Port 1998: Cisco XOT — Where Legacy X.25 Meets TCP/IP

Port 1998 is registered with IANA for a single purpose: Cisco XOT, or X.25 Over TCP. It sits in the registered port range (1024-49151), meaning it requires IANA registration but no special system privileges to open.

The story of this port is really the story of a generation of networking infrastructure that refused to die.

What Is X.25?

X.25 is a packet-switching protocol from the 1970s — one of the first standards for wide-area networking. Before TCP/IP dominated everything, X.25 was how banks connected their branches, how airlines ran reservation systems, how governments moved data across borders. It was reliable, well-understood, and deeply embedded in critical infrastructure.

Then TCP/IP won. IP networks became cheap, ubiquitous, and fast. X.25 networks — built on expensive dedicated leased lines — became liabilities. But the applications running on top of X.25? Those were staying. Replacing a bank's core transaction processing system, or a country's ATM network, wasn't something you could do over a weekend.

What XOT Does

XOT is a bridge. It takes X.25 virtual circuits — the connection abstraction that X.25 uses — and encapsulates them inside TCP connections. Each X.25 virtual circuit gets its own TCP connection, all of them pointed at port 1998 on the far end.

The result: your legacy X.25 application thinks it's talking to an X.25 network. Underneath, it's riding TCP/IP like everything else. The leased lines can go away. The application never has to know.

Greg Satz designed and implemented XOT at Cisco. RFC 1613, published in May 1994, documents the protocol. ¹ It carries an IETF label of "Legacy" — appropriate for a protocol whose entire purpose was to extend the life of something already considered old at publication time.

Who Uses Port 1998

XOT is found primarily in:

• ATM networks: Many ATMs were built on X.25 infrastructure. XOT let banks migrate to IP backbones while keeping terminals in service.
• Payment terminals: Point-of-sale systems, especially in Europe where X.25 networks ran longer than in North America.
• Industrial telemetry: Utilities, transportation systems, and industrial controls built on X.25 in the 1980s.
• Government networks: Some public sector organizations ran X.25 networks well into the 2000s.

Cisco IOS has supported XOT for decades, and the protocol remains documented in current Cisco configuration guides. ²

Security

XOT carries no encryption. The X.25 traffic inside the TCP connection is transmitted in plaintext. If you see port 1998 traffic on a network you didn't expect, it warrants investigation — either a legitimate legacy system or something using the port opportunistically.

Legitimate XOT deployments should be protected with IPsec or run within isolated VLANs. Open exposure of port 1998 to untrusted networks is unnecessary.

How to Check What's Using This Port

# On Linux/macOS — show what's listening on port 1998
ss -tlnp | grep 1998
lsof -i :1998

# On Windows
netstat -ano | findstr :1998

# Check for active connections (not just listeners)
ss -tnp | grep 1998

If you see something on port 1998 on a modern system with no Cisco equipment, it's worth figuring out what it is. The port isn't commonly exploited, but unknown listeners on any port deserve scrutiny.

Why Unassigned Ports Still Matter

Most of the registered port range is exactly like port 1998 — officially assigned to something specific, used by a narrow slice of deployments, invisible to most people. The port system works precisely because this registry exists: applications can claim a port, document it, and be found there reliably.

Port 1998's story is a small piece of how the Internet absorbed everything that came before it. X.25 didn't disappear — it got wrapped in TCP and kept running. That pragmatism is part of why critical infrastructure still works.