Queries the rootDSE and returns the supported LDAP versions, naming contexts, supported controls, and any forest or domain identifiers exposed.
Ports: 389, 636, 3268, 3269
lexmark — Lexmark DiscoveryLexmark Discovery is the printer/MFP network discovery protocol used by Lexmark devices. Sends the discovery probe and returns the device model, serial, firmware, and printer/MFP capabilities.
Port: 10000
librechatLibreChat is an open-source self-hosted LLM chat front-end. runZero attributes services as LibreChat from Recog matches against the web UI banners and configuration endpoints.
Ports: 443, 3080
lldp — Link Layer Discovery ProtocolLink Layer Discovery Protocol is the IEEE 802.1AB Layer-2 discovery protocol used by switches, routers, IP phones, and hypervisors to advertise themselves to neighbors. runZero passively decodes LLDP frames seen during the scan and returns the chassis ID, port ID, system name, system description, capabilities, and management addresses of each neighbor.
llmnrLLMNR is Link-Local Multicast Name Resolution (RFC 4795) used by Windows hosts to resolve single-label names on the local link when DNS is unavailable. Sends an LLMNR query and returns the responding hostname and the IP version of the answering host.
Port: 5355
lockdownd — Apple lockdowndApple lockdownd pairing service exposed on TCP/62078 by iPhone, iPad, and iPod touch devices and used by iTunes, Finder, Apple Configurator, and MDM tooling. Reads the lockdownd query response and returns the device class, product type, iOS or iPadOS version, serial number, and unique device identifier (UDID).
Port: 62078
lpdLPD is the standardized BSD line-printer protocol (RFC 1179). Sends a Receive-Job command and returns the raw printer banner from the daemon for downstream make and model fingerprinting.
Port: 515
lsv2 — Heidenhain LSV/2Heidenhain LSV/2 is a control protocol used by Heidenhain TNC CNC controls (TNC 640, iTNC 530, TNC 320). Queries control identification and returns the NC software type, version, and (when enabled) NC software-options bitmask.
Ports: 8000, 8001, 8002, 8003, 8004, 19000
lwm2m — OMA LwM2MOMA LwM2M is the OMA Lightweight M2M device-management protocol layered on CoAP and used to manage constrained IoT endpoints, sensors, and cellular modules. Sends a CoAP GET for /.well-known/core and returns whether the LwM2M registration directory and bootstrap-server resources are advertised along with a server-implementation hint.
Ports: 5683, 5783
m2pa — M2PA (SCTP)M2PA (SCTP) is the MTP2 Peer Adaptation Layer (RFC 4165) over SCTP used in SIGTRAN to carry SS7 MTP2 between signaling gateways. Establishes an SCTP association, verifies the M2PA payload protocol identifier, and returns the M2PA message class, message type, link state, and any error code or info string in the reply.
Port: 3565
m2ua — M2UA (SCTP)M2UA (SCTP) is the MTP2 User Adaptation Layer (RFC 3331) over SCTP used in SIGTRAN deployments. Establishes an SCTP association, verifies the M2UA payload protocol identifier, and returns the M2UA message class, message type, and any error code or info string in the reply.
Port: 2904
m3ua — M3UA (SCTP)M3UA (SCTP) is the MTP3 User Adaptation Layer (RFC 4666) over SCTP, the most common SS7-over-IP transport. Establishes an SCTP association, verifies the M3UA payload protocol identifier, and returns the M3UA message class, message type, and any error code or info string in the reply.
Port: 2905
managesieveManageSieve is a protocol used by mail clients to manage Sieve mail-filter scripts on the server. Reads the capabilities response and returns the implementation name, version, supported SASL mechanisms, and STARTTLS availability.
Ports: 2000, 4190
matterMatter is the Connectivity Standards Alliance smart-home application protocol used by Matter-certified devices over Wi-Fi and Thread. runZero identifies Matter devices from _matter._tcp mDNS records, parses the VP and DT TXT fields, and resolves them against the bundled Matter vendor table to return the vendor name, product name, and device type.
mbus-tcp — M-Bus over TCPM-Bus over TCP is the EN 13757 Meter-Bus protocol tunneled over TCP, used by gateways aggregating utility meters (heat, water, gas, electric). Sends REQ_UD2 to the gateway and (when enabled) walks primary addresses 1-250 to enumerate connected meters, returning meter manufacturer, identification, version, and medium.
Ports: 8888, 8889
mcp — Model Context ProtocolModel Context Protocol (MCP) is Anthropic's JSON-RPC protocol used by AI agents to connect to external tools and data sources. runZero attributes services as MCP from Recog matches against the server's HTTP/SSE handshake and the initialize response, which exposes the server name, version, and advertised capabilities.
mdnsmDNS is Multicast DNS used by Bonjour, Avahi, and other zero-configuration networking stacks. Sends a service-enumeration query and returns the advertised service types, instance names, ports, hostnames, and TXT-record metadata.
Port: 5353
megaco — Megaco / H.248Megaco / H.248 is a media gateway control protocol (RFC 3525) used between softswitches and media gateways in carrier and enterprise VoIP networks. Sends a ServiceChange probe and returns the media-gateway identifier (MID) and the negotiated H.248 protocol version.
Ports: 2944, 2945
melsecq — Mitsubishi MELSEC-QMitsubishi MELSEC-Q is a protocol used to communicate with Mitsubishi MELSEC PLCs. Issues a CPU model-name read using SLMP 3E (and, when enabled, 4E) and returns the CPU model name and CPU type code along with the matching MELSEC product CPE.
Ports: 5006, 5007
memcache — Memcached (binary)Memcached (binary) is the binary wire protocol used by the Memcached distributed in-memory key-value cache. Issues a binary VERSION/STATS request and returns the daemon version, current connections, and items/bytes in cache.
Port: 11211
memcachedMemcached is a high-performance in-memory key/value cache. runZero issues the version, stats, and stats settings commands to recover the daemon version, uptime, current connections, item count, and configured memory limits. Misconfigured UDP-exposed servers are also flagged as DDoS-amplification reflectors.
Port: 11211
meshcop — Thread Mesh CommissioningThread Mesh Commissioning is the Mesh Commissioning Protocol used by Thread border routers (Apple HomePod, Google Nest Hub, eero, Nordic OTBR) to advertise commissioning endpoints to companion mobile apps. runZero attributes the asset as a Thread border router from the meshcop hint and surfaces the advertised network name, extended PAN ID, and vendor identification.
mgcpMGCP is the Media Gateway Control Protocol (RFC 3435) used between call agents and media gateways in VoIP networks. Sends an AUEP probe and returns the response code along with any endpoint identifiers and packages disclosed in the reply.
Ports: 2427, 2727
mikrotik-bandwidth — MikroTik Bandwidth Test ServerMikroTik Bandwidth Test Server is the proprietary throughput-testing service exposed by MikroTik RouterOS devices. runZero detects the listener via its banner; presence indicates the device is reachable for line-rate tests, which can be abused for amplification.
Port: 2000
mikrotikwinbox — MikroTik WinboxMikroTik Winbox is the protocol used by the Winbox utility to administer RouterOS devices. Sends the index-request and returns the RouterOS architecture, version, and bootloader identification.
Ports: 2000, 8291, 8728
milvus — Milvus Vector DatabaseMilvus is an open-source vector database used by retrieval-augmented LLM applications. runZero attributes services as Milvus from Recog matches against the gRPC and HTTP endpoints and the management UI banners.
Port: 19530
minecraft — Minecraft JavaMinecraft Java is the server query/list-ping protocol used by Minecraft Java Edition. Sends a status-request and returns the server MOTD, version, protocol number, current and maximum player counts, and any sample player names disclosed.
Port: 25565
mms — ISO 9506 MMS (IEC 61850)ISO 9506 MMS (IEC 61850) is the Manufacturing Message Specification over RFC 1006/COTP, the application protocol used by IEC 61850 substation Intelligent Electronic Devices (IEDs). The probe issues an A-ASSOCIATE plus MMS Initiate-Request and parses the Initiate-Response for vendor identity, negotiated MMS version, and supported services.
Port: 102
modbus — Modbus/TCPModbus/TCP is a protocol used to read and write registers on PLCs, RTUs, drives, and meters. Issues a Read Device Identification (function 43/MEI 14) and returns the vendor, product code, revision, vendor URL, product name, and (when configured) extended identification objects.
Port: 502
mongodb — MongoDB Wire ProtocolMongoDB Wire Protocol is the document-database wire protocol used by MongoDB drivers. Sends an unauthenticated isMaster/hello and returns the server version, build environment, replica-set role, and observed authentication requirements.
Ports: 27017, 27018, 27019, 28017
mountd — NFS mountdNFS mountd is the companion daemon to NFS that authorizes mount requests and enumerates exports, registered through rpcbind on Unix file servers and NAS appliances. runZero locates mountd through rpcbind, sends an EXPORT (procedure 5) call for each advertised version, and returns the exported directory list and per-export host or netgroup access lists.
mqttMQTT is a lightweight publish/subscribe messaging protocol used by IoT devices and brokers. Sends a CONNECT and returns the broker's CONNACK response code, supported MQTT version, and any properties advertised by the broker.
Ports: 1883, 8883
mssql — Microsoft SQL Server (TDS)Microsoft SQL Server (TDS) is the Tabular Data Stream protocol used by Microsoft SQL Server and Sybase ASE database engines for client-server query traffic. Sends a TDS PRELOGIN and returns the server version, encryption requirement, and named-instance identification.
Ports: 1433, 1434
mssql-replica — Microsoft SQL Server ReplicaMicrosoft SQL Server Replica is the Always-On availability-group and database-mirroring endpoint that exchanges replica traffic on TCP/5022 separately from the user TDS endpoint on TCP/1433. runZero hints TCP/5022 as mssql-replica during the MSSQL probe and tags the asset as a SQL Server replica endpoint when the standard TDS handshake is not offered.
mtconnectMTConnect is a protocol used by CNC machine tools, robots, and additive-manufacturing systems to publish device state over an HTTP/XML REST API. Issues a GET /probe and returns the agent version, instance ID, sender host, and per-device manufacturer, model, serial number, and UUID.
Ports: 5000, 7878
muninMunin is the protocol used by the Munin master to poll plugins on hosts. Reads the node banner and returns the node hostname, Munin version, and configured plugin list summary.
Port: 4949
mysql — MySQL / MariaDBMySQL / MariaDB is the binary client-server wire protocol used by MySQL, MariaDB, and Percona Server database engines. Reads the server-greeting packet and (when credentials are configured) authenticates, returning the server version, capability flags, supported authentication plugins, and TLS availability.
Ports: 3306, 33060
mysqlx — MySQL X ProtocolMySQL X Protocol is a Protocol-Buffer-based wire protocol exposed by MySQL Server (default TCP/33060) for MySQL Shell and X DevAPI document-store and CRUD clients. Sends a CapabilitiesGet message and returns the supported X-Protocol capabilities and TLS requirements.
Port: 33060
natpmp — NAT-PMPNAT-PMP is a protocol used by clients to request port forwards from a NAT gateway (RFC 6886). Sends a public-address request and returns the gateway's external IPv4 address, response code, and seconds-since-epoch counter.
Port: 5351
natsNATS is a lightweight publish/subscribe and request/reply messaging system. Reads the NATS INFO message and returns the server identifier, version, host, port, and authorization/TLS requirements.
Ports: 4222, 6222, 8222
ndmpNDMP is the Network Data Management Protocol used by enterprise backup software to coordinate backups of NAS devices. Opens a CONNECT_OPEN session and returns the NDMP protocol version reported by the server along with the connection status and any reason text.
Port: 10000
neo4j — Neo4j BoltNeo4j Bolt is the graph-database wire protocol used by Neo4j drivers and clients. Performs the Bolt handshake and returns the negotiated Bolt version and server release.
Ports: 7473, 7474, 7687
netbios — NetBIOS Session ServiceNetBIOS Session Service is the TCP/139 transport used by the legacy NetBIOS-over-TCP framing of SMB. runZero records the session-service banner alongside the NetBIOS name and workstation/server resource records reported by the host. The application-layer SMB protocol is decoded separately.
Port: 137
netbios-dgm — NetBIOS Datagram ServiceNetBIOS Datagram Service is the UDP/138 broadcast/datagram side of NetBIOS-over-TCP. runZero observes datagrams to recover the NetBIOS computer and workgroup names announced by Windows hosts and SMB servers.
Port: 138
netbios-ns — NetBIOS Name ServiceNetBIOS Name Service is a protocol used for legacy Windows name registration and resolution. Sends a NetBIOS node-status query and returns the registered names, node type, and any associated MAC address.
Ports: 137, 138
netisNetis is an identifier for Netis and Netcore SOHO routers, including the well-known UDP/53413 administrative backdoor exposed by historical firmware. runZero attributes the service from the netis-specific hint and tags the asset as a Netis router so the historical backdoor exposure is surfaced in inventory and reports.
netop-remote-control — Netop Remote ControlNetop Remote Control is a commercial remote-administration product from Netop (formerly Danware), commonly deployed in classroom, kiosk, and retail environments. runZero attributes the asset from the Netop host banner observed on the standard service port and tags the service as remote-access for inventory and exposure reporting.
nfsNFS is the Network File System used to share files across Unix-like systems (Sun RPC program 100003). Issues a NFS NULL ping and a MOUNT EXPORT call (via portmap) and returns the supported NFS versions and the list of exported filesystems and allowed clients.
Port: 2049
nrpe — Nagios NRPENagios NRPE is the protocol used by Nagios/Icinga to run checks on remote hosts. Sends a _NRPE_CHECK probe and returns the NRPE protocol version and any version banner disclosed.
Port: 5666
ntpNTP is the Network Time Protocol used to synchronize clocks across networks (RFC 5905). Sends mode-3 client and mode-6 control queries and returns the stratum, reference identifier, refid clock source, and (when enabled) implementation/version strings disclosed by mode-6 readvar.
Port: 123
omronfins — Omron FINSOmron FINS is the Factory Interface Network Service protocol used to communicate with Omron CJ/CS/NJ/NX PLCs and related automation devices. Issues a Controller Data Read (0501) and returns the controller model and firmware version along with the FINS handshake banner.
Port: 9600
opcda — OPC Classic (OPC DA)OPC Classic (OPC DA) is the OLE for Process Control data-access standard layered over Microsoft DCOM, widely deployed in legacy SCADA, HMI, and historian gateways. runZero detects OPC DA servers when the DCERPC scanner observes the OPCEnum interface UUID advertised by the endpoint mapper.
opcua — OPC UAOPC UA is a vendor-neutral industrial information-model and data-access standard. Performs a GetEndpoints request and returns the application URI, product URI, server-certificate metadata, and per-endpoint security policies and identity tokens.
Ports: 4840, 4843, 48050
openvpnOpenVPN is the tunnel control-channel protocol used by OpenVPN Community Edition and OpenVPN Access Server VPN gateways. Sends a P_CONTROL_HARD_RESET_CLIENT_V2 packet and returns the local and remote OpenVPN session identifiers from the server's hard-reset reply.
Port: 1194
oracle — Oracle TNSOracle TNS is the Transparent Network Substrate listener protocol used by Oracle Database servers. Sends a TNS Connect carrying a VERSION command and returns the listener version, instance name, and supported services.
Ports: 1521, 1522, 1525, 2483, 2484
oracledb — Oracle Database (TNS)Oracle Database (TNS) is a lightweight Oracle Net listener probe used to identify Oracle Database servers without negotiating a session. Sends a minimal TNS Connect, parses the Refuse/Accept/Resend reply, and returns the packet type, VSNNUM, error code, and disclosed listener version.
Ports: 1521, 1522, 1525
orion — SolarWinds Orion PlatformSolarWinds Orion Platform is a Windows-based network-management suite that bundles NPM, NCM, NTA, IPAM, SAM, UDT, and related modules. The HTTP extractor matches the Orion footer in the web console, parses the platform release and component list, and returns orion.version, orion.components, and SolarWinds Orion software identification.
panasonictv — Panasonic TVPanasonic TV is the network control service exposed by Panasonic Viera and similar consumer smart TVs for remote-control companion apps. runZero identifies these televisions from the proprietary control-protocol banner returned on connection, applies Panasonic TV fingerprinting, and attributes the asset as a Panasonic television.
panxmlapi — Palo Alto Networks PAN-OS XML APIPalo Alto Networks PAN-OS XML API is the authenticated management API (system info, ARP/MAC/neighbor caches, interfaces) issued against Palo Alto Networks firewalls and Panorama. Used by the runZero scanner with a user-supplied API key to enumerate adjacent assets and device facts.
pca — Symantec pcAnywhereSymantec pcAnywhere is a remote-access protocol. Sends the pcAnywhere status probe and returns the host name, status, and capability flags disclosed in the response.
Port: 5632
pcworx — Phoenix Contact PCWorxPhoenix Contact PCWorx is a runtime protocol used to program and interact with ILC-series and other Phoenix Contact controllers. Queries controller identification and returns the PLC type, model number, and firmware version, date, and time.
Port: 1962
pega — Pega PlatformPega Platform is a low-code business process management and CRM application server from Pegasystems used for enterprise workflow automation. The HTTP extractor matches Pega in the page title or body, parses the version span, and returns the pega.version attribute and Pegasystems Pega software identification.
pfcpPFCP is the Packet Forwarding Control Protocol used in 5G/LTE mobile cores between control-plane and user-plane functions. Sends a PFCP Heartbeat Request and returns the recovery time stamp and supported feature flags.
Port: 8805
pop3POP3 is the Post Office Protocol version 3 used by mail clients to retrieve messages from a server. Reads the POP3 greeting and runs CAPA, returning the server software banner, supported capabilities, and STARTTLS availability.
Ports: 110, 995
postgres — PostgreSQLPostgreSQL is the frontend/backend wire protocol used by PostgreSQL database servers and compatible engines such as Amazon RDS/Aurora and CockroachDB. Performs an SSLRequest followed by a StartupMessage and returns the server version, supported authentication mechanisms, advertised server parameters, and TLS availability.
Ports: 5432, 5433, 6432
postgresqlPostgreSQL is the open-source object-relational database. runZero negotiates the PostgreSQL frontend/backend protocol to obtain the server version, advertised authentication methods, and TLS support. The shorter "postgres" identifier is the default protocol name; this entry covers detections that reported the long form.
Port: 5432
powerlink — Ethernet POWERLINKEthernet POWERLINK is a real-time industrial Ethernet protocol from the EPSG, used for deterministic motion control and I/O between managing nodes and controlled nodes on machine tools, packaging lines, and robotics cells. Passively decodes POWERLINK frames and returns the node identifier, vendor identifier, product code, and revision.
pptpPPTP is the Microsoft Point-to-Point Tunneling Protocol legacy VPN. Sends a Start-Control-Connection-Request and returns the protocol version, vendor, firmware revision, and host name.
Port: 1723
printerid — Printer IdentificationPrinter Identification is a vendor-specific service exposed on TCP/9200 by HP, Lexmark, and other network printers and MFPs. runZero parses the model string returned by the device, records it as printerid.model, and uses the value as a synthetic fingerprint to identify the printer make and model during asset categorization.
proconos — Phoenix Contact ProConOSPhoenix Contact ProConOS is the PLC runtime protocol from KW-Software/Phoenix Contact, used by ILC, RFC, and OEM-rebadged controllers running the ProConOS or ProConOS eCLR runtime. Issues a runtime identification query and returns the ladder-logic runtime version, PLC type, project name, boot project, and project source-code identifier.
Port: 20547
profinetPROFINET is an industrial Ethernet protocol used for cyclic and acyclic real-time communication with PROFINET I/O devices and PLCs. Performs a Read Identification request and returns the device vendor, order number, serial, software/hardware revision, and (when enabled) discovered slot/subslot module list.
Ports: 34962, 34963, 34964
profinet-dcp — PROFINET DCPPROFINET DCP is the Discovery and basic Configuration Protocol used at Layer 2 to identify and assign names/IPs to PROFINET stations. Passively decodes DCP Identify announcements and returns the station name, vendor and device identifiers, and device role.
prosoft — ProSoft Discovery ServiceProSoft Discovery Service is the UDP discovery protocol used by ProSoft Technology industrial gateways and radios. runZero parses the response to recover the device model, firmware revision, MAC address, and IP configuration.
Port: 1718
psdisco — PlayStation DiscoveryPlayStation Discovery is the Sony PlayStation 4/5 console-discovery service (HTTP/1.1-style SRCH messages on UDP/987 and UDP/9302) used by Remote Play and second-screen companion apps. Sends a SRCH probe and decodes the response, returning the host id, host name, host type, system version, discovery-protocol version, and running-app title metadata.
Ports: 987, 9302
pulsar — Apache PulsarApache Pulsar is the binary client/broker protocol used by Pulsar messaging brokers and Pulsar Functions deployments for pub/sub messaging and event streaming. Sends a CONNECT command and returns the broker server version, protocol version, and authentication-method requirements.
Ports: 6650, 6651
qdrant — Qdrant Vector DatabaseQdrant is an open-source vector search database used by retrieval-augmented LLM applications. runZero attributes services as Qdrant from Recog matches against the HTTP API root and the /metrics endpoint, which expose the server version.
Ports: 6333, 6334
qotd — Quote of the DayQuote of the Day is the RFC 865 diagnostic service historically exposed by Unix inetd hosts and frequently abused for UDP amplification. Passively decodes QOTD replies in TCP and UDP captures and returns the protocol tag along with the truncated quote text or banner observed in the response.
Port: 17
qualys — Qualys Cloud Agent / Scanner ApplianceQualys Cloud Agent / Scanner Appliance is the web management interface exposed by Qualys vulnerability-management components, including the on-premises Scanner Appliance and Cloud Agent UI. The HTTP fingerprinter inspects these pages and returns the product name, appliance role, and any version identifiers disclosed.
quicQUIC is the IETF transport (RFC 9000), an encrypted UDP-based transport that carries HTTP/3 and is increasingly used by CDNs, web servers, and SaaS endpoints. runZero attributes the service as QUIC when the long-header Initial packet is observed on a probed UDP port and tags the asset for web / TLS exposure tracking.
radiusRADIUS is an AAA protocol used in Wi-Fi, VPN, and network-access control. Sends an Access-Request with an invalid principal and returns the response code, any Reply-Message and NAS-Identifier, and the list of attributes present in the reply.
Ports: 1645, 1646, 1812, 1813
raritan-csc — Raritan CommandCenterRaritan CommandCenter is the Common Socket Connection (CSC) management protocol used by Raritan CommandCenter Secure Gateway appliances and adjacent Raritan KVM/serial console managers. Passively detects the <CSC/> banner emitted on connection and tags the asset as a Raritan CommandCenter device.
rdpRDP is the Microsoft Remote Desktop Protocol used by Windows Remote Desktop Services. Performs an X.224 Connection-Request and returns the supported security protocols, NLA requirement, and (when TLS is offered) certificate-derived hostname/version metadata.
Ports: 3389, 3390
redisRedis is an in-memory data-structure store and message broker. Issues PING/INFO/AUTH probes and returns the Redis version, role, mode, and authentication or protected-mode requirements.
Ports: 6379, 16379, 26379
rexecrexec is the BSD Remote Execution protocol (legacy, transmits credentials in cleartext). Detects an rexec listener and returns the responsiveness and any host-identification banner observed.
Port: 512
riak — Riak Protocol BuffersRiak is a distributed NoSQL key/value store from Basho. This entry covers the Protocol Buffers transport on TCP/8087 used by the native Riak clients; the HTTP API is reported separately as riak-http.
Port: 8098
riak-http — Riak HTTP APIRiak HTTP API is the REST interface exposed by Basho Riak nodes (typically TCP/8098). runZero queries /stats and /riak/ to recover the node name, ring size, and Riak version.
Port: 8098
ripRIP is a distance-vector IGP. Sends a RIP Request and returns the RIP version and any advertised routes disclosed by the responder.
Port: 520
rloginrlogin is the legacy BSD remote-login protocol (RFC 1282) superseded by SSH. runZero records the banner and any login prompt returned by the server, and flags the service as a clear-text credential exposure.
Port: 513
roomalert — AVTECH Room AlertAVTECH Room Alert is an environmental monitoring appliance. Reads the device banner and returns the model, OS version, MAC address, and IP address.
Port: 9999
rpcbind — ONC RPC / rpcbindONC RPC / rpcbind is the portmap service used to discover Sun RPC programs (NFS, NIS, ...). Queries the portmap dump and returns the registered program list with versions, protocols, and ports.
Port: 111
rsync — rsync (SSH-tunneled)rsync is the rsync daemon wire protocol exposed on TCP/873 by file mirrors, backup servers, and software-distribution archives. Reads the server greeting, performs the version handshake, and returns the protocol version, raw banner, and module list when the server permits enumeration.
Port: 873
rsyncd — rsync daemonrsync daemon is the standalone rsync service (rsync://) listening on TCP/873. Reads the daemon greeting and lists modules, returning the rsync version, available module names, and module comments.
Port: 873
rtmpRTMP is the Adobe Real-Time Messaging Protocol used to stream audio, video, and data between Flash players and media servers. Performs the RTMP handshake and returns the protocol version byte echoed by the server.
Port: 1935
rtps — OMG RTPS / DDSOMG RTPS / DDS is the Real-Time Publish-Subscribe wire protocol from the Object Management Group; underlies DDS in robotics, ROS 2, and industrial IoT. Sends an SPDP participant announcement and returns the participant GUID, vendor identifier and name, and protocol version.
Ports: 7400, 7401, 7410, 7411
rtspRTSP is a streaming-control protocol used by IP cameras, NVRs, and media servers to control streams. Issues an OPTIONS request and returns the server software, supported methods, and any session-description metadata disclosed by DESCRIBE.
Ports: 554, 8554
s7comm — Siemens S7CommSiemens S7Comm is the protocol used to program and exchange data with SIMATIC S7-300, S7-400, S7-1200, and S7-1500 PLCs. Issues SZL identification reads and returns the module name, plant identification, copyright, serial, module type, hardware/firmware version, and (when enabled) backplane rack/slot module list.
Port: 102
sadp — Hikvision SADPHikvision SADP is the Search Active Devices Protocol used to discover Hikvision and OEM IP cameras and NVRs. Sends a SADP Inquiry and returns the device serial, model, firmware, MAC, IP configuration, and activation state.
Port: 37020
sccp — Cisco SCCP / SkinnyCisco SCCP / Skinny is a call-control protocol used by Cisco IP phones registering with CallManager/Unified Communications Manager. Sends a Register message and returns the call-manager response and station identification.
Ports: 2000, 2443
sctptun — SCTP TunnelSCTP Tunnel is runZero's identifier for SCTP-over-UDP encapsulation (RFC 6951) used to traverse middleboxes that block native SCTP. It is reported when an SCTP INIT is observed inside a UDP/9899 datagram.
Port: 9899
securemote — Check Point SecuRemoteCheck Point SecuRemote is a Check Point VPN topology discovery service. Sends the topology query and returns the gateway hostname and server identifier disclosed in the response.
Port: 264
sentinel — Redis SentinelRedis Sentinel is the high-availability supervisor for Redis. runZero issues SENTINEL ping and SENTINEL master to recover the sentinel version, monitored master name, and quorum configuration on unauthenticated instances.
Port: 26379
sercos-iii — SERCOS IIISERCOS III is a real-time industrial Ethernet protocol used for drives, servos, and I/O in machine tools and packaging machinery. Passively decodes SERCOS III frames and returns the slave count, cycle time, and vendor and device codes.
servicetag — Sun Service TagSun Service Tag is a discovery service used to inventory Sun/Oracle hardware and software. Sends the discovery probe and returns the registered product instance, instance URN, and version.
Port: 6481
sgsap — SGsAP (SCTP)SGsAP (SCTP) is the SGs interface (3GPP TS 29.118) over SCTP between MME and MSC for SMS over SGs and CSFB. Verifies the SCTP association and SGsAP payload protocol identifier and returns endpoint identification.
Port: 29118
sipSIP is a signaling protocol used to establish voice, video, and messaging sessions. Sends an OPTIONS request and returns the response code, server/user-agent strings, allowed methods, and any contact and via metadata disclosed.
Ports: 5060, 5061
slpSLP is the Service Location Protocol used to discover services on a LAN (RFC 2608); commonly exposed by VMware ESXi and printers. Sends an attribute and service-type request and returns the SLP version, advertised services, and per-service attribute summary.
Port: 427
smb — SMB / CIFSSMB / CIFS is the file-sharing and IPC protocol used by Windows and Samba. Negotiates SMB1/2/3 and reads tree/share metadata, returning the dialect, signing/encryption requirements, server OS, NetBIOS/computer name, domain, and (when permitted) the list of shares.
Ports: 139, 445
smb1 — SMBv1SMBv1 is the legacy Server Message Block dialect (CIFS / NT LM 0.12) deprecated by Microsoft and disabled by default since Windows 10 1709 / Server 2019. runZero flags this dialect specifically because it is required by the EternalBlue and related exploits and should be disabled wherever possible.
Ports: 139, 445
smb2 — SMBv2SMBv2 is the Server Message Block dialect family introduced in Windows Vista / Server 2008 (dialects 2.0.2 and 2.1). runZero records the negotiated dialect, signing requirements, server GUID, and operating-system version reported during NEGOTIATE_PROTOCOL and SESSION_SETUP.
Port: 445
smb3 — SMBv3SMBv3 is the Server Message Block protocol family introduced in Windows 8 / Server 2012 (dialects 3.0, 3.0.2, 3.1.1). runZero records the negotiated dialect, signing and encryption capabilities, and any pre-auth integrity hash advertised by the server.
Port: 445
smppSMPP is the Short Message Peer-to-Peer protocol used between SMS clients and SMSCs. Sends a bind_transceiver probe and returns the SMSC system identifier and SMPP version.
Port: 2775
smtpSMTP is the Simple Mail Transfer Protocol used to transfer email between servers and from clients to relays. Reads the SMTP greeting and runs EHLO, returning the server software, supported extensions, STARTTLS availability, and supported authentication mechanisms.
Ports: 25, 465, 587, 2525
snmpSNMP is the Simple Network Management Protocol used to monitor and configure network devices and servers. Walks system.* and selected enterprise OIDs over SNMPv1/v2c (and SNMPv3 when configured) and returns sysDescr, sysObjectID, sysName, location, contact, and a vendor/device-type fingerprint derived from the response.
Ports: 161, 162, 10161, 10162
snppSNPP is the Simple Network Paging Protocol (RFC 1861) used to deliver pages to paging gateways. Reads the SNPP greeting and returns the gateway banner.
Port: 444
socks — SOCKS ProxySOCKS is a generic proxy protocol with two incompatible versions (SOCKS4 and SOCKS5). This entry captures sightings where only the SOCKS family was identified; the version-specific decoders socks4 and socks5 record the negotiated authentication methods and supported commands.
Port: 1080
socks4SOCKS4 is a proxy protocol (SOCKS version 4) used by client applications and proxy servers (Squid, Dante, SSH dynamic forwarding) to relay TCP connections through an intermediary. Sends a CONNECT request to a benign target and returns the proxy responsiveness and the SOCKS reply status code observed.
Ports: 1080, 1081
socks5SOCKS5 is a proxy protocol (SOCKS version 5, RFC 1928) used by client applications, Tor (9050/9150), and proxy servers such as Dante, 3proxy, and Squid to relay TCP and UDP through an intermediary. Sends a method-selection request and returns the SOCKS version, supported authentication methods, and proxy reachability.
Ports: 1080, 1081, 9050, 9150
solr — Apache SolrApache Solr is the Lucene-based enterprise search platform. runZero attributes services as Solr from the X-Solr-Version response header, the admin-UI banners, and the /solr/admin/info/system JSON, which exposes the Solr and Lucene versions, JVM details, and host operating system.
Port: 8983
some-ip — AUTOSAR SOME/IPAUTOSAR SOME/IP is the Scalable service-Oriented MiddlewarE over IP used between automotive ECUs on in-vehicle Ethernet for service discovery and RPC. Sends a SOME/IP-SD FindService and returns the advertised service IDs and service count.
Ports: 30490, 30491
sonarqubeSonarQube is the static analysis and code-quality platform from SonarSource. runZero attributes services as SonarQube from the application's HTTP banners and the /api/system/status endpoint, recovering the server version and edition.
Port: 9000
sonicwall-sgms — SonicWall GMS AgentSonicWall GMS Agent is the Global Management System agent used to manage SonicWall firewalls. Identifies the agent from its TCP banner.
Port: 3023
spiceSPICE is the Simple Protocol for Independent Computing Environments, used to access KVM virtual machines and virtual desktops. Identifies SPICE servers from the link-handshake banner.
Port: 5930
splunk — Splunk Enterprise / Universal Forwarder Web UISplunk Enterprise / Universal Forwarder Web UI is the HTTP-served management interface for Splunk's SIEM and log-collection platform. The HTTP extractor inspects splunkd and Splunk Web responses and returns the product edition and version.
spotify-connect — Spotify ConnectSpotify Connect is the device-discovery and remote-control protocol used by Spotify clients to find playback endpoints (smart speakers, AV receivers, set-top boxes). Detected via the _spotify-connect._tcp mDNS record and the /zc HTTP endpoint exposed by the device.
ssdpSSDP is the Simple Service Discovery Protocol used by UPnP devices to advertise services. Sends an M-SEARCH and returns the advertised service types, USN, server string, and Location URLs of the responding devices.
Port: 1900
sshSSH is the Secure Shell remote-access and tunneling protocol. Reads the SSH banner, runs a KEX-init exchange, and (when credentials are configured) authenticates, returning the server software string, supported KEX/host-key/cipher/MAC algorithms, host keys and fingerprints, and accepted authentication methods.
Ports: 22, 2222, 22222
sstpSSTP is the Microsoft Secure Socket Tunneling Protocol, a PPP-over-HTTPS remote-access VPN used by Windows RRAS, MikroTik RouterOS, and SoftEther. Sends an SSTP_DUPLEX_POST handshake over TLS and returns the listener responsiveness, HTTP Server header, and inferred vendor (Microsoft, MikroTik, SoftEther).
Port: 443
steam — Steam Server DiscoverySteam Server Discovery is the Valve Steam Remote Play / In-Home Streaming LAN broadcast protocol. Sends a CMsgRemoteClientBroadcastDiscovery and returns the hostname, client/instance/device IDs, client version, OS type, public IP, and Steam Deck / VR / Remote Play status.
Port: 27036
stunSTUN is the Session Traversal Utilities for NAT protocol (RFC 5389) used for NAT discovery in WebRTC and VoIP. Sends a binding request and returns the SOFTWARE attribute and the observed XOR-MAPPED-ADDRESS reported by the server.
Ports: 3478, 3479, 5349, 5350
sua — SUA (SCTP)SUA (SCTP) is the SCCP User Adaptation Layer (RFC 3868) over SCTP, used to carry SS7 SCCP signaling over IP. Verifies the SCTP association and SUA payload protocol identifier and returns endpoint identification.
Ports: 2904, 14001
subversion — Apache SubversionSubversion is the Apache version-control system. This entry covers detections produced by integration data and Recog banners; runZero's active svn decoder negotiates the svnserve protocol on TCP/3690 to recover the repository UUID, root URL, and supported capabilities.
Port: 3690
sunrpc — Sun RPC PortmapperSun RPC Portmapper (also known as rpcbind) is the legacy ONC RPC service registry. This entry covers Recog-only matches against banners that did not return a structured rpcbind dump; the active rpcbind decoder enumerates registered programs and their dynamic ports.
Port: 111
svn — SubversionSubversion is the Apache Subversion svn:// version-control protocol. Reads the SVN greeting and returns the minimum and maximum supported protocol versions, supported capabilities, and offered authentication mechanisms.
Port: 3690
sybase — Sybase / SAP ASE (TDS 5.0)Sybase / SAP ASE (TDS 5.0) is the Tabular Data Stream 5.0 wire protocol used by Sybase ASE and SAP Adaptive Server Enterprise. Sends a TDS prelogin probe and returns the server version reported in the prelogin response.
Port: 5000
syslogSyslog is a standard event-logging protocol used to forward log messages between hosts and collectors. Identifies syslog listeners over UDP/TCP and decodes RFC 3164/5424 messages to report the priority, facility, severity, version, hostname, and application name.
Ports: 514, 6514
tcpmuxTCPMUX is the TCP Port Service Multiplexer (RFC 1078), a legacy diagnostic service. Queries the registered service list and returns the disclosed names.
teamviewerTeamViewer is the proprietary binary protocol used by the TeamViewer remote-access client to reach the TeamViewer cloud over TCP/5938. Sends a TeamViewer ping/hello probe and identifies the service from the response magic and command byte.
Port: 5938
telnetTelnet is a remote-terminal protocol (RFC 854) that transmits credentials in cleartext. Reads the negotiation banner and any login prompts, returning the device hostname, OS or product banner, and supported telnet options.
Ports: 23, 992, 2323
tenable-agent-id — Tenable Agent IdentifierTenable Agent Identifier is the synthetic protocol runZero uses to track the unique agent UUID reported by Tenable Nessus and Tenable.io agents observed via integrations. It is not a network protocol and has no associated wire-level scan.
tftpTFTP is the Trivial File Transfer Protocol (RFC 1350) used for boot images, firmware, and config transfer. Sends a benign read request and returns the responsiveness and any error-code metadata that discloses the server implementation.
Port: 69
thinprintThinPrint is the Cortado virtual-printing protocol used by Citrix, VMware Horizon, and Microsoft RDS deployments to redirect print jobs from session hosts to client-side printers. Detected from the TPAutoConnect listener banner on TCP/4000.
Port: 4000
timeTime is the legacy 32-bit time-of-day service (RFC 868). Reads the response to confirm the service and detect amplification-capable hosts.
Port: 37
tls — TLS / SSLTLS / SSL is the Transport Layer Security encrypted-transport substrate used by HTTPS and most modern Internet protocols. Performs a TLS handshake and returns the negotiated version and cipher suite, supported versions and extensions, and the full server-certificate chain with subject, issuer, SANs, validity, and key metadata.
Ports: 443, 5986, 6443, 8443, 9443
tristation — Triconex TriStationTriconex TriStation is the proprietary engineering protocol used to program and configure Tricon and Trident Safety Instrumented Systems controllers. Passively decodes TriStation frames and returns the controller identification observed.
Port: 1502
turnTURN is the Traversal Using Relays around NAT protocol (RFC 5766) used as a media relay for WebRTC and VoIP. Sends an Allocate request and returns the SOFTWARE attribute, mapped and relayed addresses, allocation lifetime, requested transport, and any error code.
Ports: 3478, 3479, 5349, 5350
ubnt — Ubiquiti DiscoveryUbiquiti Discovery is a device-discovery protocol used by UISP/UNMS and the Ubiquiti Discovery Tool. Sends the discovery probe and returns the device hostname, model, firmware, MAC, and IP configuration.
Port: 10001
unitronics — Unitronics PCOMUnitronics PCOM is the proprietary protocol used to communicate with Unitronics Vision and Samba/UniStream PLC+HMI controllers. Queries the controller identification and returns the model and OS version.
Port: 20256
upnp — Universal Plug and PlayUPnP is the device-control protocol layered on top of SSDP. runZero fetches the device-description XML referenced in the SSDP LOCATION header to recover the friendly name, manufacturer, model, serial number, UPnP UUID, and the list of advertised services.
uscan — Apple Image Capture (uscan)uscan is the AirScan/Mopria HTTP scanner protocol used by macOS Image Capture, iOS Notes, and Mopria-compatible clients to discover and drive network scanners. Detected via the _uscan._tcp mDNS record and the /eSCL/ScannerCapabilities XML returned by the device.
uscans — Apple Image Capture over HTTPS (uscans)uscans is the TLS-protected variant of the AirScan/Mopria scanner discovery protocol, advertised via the _uscans._tcp mDNS record. runZero fetches the HTTPS /eSCL/ScannerCapabilities document to recover the device make, model, firmware, and supported scan profiles.
vault — HashiCorp VaultVault is HashiCorp's secrets-management platform. runZero queries /v1/sys/health and /v1/sys/seal-status on the HTTP API to recover the Vault version, cluster name, cluster ID, sealed/initialized state, and replication mode.
Port: 8200
vmauthd — VMware vmauthdVMware vmauthd is the authentication daemon listening on VMware ESXi and Workstation hosts. Identifies the service from its 220 greeting banner.
Port: 902
vmware — VMware vSphere SOAPVMware vSphere SOAP is the vSphere Web Services SOAP API exposed by vCenter Server and ESXi hosts for management and automation. Issues a RetrieveServiceContent call to /sdk and returns the product name, full version and build, API type and version, OS type, and product line.
Port: 443
vnc — VNC / RFBVNC / RFB is the Virtual Network Computing remote-desktop protocol, also known as the Remote Frame Buffer protocol. Reads the protocol-version handshake and returns the RFB version, supported security types, and any disclosed vendor banner.
Ports: 5800, 5900, 5901, 5902, 5903
vsdp — Vivotek Search Discovery ProtocolVSDP is the UDP broadcast discovery protocol used by Vivotek IP cameras and video servers. runZero parses the response to recover the camera model, firmware version, MAC address, and IP configuration.
Port: 3702
vxlan — Virtual eXtensible LANVXLAN is the L2-over-UDP tunneling protocol (RFC 7348) used by data-center overlay networks. runZero observes VXLAN encapsulation on UDP/4789 and records the VXLAN Network Identifier (VNI) of the inner Ethernet frame.
Port: 4789
waveu — Wave/UE DiscoveryWaveU is the UDP discovery service used by Crestron AirMedia and selected Wave-branded conferencing endpoints to advertise their presence to companion mobile and desktop apps. runZero parses the response to recover the model and firmware revision.
wbsm — IBM Web-Based System ManagerIBM Web-Based System Manager (WSM/WebSM) is the remote-administration protocol used by the Java WSM client to manage AIX systems. Identifies the service from its banner.
Port: 9090
wdbrpc — VxWorks WDB AgentWDB RPC is the Wind River Workbench Debug Bridge agent built into many VxWorks images and exposed (often unintentionally) on UDP/17185. runZero issues a target-info query to recover the VxWorks version, BSP name, CPU type, and target name; presence of WDB indicates the host can be remotely controlled without authentication.
Port: 17185
webminWebmin is a web-based Unix administration suite that exposes a UDP discovery service on UDP/10000 alongside Usermin and Virtualmin. Sends the "webmin" query and returns the advertised Webmin server IP, port, and HTTP/HTTPS scheme used to reach the management UI.
Port: 10000
wireguardWireGuard is a modern in-kernel VPN protocol. Sends a benign handshake-initiation probe and returns the responsiveness and any rate-limited replies that confirm a WireGuard endpoint.
Port: 51820
wiznet — WIZnet DiscoveryWIZnet Discovery is a device-discovery protocol used by WIZnet serial-to-Ethernet modules and embedded TCP/IP chips. Sends the discovery probe and returns the raw advertised configuration fields.
Ports: 5000, 50001
wsd — Web Services Dynamic DiscoveryWeb Services Dynamic Discovery (WS-Discovery) is the SOAP-over-UDP multicast discovery protocol used by Windows printers, scanners, and ONVIF IP cameras. runZero issues a Probe to ff02::c / 239.255.255.250 and parses the ProbeMatch response to recover the device's endpoint reference, types, scopes, and metadata URLs.
Port: 3702
wsman — WS-ManagementWS-Management (WS-Man) is the SOAP-over-HTTP/HTTPS management protocol used by Windows Remote Management (WinRM), iDRAC, iLO, and IPMI baseboard controllers. runZero issues an Identify request to recover the product vendor, product version, and supported protocol versions.
Ports: 5985, 5986
x11 — X11 / X Window SystemX11 / X Window System is the X Window System display protocol used by Unix graphical desktops; if exposed, it allows remote display capture and input injection. Performs an X11 connection-setup probe and returns the X.Org/XFree86 vendor string, protocol-major version, and the access state of the server.
Ports: 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6008, 6009, 6010, 6011, 6012, 6013, 6014, 6015
x2ap — X2AP (SCTP)X2AP (SCTP) is the X2 Application Protocol (3GPP TS 36.423) over SCTP used between LTE eNodeBs. Verifies the SCTP association and X2AP payload protocol identifier and returns endpoint identification.
Port: 36422
xdmcpXDMCP is the X Display Manager Control Protocol used by X Window System login managers (xdm, gdm, kdm). Sends an XDMCP query and returns the responding manager's hostname and supported authentication types.
Port: 177
xmppXMPP is the Extensible Messaging and Presence Protocol used by chat servers (Jabber, Openfire, ejabberd). Sends a stream-start request and returns the server software banner, supported XMPP version, and STARTTLS / SASL feature summary.
Ports: 5222, 5223, 5269
zabbix — Zabbix AgentZabbix Agent is the monitoring agent used by the Zabbix server to collect host metrics. Sends an agent.version request and returns the agent version, derived CPE, and whether remote commands are enabled.
Ports: 10050, 10051
zabbix-agent — Zabbix AgentZabbix Agent is the host-side collector polled by a Zabbix server over TCP/10050. runZero requests the agent.version and agent.hostname items to recover the agent build and configured hostname from unauthenticated agents.
Port: 10050
zebra — Zebra DiscoveryZebra Discovery is a network discovery protocol used by Zebra Technologies label and barcode printers. Sends the discovery probe and returns the printer hostname disclosed in the response.
Port: 6101
zookeeper — Apache ZooKeeperApache ZooKeeper is a distributed coordination service whose wire protocol exposes four-letter administrative commands. Sends a four-letter (ruok/srvr/conf) command and returns the access state, mode (leader/follower/standalone), node count, and ZooKeeper version when the command is permitted.
Ports: 2181, 2888, 3888
zyxel — Zyxel Device Web ManagementZyxel Device Web Management is the HTTP management interface exposed by Zyxel switches and routers (e.g. GS1200 series), serving a system_data.js endpoint that advertises model, firmware version, MAC, hostname, and IP configuration.
Additional protocols
iec60870-5-104