Port 381: HP Performance Data Collector — A Retired Monitoring Port

Port 381 is officially assigned to hp-collector (HP Performance Data Collector), both TCP and UDP.¹ This was part of HP OpenView, an enterprise network and systems management suite that monitored IT infrastructure before modern cloud-based monitoring existed.

The port is now obsolete. HP OpenView was rebranded in 2007 and the technology has long been superseded.²

What It Was For

HP OpenView Performance Agent ran on managed servers—Unix systems, Linux boxes, Windows servers across an enterprise network. Every five minutes, the agent collected performance data: CPU usage, memory consumption, disk I/O, network statistics. It summarized this data, timestamped it, checked for alarm conditions, and sent it to the management console.³

Port 381 was the channel. The Performance Data Collector service on the management server listened on this port, receiving metrics from all the agents scattered across the infrastructure. IT teams used this to see their network's health in one place.

This was the mid-1990s through the early 2000s. Before Prometheus, before Datadog, before every server spoke HTTP and exposed metrics at /metrics. Network management meant dedicated protocols, assigned ports, and agent software running on every machine you wanted to monitor.

How It Worked

The architecture was agent-based and centralized. Each monitored system ran the Performance Agent, which collected data from the operating system. The Scopeux Data Collector component gathered metrics and stored them in local log files with configured maximum sizes.⁴

The agent sent summarized data to the central management server, which listened on port 381. The management console displayed dashboards, triggered alerts when thresholds were exceeded, and stored historical data for trend analysis.

Configuration was handled through ASCII parameter files. You specified what to collect, how often, and what constituted an alarm condition. The system was designed for large-scale enterprise deployments—hundreds or thousands of servers all reporting to central management consoles.

The Evolution

HP OpenView Network Node Manager launched in the mid-1980s. Operations Center came in the late 1980s as an add-on for server and application monitoring. By 1999, it evolved into HP OpenView Operations ITO with SNMP monitoring support.⁵

In 2007, HP rebranded the entire OpenView product line as HP BTO (Business Technology Optimization) Software when it was integrated into the HP Software Division alongside products from Mercury Interactive, Peregrine Systems, and Opsware. The OpenView name was phased out.⁶

The technology continued under different names and ownership, but port 381 and the original Performance Data Collector protocol became legacy. Modern monitoring uses different approaches: REST APIs, time-series databases, container-native metrics, cloud-based observability platforms.

Security Considerations

Port 381 should be closed on modern systems. The HP OpenView products that used it have been discontinued for years, and there's no legitimate reason to have the port open.⁷

There have been reports of trojans using port 381 for communication.⁸ Leaving it open exposes systems to unnecessary risk. The related ports 381-383 have been associated with various vulnerabilities, including arbitrary file deletion exploits on port 383.

If you find port 381 open on a system, either legacy HP OpenView software is still running (which presents its own security concerns), or something else is using the port—neither is good.

Checking Port 381

To see if anything is listening on port 381 on your system:

# On Linux/macOS
sudo lsof -i :381
sudo netstat -tulpn | grep :381

# On Windows
netstat -ano | findstr :381

If you find something listening and it's not intentional, investigate immediately.

Why Unassigned Ports Matter

Port 381 isn't unassigned—it has an official IANA assignment to hp-collector. But it represents a category of ports that are assigned but obsolete: services that once served critical functions but have been replaced by newer technologies.

The well-known port range (0-1023) is full of these ghosts. Ports assigned to protocols and services from the 1980s and 1990s that nobody uses anymore but that still appear in the official registry. Port 381 is one of them.

These obsolete assignments matter for two reasons:

1. Security: Attackers scan for open ports. Finding port 381 open might indicate an unpatched legacy system running outdated software—a valuable target.

2. History: Each assigned port tells a story about what networking infrastructure used to be. Port 381 represents the era when monitoring meant dedicated protocols, when agents pushed data to central consoles over specific ports, when network management was a distinct discipline with its own tooling ecosystem.

The port exists in the registry as a marker of how we used to solve these problems. We still need to monitor systems—we just do it differently now.

Related Ports

Ports 382-383: Also associated with HP OpenView services, now obsolete and recommended to be closed⁹

Port 161-162 (SNMP): The Simple Network Management Protocol that HP OpenView integrated in 1999, still used today for network device monitoring

Port 514 (Syslog): System logging protocol that complemented performance monitoring for enterprise infrastructure management