Port 2761 is assigned to DICOM over ISCL — Digital Imaging and Communications in Medicine, secured via the Integrated Secure Communication Layer. You will almost never see it in active use. That story is worth understanding.
What DICOM Is
DICOM is the standard that lets a CT scanner from one manufacturer send images to a workstation from another and have everything work.1 Without it, every hospital would be an island. DICOM defines both the file format (that .dcm file your radiologist sees) and the network protocol that moves those files between machines.
DICOM uses three ports:
| Port | Purpose |
|---|---|
| 11112 | Standard, unencrypted DICOM |
| 2761 | DICOM over ISCL (legacy encrypted) |
| 2762 | DICOM over TLS (modern encrypted) |
Port 11112 carries most real-world hospital traffic. Port 2762 handles modern encrypted DICOM. Port 2761 is the middle child — born too early, superseded too fast.
What ISCL Was
The Integrated Secure Communication Layer was a security framework developed in the 1990s to protect medical data in transit.2 At the time, hospitals were rightly concerned about patient images traveling across networks in plaintext. ISCL was the answer.
It offered three protections:
- Entity authentication — each endpoint proves its identity before exchanging data
- Data integrity — messages are checksummed to detect tampering
- Privacy — optional encryption of the payload
The problem: ISCL was built on DES encryption and MD5 checksums. Both are now cryptographically broken. DES uses a 56-bit key, which modern hardware cracks in hours. MD5 produces collisions on demand.
TLS arrived and did all the same things, better, with the backing of the entire Internet. By the time hospitals were ready to encrypt DICOM traffic seriously, port 2762 (DICOM over TLS) was the obvious choice.3
Port 2761 was registered before that conclusion was obvious.
The Range It Lives In
Port 2761 sits in the registered ports range (1024–49151). These ports require IANA registration, which means some organization went through a formal process to claim them. Unlike the well-known ports (0–1023), registered ports don't need root/administrator privileges to open. Unlike ephemeral ports (49152–65535), they're meant to be stable, named services.
The registration exists. The service exists on paper. What doesn't reliably exist is traffic.
Is Anyone Using It?
Rarely. Most DICOM implementations skip straight to port 11112 for internal hospital networks (which have their own perimeter security) or port 2762 for encrypted connections. ISCL never achieved widespread adoption because the security community moved on from its underlying primitives before the standard had time to get deployed broadly.
If you see traffic on port 2761 on a network scan, you are almost certainly looking at either:
- A legacy medical imaging system from an institution that implemented ISCL in the early 2000s and never migrated
- A misconfigured or unusual DICOM implementation
- Something unrelated to DICOM using the port opportunistically
Checking What's on This Port
If you find an open port 2761 on a medical network, treat it as a DICOM endpoint using legacy encryption. Verify whether the system should be updated to TLS (port 2762).
Why Unassigned-Looking Ports Still Matter
Port 2761 illustrates something real: the IANA registry is a living record of what people tried to build, not just what succeeded. Some ports are traffic junctions. Some are monuments to standards that got leapfrogged. Knowing which is which helps you read network scans accurately — and avoid chasing ghosts.
Frequently Asked Questions
Esta página foi útil?