Port 1920: IBM Tivoli Directory Service (FERRET) — A Registered Ghost

Port 1920 sits in the registered ports range (1024–49151), the middle tier of the port numbering system. IANA maintains this range for services that apply for an official registration — unlike the well-known ports below 1024, which are reserved for foundational Internet protocols, registered ports are claimed by vendors and developers on request.

Port 1920 is registered. It just has almost no footprint.

What's Registered Here

In January 2003, IBM registered port 1920 for IBM Tivoli Directory Service — FERRET (service name: can-ferret), covering both TCP and UDP.¹

IBM Tivoli was IBM's enterprise IT management platform — a suite of software for monitoring infrastructure, managing identities, and automating operations in large organizations. The FERRET component was part of Tivoli's directory service layer, handling internal communication between Tivoli components. A related service, can-ferret-ssl, occupies port 3661 for the encrypted version of the same communication.²

Tivoli's directory infrastructure has since evolved into IBM Security Verify Directory (formerly IBM Tivoli Directory Server), which runs on standard LDAP ports. Port 1920 is a relic of the era when enterprise vendors claimed their own ports for internal plumbing that never needed to cross the public Internet — and rarely did.

What You're Likely to Find Here

If something is listening on port 1920 on your machine today, it almost certainly isn't IBM Tivoli. More likely candidates:

• Custom application or development server — developers sometimes bind to arbitrary registered ports during local testing
• Videoconferencing components — some video systems have used this port for control signaling or RTP streams, though this isn't formally registered
• Malware — less common in this range, but any open port with an unknown process deserves scrutiny

The honest answer is: it depends entirely on what's running on that machine.

How to Check What's Listening

Linux/macOS:

# See what process is using port 1920
sudo ss -tlnp | grep 1920

# Or with lsof
sudo lsof -i :1920

Windows:

# Show listening ports with process IDs
netstat -ano | findstr :1920

# Then look up the PID
tasklist | findstr <PID>

If you find an unexpected process on this port, look up the process name. If you don't recognize it, dig deeper before assuming it's benign.

Why Unassigned-ish Ports Matter

The registered port range contains thousands of entries like this one — services that were claimed, shipped with specific enterprise software, and now exist mostly on paper. They represent a historical record of what organizations decided was important enough to register in a given decade.

Port 1920's IANA entry is a small timestamp: early 2003, IBM, enterprise directory infrastructure. The fact that it's nearly invisible today doesn't make the registration meaningless — it means the port did its job quietly, in the background of data centers most people never saw, for systems that kept large organizations running.

That's most of the registered range, actually. The Internet's unglamorous middle tier.