Port 403 sits in the well-known port range (0-1023), officially assigned by IANA to a service called "decap." Both TCP and UDP. Registered since RFC 1700 in 1994.1 And almost nobody knows what it actually does.
What Is "Decap"?
The name stands for "decapsulation" — the process of removing encapsulation headers from tunneled network traffic.2 That's a real thing in modern networking. GRE tunnels, IP-in-IP tunnels, VXLAN — all require decapsulation at the receiving end.3
But why would decapsulation need its own dedicated port? The actual protocol that was supposed to use port 403 has left almost no trace. No RFC describes it. No implementation survives. Security researchers scanning networks in 2000 found port 403 open on some systems and asked on mailing lists: "What is this?"4
The answer was essentially a shrug. A legacy service. Obscure. Probably unused.
The Well-Known Port Range
Port 403 belongs to the well-known port range (0-1023), which requires root/administrator privileges to bind to on Unix-like systems. These ports were originally intended for standardized system services — the core protocols that keep the Internet running.
IANA assigns these ports carefully. Or at least they do now. In the early 1990s, when RFC 1700 codified the port assignments, the process was less formal. Services were registered, protocols were proposed, and some of them simply never materialized into widespread use.
Port 403 is one of those ghosts. Officially assigned. Rarely seen.
Modern Reality
You will almost never encounter anything legitimately listening on port 403. If you do find it open during a security scan, it's worth investigating — not because "decap" is dangerous, but because unexpected open ports are worth understanding.
Decapsulation in modern networking happens inside kernel modules, network drivers, or specialized hardware. It doesn't need a listening service on a specific port. The protocols that do tunneling (GRE on protocol 47, IPsec on ports 500/4500, etc.) handle their own decapsulation as part of their design.
Why Unassigned and Obsolete Ports Matter
The port registry is a historical document as much as a technical one. It contains active services like HTTP (80) and HTTPS (443), but it also contains fossils like port 403 — traces of ideas that someone once thought important enough to register.
These ghosts matter because:
They show how the Internet evolved. Not every protocol succeeded. Not every good idea caught on. Port 403 is a reminder that the registry isn't just a list of what works — it's a list of what was tried.
They can create confusion. If you're debugging a network issue and see port 403 in a log, you might waste time searching for what "decap" does. Knowing it's a ghost saves you that time.
They reserve space. Even unused, port 403 is assigned. No one else can officially use it. The registry is finite (65,535 ports), and some of that space is occupied by protocols that never materialized.
How to Check What's Listening on Port 403
On Linux or macOS:
On Windows:
If nothing returns, nothing is listening. That's the expected result.
The Truthline
Port 403 has been officially assigned since 1994, yet almost no one has ever run a service on it. It exists in the registry, not in the wild. A service name without a service. A port without a purpose.
That's not a failure. It's evidence. The Internet is built on layers of attempts, experiments, and ideas that didn't quite work out. Port 403 is one of those layers. Registered. Forgotten. Still there.
¿Fue útil esta página?