Port 84: CTF — A Diagnostic Ghost from DEC

Port 84 is assigned to CTF, the Common Trace Facility. It is a network diagnostic protocol designed to capture and display protocol exchanges between systems in real time. If you have never heard of it, that tracks. CTF belongs to a world that has mostly faded: Digital Equipment Corporation's DECnet-Plus networking stack on OpenVMS.¹

What CTF Does

CTF is a tracing utility. It collects data at specific points within networking software, called tracepoints, where protocol data passes from one layer to another. When a tracepoint fires, it signals CTF that data is available for collection. An engineer can then record and analyze that data to diagnose network problems.²

Think of it as a network protocol debugger. Not a packet sniffer like Wireshark that captures everything on the wire, but an instrumented observer built into the networking stack itself. Networking products that support CTF embed tracepoints in their code. CTF connects to those tracepoints and lets you watch the conversation between protocol layers in real time.

CTF supports three modes of operation:

• Live tracing connects directly and displays trace records on your terminal as they happen
• Detached tracing writes records to a file for later analysis
• Snapshot tracing buffers records at the remote server and transmits them on demand

The Story Behind It

CTF comes from Digital Equipment Corporation (DEC), one of the most important computer companies most people have never heard of. DEC built the PDP and VAX minicomputers that powered universities, research labs, and businesses throughout the 1970s and 1980s. Their operating system, VMS (later OpenVMS), was legendary for its reliability and uptime.

DECnet was DEC's proprietary networking protocol suite. When DEC evolved it into DECnet-Plus (also called DECnet Phase V) to support OSI networking standards alongside their proprietary protocols, they needed a way to debug the increasingly complex protocol interactions. CTF was the answer.²

The IANA registry lists the assignee as Hugh Thomas.¹ The registration predates the modern era of port assignment documentation, so the exact date is lost. But it sits in the well-known range (0-1023), which means it was assigned early in the Internet's history, when port numbers below 1024 were not yet scarce.

DEC was acquired by Compaq in 1998. Compaq was acquired by Hewlett-Packard in 2002. The OpenVMS operating system and DECnet-Plus survived these acquisitions and are now maintained by VMS Software, Inc. (VSI), which licenses the technology from Hewlett Packard Enterprise.³

The Well-Known Range

Port 84 sits in the well-known port range (0-1023). These ports are assigned by IANA and on most operating systems require root or administrator privileges to bind to. The well-known range was established early in TCP/IP's history to give critical services predictable addresses. Port 84 earned its place here when DECnet-Plus was a significant networking technology. The world moved on. The port number stayed.

Security

Port 84 is not a common attack target, but some security databases flag it because trojans and malware have historically used it for communication.⁴ This is not unique to port 84. Attackers routinely use obscure well-known ports precisely because they are obscure: security tools may not inspect them closely, and administrators may not notice unexpected traffic on a port they have never heard of.

If you see unexpected traffic on port 84, investigate. On a modern network, nothing should be listening on this port unless you are running OpenVMS with DECnet-Plus, which narrows the field considerably.

How to Check What Is Listening on Port 84

Linux:

sudo ss -tlnp | grep :84
sudo lsof -i :84

macOS:

sudo lsof -i :84
netstat -an | grep '\.84 '

Windows:

netstat -ano | findstr :84

If anything responds, and you are not running a DEC-heritage system, you should find out why.

Related Ports

Port 84 sits in a neighborhood of early protocol assignments:

• Port 82 (XFER Utility): Another protocol from the early assignment era
• Port 83 (MIT ML Device): Assigned to MIT's Machine Learning devices
• Port 85 (MIT ML Device): A second port for the same MIT systems
• Port 86 (Micro Focus COBOL): COBOL development tooling
• Port 87 (Private Terminal Link): Any private terminal connection

These neighbors tell the same story: a generation of protocols that were important enough to claim a well-known port, and quiet enough today that most engineers will never encounter them.