Port 2564: HP 3000 NS/VT — A Protocol Frozen in Time

What Port 2564 Is

Port 2564 is formally assigned by IANA to HP 3000 NS/VT block mode telnet — a proprietary terminal protocol developed by Hewlett-Packard for the HP 3000 series of minicomputers.¹

The HP 3000 was a business minicomputer running HP's MPE/iX operating system. It was widely deployed in enterprise environments from the 1970s through the 1990s for manufacturing, banking, and government operations. HP stopped selling new HP 3000 systems in 2003 and ended official support in 2010.²

Unless you're maintaining a legacy HP 3000 installation — and some organizations still are — nothing should be running on port 2564.

What NS/VT Was

Standard Telnet sends data one character at a time. Every keystroke crosses the network as its own event. On a busy LAN, this gets expensive fast.

NS/VT (Network Services/Virtual Terminal) took a different approach: block mode. Instead of transmitting each character as it was typed, NS/VT held the input until a complete record was ready, then sent it all at once.

The efficiency gain was stark. A 40-character command sent through standard Telnet generated roughly 85 network packets. The same command over NS/VT generated 4.³ HP's engineers weren't just building a terminal protocol — they were building one that respected the network.

Terminal emulators like WRQ Reflection and Minisoft MS92 supported NS/VT. Without one of these clients, you couldn't connect — this was proprietary from both ends.

The Registered Port Range

Port 2564 sits in the registered port range (1024–49151). These ports are documented with IANA, meaning a vendor or working group formally claimed them for a specific purpose. Registration doesn't guarantee the service is still in use — it means someone once cared enough to file the paperwork.

The registered range is distinct from:

• Well-known ports (0–1023): Reserved for foundational protocols like HTTP (80), HTTPS (443), SSH (22)
• Dynamic/ephemeral ports (49152–65535): Assigned temporarily by the OS for outgoing connections

A registered port with a dead service is harmless. What matters is what's actually listening, not what the registry says should be there.

Security Note

Port 2564 has been historically associated with malware activity — at least one trojan was observed communicating over this port.⁴ This is common for ports assigned to obscure or legacy protocols: the official service isn't running anywhere, but the port is open and ignored, which makes it attractive for abuse.

If you see unexpected traffic on port 2564 on a modern system, it is almost certainly not HP 3000 connectivity.

How to Check What's Listening

# Linux/macOS — show what process is bound to port 2564
sudo lsof -i :2564

# Linux alternative
sudo ss -tlnp | grep 2564

# Windows
netstat -ano | findstr :2564

If nothing appears, nothing is listening. That's the expected result on any modern machine.