Port 3418: rnmap — A Registered Port Whose Project Didn't Last

What Port 3418 Is

Port 3418 sits in the registered port range (1024–49151). These ports aren't reserved for operating system use like the well-known ports below 1024, but they are assigned to specific services by IANA. Anyone can use them, but the registration exists to prevent naming conflicts.

IANA assigned port 3418 to rnmap (Remote nmap), registered around 2002. It uses both TCP and UDP.¹

What rnmap Was

Remote nmap was a distributed scanning tool: a Python-based client/server system that let multiple users submit network scanning jobs to a single centralized rnmap server. The server handled authentication and ran the actual nmap scans, returning results to whichever client requested them.²

The use case made sense in environments where you wanted to centralize scanning (and the permissions that come with it) instead of giving every engineer raw nmap access across a network.

The project released version 0.10 with SSL support and ran on Linux, NetBSD, and OpenBSD. It was open source under the GPL. It never reached version 1.0. The SourceForge project page still exists; the last meaningful activity was in the early 2000s.³

The Port Today

rnmap is effectively abandoned. No significant deployment of this service exists in the wild.

What does exist: security databases list port 3418 in connection with older Windows malware, specifically the Backdoor.Delf.hp trojan (also called SpySender) and the Xposure backdoor, both of which used this port for remote access communications.⁴ These threats are old and largely irrelevant to modern systems, but they're why port 3418 sometimes appears in firewall block lists and intrusion detection signatures.

If you see traffic on port 3418 on a modern system, it is almost certainly not rnmap. It is either an application that happened to choose this port, or worth investigating.

How to Check What's Using Port 3418

On Linux or macOS:

# Show what process is listening on port 3418
ss -tlnp | grep 3418

# Or with lsof
lsof -i :3418

On Windows:

netstat -ano | findstr :3418

The PID in the output can be matched to a process in Task Manager or with tasklist /fi "PID eq <pid>".

Why Unassigned and Dormant Registered Ports Matter

Port 3418's story is common in the registered range. Someone builds a tool, gets a port registered, the tool never achieves adoption, and the port number sits in the IANA registry indefinitely. The registration doesn't expire automatically.

This matters because:

• Firewall rules sometimes block or flag these ports based on outdated threat intelligence
• Port scanners may misidentify traffic on this port as rnmap when it is something else entirely
• Malware reuse — attackers sometimes choose registered ports specifically because they appear "legitimate" in logs

A registered port tells you someone once had a plan for it. It says nothing about whether that plan succeeded.