Port 2778: Gwen-Sonya — A Name with No Service

Port 2778 sits in the registered port range with a name attached to it — "gwen-sonya," registered with IANA for both TCP and UDP. But that's where the trail ends. There is no RFC, no product documentation, no company, no protocol specification. The service was registered and then, as far as the public record is concerned, never existed.¹

The Registered Port Range

Ports 1024 through 49151 are called the registered ports. Well-known ports (0–1023) are reserved for foundational protocols — HTTP, SSH, DNS — and require significant justification to claim. Dynamic ports (49152–65535) are ephemeral, assigned on the fly.

The registered range in the middle is different. Getting a port registered here historically required little more than submitting a name, a contact, and a brief description to IANA. The barrier was low. Thousands of services were registered in the 1990s and early 2000s as companies, developers, and projects staked their claim — often before the product actually shipped, sometimes before it was finished, occasionally before it was started.²

Port 2778 appears to be one of those claims.

The Gwen-Sonya Mystery

The IANA entry reads: gwen-sonya — service name, TCP/UDP, port 2778. That's all. No description. No assignee contact that leads anywhere. No documentation of what protocol it speaks or what problem it was built to solve.

The name itself is notable. Most registered port names are technical: ftp, mysql, kerberos. A name like "gwen-sonya" sounds personal — two first names — which makes it stranger that nothing survives about it. Whether it was a product, a project codename, or something else entirely isn't known.

It has no observed real-world usage. It does not appear in security research as a vector for malware. It just exists in the registry, unchanged, as a placeholder for something that never materialized — or that lived and died entirely outside public view.

If You See Traffic on This Port

If port 2778 is active on your machine or network, it is not the ghost of Gwen-Sonya returning. Something is using this port for its own purposes — which is common. Unassigned and abandoned registered ports get repurposed by software developers who need a port and pick one that nothing is officially using.

To identify what's listening:

Linux / macOS:

ss -tlnp | grep 2778
# or
lsof -i :2778

Windows:

netstat -ano | findstr :2778
# Then look up the PID:
tasklist | findstr <PID>

The output will tell you which process has claimed this port. From there, checking that process's documentation will tell you why.

Why Ghost Ports Matter

The IANA registry has hundreds of entries like this one — names registered decades ago for services that never shipped, or shipped briefly and then died, leaving only a line in a text file. These registrations still matter for one reason: they hold a port number off the market.

A developer choosing a port for a new application checks the registry. If 2778 shows a registration — even a meaningless one — they'll likely pick something else, leaving Gwen-Sonya's ghost in quiet possession of a port it never used.