What This Port Does
Port 2535 is assigned by IANA to MADCAP — the Multicast Address Dynamic Client Allocation Protocol. MADCAP uses UDP.
MADCAP does for multicast addresses what DHCP does for regular IP addresses: a client asks a server for a multicast address, the server leases one from its pool, and the client uses it for the duration of the lease. When a multicast session ends, the address returns to the pool for someone else.
The problem MADCAP solves is real. Multicast requires every session to use a distinct group address (in the 224.0.0.0/4 range for IPv4). Without a coordination mechanism, two applications could accidentally claim the same address and collide. MADCAP is that coordination mechanism.
The DHCP Parallel
MADCAP's designers built it to feel familiar. Like DHCP, it runs over UDP. Like DHCP, it uses a lease model. Like DHCP, a client can request a specific address or let the server choose. Like DHCP, leases expire and can be renewed.
The parallel is intentional — RFC 2730 explicitly acknowledges the similarity and notes that MADCAP is a separate protocol with no common dependencies. Two different solutions to structurally similar problems.1
One key difference: MADCAP clients can send requests via unicast (directly to a known server) or via multicast (announcing to any listening server). The server always responds via unicast directly to the client.
Why You've Never Seen It
MADCAP was defined in December 1999, during the same era that imagined IP multicast would become a backbone technology for Internet-scale video delivery. That future didn't materialize. Multicast routing between autonomous systems is complex, most ISPs never deployed it externally, and the rise of CDNs and unicast streaming removed much of the urgency.
Without widespread multicast deployment, MADCAP had no operational context to fill. It's implemented in some enterprise multicast environments and was part of Windows Server's multicast support, but it's rarely encountered in routine network operations.2
What You'll Actually Find on Port 2535
In practice, if you see traffic on port 2535:
- Enterprise multicast infrastructure — some organizations run internal multicast for video distribution, conferencing systems, or financial data feeds, and may use MADCAP for address coordination
- Misconfigured or legacy software — applications that registered for this port during the late-1990s multicast enthusiasm
- Nothing — the most common answer; most hosts have nothing listening here
Security scanners occasionally flag port 2535 as having been used by malware, but this reflects opportunistic use of an open port rather than anything specific to MADCAP.
How to Check What's Listening
On Linux/macOS:
On Windows:
If you find something listening here and you're not running intentional multicast infrastructure, it's worth investigating.
The Registered Port Range
Port 2535 sits in the registered port range (1024–49151). These ports are assigned by IANA for specific protocols and services, but the assignments aren't enforced — any application can bind to any port. IANA registration is coordination, not access control.3
The registered range is where most application-layer protocols live: database servers, messaging systems, custom enterprise software. MADCAP's assignment here reflects the late-1990s optimism that it would become standard infrastructure. The port sits reserved, waiting for a multicast Internet that mostly didn't come.
Была ли эта страница полезной?