1. Ports
  2. Port 431

Port 431: UTMPCD — The Ghost in the Well-Known Range

Port 431 is officially assigned to UTMPCD (UTMP Client Daemon) by IANA for both TCP and UDP.12 But here's the truth: you'll almost never see traffic on this port in the wild.

What UTMPCD Was Supposed to Be

UTMPCD appears to be related to Unix's utmp system—the mechanism that tracks user logins and logouts.3 On Unix systems, the utmpd daemon monitors processes and maintains records of who's logged in, when they logged in, and when they logged out.4

The "C" in UTMPCD likely stands for "Client," suggesting this was meant to be a network-accessible version of this login tracking system. A daemon that other systems could query to find out who was logged into a particular Unix machine.

The Reality

UTMPCD never gained widespread adoption. Modern Unix systems handle utmp tracking locally through their own daemons like utmpd or utmps-utmpd.45 There was never a compelling reason to expose login tracking over the network on a dedicated port.

Port 431 sits in the well-known range (0-1023), which means it was assigned during an era when IANA was more liberal with allocations. Someone thought UTMPCD would matter enough to deserve a permanent, privileged port number. They were wrong.

What This Port Tells Us

Port 431 is a fossil. It's evidence of a protocol someone designed, submitted to IANA, and then abandoned or never deployed. The well-known ports range is full of these—assignments made in the 1980s and 1990s for services that either never launched or died quietly.

Unlike port 80 (HTTP) or port 22 (SSH), which carry billions of connections every day, port 431 is silent. It's a reserved room in a hotel that nobody ever checks into.

If You See Traffic on Port 431

If you're seeing activity on port 431 in your network logs, investigate it. This isn't a port that should have legitimate traffic in modern networks. Possible explanations:

  • Legacy Unix systems running extremely old network services
  • Misconfigured software using port 431 for something unrelated to UTMPCD
  • Port scanning or reconnaissance activity
  • Malware using an obscure port to avoid detection

Check what's listening:

# Linux/macOS
sudo lsof -i :431
sudo netstat -tlnp | grep :431

# Windows
netstat -ano | findstr :431

The Well-Known Range

Port 431 belongs to the well-known ports range (0-1023), historically reserved for system services and requiring root privileges to bind.6 These ports were meant for protocols important enough to deserve global recognition.

But importance is hard to predict. Some well-known ports (HTTP, SSH, DNS) became foundational to the Internet. Others, like port 431, became footnotes—officially assigned but practically unused.

Why Unassigned Ports Matter

Port 431 isn't technically unassigned—it has UTMPCD's name attached to it. But functionally, it's empty space. These ghost assignments matter because:

  1. They occupy namespace — Port numbers are finite (65,535 total), and well-known ports are especially scarce
  2. They create confusion — Someone might assume traffic on port 431 is legitimate UTMPCD when it's actually something else
  3. They're historical records — Each assignment captures a moment when someone believed a protocol deserved permanence

Port 431 is a reminder that the Internet's infrastructure contains countless abandoned experiments. Not every port number tells a story of success. Some just tell a story of hope.

Related Ports

  • Port 37 — Time Protocol, another rarely-used well-known port
  • Port 79 — Finger protocol, once popular for user information queries, now obsolete
  • Port 513 — rlogin, remote login protocol superseded by SSH

Previous

Port 428: OCS_CMU — A Well-Known Port Nobody Remembers

Next

Port 424: opc-job-track — The Mainframe's Job Tracker

Was this page helpful?

😔
🤨
😃