Port 3638: EHP Backup Protocol — A Registered Ghost

What Port 3638 Is

Port 3638 sits in the registered port range (1024–49151). These ports are not reserved by IANA in the way that well-known ports (0–1023) are — they don't require elevated privileges to bind — but they are tracked in the IANA Service Name and Transport Protocol Port Number Registry so that applications can stake a claim and avoid collisions.

Port 3638's registered name is EHP Backup Protocol, filed in November 2002 by a registrant whose only contact on record is a Yahoo email address.¹ RFC 6335 governs how these registrations work — in the early 2000s, the registered port range operated largely on a first-come, first-served basis.² You filled out a form. IANA assigned the port. The protocol didn't need to exist yet.

What EHP Backup Protocol Actually Is

Unknown. There is no RFC, no public specification, no software package, and no surviving documentation that explains what "EHP" stands for or how the protocol was supposed to work. The registration exists. The protocol, for all practical purposes, does not.

This was not unusual in 2002. Developers and small companies registered ports for projects that were planned, prototyped, or simply anticipated. Some shipped. Many didn't. Port 3638 appears to be one that didn't.

What You'll Actually Find on Port 3638

If you see traffic on port 3638 on a modern network, it is almost certainly one of the following:

• Application-assigned ephemeral use — Many applications bind to high-numbered ports dynamically. If something chose 3638, it's using the number opportunistically, not because of the EHP registration.
• Custom internal services — Developers sometimes hard-code port numbers for internal tools. Port 3638 is obscure enough that a developer might have picked it precisely because nothing well-known uses it.
• Scanning activity — Automated scanners probe registered ports looking for misconfigured services.

How to Check What's Listening on Port 3638

On Linux or macOS:

# Show what process is using port 3638
ss -tlnp | grep 3638

# Or with lsof
lsof -i :3638

On Windows:

netstat -ano | findstr :3638

The process ID in the output can be matched against Task Manager or tasklist to identify what's actually running.

Why Unassigned-in-Practice Ports Matter

The registered port range contains thousands of entries like port 3638: technically claimed, practically abandoned. This matters for a few reasons.

First, the registration still provides a small amount of collision protection. If you're building a new service and considering port 3638, the IANA record signals that you might conflict with something — even if that something is a 23-year-old ghost.

Second, these ports are neither blocked nor specially trusted. Firewalls don't have opinions about port 3638. That makes it genuinely neutral territory, which is why some internal tools and proprietary software end up here.

Third, seeing unexpected traffic on any registered-but-obscure port is worth investigating. The obscurity isn't protection.