Port 548: AFP — Apple's Native Language for Files

Port 548 is where Macs learned to share. For nearly thirty years, every file shared between Apple computers on a local network flowed through this port, speaking a language only Macs truly understood.

What Port 548 Does

Port 548 carries the Apple Filing Protocol (AFP), Apple's proprietary file sharing protocol. When you connected to a shared drive from your Mac, browsed folders on a colleague's machine, or backed up to a Time Capsule, your computer was speaking AFP over TCP through this port.

AFP handles more than just moving bytes. It manages authentication, file locking, permissions, and most importantly, it preserves the unique structure of Mac files that other protocols would destroy.

The Protocol: Preserving What Makes a Mac File a Mac File

Here's something most people never knew: classic Mac files weren't like other files. They had two parts: a data fork (the actual content) and a resource fork (metadata, icons, interface elements, executable code).¹ Move a Mac file to a Windows server using a standard protocol, and half of it vanished. The icon disappeared. The file type was lost. Sometimes the file became unusable.

AFP was designed to preserve both forks intact. It was the only protocol that truly understood what a Macintosh file was.

The protocol works through a session layer called the Data Stream Interface (DSI), which maps AFP operations onto TCP connections.² DSI handles:

• Session establishment on port 548
• Multiple outstanding requests with out-of-order replies
• Tickling: every 30 seconds of inactivity, both client and server send heartbeat messages to confirm the connection is alive
• Automatic timeout: if neither side hears from the other for 120 seconds, the session terminates

AFP versions 3.0 and later communicate exclusively over TCP/IP through port 548, though earlier versions could use AppleTalk for transport.³

The History: From Macintosh Office to Time Machine

1985: The Macintosh Office

In January 1985, Apple announced the "Macintosh Office" alongside a Super Bowl advertisement called "Lemmings."⁴ The vision was ambitious: networked Macs sharing files and printers through AppleTalk, Apple's proprietary networking protocol.

The Macintosh was the first personal computer with networking built in as a standard feature.⁵ LocalTalk connectors used the Mac's printer port, running at 230.4 Kbps. It wasn't fast, but it worked out of the box.

AFP was born as the AppleTalk Filing Protocol, the file sharing layer of this networking stack. Version 1.0 was developed jointly by Apple and Centram Systems West, though it never shipped. Versions 1.1 and 2.0 were formalized as part of the AppleTalk specification.⁶

1987: AppleShare Arrives

The file server component of Macintosh Office was delayed, but in 1987 Apple released AppleShare, dedicated file server software that turned any Mac with 512K of RAM into a network file server.⁷

Apple CEO John Sculley proclaimed it "just as significant as the original Macintosh." The software cost $799. Adding a Mac Plus with a hard drive to run it cost another $3,200. But for businesses and schools, it worked. Mac labs could share files. Design studios could collaborate.

1991-1999: System 7 and the TCP Transition

Personal File Sharing became part of Mac OS with System 7 in 1991, allowing any Mac to share files without dedicated server software.⁸

As TCP/IP rose to dominance in the 1990s, Apple adapted. AppleShare IP introduced AFP over TCP/IP (version 2.2), and the Data Stream Interface was created to carry AFP traffic over TCP connections. Port 548 was assigned as the well-known port for AFP over TCP.

2001: Mac OS X and AFP 3.0

AFP 3.0 arrived with Mac OS X Server 10.0.3, bringing modern features: POSIX permissions, Unicode UTF-8 filenames, and files larger than 2 GB.⁹ Version 3.1 added Kerberos authentication. Version 3.2 added Access Control Lists.

2008: Time Capsule

Apple released the AirPort Time Capsule in 2008, a Wi-Fi router with built-in storage designed specifically for Time Machine backups.¹⁰ For millions of Mac users, AFP became invisible infrastructure: your Mac backed up automatically over the network, and port 548 carried every precious file.

2013: The Beginning of the End

In OS X 10.9 Mavericks, Apple made SMB (Server Message Block) the default file sharing protocol.¹¹ AFP had served Apple well, but SMB worked everywhere. Cross-platform compatibility won.

2020-2025: Deprecation

macOS 11 Big Sur removed the ability to run an AFP server.¹² The client remained, but Apple marked it for deprecation. In macOS Sequoia 15.5, Apple announced that AFP "will be removed in a future version of macOS."

Time Machine backups to NAS devices over AFP are no longer recommended and will lose support entirely. The Time Capsule era is ending.

Netatalk: The Open Source Keeper of the Flame

One of the remarkable chapters in AFP's history is Netatalk, an open source implementation created by Wesley Craig at the University of Michigan in 1990.¹³

Netatalk allowed Unix and Linux servers to speak AFP to Mac clients. This was transformative: universities, businesses, and eventually NAS devices could serve files to Macs without running Mac hardware.

In 1997, Adrian Sun forked Netatalk to add AFP over TCP/IP support. Version 2.0.5 in 2009 added Time Machine support. Suddenly, any Linux box with Netatalk could act like a Time Capsule.

Netatalk's maintainers have kept the flame burning for over 30 years. Version 4.0, released in September 2024, even restored AppleTalk support for vintage Mac enthusiasts.

Security Considerations

AFP's security history is complex.

Authentication: Modern AFP supports DHX2 (Diffie-Hellman Key Exchange 2) and Kerberos authentication. Earlier versions supported cleartext passwords, which should never be used.

Netatalk Vulnerabilities: In 2022, a series of critical vulnerabilities in Netatalk were demonstrated at Pwn2Own:¹⁴

• CVE-2022-23121: Remote code execution without authentication (CVSS 9.8/10)
• CVE-2022-0194, CVE-2022-23122, CVE-2022-23125: Additional RCE vulnerabilities, all rated 9.8/10

These affected NAS devices from QNAP, Synology, and Western Digital. QNAP urged customers to disable AFP entirely until patches were available.¹⁵

CVE-2018-1160: An 18-year-old bug in Netatalk (3.0.0-3.1.11) allowed unauthenticated remote code execution through an out-of-bounds write in the DSI OpenSession handler.¹⁶

Recommendations: Use SMB3 or NFS instead of AFP when possible. If AFP is required, run Netatalk 3.1.18 or later, enforce strong authentication (DHX2), disable guest logins, restrict port 548 to trusted networks, and consider wrapping AFP in a VPN.

Related Ports

The Sunset Protocol

Port 548 carries a protocol designed for a world that no longer exists: a world where Macs were different, where their files were fundamentally unlike any other computer's files, where preserving that difference mattered.

AFP was a protocol built on the premise that Macintosh identity was worth protecting. Every resource fork it preserved was an acknowledgment that these machines were special, that their files carried more than just data.

Now SMB carries Mac files across networks, and the resource fork travels in a hidden sidecar file with an underscore prefix. It works. But something is lost in translation.

For thirty years, port 548 was where Macs were truly themselves.