IEC 60870-5-104 runs over TCP/IP. The port number defines where the controlled station (RTU or IED) listens for incoming connections from the controlling station (SCADA master).
Two ports are used in practice:
- TCP 2404 — the standard port for IEC 104 communication (IANA registered)
- TCP 19998 — the common port for IEC 104 over TLS (secured communication per IEC 62351-3)
Getting the port wrong means no connection. Leaving it unprotected means your SCADA system is exposed. This guide covers everything about IEC 104 ports — from the IANA registration to practical firewall rules you can copy and paste.
1. TCP Port 2404 — The Standard IEC 104 Port
TCP port 2404 is the default and official port for IEC 60870-5-104 communication. It is defined in the IEC 60870-5-104 standard (IEC 60870-5-104:2006, Section 4) and registered with IANA.
Every IEC 104 device — RTU, IED, gateway, or data concentrator — listens on TCP port 2404 by default. The SCADA master initiates the TCP connection to this port.
On port 2404, all traffic is unencrypted. ASDUs, control commands, general interrogation, clock synchronization, and all other IEC 104 messages travel in plain text. Anyone with network access can capture and read the traffic using Wireshark.
2. IANA Registration Details
| Field | Value |
|---|---|
| Service Name | iec-104 |
| Port Number | 2404 |
| Transport Protocol | TCP |
| Description | IEC 60870-5-104 Process Control |
| Assignment Notes | IANA registered |
| Reference | IEC 60870-5-104 |
The IANA registration confirms that port 2404 is exclusively assigned to IEC 60870-5-104. No other protocol should use this port.
3. How the Connection Works on Port 2404
The IEC 104 connection sequence on port 2404:
| Step | Direction | What Happens |
|---|---|---|
| 1 | Master → RTU | TCP SYN to port 2404 |
| 2 | RTU → Master | TCP SYN-ACK |
| 3 | Master → RTU | TCP ACK — TCP connection established |
| 4 | Master → RTU | STARTDT act (U-format) — activate data transfer |
| 5 | RTU → Master | STARTDT con (U-format) — confirm activation |
| 6 | Master → RTU | C_IC_NA_1 (General Interrogation) — request all current data |
| 7 | RTU → Master | ASDUs with current data (Type 1, 3, 9, 13, 30, 36, etc.) |
| 8 | RTU → Master | Spontaneous events continue flowing |
| … | Both | TESTFR act/con keep-alive frames at t3 interval |
The RTU (controlled station) is always the TCP server — it listens on port 2404. The SCADA master (controlling station) is always the TCP client — it initiates the connection.
4. TCP Port 19998 — Secured IEC 104 with TLS
TCP port 19998 is the common industry port for IEC 104 communication secured with TLS (Transport Layer Security). It is specified in IEC 62351-3 (security for TCP/IP-based protocols) and IEC/TS 60870-5-7 (security extensions for IEC 60870-5-101 and IEC 60870-5-104).
Port 19998 provides:
- Encryption — all IEC 104 messages are encrypted using AES
- Authentication — both client and server verify each other’s X.509 certificates
- Integrity — messages cannot be tampered with in transit
Using a separate port for secured communication prevents accidental fallback to unencrypted communication on port 2404.
5. How TLS Works on Port 19998
| Step | Direction | What Happens |
|---|---|---|
| 1 | Master → RTU | TCP SYN to port 19998 |
| 2 | RTU → Master | TCP SYN-ACK |
| 3 | Master → RTU | TCP ACK — TCP connection established |
| 4 | Master → RTU | TLS ClientHello — propose cipher suites |
| 5 | RTU → Master | TLS ServerHello — select cipher suite, send certificate |
| 6 | Master → RTU | Client certificate + key exchange |
| 7 | Both | TLS Finished — encrypted channel established |
| 8 | Master → RTU | STARTDT act (encrypted inside TLS) |
| 9 | RTU → Master | STARTDT con (encrypted inside TLS) |
| 10 | … | Normal IEC 104 communication — all encrypted |
The TLS handshake adds 1–3 seconds to the connection setup. Once established, the overhead is minimal.
6. Port 2404 vs Port 19998 Comparison
| Feature | Port 2404 | Port 19998 |
|---|---|---|
| Standard | IEC 60870-5-104:2006 | IEC 62351-3 / IEC/TS 60870-5-7 |
| Encryption | None — plain text | TLS 1.2 or TLS 1.3 |
| Authentication | None | X.509 certificate-based |
| Integrity | None | TLS MAC (message authentication code) |
| IANA registered | Yes | No (industry convention) |
| Wireshark decoding | Direct — IEC 104 visible immediately | Encrypted — requires TLS key log to decode |
| Legacy support | All devices | Modern devices only |
| Recommended for | Legacy/isolated networks only | All new installations |
| Firewall rule | Allow TCP 2404 | Allow TCP 19998 |
7. Connection Direction: Who Connects to Whom
This is one of the most common configuration mistakes.
| Role | TCP Role | Port | Behavior |
|---|---|---|---|
| Controlled station (RTU/IED) | TCP Server | Listens on 2404 (or 19998) | Waits for incoming connections |
| Controlling station (SCADA master) | TCP Client | Connects TO 2404 (or 19998) | Initiates the connection |
The RTU always listens. The master always connects.
The master uses a random ephemeral source port (e.g., 49152–65535) and connects to the RTU’s destination port 2404.
In Wireshark
- Packets with destination port 2404 = data going to the RTU (master → RTU)
- Packets with source port 2404 = data coming from the RTU (RTU → master)
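The port rule from the table above and the STARTDT/TESTFR frames from the connection sequence in section 3, worked through in code. This is an added example, not code from the original article; the segment records are constructed by hand rather than taken from a capture, and the U-format control octet values are those defined by IEC 60870-5-104.

```python
import struct

IEC104_PORT = 2404
START_BYTE = 0x68

# U-format control octet values defined in IEC 60870-5-104
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}

def direction(src_port, dst_port, port=IEC104_PORT):
    """Apply the port rule: dst 2404 = master -> RTU, src 2404 = RTU -> master."""
    if dst_port == port:
        return "master->rtu"
    if src_port == port:
        return "rtu->master"
    return "unknown"

def decode_apci(payload):
    """Describe the first APDU in a TCP payload (I-, S- or U-format)."""
    if not payload or payload[0] != START_BYTE:
        return "not IEC 104"           # e.g. 0x16 would be a TLS record on 19998
    if len(payload) < 6:
        return "truncated APCI"
    length = payload[1]                # APDU length, excludes start byte and length octet
    if length < 4 or len(payload) < 2 + length:
        return "truncated APCI"
    ctl1 = payload[2]
    recv_seq = struct.unpack("<H", payload[4:6])[0] >> 1
    if (ctl1 & 0x01) == 0:             # I-format: bit 0 of control octet 1 is 0
        send_seq = struct.unpack("<H", payload[2:4])[0] >> 1
        type_id = payload[6] if length > 4 else None
        return f"I-format N(S)={send_seq} N(R)={recv_seq} TypeID={type_id}"
    if (ctl1 & 0x03) == 0x01:          # S-format: bits 1..0 are 01
        return f"S-format N(R)={recv_seq}"
    return "U-format " + U_FUNCTIONS.get(ctl1, f"unknown 0x{ctl1:02x}")

# Constructed segments (src_port, dst_port, payload), not a real capture
SAMPLE = [
    (49152, 2404, bytes.fromhex("680407000000")),                      # STARTDT act
    (2404, 49152, bytes.fromhex("68040b000000")),                      # STARTDT con
    (49152, 2404, bytes.fromhex("680e0000000064010600010000000014")),  # C_IC_NA_1 GI
    (2404, 49152, bytes.fromhex("680443000000")),                      # TESTFR act
]

def classify(records):
    """Pair each segment's direction with its decoded APCI."""
    return [(direction(s, d), decode_apci(p)) for s, d, p in records]
```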
8. Redundant Connections and Port Behavior
IEC 104 supports redundant connections for high-availability SCADA systems. The standard defines redundancy groups where multiple TCP connections can exist simultaneously.
Common Redundancy Configurations
| Configuration | Port Behavior |
|---|---|
| Single connection | One TCP connection on port 2404 |
| Dual master redundancy | Master A and Master B both connect to the same RTU on port 2404. Only one is active. |
| Dual RTU redundancy | Master connects to RTU A and RTU B, both on port 2404. Only one sends data. |
| Multi-port | Some vendors allow configuring a second listening port (e.g., 2405) for the redundant connection |
When a failover occurs, the standby master sends STARTDT act on its existing TCP connection (or opens a new one). The RTU switches data transfer to the new active master.
9. Custom Port Numbers
Some vendors allow configuring IEC 104 on a non-standard port. This is technically valid but creates problems:
- Firewall rules become non-standard
- Wireshark does not decode IEC 104 automatically (requires Decode As or preference change)
- Interoperability testing becomes harder
- Security monitoring tools may not recognize the traffic
If you must use a custom port, document it clearly and configure Wireshark: Edit → Preferences → Protocols → IEC 60870-5-104 → TCP Port.
10. Firewall Rules for IEC 104
Linux iptables — Allow Port 2404
```bash
# Allow IEC 104 from SCADA master (192.168.1.10) to RTU (192.168.1.100)
iptables -A INPUT -p tcp -s 192.168.1.10 --dport 2404 -j ACCEPT
iptables -A INPUT -p tcp --dport 2404 -j DROP
```
Linux iptables — Allow Port 19998 (TLS)
```bash
# Allow secured IEC 104 from SCADA master to RTU
iptables -A INPUT -p tcp -s 192.168.1.10 --dport 19998 -j ACCEPT
iptables -A INPUT -p tcp --dport 19998 -j DROP
```
Windows Firewall (PowerShell)
```powershell
# Allow inbound IEC 104 on port 2404 from SCADA master
New-NetFirewallRule -DisplayName "IEC 104" -Direction Inbound -Protocol TCP -LocalPort 2404 -RemoteAddress 192.168.1.10 -Action Allow
# Block all other IEC 104 traffic
New-NetFirewallRule -DisplayName "IEC 104 Block" -Direction Inbound -Protocol TCP -LocalPort 2404 -Action Block
```
Cisco IOS ACL
```
access-list 101 permit tcp host 192.168.1.10 host 192.168.1.100 eq 2404
access-list 101 deny tcp any host 192.168.1.100 eq 2404
```
Key Rules
- Never expose port 2404 or 19998 to the internet
- Restrict access to known SCADA master IP addresses only
- Log all connection attempts for security monitoring
- Block port 2404 entirely if TLS on port 19998 is available
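The "log all connection attempts" rule is only useful if someone reads the log. The audit below is an added example, not part of the original article: it assumes the iptables rules above were preceded by a LOG rule with `--log-prefix "IEC104: "` (an assumption) and flags SYNs to 2404/19998 from non-master sources, plain 2404 use when TLS on 19998 is available, and repeated attempts from one source. The log lines are constructed for the demo.

```python
import re
from collections import Counter

KV_RE = re.compile(r"(\w+)=(\S*)")
IEC104_PORTS = {2404, 19998}

def parse_log_line(line):
    """Return the key/value fields of a netfilter LOG line, or None if it is not one."""
    if "PROTO=TCP" not in line or "DPT=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["DPT"] = int(fields["DPT"])
    fields["SPT"] = int(fields.get("SPT", 0))
    fields["SYN"] = " SYN " in line          # new connection attempt, not an established flow
    return fields

def audit(lines, allowed_masters, tls_available=False):
    """Return (source, port, reason) findings for IEC 104 connection attempts."""
    findings = []
    per_source = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None or f["DPT"] not in IEC104_PORTS or not f["SYN"]:
            continue
        src, port = f["SRC"], f["DPT"]
        per_source[src] += 1
        if src not in allowed_masters:
            findings.append((src, port, "connection attempt from non-master source"))
        elif port == 2404 and tls_available:
            findings.append((src, port, "plain 2404 used although TLS on 19998 is available"))
    for src, n in per_source.items():
        if n >= 3:                           # threshold is an arbitrary demo value
            findings.append((src, None, f"{n} attempts: possible scan or misconfigured master"))
    return findings

# Constructed kernel log lines in netfilter LOG format (not real data)
SAMPLE_LOG = [
    "Jan 12 10:01:02 rtu1 kernel: IEC104: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.100 PROTO=TCP SPT=49152 DPT=2404 SYN URGP=0",
    "Jan 12 10:03:17 rtu1 kernel: IEC104: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP SPT=50123 DPT=2404 SYN URGP=0",
    "Jan 12 10:03:18 rtu1 kernel: IEC104: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP SPT=50124 DPT=19998 SYN URGP=0",
    "Jan 12 10:03:19 rtu1 kernel: IEC104: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.100 PROTO=TCP SPT=50125 DPT=2404 SYN URGP=0",
    "Jan 12 10:05:00 rtu1 kernel: IEC104: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.100 PROTO=TCP SPT=49153 DPT=2404 ACK URGP=0",
]
```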
11. Wireshark Capture and Display Filters
Capture Filter (before starting capture)
```
tcp port 2404
```
For TLS-secured IEC 104:
```
tcp port 19998
```
Display Filters
| Filter | What It Shows |
|---|---|
| iec60870_104 | All IEC 104 traffic |
| tcp.port == 2404 | All traffic on port 2404 (including TCP handshake) |
| tcp.dstport == 2404 | Traffic going to the RTU |
| tcp.srcport == 2404 | Traffic coming from the RTU |
| tcp.port == 19998 | Secured IEC 104 traffic (shows as TLS unless decrypted) |
| iec60870_asdu.typeid == 100 | General Interrogation commands |
| iec60870_asdu.typeid == 36 | Measured values (short float with timestamp) |
Decoding IEC 104 on a Non-Standard Port
If your system uses a custom port, Wireshark will not decode it automatically. Fix:
- Edit → Preferences → Protocols → IEC 60870-5-104 → change the TCP port
- Or right-click a packet → Decode As → TCP port → IEC 60870-5-104
12. Testing Port Connectivity
Before configuring IEC 104 communication, verify that the port is reachable.
From the SCADA Master
```bash
# Test if RTU port 2404 is open
telnet 192.168.1.100 2404
# Or using netcat
nc -zv 192.168.1.100 2404
```
From a Windows master, using PowerShell:
```powershell
Test-NetConnection -ComputerName 192.168.1.100 -Port 2404
```
On the RTU
```bash
# Verify IEC 104 is listening
netstat -tlnp | grep 2404
# Expected output:
# tcp 0 0 0.0.0.0:2404 0.0.0.0:* LISTEN 12345/iec104_server
```
Common Results
| Result | Meaning | Fix |
|---|---|---|
| Connection succeeded | Port is open and IEC 104 service is running | OK |
| Connection refused | Port is not open — IEC 104 service is not running | Start the IEC 104 service on the RTU |
| Connection timed out | Firewall is blocking the port | Check firewall rules on the RTU and network devices |
| Host unreachable | Network path is broken | Check IP addresses, routing, and physical connectivity |
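The same outcomes as the Common Results table, produced by a small connect test that maps the socket error to the table's diagnosis. This is an added example, not code from the original article; `self_check()` stands up a throwaway local listener on an ephemeral port so the "open" case can be exercised offline without an RTU.

```python
import errno
import socket

def check_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timed out', 'unreachable' or 'error: ...'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timed out"             # typically a firewall silently dropping the SYN
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"           # host reachable, nothing listening on the port
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"       # routing or physical path problem
        return f"error: {exc}"
    finally:
        sock.close()

# Diagnosis per result, following the Common Results table
ADVICE = {
    "open": "OK: port open; confirm the IEC 104 service answers STARTDT act",
    "refused": "start the IEC 104 service on the RTU",
    "timed out": "check firewall rules on the RTU and network devices",
    "unreachable": "check IP addresses, routing, and physical connectivity",
}

def diagnose(host, port, timeout=3.0):
    """Return (result, advice) for a connect attempt to host:port."""
    result = check_port(host, port, timeout)
    return result, ADVICE.get(result, "investigate the reported socket error")

def self_check():
    """Offline demo: a local listener on an ephemeral port stands in for the RTU."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)                      # kernel completes the handshake from the backlog
    port = srv.getsockname()[1]
    try:
        return check_port("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
```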
13. Common Port-Related Problems and Fixes
| Problem | Symptom | Fix |
|---|---|---|
| Wrong port configured | TCP connection refused | Verify both master and RTU use the same port (2404 or 19998) |
| Firewall blocking port 2404 | Connection timeout | Add firewall rule to allow TCP 2404 from the master IP |
| RTU not listening | Connection refused | Restart the IEC 104 service. Check RTU configuration. |
| Master connecting to wrong IP | No response | Verify the RTU IP address in the master configuration |
| Multiple masters on same port | Second master cannot connect | Some RTUs limit concurrent connections. Check max connections setting. |
| Port 2404 exposed to internet | Security risk | Block external access immediately. Restrict to SCADA VLAN only. |
| TLS handshake fails on 19998 | Connection drops after TCP handshake | Check certificates. Verify TLS version compatibility. Check cipher suites. |
| Wireshark shows TCP but not IEC 104 | Non-standard port | Configure Wireshark Preferences → Protocols → IEC 60870-5-104 → set port |
| NAT breaking IEC 104 | Intermittent connection drops | Avoid NAT for IEC 104. Use direct routing or VPN. |
14. Security Best Practices for IEC 104 Ports
Do
- Use port 19998 with TLS for all new installations
- Restrict access to port 2404/19998 by source IP address
- Place IEC 104 devices on a dedicated SCADA VLAN
- Log all connections — both successful and failed
- Use IDS/IPS with IEC 104 protocol awareness (e.g., Claroty, Nozomi, Dragos)
- Implement IEC 62351-3 for TLS and IEC 62351-5 for application-level authentication
Do Not
- Expose port 2404 or 19998 to the internet — ever
- Use port 2404 without additional security on networks with IT connectivity
- Rely on “security by obscurity” (changing to a non-standard port does not add security)
- Allow IEC 104 traffic to pass through untrusted networks without VPN or TLS
For a complete security guide, see: IEC 60870-5-104 Security Explained: TLS, IEC 62351 & IEC/TS 60870-5-7
Summary
IEC 60870-5-104 uses two TCP ports:
- Port 2404 — IANA-registered standard port. Unencrypted. Used in legacy systems.
- Port 19998 — industry-standard port for IEC 104 over TLS. Encrypted. Recommended for all new systems.
The key things to remember:
- The RTU is always the TCP server (listens on port 2404/19998). The master is always the TCP client (connects to the RTU).
- Never expose port 2404 to the internet. Restrict by source IP and use a dedicated SCADA VLAN.
- Use `tcp port 2404` as a Wireshark capture filter and `iec60870_104` as a display filter.
- Test connectivity with `telnet` or `nc -zv` before configuring IEC 104 parameters.
- For non-standard ports, configure Wireshark via Preferences → Protocols → IEC 60870-5-104.
💡 Tip: Use the free IEC 104 Frame Decoder Tool to decode any IEC 104 frame byte by byte — including APCI, ASDU type ID, cause of transmission, and data values.
For timeout configuration, see: Adjusting Timeout Values (t0–t3) in IEC 60870-5-104
For Wireshark analysis, see: Wireshark IEC 60870-5-104 Decoding Guide
