Port 3085: pcihreq — A Registered Name With No Story

What Range This Port Belongs To

Port 3085 falls in the registered port range (1024–49151), sometimes called user ports. This range is managed by IANA — applications and services can formally register a port number to claim it for their protocol, preventing collisions with other software.

Unlike the well-known ports (0–1023), which require special OS privileges to bind and carry protocols everyone depends on (HTTP, SSH, DNS), registered ports are a more open territory. Any application can request one, and many do — sometimes without ever shipping software that actually uses it.

The IANA Registration: pcihreq

IANA lists the service name pcihreq for port 3085 on both TCP and UDP.¹

"pcihreq" most likely expands to something like "PCI Hardware Request" — a reference to the PCI (Peripheral Component Interconnect) bus architecture used in computers. But the registration has no RFC, no contact, and no documentation trail that survives today. It's one of hundreds of ports in the registry where the original registrant's intent has been lost.

Whether any shipping software ever used this port under the pcihreq name is unclear. It's registered in name; in practice, it's unclaimed territory.

Security Notes

Some security databases flag port 3085 as having historical associations with malware — trojans that commandeered it for command-and-control communication.² This isn't unusual. Malware frequently uses registered-but-obscure ports precisely because they're less likely to be blocked by firewalls than well-known ports, and less likely to raise immediate alarms.

If you see unexpected traffic on port 3085, investigate what process owns it before assuming it's benign.

How to Check What's Listening

If port 3085 is open on your system, these commands will tell you what owns it:

macOS / Linux:

# Show what process is listening on port 3085
sudo lsof -i :3085

# Alternative with netstat
sudo netstat -tlnp | grep 3085

# With ss (modern Linux)
sudo ss -tlnp sport = :3085

Windows:

netstat -ano | findstr :3085

The output will show the process ID (PID). From there, cross-reference with Task Manager or ps aux | grep <PID> to identify the application.

Why Unassigned-in-Practice Ports Matter

The port registry has 49,151 registered slots. Many are occupied by services that were registered decades ago, or by companies that no longer exist, or by protocols that never shipped. Port 3085 is one of them: technically claimed, practically open.

This creates a predictable pattern that security teams deal with constantly. When an application needs a port and doesn't want to register one formally, it picks something from the quiet middle of the registered range — somewhere between 2000 and 9000, where few firewalls have opinions. Port 3085, with its ghost registration and obscure name, fits that profile perfectly.

If you find it active on a machine you manage and can't explain it, that's worth explaining.