Port 2736: Unassigned — A Blank Line in the Registry

What This Port Is

Port 2736 is a registered port — sitting in the range from 1024 to 49151 — with no assigned service. IANA maintains the official registry of port-to-protocol mappings, and for port 2736, that entry is empty.¹

That's not unusual. The registered port range spans 48,127 ports. Many are unassigned, waiting for an application to claim them, or quietly used by software that never bothered to file paperwork.

The Registered Port Range

Ports 1024 through 49151 are called registered ports. Unlike the well-known ports below 1024 (which require root/administrator privileges to bind), registered ports can be used by any application.

The range works like this:

• Ports 0–1023 (well-known ports): Assigned to foundational protocols — HTTP at 80, HTTPS at 443, SSH at 22. Require elevated privileges to open.
• Ports 1024–49151 (registered ports): Where applications live — databases, game servers, proprietary software, development tools. Anyone can request an assignment from IANA, and many don't bother.
• Ports 49152–65535 (ephemeral/dynamic ports): Assigned temporarily by the OS for outgoing connections. Never registered.

Port 2736 sits comfortably in the middle of the registered range, with neighbors that include various database services, video conferencing tools, and industrial control software.

The "Trojan" Flag

Several port-scanning reference sites list port 2736 with a malware warning. This deserves scrutiny.

The warning appears to trace back to the mstream DDoS toolkit, a distributed denial-of-service tool that circulated in the early 2000s. However, detailed technical analysis of mstream's actual communication ports shows it used TCP 6723, TCP 15104, TCP 12754, and UDP ports in the 6000–10000 range — not 2736.² The mstream source code also made ports trivially configurable, which generated a lot of "possibly associated" noise across port databases as analysts tried to document every variant ever spotted.

The short version: the malware flag on port 2736 appears to be low-confidence historical noise. Treat it as a reminder to investigate, not as an indictment.

What to Check

If you see traffic on port 2736 and want to know what's using it:

On Linux or macOS:

# Show which process is listening on port 2736
sudo ss -tlnp sport = :2736

# Or with lsof
sudo lsof -i :2736

On Windows:

# Show listening process with PID
netstat -ano | findstr :2736

# Then look up the PID
tasklist | findstr <PID>

The process name and path will tell you more than any port database ever could.

Why Unassigned Ports Matter

The Internet runs on the assumption that port numbers mean something consistent. When you connect to port 443, you expect HTTPS. When you connect to port 22, you expect SSH. That consistency is what makes protocol negotiation fast and firewall rules predictable.

Unassigned ports are where that assumption breaks down — in both useful and dangerous ways.

Useful: developers running local services, microservices talking to each other inside a private network, applications that pre-date formal IANA registration.

Dangerous: malware deliberately chooses unassigned ports because they're unlikely to be blocked by default firewall rules, and they don't trigger the same scrutiny as traffic on well-known ports.

An unassigned port number is neither safe nor suspicious on its own. What matters is what's listening.