What This Port Is
Port 3138 is a registered port — it has an official IANA assignment. The service is rtnt-2 data packets, registered by Ron Muellerschoen at NASA's Jet Propulsion Laboratory (JPL).
RTNT stands for Real-Time Net Transfer, a JPL-developed system for transporting raw GPS observables across the open Internet with low latency. The system compresses GPS data at remote receiver sites and streams it to a central collection server, where JPL's Real-Time GIPSY software uses it to compute global differential corrections to GPS broadcast orbits and clocks. The goal was less than two seconds of latency from a global network of receivers. Port 3137 is its companion — rtnt-1.
In the late 1990s and early 2000s, it was common for research groups to register ports for internal scientific infrastructure. Most of these services never saw wide deployment outside their institutions. RTNT-2 is one of them.
The Registered Port Range
Port 3138 sits in the registered ports range (1024–49151). This range works differently from the well-known ports below 1024:
- Well-known ports (0–1023): Reserved for core Internet services. Requires root/admin privileges to bind on most systems.
- Registered ports (1024–49151): Officially assigned to services by IANA, but no OS-level privilege enforcement. Any process can listen here.
- Dynamic/ephemeral ports (49152–65535): Assigned temporarily by the OS for outbound connections.
Being registered doesn't mean active. Thousands of registered ports sit idle — claimed by applications that were once in wider use, or by research systems like RTNT-2 that were never deployed beyond their originating institution.
The MyDoom Connection
In January 2004, the MyDoom worm became one of the fastest-spreading pieces of malware ever recorded. Its B variant opened a backdoor that listened on the first available TCP port between 3127 and 3198 — a range that includes 3138.
If you see port 3138 listening on a Windows machine from around that era, the NASA GPS explanation is almost certainly not the right one. MyDoom.B used these ports to allow remote access to infected hosts. The collision between a JPL GPS system's port registration and a backdoor trojan's listening range is pure coincidence — the worm's authors weren't being subtle, they were just picking a range above the well-known ports that was unlikely to conflict with common services.
What Might Be on This Port Today
In practice, port 3138 active on a modern machine is most likely:
- A custom application or development server that chose an arbitrary registered port
- Legacy scientific or GPS processing software
- Malware (the MyDoom range is old, but port scanners still flag it)
- Nothing — many port scans probe this range speculatively
How to Check What's Listening
On Linux/macOS:
On Windows:
With nmap (from another machine):
The -sV flag asks nmap to probe the service and identify what's actually running, not just report the port as open.
Why Unassigned-in-Practice Ports Matter
The registered port space is a historical record. It maps decades of Internet software — protocols that mattered to someone, somewhere, at some point. RTNT-2 reflects a time when JPL researchers needed to build their own infrastructure for streaming GPS data globally, before cloud services existed, before GPS APIs were ubiquitous.
Most of these ports will never carry their registered traffic again. They exist as placeholders — claimed but quiet. When you see one active, the question isn't "what does IANA say?" It's "what is actually running here, and why?"
Frequently Asked Questions
Questa pagina è stata utile?