Port 20002 sits in the registered port range (1024-49151), the middle territory of the Internet's port system. IANA hasn't officially assigned this port to any protocol. No RFC defines what should happen here. But that doesn't mean the port sits empty.
What Lives Here
In practice, port 20002 has two distinct identities that have nothing to do with each other:
TP-Link OneMesh: TP-Link's mesh WiFi system uses port 20002 (both TCP and UDP) for communication between the main router and range extenders. When you see traffic labeled "commtact-http" in packet captures, that's OneMesh mesh participants talking to each other. They broadcast on UDP port 20002 to coordinate, maintain connections, and keep your WiFi seamless as you move through your house.12
AcidkoR Trojan: Port 20002 is also associated with AcidkoR, a remote access trojan that targeted Windows 95, 98, and ME systems. Based on the Acid Shiver source code and using Telnet as a client, AcidkoR chose port 20002 as its backdoor.34 Security databases still flag unexpected traffic on this port as potentially malicious.
The Registered Port Range
Port 20002 belongs to the registered port range (1024-49151). These ports exist in a middle zone:
- Not system ports (0-1023): You don't need root/administrator privileges to bind to port 20002
- Not ephemeral (49152-65535): These ports aren't typically used for temporary client-side connections
- Registered with IANA: Organizations can request port assignments, but many ports in this range remain unassigned
The registered range is where software vendors, hardware manufacturers, and unfortunately malware authors all reach for available port numbers. Sometimes they choose the same ones.
The Strange Duality
This is the genuine strangeness of unassigned ports: TP-Link engineers chose 20002 for mesh router communication. Malware authors chose 20002 for their trojan. Neither knew about the other. Neither had to ask permission. The port number was available, so they both took it.
When you see port 20002 active on your network, context is everything. From a TP-Link router broadcasting to 192.168.0.255? That's OneMesh doing its job. From an unknown external source trying to establish a TCP connection? That deserves investigation.
Security Implications
If you use TP-Link OneMesh: UDP broadcast traffic on port 20002 is expected behavior. Your router and extenders need to communicate. This traffic should stay within your local network—your firewall should block port 20002 from the Internet.1
If you don't use TP-Link devices: Unexpected traffic on port 20002 warrants investigation. The AcidkoR trojan is old (Windows ME old), but port scanning and exploitation attempts still happen. Block incoming connections on port 20002 unless you have a specific reason to allow them.3
Checking What's Listening
To see if anything is listening on port 20002 on your system:
Linux/Mac:
Windows:
If you see a process listening and you don't recognize it, investigate. If it's a TP-Link device and you have OneMesh configured, it's expected. If it's something else, find out what.
Why Unassigned Ports Matter
The registered port range contains thousands of unassigned ports. They represent possibility—space for new protocols, new devices, new ways of communicating. But they also represent ambiguity. Without official assignments, multiple uses emerge organically, sometimes creating conflicts, sometimes creating security risks.
Port 20002 tells this story in miniature: a mesh WiFi system and a trojan, both reaching for the same number in the commons, both creating their own meaning for what that port carries.
The Internet's port system works because we mostly agree on what the numbers mean. In the well-known ports (0-1023), that agreement is strong and enforced. In the registered range, especially the unassigned portions, the agreement is weaker—more suggestion than standard, more custom than convention.
And that's both the power and the problem of the middle ports.
Esta página foi útil?