Port 1790: Narrative Media Streaming Protocol — A Name Without a Story

What Range This Port Belongs To

Port 1790 sits in the registered ports range (1024-49151). These are ports that organizations or developers could formally register with IANA to signal their intended use — not as binding assignments, but as a courtesy reservation so two different services wouldn't accidentally collide on the same number.

The well-known ports (0-1023) are reserved for foundational protocols: HTTP at 80, SSH at 22, DNS at 53. The registered range is where everything else goes — commercial software, internal enterprise tools, and protocols that never quite made it to widespread adoption.

Port 1790 is in that second category.

The Name on File: NMSP

IANA records port 1790 as nmsp — the Narrative Media Streaming Protocol — registered for both TCP and UDP. That's the full extent of the official record.¹

No RFC was ever published for it. No major open-source project references it. No documentation explains what "narrative" meant in this context, or what kind of media it was designed to stream, or who submitted the registration. The name suggests something interesting: streaming media organized around narrative structure, perhaps for interactive storytelling or synchronized content delivery. But without documentation, that's speculation.

It's a ghost in the registry.

Observed Traffic

The SANS Internet Storm Center tracks scanning activity on port 1790, and it does appear occasionally in passive observation data.² This is normal for any registered port that isn't actively monitored — automated scanners probe the entire port space continuously, looking for open doors. Seeing traffic on port 1790 almost certainly means a scanner found you, not that NMSP software found you.

There are no known exploits, CVEs, or malware families specifically targeting this port.

What Might Actually Be Running Here

If you see port 1790 open on a system you're responsible for, the honest answer is: it's probably not NMSP. More likely candidates:

• A custom internal application that chose this port arbitrarily
• A development server bound to a non-conflicting registered port
• A gaming client, VPN tool, or proprietary enterprise software using it unofficially

The registered ports range is loosely governed. Software doesn't need to use the port it registered for, and nothing stops software from using a port it never registered.

How to Check What's Listening

On Linux or macOS:

sudo ss -tlnp | grep 1790
# or
sudo lsof -i :1790

On Windows:

netstat -ano | findstr :1790

The output will show the process ID. On Linux/macOS, lsof includes the process name directly. On Windows, take the PID to Task Manager or run:

tasklist | findstr <PID>

Why Unassigned-in-Practice Ports Matter

The registered ports range was built on optimism — that every organization would register cleanly, document thoroughly, and keep records current. In practice, many registrations were made once and never maintained. Protocols were prototyped and abandoned. Companies dissolved. The IANA registry accumulated entries like NMSP: formally registered, functionally orphaned.

This matters for security. When you see an unexpected port open, you can't trust the registry name to tell you what's actually running. Port 1790 might say "Narrative Media Streaming Protocol" in every database on the Internet, but what's listening on your server is whoever opened it — and you need to check that directly.

The port system's integrity depends on administrators knowing what's running on their machines, not on trusting a registry that hasn't been audited since the 1990s.