Port 1816: HARP — The Registered Mystery

Port 1816 sits in the registered port range — the middle tier of the port numbering system, from 1024 to 49151. These ports are assigned by IANA to specific services upon request, distinguishing them from the well-known ports (0–1023) used by foundational protocols like HTTP, SSH, and DNS.

The IANA registry lists port 1816 as assigned to HARP, on both TCP and UDP. A contact name is attached to the registration: Bjorn Chambless.¹

That's where the trail ends.

The Registered Port Range

The registered port range exists because the well-known ports ran out of room — or rather, out of justification. Ports below 1024 were historically reserved for services so fundamental that only privileged system processes could bind to them. Everything else needed somewhere to go.

IANA created the registered range as a coordination mechanism: any developer or organization could request a port assignment for their protocol, providing a contact and a brief description. The registry doesn't require a public specification, an RFC, or working software. It requires a form and a name.

This creates an interesting artifact: ports that are technically claimed but practically invisible. HARP on port 1816 is one of them.

What Is HARP?

Unknown. No RFC describes it. No open-source project uses it by name. No forum post explains what "Harness Applications and Real-time Protocol" — the expanded name reported by some port databases — actually does or who uses it.²

This happens more often than you'd expect. The registered port range contains hundreds of entries tied to private software, abandoned projects, or internal corporate tools that were never meant for public documentation. The assignment secures a port number; it doesn't obligate anyone to publish a spec.

Port 1816 may be in active use inside some private network, running software that will never be described publicly. Or the registration may be dormant — a claim staked and then forgotten.

What Might Be Listening on Port 1816

If you see traffic on port 1816 on your network, it's almost certainly not HARP. In practice, software that doesn't officially have a port chooses one opportunistically. Developer tools, internal services, and ad hoc applications frequently land in the registered range without checking whether the port is already claimed.

To see what's actually listening on this port on your machine:

Linux / macOS:

ss -tlnp | grep 1816
# or
lsof -i :1816

Windows:

netstat -ano | findstr :1816
# Then look up the PID:
Get-Process -Id <PID>

If something is there, the process name will tell you more than the port number ever could.

Security Considerations

The SANS Internet Storm Center logs scanning activity on port 1816, as it does for most ports in this range.³ Generic port scanning isn't targeted — automated scanners probe wide ranges looking for anything that responds. A service running on 1816 is no more or less exposed than one on any other registered port.

The relevant question is always: should this port be open at all? If you didn't put it there, find out what did.