Port 2987: ResolveNet IDENTIFY — A Registered Ghost

What Port 2987 Is

Port 2987 sits in the registered ports range (1024–49151). These ports are assigned by IANA to specific services — companies and protocol designers submit requests, IANA records the assignment, and the port becomes officially "theirs."

Port 2987 belongs to ResolveNet (IOM) Ltd, a company based on the Isle of Man that registered it for a service called IDENTIFY.¹ Based on available records, ResolveNet was involved in electronic commerce and business directory services — likely a system where participating services could announce and authenticate themselves on a network.

The company is effectively defunct. The protocol was never widely adopted. The port is listed in IANA records but produces no traffic on the public Internet worth noting.

This makes port 2987 a ghost assignment: officially registered, practically abandoned.

What the Registered Range Means

When you see a port in the 1024–49151 range, IANA has likely recorded an official owner — but official ownership doesn't guarantee the service is alive, widely used, or even maintained. Thousands of registered ports belong to products that were discontinued, companies that dissolved, or protocols that never gained adoption.

Unlike the well-known ports (0–1023), registered ports carry no assumption of being present on any given system. Finding port 2987 open on a machine you're investigating means nothing until you check what's actually listening there.

What Might Be Listening

If you find port 2987 open on a system, it's almost certainly not ResolveNet's IDENTIFY service. More likely candidates:

• A developer chose it arbitrarily for a local application
• A legitimate service configured to run on a non-default port
• Something you should investigate

Some security scanners historically flagged port 2987 due to associations with older malware activity, though no specific widely-documented trojan is exclusively tied to it.²

How to Check What's Listening

On Linux or macOS:

sudo ss -tlnp | grep 2987
# or
sudo lsof -i :2987

On Windows:

netstat -ano | findstr :2987
# Then look up the PID:
tasklist | findstr <PID>

From another machine:

nmap -sV -p 2987 <target-ip>

The -sV flag asks Nmap to probe the port and try to identify the service — useful when you don't recognize what's running there.

Why Abandoned Assignments Matter

The registered port space has a long memory. Assignments from companies that folded in the early 2000s still appear in IANA's records. This creates an interesting security property: an attacker who knows which registered ports are effectively abandoned can use them with low likelihood of tripping a "known bad port" firewall rule.

Port 2987 isn't dangerous because of what it is. It's worth understanding because of what it represents: the port space is not a clean map of active services. Much of it is history.