Port 497: Retrospect — The Port That Remembers

Port 497 is officially assigned to Retrospect, a backup and recovery system that has been protecting data since 1989. This is the port where backup servers and client machines coordinate the work of making sure nothing is ever truly lost.¹

What Runs on This Port

Retrospect uses TCP port 497 for communication between the central backup server (called the Retrospect engine) and client machines running the Retrospect Client software. When a backup is scheduled, the server connects to port 497 on each client to ask a simple question: "What's changed since last time?"²

The protocol is elegant in its efficiency. Instead of performing full backups repeatedly, Retrospect uses "progressive backup" technology—it only copies files that are new or have been modified since the previous backup. The server doesn't need to be told whether to do a "full" or "incremental" backup. It just remembers what it's already seen and copies everything else.³

This conversation happens over port 497: the server initiating contact, the client responding with file metadata and changes, the server pulling back only what's needed. The architecture assumes the server initiates—clients listen on 497, waiting for the backup window to open.

The History

Retrospect was created by Dantz Development Corporation in 1989, initially for the Macintosh platform.⁴ At the time, backup meant floppy disks and tape drives. The Internet as we know it didn't exist yet. Port assignments were still being figured out.

But Dantz understood something fundamental: automated backup had to be centralized and scheduled. You couldn't trust humans to remember to back things up. The software needed to reach out, across the network, and do the work automatically.

Port 497 was assigned for this purpose—a dedicated channel for backup coordination traffic.

Over the decades, Retrospect survived:

• The shift from Mac-only to cross-platform (Windows, Linux, Unix)
• The transition from tape to disk to cloud storage
• Multiple corporate acquisitions (EMC in 2004, Roxio in 2010, StorCentric in 2019)
• A 2023 bankruptcy and spin-off into an independent company

Through all of it, port 497 kept doing its job. The protocol remained backward compatible. Networks that set up Retrospect in the 1990s could still use the same port, the same basic communication pattern, decades later.

How It Works

The backup workflow over port 497 follows this pattern:

1. Server initiates contact — At the scheduled backup time, the Retrospect server connects to TCP port 497 on each client machine
2. Authentication — Client and server authenticate using public/private key encryption (no passwords sent over the network)
3. File comparison — Server asks client for metadata about files; client responds with information about what exists and what's changed
4. Selective transfer — Server requests only the files it doesn't already have backed up
5. Completion — Connection closes; client returns to listening on port 497 until the next backup window

The actual backup data doesn't necessarily flow over port 497—that's just the control channel. But the coordination, the scheduling, the "what needs to be saved" conversation—that all happens here.⁵

Security Considerations

Port 497 has been exploited. Over the years, vulnerabilities in the Retrospect client have been discovered, including denial-of-service attacks that could crash the backup agent by sending malformed data to port 497.⁶

More concerning: malware has occasionally used port 497 as a communication channel, masquerading as legitimate backup traffic. If you see unexpected connections on port 497 from machines that shouldn't be running Retrospect, investigate immediately.⁷

If you run Retrospect:

• Keep the client software updated
• Use firewall rules to restrict port 497 access to known backup servers only
• Enable encryption for backup traffic
• Monitor logs for failed authentication attempts

If you don't run Retrospect:

• Port 497 should be closed
• If something is listening on 497, find out what it is and why

Related Ports

• Port 22 (SSH) — Modern remote backup often uses SFTP over SSH instead of dedicated backup protocols
• Port 3389 (RDP) — Remote Desktop Protocol, another service that connects to clients for administrative tasks
• Port 443 (HTTPS) — Cloud backup services typically use HTTPS instead of dedicated ports

Checking Port 497

To see if anything is listening on port 497:

On Linux/Mac:

sudo lsof -i :497
netstat -an | grep 497

On Windows:

netstat -ano | findstr :497
Get-Process -Id [PID]

If you find something listening and you don't run Retrospect, investigate what process owns that port.

Why This Port Matters

Port 497 represents a particular philosophy of backup: centralized, scheduled, and automatic. The server comes to you. You don't have to remember. You just have to leave port 497 open and let the backup system do its job.

In an era where most backup has moved to cloud services over HTTPS, port 497 is a reminder of how network backup used to work—and in many enterprise environments, still works. Dedicated ports. Dedicated protocols. Purpose-built tools that have been running, largely unchanged, for decades.

Every night, across thousands of networks, port 497 opens. The server asks what's changed. The client answers. And the work of remembering—of making sure nothing is ever truly lost—continues.