Port 1822 sits in the registered ports range (1024–49151). These are ports that organizations and developers can formally claim through IANA, the body that coordinates Internet naming and numbering. A registered port is supposed to mean something: a specific protocol, a specific service, a specific use case. Someone asked for this port and IANA said yes.
The name on file: es-elmd, registered for both TCP and UDP.
What is es-elmd? Nobody seems to know. There is no RFC documenting the protocol. No vendor has publicly claimed it. No open-source project uses it. The IANA registry — the definitive record of what lives on every port — has a name and nothing else.1
This happens more than you might expect. The registered ports range contains thousands of entries, many of them claimed during the 1990s and early 2000s by companies that registered a port for a product that was never widely deployed, or was later abandoned. The registration persists; the product doesn't.
What Gets Observed Here
The SANS Internet Storm Center logs scanning activity on port 1822, but at low levels: routine reconnaissance that sweeps the whole port range across many hosts, not targeted exploitation of something known to be running here.2 There is no publicly documented malware or exploit associated with this port.
If you see traffic on port 1822 in your environment, it is almost certainly one of these:
- An application that chose this port informally (it is available and uncontested)
- A scanner probing the registered range
- Something internal to your network using it as a convenient high port
- An ephemeral source port: older Windows and BSD stacks drew client ports from roughly 1025 to 5000, so a connection whose source port is 1822 says nothing about es-elmd; only the destination port identifies the service
How to Check What's Listening
If port 1822 is open on a machine you manage, find out what is actually using it.
On Linux or macOS, list listening sockets together with the process that owns them: ss -ltnp on Linux, or lsof -nP -iTCP:1822 -sTCP:LISTEN on macOS.
On Windows, netstat -ano shows each listening socket with its process ID, and tasklist /FI "PID eq <pid>" (or Get-Process -Id <pid> in PowerShell) names the process.
The process ID in the output tells you what is actually running. From there, check the process name, and the path of the executable behind it, against what you expect to be on that system; a listener with a plausible name but an unexpected binary location is the case worth investigating.
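The check described above, written out as a POSIX shell script. This is an added example and not code from the original page: it lists what is bound to a port (1822 by default), resolves the owning process, and contrasts that with the label /etc/services carries for the port. It assumes Linux with iproute2's ss, or macOS/BSD with lsof; the ss output lines, process names, PIDs and /etc/services entries used for illustration are constructed samples, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Shows what is actually bound to a
# port (default 1822) and contrasts it with the label /etc/services carries for it.
# Assumes Linux with iproute2 `ss`, or macOS/BSD with `lsof`. Function names are
# illustrative; sample inputs in comments are constructed.

# parse_ss_listeners PORT
# Reads `ss -Hltnp` output on stdin and prints "pid<TAB>process<TAB>local-address"
# for each socket listening on PORT. A typical (constructed) input line:
#   LISTEN 0 128 0.0.0.0:1822 0.0.0.0:* users:(("es-elmd",pid=4242,fd=5))
parse_ss_listeners() {
  awk -v port="$1" '
    {
      laddr = $4                      # Local Address:Port column
      n = split(laddr, parts, ":")    # port is the text after the last colon
      if (parts[n] != port) next      # exact match: 1822, not 18220
      pid = "?"; proc = "?"           # ss omits users:() without permission
      if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^users:\(\("/, "", s)    # -> name",pid=1234
        split(s, kv, "\",pid=")
        proc = kv[1]; pid = kv[2]
      }
      printf "%s\t%s\t%s\n", pid, proc, laddr
    }'
}

# services_name PORT PROTO
# Reads /etc/services-style lines on stdin and prints the registered name for
# PORT/PROTO, or "unassigned" if nothing matches. This is the label tools fall
# back to; it says nothing about what is really listening.
services_name() {
  awk -v want="$1/$2" '
    /^[ \t]*#/ || NF < 2 { next }
    $2 == want { print $1; found = 1; exit }
    END { if (!found) print "unassigned" }'
}

# listeners_on_port PORT
# Runs whichever tool this host has and normalises its output to the shape above.
listeners_on_port() {
  port="$1"
  if command -v ss >/dev/null 2>&1; then
    ss -Hltnp 2>/dev/null | parse_ss_listeners "$port"
  elif command -v lsof >/dev/null 2>&1; then
    # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    lsof -nP -iTCP:"$port" -sTCP:LISTEN 2>/dev/null |
      awk 'NR > 1 { printf "%s\t%s\t%s\n", $2, $1, $9 }'
  else
    echo "neither ss nor lsof is available" >&2
    return 1
  fi
}

# describe_pid PID
# Resolve the executable behind a PID. A listener whose name looks familiar but
# whose binary lives somewhere unexpected deserves a second look.
describe_pid() {
  if [ -d "/proc/$1" ]; then
    printf 'pid %s exe %s\n' "$1" "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
  else
    ps -p "$1" -o pid=,comm=,args= 2>/dev/null || echo "pid $1 not found"
  fi
}

# Usage: sh check_port.sh 1822   (no argument: only defines the functions above)
if [ -n "${1:-}" ]; then
  if [ -r /etc/services ]; then
    printf 'registry says: %s\n' "$(services_name "$1" tcp < /etc/services)"
  fi
  listeners_on_port "$1" | while IFS="$(printf '\t')" read -r pid proc laddr; do
    printf 'listening: %s (pid %s) on %s\n' "$proc" "$pid" "$laddr"
    if [ "$pid" != "?" ]; then describe_pid "$pid"; fi
  done
fi
```

The parser matches the port exactly rather than by prefix, so 1822 does not pick up a listener on 18220, and it tolerates ss output that lacks the users:() column, which happens when the command runs without the privilege to see other users' sockets.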
Why Unassigned Ports Matter
The registered ports range exists to prevent collisions — two applications fighting over the same port on the same machine. But registration only works if the registered services actually exist and are documented. Port 1822 illustrates the failure mode: a name in a registry, no documentation, no way to know what it was ever for.
This matters because security tools make decisions based on port numbers. A firewall rule, an intrusion detection signature, a compliance report: all of them treat registered ports differently from ephemeral ones, and some will label port 1822 traffic "es-elmd" simply because that is the string in the registry. A port with an IANA name but no documentation sits in an uncomfortable middle ground: officially claimed, practically unknown. Nothing stops any program from binding a registered port, so the name identifies a service only by convention; if a listener on 1822 matters to you, fingerprint what is actually speaking on it rather than trusting the label.
The honest answer about port 1822 is: it belongs to something called es-elmd, and we do not know what that is.