Port 2904: M2UA — The Phone Network's Secret IP Tunnel

Port 2904 carries M2UA (MTP2 User Adaptation Layer), part of the SIGTRAN protocol family. Its job: take the ancient signaling language of the telephone network and tunnel it invisibly through the Internet.

What Is SS7, and Why Does It Need Help?

Signaling System 7 is how the telephone network talks to itself. Not voice — signaling. The messages that say "dial this number," "the line is ringing," "call connected," "call ended." SS7 was standardized in the 1980s and built for a world of dedicated copper circuits, where signaling traveled on its own private wires completely separate from the voice it controlled.

It worked beautifully for decades. Then the Internet happened.

By the late 1990s, carriers were replacing those expensive dedicated circuits with IP infrastructure. But SS7 didn't speak IP. The phone network couldn't simply be rewritten — it handles billions of calls, emergency services, SMS, roaming agreements between carriers worldwide. You don't rewrite that on a Tuesday.

What M2UA Does

M2UA is part of SIGTRAN — the IETF working group formed specifically to answer the question: how do we run SS7 over IP without breaking everything?

The answer involved several adaptation layers, each targeting a different level of the SS7 stack. M2UA handles the lowest layer: MTP2, the data link layer of SS7. It takes MTP2 signaling messages from a Signaling Gateway (a box sitting at the edge of the traditional telephone network) and hauls them across IP to a Media Gateway Controller (the IP-side brain making call decisions).

The transport underneath is SCTP — Stream Control Transmission Protocol — not TCP or UDP. SCTP was chosen because it offers multi-homing (redundancy across multiple IP paths) and multi-streaming (no head-of-line blocking), both critical for telephony signaling that cannot afford to lose or delay messages.¹

Port 2904 is assigned for M2UA over both SCTP and TCP.²

The Standard

RFC 3331, published in September 2002, defines the M2UA protocol. It was authored by Morneault, Dantu, Sidebottom, Bidulock, and Heitz — engineers working on the problem of converging two worlds that were never designed to meet.³

Who Uses This Port

Telecom carriers and their equipment vendors. If you're running network monitoring on a carrier's infrastructure and see port 2904 active, you're looking at SS7 signaling being backhauled over IP — completely normal for that environment.

If you see port 2904 active on a corporate server or personal machine, that's worth investigating. A variant of Trojan-Dropper.Win32.Small.fp was documented using this port to establish an open proxy. M2UA has no business running on anything that isn't telecom signaling equipment.⁴

How to Check What's Listening

# Linux/macOS — show what process owns port 2904
sudo ss -tlnp sport = :2904
sudo lsof -i :2904

# Windows
netstat -ano | findstr :2904

If it shows up on your system and you're not running telecom infrastructure, treat it as suspicious.

The Range

Port 2904 sits in the registered port range (1024–49151). These ports are registered with IANA, meaning an organization asked for and received an official assignment. They're not system ports (which require root/administrator), but they carry legitimate named services. The registration means something specific was supposed to run here — and in this case, something specific does.