Port 2794: URP — Registered, but Invisible

What Port 2794 Is

Port 2794 is a registered port — it sits in the range 1024 to 49151, the band IANA maintains for services that have formally applied for a number. Most registered ports belong to established protocols with real documentation and real deployments. Port 2794 is a different case.

According to the IANA Service Name and Transport Protocol Port Number Registry, port 2794 was assigned on November 26, 2024, to a protocol called Uniform Resource Platform, service name urp, registered for both TCP and UDP. The registrant contact traces to the China Academy of Information and Communications Technology (CAICT), a government-affiliated research institution in Beijing.¹

That's where the trail ends. There is no RFC. No public specification. No observable deployments. No mailing list discussions. The port was claimed, and then went quiet.

The Registered Port Range

The ports from 1024 to 49151 are called registered ports (sometimes "user ports"). Anyone can apply to IANA to reserve a number in this range for a named service. The process is lighter than it sounds — IANA assigns numbers on a first-come basis with minimal technical vetting. The registry is a directory, not a seal of approval.

This means a port number can be officially assigned to a service that:

• Exists only in internal deployments
• Was never publicly released
• Is still in early development
• Or was registered speculatively, with no deployed implementation

Port 2794 appears to be in one of these categories. The number is taken. What runs on it, if anything, isn't publicly documented.

What You Might Actually See on Port 2794

Because no widely-used software claims port 2794, finding something listening on it on your machine or network is worth investigating. Common explanations:

• Custom internal software — enterprise or lab tools that happened to pick this number
• Dynamic reassignment — operating systems use the ephemeral range (32768–60999 on Linux, 49152–65535 on Windows) for outbound connections, but some systems occasionally land in the registered range
• Malware — historically, some trojans have used obscure registered ports to blend in with legitimate traffic; port 2794 has appeared on older threat lists for this reason

How to Check What's Listening

On Linux or macOS:

sudo ss -tlnp | grep 2794
# or
sudo lsof -i :2794

On Windows:

netstat -aon | findstr :2794
# Then look up the PID:
tasklist | findstr <PID>

If you see something listening, the process name will tell you whether it's expected software or something to investigate further.

Why Unassigned (or Barely-Assigned) Ports Matter

The port number space is a shared namespace. When a protocol claims a number, it's asking every firewall, every network scanner, and every administrator to associate that number with a specific service. A number that's claimed but undocumented creates confusion: is traffic on this port expected, or suspicious?

Port 2794 sits in an ambiguous position — officially registered, practically invisible. Until CAICT publishes documentation or deploys something observable, that ambiguity won't resolve.