Port 398: Kryptolan — The Ghost in the Registry

Port 398 belongs to the well-known ports range (0-1023), the section of the Internet's addressing system reserved for standardized services assigned by the Internet Assigned Numbers Authority (IANA). These are the ports that require official approval, the ones meant to represent protocols important enough to claim a permanent spot in the registry.

Port 398 has that official assignment. Its name is Kryptolan. And almost nobody has heard of it.

What is Kryptolan?

According to the IANA registry, port 398 (both TCP and UDP) is assigned to "kryptolan," with the contact listed as Peter de Laval from Sectra (pdl@sectra.se).¹ That's all the registry says. No RFC. No protocol specification document. No detailed description of what Kryptolan actually does.

Sectra is real. Founded in Sweden in 1978, the company has spent over four decades building encrypted communication systems for military and government use.² They created the Sectra Tiger, the first mobile phone approved for transmitting classified secrets, deployed by the Swedish Defense Forces in 1998.³ They're a legitimate defense contractor with real cryptographic expertise.

But Kryptolan? The protocol itself is a mystery. No technical documentation survives in easily accessible archives. No RFCs reference it. No modern systems advertise support for it. The port exists in the registry like a forwarding address for someone who moved away decades ago.

What Port 398 Was Meant For

Based on limited sources, Kryptolan appears to have been designed for secure, encrypted communication between network hosts.⁴ It operated on both TCP and UDP port 398, suggesting it needed both reliable (TCP) and fast (UDP) transport options depending on the use case.

The protocol likely emerged during the 1980s or early 1990s, when Sectra was landing major contracts with the Swedish Defense Forces for cryptographic hardware.⁵ This was the era before TLS/SSL became ubiquitous, when governments and defense contractors were building proprietary encrypted communication systems because no good public standard existed yet.

Then SSL arrived. Then SSH. Then IPsec. The commercial Internet exploded, and open standards won. Proprietary encryption protocols, especially ones tied to specific vendors or national defense systems, faded into obsolescence.

The Well-Known Ports Graveyard

Port 398 is not alone. The well-known ports range is littered with assignments like this—protocols that were real, that had official backing, that someone built and deployed, but that never achieved widespread adoption. Some lost to better competitors. Some were tied to companies that no longer exist. Some were solutions to problems that stopped mattering.

The registry doesn't delete them. Once assigned, a port stays assigned. It would be chaos to reuse port numbers—imagine if port 398 were reassigned to a new protocol, and somewhere in a basement server room, an old Kryptolan system suddenly started talking to the wrong service.

So port 398 remains reserved. Officially assigned. Practically empty.

Security Note: Trojan Activity

Port 398 has been flagged in security databases as having been used by malware in the past.⁶ This doesn't mean the port itself is malicious—it means that because port 398 is rarely used for legitimate purposes, it became an attractive target for Trojans looking for unused ports to hide their communications.

If you see unexpected traffic on port 398, investigate it. An old Kryptolan installation is statistically unlikely. Malware is more probable.

How to Check What's Listening on Port 398

On Linux or macOS:

sudo lsof -i :398
sudo netstat -tulpn | grep :398

On Windows:

netstat -ano | findstr :398

If something is listening on port 398 and you don't know why, find out what it is before assuming it's safe.

Why This Matters

Port 398 teaches us something important about Internet infrastructure: permanence has a cost. Once you claim a number in a shared global namespace, you've claimed it forever. The IANA registry is not just a phone book—it's a historical record of every protocol that ever tried to be part of the Internet's standard vocabulary.

Most succeeded. Some failed. Port 398 is one of the failures, preserved in the registry like a fossil, proof that someone once tried to build something here.

The Internet remembers everything, even the things it no longer uses.

Related Ports

• Port 22 (SSH): The modern standard for encrypted remote access that succeeded where proprietary protocols failed
• Port 443 (HTTPS): TLS/SSL-encrypted web traffic, the encryption protocol that won the commercial Internet
• Port 500 (ISAKMP): IPsec key exchange, the VPN standard that dominates encrypted network tunnels