Port 2834: EVTP — A Name Without a Protocol

What Range This Port Belongs To

Port 2834 sits in the registered ports range (1024-49151), sometimes called the "user ports" range. This is the middle tier of the port numbering system.

The three tiers:

• 0-1023 — Well-known ports. Reserved for foundational Internet services (HTTP on 80, HTTPS on 443, SSH on 22). Binding to these requires root/administrator privileges on most systems.
• 1024-49151 — Registered ports. Anyone can apply to IANA to associate a port number with a named service. Binding doesn't require elevated privileges, but the port is formally claimed.
• 49152-65535 — Dynamic/ephemeral ports. Used temporarily by operating systems for outbound connections. Nothing is registered here; it's open territory.

What IANA Lists

IANA's registry formally assigns port 2834 to a service called EVTP — for both TCP and UDP.¹

That's essentially where the trail ends. There is no RFC defining the protocol. There is no public specification. There is no known implementation that anyone in the networking community discusses or documents. The IANA entry has a name and nothing else.

This happens. Someone once submitted a registration — perhaps for an internal enterprise tool, a project that never launched, or software that was retired before it ever mattered. The registry accepted it. The world moved on.

Known Unofficial Uses

No significant unofficial uses of port 2834 have been documented. Some security scanners flag it because it has historically appeared in scans alongside other unrelated ports, which is not the same as a known association with specific software or malware.

If port 2834 is active on your system, it is almost certainly something specific to your environment — a custom application, internal tooling, or a misconfigured service — not a standard protocol anyone would recognize.

How to Check What Is Listening

If you see port 2834 active on a machine, here is how to identify what is using it:

On Linux or macOS:

# Show which process is listening on port 2834
sudo ss -tlnp | grep 2834

# Alternative using lsof
sudo lsof -i :2834

On Windows:

netstat -ano | findstr :2834

This will give you the process ID (PID). From there:

# Linux/macOS — find the process name
ps aux | grep <PID>

# Windows — find the process name
tasklist | findstr <PID>

Why Unassigned and Phantom Ports Matter

The registered port range contains thousands of entries in various states: actively used protocols, dormant assignments, completely undocumented names, and genuine gaps.

This matters for a few reasons:

Firewall policy. A port with no known legitimate service that shows up active on a production system is a signal worth investigating. It is not automatically malicious, but it warrants an explanation.

Port scanning interpretation. When a security scanner reports port 2834 open, the result is ambiguous. There is no baseline behavior to compare against. "Open and unknown" is a different risk posture than "open and running HTTPS."

The registry as history. Phantom registrations like EVTP are a record of projects that existed — at least long enough for someone to file paperwork. The port range is partly a graveyard of software that almost happened.