
What This Port Is

Port 2228 belongs to the registered port range (1024–49151). These ports are officially tracked by IANA — they're not reserved for system services like well-known ports (0–1023), but vendors and developers can register them to stake a claim.

Port 2228 was registered in January 2006 to eHome Message Server (service name: ehome-ms), attributed to Peter Gabriel.[1] The protocol appears to be related to home automation messaging. It is not widely deployed, not publicly documented in any RFC, and not something you'll encounter in the wild.

This is not unusual. The registered port range contains thousands of entries for software that shipped once, companies that no longer exist, and protocols that never left internal use. The registration is real. The service is not.

What Actually Runs Here: Cisco Layer 2 Traceroute

If you find something listening on UDP port 2228, it's almost certainly a Cisco switch running the Layer 2 Traceroute service.[2]

This is a diagnostic utility built into Cisco IOS and IOS XE software since the CatOS era. Its purpose: trace the Layer 2 path a packet takes through a switched network, hop by hop, using MAC addresses instead of IP addresses.

That's a legitimate and useful tool for network engineers. The problem is how it ships:

  • Enabled by default on Cisco Catalyst switches
  • No authentication required — any host with IP reachability can query it
  • Responds with detailed topology information — VLAN membership, MAC address tables, interface names, duplex settings, CDP neighbor data [3]

In other words: a fully unauthenticated service, on by default, that will describe your internal network to anyone who sends it a UDP packet. Cisco issued a security advisory about this in 2019 — not because it was a vulnerability in the traditional sense, but to formally document that it exists and to encourage administrators to disable it if they don't need it.[4]

To disable Layer 2 Traceroute on a Cisco switch:

Switch(config)# no l2 traceroute
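
Because the service is on by default, an audit of saved switch configurations has to treat a missing line as exposed, not as safe. The sketch below is an added example, not Cisco's or this page's own code; it assumes a disabled switch shows the literal line `no l2 traceroute` at global level in its saved configuration, and the hostnames and sample configurations are constructed.

```python
import re

# Constructed sample configurations (not taken from any real device).
SAMPLE_CONFIGS = {
    "access-sw-01": "hostname access-sw-01\n!\nvlan 10\n name USERS\n!\nend\n",
    "access-sw-02": "hostname access-sw-02\n!\nno l2 traceroute\n!\nend\n",
    # The command only appears inside a '!' comment, so it was never applied.
    "core-sw-01": "hostname core-sw-01\n! no l2 traceroute (planned)\n!\nend\n",
}

# Global-config commands start in column 0; group 1 captures the "no" form.
_L2T_LINE = re.compile(r"^(no\s+)?l2\s+traceroute\s*$", re.IGNORECASE)


def l2_traceroute_enabled(config_text):
    """Return True unless the configuration explicitly disables the service.

    The service is on by default, so a configuration that never mentions
    it counts as enabled. Comment lines and indented (sub-mode) lines are
    ignored, and if the command appears more than once the last one wins.
    """
    enabled = True  # default state per the page: enabled
    for line in config_text.splitlines():
        match = _L2T_LINE.match(line.rstrip())
        if match:
            enabled = match.group(1) is None
    return enabled


def exposed_switches(configs):
    """Names of switches whose saved config leaves UDP 2228 answering."""
    return sorted(n for n, text in configs.items() if l2_traceroute_enabled(text))


if __name__ == "__main__":
    for name in exposed_switches(SAMPLE_CONFIGS):
        print(f"{name}: Layer 2 Traceroute enabled, add 'no l2 traceroute'")
```

A plain search for the string `l2 traceroute` would have marked core-sw-01 as handled; matching only uncommented global-level lines avoids that false negative.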

How to Check What's Listening on Port 2228

On any Linux or macOS system:

# Check if something is listening locally
# (ss is Linux-only; lsof works on both Linux and macOS)
ss -ulnp | grep 2228
lsof -i UDP:2228

# Probe a remote host (use with permission)
nmap -sU -p 2228 <target-ip>

On Windows:

netstat -ano | findstr :2228

Why Unregistered and Obscure Ports Still Matter

Port 2228 is a small case study in why the registered port range isn't always what it seems.

IANA registration is not a guarantee that a service is active, secure, or relevant. The registration process historically required little vetting — a name, a contact, a brief description. Thousands of registered ports are dead letters: software abandoned, companies dissolved, protocols that never shipped.

Meanwhile, widely-used software often squats on registered ports it doesn't own. Cisco's Layer 2 Traceroute has been using 2228 for years alongside the eHome registration — not because it was assigned there, but because the port was available and the feature predated any conflict.

The result: a port that technically belongs to a home automation server has become a default attack surface on enterprise network infrastructure. A good reminder that port numbers are recommendations, not contracts.
