Port 3647: Splitlock Gateway — A Ghost in the Registry

What This Port Is

Port 3647 is registered with IANA as splitlock-gw — the Splitlock Gateway service — on both TCP and UDP. The registration dates to January 2003, filed by a contact named Andrew Tune.¹

So it's not technically unassigned. It's something close to the opposite: officially claimed, but by a ghost.

What Splitlock Was

Splitlock was a data security company built around a core idea: split your data into multiple cryptographically separated parts, stored in different locations. Without the key to reassemble them, stolen data is useless. The company had two registered ports — 3606 for the Splitlock Server and 3647 for the Splitlock Gateway, the component that presumably brokered connections between parts of the system.

The company had an interesting run. It attracted attention for its cryptographic approach to security and, later, for legal battles involving its founder. By the mid-2010s, the software had faded from active use. The IANA registration stayed.

This is how ports orphan. A company registers a port, ships a product, and eventually closes or pivots. The IANA entry doesn't expire. Port 3647 will be "Splitlock Gateway" in the registry for as long as the registry exists.

What Range This Port Belongs To

Port 3647 sits in the registered ports range, also called user ports: 1024 through 49151.

This range is different from the well-known ports (0–1023), which require root or administrator privileges to bind and are home to foundational protocols — HTTP on 80, SSH on 22, DNS on 53. Registered ports are lower-friction: any process can bind to them, and companies or individuals can register a specific port with IANA for their application.

The registration process doesn't involve much gatekeeping. You submit a form, IANA reviews it for conflicts, and if the port is available, your service name appears in the registry. The assignment is permanent and free. This is why the registry contains thousands of entries for software that no longer exists — once you're in, you're in.

Is Anything Actually Using Port 3647 Today?

Almost certainly not Splitlock. If you see traffic on port 3647, it's either:

• Leftover Splitlock infrastructure (extremely unlikely in 2025)
• Custom software that picked the port arbitrarily
• Malware using an obscure registered port to blend in or avoid blocks
• A scan probing for open ports across ranges

The practical status of port 3647 is: unclaimed in any meaningful sense. The registration is a historical artifact.

How to Check What's Listening

If port 3647 shows up in your logs or you're curious whether anything on your machine has bound to it:

Linux / macOS:

# Show what process is listening on port 3647
ss -tlnp | grep 3647

# Alternative using lsof
lsof -i :3647

macOS (also works):

netstat -an | grep 3647

Windows:

netstat -ano | findstr :3647

The output will show the process ID bound to the port, if any. On most systems, nothing will be listening here.

Why Ghost Ports Matter

The registered port range contains thousands of entries like this one — legitimate registrations for software that shipped, was used, and eventually disappeared. The ports remain assigned, technically off-limits for new registrations, but open for any software to use in practice.

This creates a strange situation: the most "obscure" ports are sometimes the most documented, because someone cared enough to register them. Port 3647 has a name. Port 3648 has nothing. Both are equally available for any software that wants to use them.

For network defenders, ghost ports are worth noting. If you see unexpected traffic on 3647, it's more likely to be modern software (or malware) than Splitlock. The name in the registry tells you what it was, not what it is.