Port 2922: cesdcdtrn — A Registered Ghost

What This Port Is

Port 2922 sits in the registered port range (1024–49151), the middle tier of the 65,535-port address space. These ports are assigned by IANA on a first-come, first-served basis to applications and services that request them. Unlike well-known ports (0–1023), registered ports don't require special system privileges to use — any application can bind to them.

IANA's registry lists port 2922 as cesdcdtrn — short for "CESD Contents Delivery Data Transfer," assigned for both TCP and UDP. Its neighbor, port 2921, is cesdcdman — "CESD Contents Delivery Management." The pair suggests a system with separate channels for control and data, a common pattern in network protocols.

But here's the honest part: CESD is effectively unknown. There is no RFC, no technical specification, no vendor documentation, and no meaningful presence in network traffic databases. Someone registered these ports — presumably for a content delivery system — and the project either never shipped, died quietly, or operates entirely in private infrastructure without public documentation.

What "Registered but Unknown" Means

The registered port range has a problem: assignment is permanent and cheap. Organizations claimed ports for projects that were abandoned, internal tools that never needed public standardization, or proprietary systems that never left their own networks. The result is thousands of ports like 2922 — technically assigned, practically empty.

This doesn't mean nothing uses port 2922 in practice. Unassigned and ghost-assigned ports get used all the time by:

• Internal enterprise software that picks a port and never registers it properly
• Development environments that bind to arbitrary registered ports
• Misconfigured services that land on unusual ports by accident
• Malware that uses unmonitored ports to avoid detection

If you see traffic on port 2922 on your network, it isn't CESD — it's something else entirely.

How to Check What's Using This Port

If port 2922 shows up in your logs or monitoring:

Linux/macOS:

sudo ss -tlnp | grep 2922
sudo lsof -i :2922

Windows (Command Prompt as Administrator):

netstat -aon | findstr :2922
tasklist /fi "PID eq <PID_from_above>"

Across your network:

nmap -sV -p 2922 <target>

The -sV flag on nmap attempts service version detection, which can identify what's actually running even when the port number doesn't match any known service.