Port 3400: CSMS2 — The Name Without a Body

What This Port Is

Port 3400 sits in the registered ports range, which runs from 1024 to 49151. These ports can be claimed by vendors and developers through IANA, the body that keeps the official ledger of port assignments. Unlike the well-known ports (0–1023), which require IANA review and carry protocols the whole Internet depends on, registered ports are first-come, first-served — submit a request, get a name in the registry.

Port 3400 has a name: CSMS2. Registered to a "Markus Michels," assigned to both TCP and UDP. That's all the registry says.¹

What CSMS2 stands for, what software it belonged to, what problem it was solving — none of that is documented anywhere findable. The name exists. The context doesn't. It's a tombstone without a grave.

What Actually Runs Here

In practice, port 3400 is associated with Sophos RED — Remote Ethernet Device. Sophos is a network security company, and RED is their hardware for connecting remote branch offices back to a central Sophos firewall over an encrypted tunnel. The idea: plug a small RED appliance into the branch office, it phones home on TCP port 3400, and the branch behaves as if it's part of the corporate LAN.²

This is Layer 2 tunneling — the RED device bridges raw Ethernet traffic across the Internet. For firewall administrators managing Sophos deployments, port 3400 needs to be open outbound from the remote site to the central firewall.

Sophos's own documentation confirms this. Their PCI compliance discussions flag it as something security scanners will notice and question — because an open port carrying encrypted tunnel traffic looks, to an automated scanner, like a threat.³

What Range This Port Belongs To

Registered ports (1024–49151) are the middle territory of the port numbering system:

• Well-known ports (0–1023): HTTP, SSH, DNS, SMTP. Require IANA review. The backbone.
• Registered ports (1024–49151): Applications and services that claimed a number. Quality varies.
• Dynamic/ephemeral ports (49152–65535): Temporary client-side ports. No assignment needed.

A port being "registered" tells you only that someone filed paperwork. It says nothing about whether that software still exists, whether it's secure, or whether the registered use is what you'll actually find on that port.

How to Check What's Listening

On Linux or macOS:

# Show what process is using port 3400
sudo lsof -i :3400

# Or with ss (modern Linux):
sudo ss -tlnp | grep 3400

# Or with netstat:
sudo netstat -tlnp | grep 3400

On Windows:

netstat -ano | findstr :3400
tasklist | findstr <PID>

If you find something on port 3400 you don't recognize: check the process name, look up the PID, verify it belongs to software you installed. Sophos RED is expected. Anything else is worth investigating.

Why Unassigned-in-Practice Ports Matter

The gap between the registry and reality is normal — and worth understanding.

IANA's registry reflects what vendors requested, not what the Internet uses. Software dies. Companies fold. Products pivot. The registry doesn't update automatically. CSMS2 is registered, but if the software is gone, the port is effectively orphaned — a name with no living body behind it.

This matters because it means registered ports aren't inherently safer or more trustworthy than unregistered ones. Malware has used registered port numbers precisely because firewalls sometimes treat them as legitimate traffic. An open port is an open port. The name in the registry is just paperwork.