Port 3270: Verismart — The Port Everyone Misreads

What Port 3270 Is

Port 3270 sits in the registered port range (1024–49151), the block IANA maintains for applications and services that have formally claimed a port number. According to the IANA registry, port 3270 TCP and UDP belongs to a service called "verismart."¹

Almost no one knows what Verismart was. The registration exists. The company or service behind it has left no meaningful trace. This is more common than you'd expect in the registered port range: organizations claimed ports during the 1990s and early 2000s that no longer exist, leaving their assignments as quiet artifacts in a registry that never expires.

The IBM Confusion

If you search for port 3270, half the results will tell you it's for IBM 3270 terminals or TN3270 connections. This is wrong, and it's wrong in an understandable way.

The IBM 3270 is a family of block-mode terminals introduced in 1971, designed to talk to mainframes over IBM's SNA networks. When the Internet arrived, TN3270 was created: a way to send 3270 data streams over TCP/IP using the Telnet protocol. It's still in active use today, because mainframes are very much still in active use.²

But TN3270 runs on port 23 — the standard Telnet port — by default. The number "3270" in "TN3270" refers to the terminal model, not the port. Microsoft's Host Integration Server documentation explicitly notes that port 23 is the TN3270 default, and recommends moving it to port 24 or another unused port to avoid conflicts with regular Telnet.³

Port 3270 and IBM 3270 terminals share only a number. The similarity has confused network administrators for decades.

What's Actually on This Port

If you find port 3270 open on a system you're examining:

• It is almost certainly not a legitimate Verismart service (the original registrant)
• It may be not a TN3270 mainframe connection (which would be port 23)
• It could be anything: a custom application, malware, or a misconfigured service

Check what's actually listening before assuming.

How to Check What's on Port 3270

On Linux/macOS:

# See what process is listening on port 3270
sudo lsof -i :3270

# Or with ss
sudo ss -tlnp | grep 3270

# Or with netstat
netstat -tlnp | grep 3270

On Windows:

netstat -ano | findstr :3270

Then cross-reference the PID with Task Manager or:

tasklist /fi "PID eq <pid>"

From outside the machine:

# Check if the port is open at all
nmap -p 3270 <target>

Why This Matters

The registered port range contains thousands of entries like this one: a name, a company that may no longer exist, and a port that almost nothing actually uses for its registered purpose. The range was designed to bring order to port allocation, and it does — but over decades, companies fold, products get abandoned, and the assignments outlive everything that justified them.

This creates real ambiguity in security work. When you find an unexpected open port, you can't always trust the IANA name to tell you what's actually running. The registry tells you what was registered, not what's there.

Scan first. Identify after.