What This Port Is
Port 2991 sits in the registered ports range (1024-49151), also called user ports. These are ports that software vendors and developers can formally register with IANA — the Internet Assigned Numbers Authority — to reserve a name and prevent collisions with other services.
Port 2991 is registered under the name wkstn-mon, short for Workstation Monitor, assigned to a contact named William David. It appears on both TCP and UDP.1
That is essentially all that is known about it.
The Ghost Registration Problem
The IANA registry has over 10,000 port entries. A meaningful number of them look exactly like port 2991: a service name, a protocol, a contact — and nothing else. No RFC. No implementation. No documentation of what the protocol actually does.
These are ghost registrations. Someone had an idea, reserved a port, and never shipped the software. Or shipped it internally, never published it, and moved on. The name lives in the registry; the protocol does not live anywhere.
Port 2991 scanning activity visible on SANS ISC represents automated probes — Internet-wide scanners sweeping ranges looking for open ports, not traffic from any actual wkstn-mon service.2
If You See Port 2991 Open on Your System
Something is listening there, but it is not wkstn-mon. Check what it actually is:
macOS or Linux:
Windows:
Then look up the PID in Task Manager or with tasklist /fi "PID eq <pid>".
Any process using this port chose it arbitrarily — or a developer used it for a private service and it happened to not collide with anything important. That is the practical value of the registered range: enough structure to avoid the obvious collisions, not enough to guarantee every name means something.
Why Unassigned-in-Practice Ports Matter
The port registry is not a perfect map of what runs on the Internet. It is a coordination mechanism — a way to say "this name is spoken for" so that two competing services do not independently choose 2991 and then conflict. Whether anyone ever actually uses 2991 for wkstn-mon is a different question entirely.
When you see a registered port with no documentation, you are seeing the gap between the map and the territory. The territory — actual software, actual traffic — is what matters.
Questa pagina è stata utile?