What Port 3398 Is
Port 3398 sits in the registered port range (1024–49151). These ports require IANA registration, and IANA does list port 3398 — under the service name "mercantile," assigned for both TCP and UDP.
But that name is essentially a ghost. No RFC defines a "mercantile" protocol. No major software implements it. No documentation explains what it was meant to do. Someone registered the name at some point; the protocol itself never materialized, or never escaped its original context.
This happens more often than you might expect. The registered port range contains hundreds of assignments that were claimed, named, and then quietly abandoned as products died, companies folded, or ambitions went unrealized.
What Actually Runs Here
In practice, port 3398 has one documented history worth noting: it was used by PWSteal.Bancos.AA, a banking trojan that targeted e-commerce and financial websites. The malware installed a proxy server on this port and used its own SMTP connection to exfiltrate stolen credentials and keylogger output.[1]
Choosing an obscure, nominally registered port for malware infrastructure is a deliberate tactic. Well-known ports get scrutinized. Port 80 has defenders watching it. Port 3398, carrying the improbable banner of "mercantile," is easy to overlook.
SANS ISC records occasional scanning activity directed at port 3398, consistent with low-level automated reconnaissance.[2] The threat level is not elevated, but traffic here warrants a second look.
Checking What Is Listening
If you see activity on port 3398 and want to know what's behind it:
On Linux/macOS:
On Windows:
Then match the PID from netstat to a process name in Task Manager. Anything listening here that you did not intentionally install deserves scrutiny.
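
The check described above, as an added example that is not part of the original page: a shell function that filters Linux `ss -H -tulnp` output for sockets bound to exactly port 3398, so that neighbours such as 33980 do not match the way they would with a plain substring search. The sample listing and the process name `svc-helper` are constructed, and the function name `listeners_on_port` is hypothetical.

```shell
#!/bin/sh
# Added example: exact-port listener check over `ss -H -tulnp` output.

# Print "proto local_address pid process" for every socket whose LOCAL port
# equals $1 exactly. Reads `ss -H -tulnp` output on stdin.
listeners_on_port() {
    awk -v want="$1" '
    {
        # Field 5 is Local Address:Port; the port follows the last colon,
        # which also handles IPv6 forms such as [::]:3398.
        n = split($5, part, ":")
        if (part[n] != want) next

        # Fields 7..NF hold users:(("name",pid=N,fd=M)); the column is empty
        # when ss runs without the privileges to see the owning process.
        proc = ""
        for (i = 7; i <= NF; i++) proc = proc $i
        name = "unknown"; pid = "-"
        if (match(proc, /"[^"]*"/))    name = substr(proc, RSTART + 1, RLENGTH - 2)
        if (match(proc, /pid=[0-9]+/)) pid  = substr(proc, RSTART + 4, RLENGTH - 4)
        print $1, $5, pid, name
    }'
}

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5            0.0.0.0:3398       0.0.0.0:*    users:(("svc-helper",pid=4312,fd=6))
tcp   LISTEN 0      128             [::]:33980         [::]:*    users:(("node",pid=2001,fd=20))
udp   UNCONN 0      0               [::]:3398          [::]:*
EOF
}

# Demonstration on the constructed sample.
sample_ss_output | listeners_on_port 3398
# On a live Linux host: ss -H -tulnp | listeners_on_port 3398
```

A line reported with the process as `unknown` means the socket exists but `ss` lacked the privileges to name its owner; rerun as root before drawing conclusions.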
Why Unassigned Ports Matter
The registered port range was meant to be orderly: one service, one port, documented and intentional. In practice it's a land registry full of abandoned claims. Many registered ports have no active protocol, no specification, and no legitimate traffic — which means legitimate traffic here is genuinely unusual.
This matters for network monitoring. When something starts listening on a port where nothing should be listening, that signal is only meaningful if you know what "nothing should be listening" actually looks like. Port 3398 is a good example of a port where the correct expected answer is: silence.