
Port 2012 has two names on paper — ttyinfo on TCP and raid-ac on UDP — and almost no story behind either of them. They appear in port databases. They don't appear to correspond to any software anyone actually ships or documents.

The Registered Port Range

Port 2012 sits in the registered ports range, which runs from 1024 to 49151.

This range works differently from the well-known ports below 1024. Anyone can apply to IANA to reserve a port number for a service. You submit a form, get assigned a name, and your port appears in the registry. But there's no requirement that you build the software, document the protocol, publish an RFC, or tell anyone how it works.

The result is a range littered with ghost entries — ports that have names but no real story. Port 2012 is one of them.

What "ttyinfo" and "raid-ac" Mean

ttyinfo (TCP): The name suggests something related to TTY (teletypewriter) terminal information — a category of Unix system interfaces. Beyond the name, there's no RFC, no protocol specification, and no widely distributed software that's known to use this registration.

raid-ac (UDP): The "raid" portion might suggest RAID (Redundant Array of Independent Disks) storage, with "ac" possibly meaning "access control." Again: no specification, no documentation anyone can point to.

If you're seeing activity on port 2012 on your network, it's almost certainly not one of these two registered services. It's something else that chose this port for its own reasons.

What Might Actually Be on This Port

Because 2012 is uncontested in practice, various applications have used it informally:

  • Development servers and local tooling that needed a port out of the way of common ones
  • Internal enterprise applications picking an arbitrary registered port
  • Historically, some malware used this port for command-and-control traffic — though no active threats are currently associated with it

Seeing traffic here doesn't mean something is wrong. It means something chose this port, and you need to find out what.

How to Check What's Listening

On Linux/macOS:

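# Show the process listening on TCP or UDP port 2012
# (ss is Linux-only; run as root to see processes owned by other users)
ss -tulnp 'sport = :2012'

# Or with lsof (Linux and macOS; -nP skips name and port lookups)
lsof -nP -i :2012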

On Windows:

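# Find the process ID (last column of the output)
netstat -ano | findstr :2012

# Resolve the process ID to a name and executable path (PowerShell)
Get-Process -Id (Get-NetTCPConnection -LocalPort 2012 -State Listen).OwningProcess | Select-Object Id, ProcessName, Path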

The output will tell you exactly what's running there — name, process ID, and usually the executable path.
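
On Linux the kernel exposes the same socket information in /proc/net/tcp and /proc/net/udp. The following is an added example, not part of the original page: a Python parser for those tables that picks out sockets bound to port 2012 and reports the owning UID and socket inode next to the registry name. The sample tables are constructed, only IPv4 is handled, and the address decoding assumes a little-endian host.

```python
"""Find sockets bound to port 2012 in /proc/net/tcp- and /proc/net/udp-style tables."""
import socket
import struct

PORT = 2012
# Registry names from the page: they label the port number, not the listener.
IANA_NAME = {"tcp": "ttyinfo", "udp": "raid-ac"}
# Kernel socket states: 0A = TCP LISTEN, 07 = unconnected (bound) UDP socket.
BOUND_STATE = {"tcp": "0A", "udp": "07"}

# Constructed sample tables (not captured from a real host). 0x07DC == 2012.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:07DC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48213 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:07DC 1400000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 48377 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:07DC 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 51002 2 0000000000000000 0
"""


def bound_sockets(table, proto, port=PORT):
    """Return sockets in `table` that are bound and waiting on `port`."""
    found = []
    for line in table.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        # Skip other ports and established connections that merely use the port.
        if int(port_hex, 16) != port or f[3] != BOUND_STATE[proto]:
            continue
        # IPv4 only; the hex word is in host byte order (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        # The inode matches a "socket:[inode]" link under /proc/<pid>/fd/.
        found.append({"proto": proto, "ip": ip, "uid": int(f[7]),
                      "inode": int(f[9]), "registry_name": IANA_NAME[proto]})
    return found


if __name__ == "__main__":
    for proto, table in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        for s in bound_sockets(table, proto):
            print(s)
```

To run it against a live host, pass the contents of /proc/net/tcp or /proc/net/udp as `table` instead of the samples.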

Why Unassigned-in-Practice Ports Matter

The port registry exists to prevent collisions — so that port 80 means HTTP everywhere, and you don't have to guess. But in the registered range, the system depends on honesty: applicants are supposed to register ports for real services they intend to build and maintain.

When ports get registered and abandoned, they become unclaimed territory. Any application that needs a port can squat here without stepping on anything official. That's usually harmless. Occasionally it's how malware hides — by choosing a port that sounds plausibly legitimate and has a real-looking IANA entry behind it.

Port 2012's two names are window dressing. The port is, for practical purposes, open.
