Port 1973 is registered with IANA. The assignment is real. Almost no one uses it.
It belongs to the registered port range (1024–49151)—the middle tier of the port system, where protocols apply to IANA for a reserved number. Below 1024 are the well-known ports: HTTP, SSH, DNS, the foundations. Above 49151 are the ephemeral ports, assigned temporarily to outgoing connections and then released. Registered ports sit between them: named, reserved, often forgotten.
Port 1973 falls into that last category.
What DLSRAP Is
In February 1997, RFC 2106 defined the Data Link Switching Remote Access Protocol, abbreviated DLSRAP.[1] It was an IBM-era solution to a specific problem: how do remote workstations running SNA or NetBIOS—IBM's legacy networking protocols—connect to a central router over TCP/IP?
DLSw (Data Link Switching) had already solved this for site-to-site connections, letting IBM mainframe traffic travel over IP networks. DLSRAP extended that to individual remote users. A DRAP client on a workstation would connect over TCP to a DRAP server on a router, which would then relay SNA or NetBIOS traffic to the central site.[2]
Port 1973 was the default TCP port for this client-server connection.
RFC 2106 was obsoleted almost immediately by RFC 2114, which defined DCAP (Data Link Switching Client Access Protocol), a cleaner successor.[3] Neither protocol survived the decade. SNA networks migrated to native IP. NetBIOS over TCP/IP replaced the gateway model. The workstations DLSRAP was built for were replaced by workstations that didn't need it.
Port 1973 was left behind—registered, but empty.
What Moved In
Empty registered ports attract squatters.
KGB-RAT (also identified as Backdoor.Win32.Small.bu) listened on TCP 1973. It allowed unauthenticated remote command execution—an attacker who connected could run commands on the infected machine or capture screenshots. The name is theatrical. The threat was real.
W32.Sonic.Worm, an email worm from 2000, also used this port to download additional payloads after initial infection.
Neither threat is current. Both are historical artifacts from an era when most home machines had no firewall and open ports went unnoticed. But they illustrate why port assignments matter: the moment a port number becomes associated with legitimate-but-abandoned software, it becomes a target. Something has to be listening for the assignment to mean anything.
How to Check What's Listening Here
If you find port 1973 open on a machine, it's almost certainly not DLSRAP. Check what's actually there:
On Linux/macOS:
On Windows:
The process ID in the output will tell you what's running. If it's something you don't recognize, that's worth investigating.
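One way to run the Linux check so that only an exact port match counts (an added example, not code from the original page): it parses `ss -H -tlnp` output and resolves the owning PID to its executable. The function names and the sample listener lines are constructed for illustration, and it assumes a Linux host with iproute2's `ss`.

```shell
#!/bin/sh
# Added example (not from the original page): find the owner of a listening TCP port.

# Read `ss -H -tlnp` output on stdin and print "pid local_addr name" for each
# listener whose local port equals $1 exactly, so 19730 or pid=1973 never match.
listeners_on_port() {
    awk -v port="$1" '
    {
        addr = $4                                # Local Address:Port column
        n = split(addr, parts, ":")              # port follows the last colon
        if (parts[n] != port) next
        pid = "?"; name = "?"                    # process column is empty without root
        if (match($0, /pid=[0-9]+/))             # first owner only, if several share it
            pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /\(\("[^"]+"/))
            name = substr($0, RSTART + 3, RLENGTH - 4)
        print pid, addr, name
    }'
}

# Live check (assumes Linux with iproute2; run as root to see every process).
check_port() {
    port="${1:-1973}"
    ss -H -tlnp | listeners_on_port "$port" | while read -r pid addr name; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="unreadable"
        echo "port $port on $addr: pid=$pid name=$name exe=$exe"
    done
}

# Constructed sample of `ss -H -tlnp` output, not captured from a real host.
SAMPLE='LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5    0.0.0.0:1973     0.0.0.0:* users:(("updater",pid=4242,fd=4))
LISTEN 0 5    [::]:1973        [::]:*    users:(("updater",pid=4242,fd=5))
LISTEN 0 4096 127.0.0.1:19730  0.0.0.0:* users:(("node",pid=1973,fd=20))'

# Demo on the sample; on a live host call: check_port 1973
printf '%s\n' "$SAMPLE" | listeners_on_port 1973
```

On macOS, `lsof -nP -iTCP:1973 -sTCP:LISTEN` answers the same question; on Windows, `netstat -ano | findstr :1973` shows the owning PID in the last column.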
Why Unassigned Ports Matter
The port system works because assignments create expectations. Port 443 means HTTPS. Port 22 means SSH. Everyone agrees, and network equipment, firewalls, and security tools can act on that agreement.
Unassigned or abandoned ports break the system in a small way. Nothing enforces IANA assignments—any application can open any port. When a legitimate assignment falls out of use, the port becomes ambiguous. Is port 1973 open because someone is running ancient IBM networking software? Because a developer picked an arbitrary number for a local service? Because malware is using a number no one monitors?
The answer is almost always the third one or the second one. Almost never the first.