Port 2559: LSTP — The Protocol That Never Arrived

What Port 2559 Is

Port 2559 sits in the registered ports range (1024–49151) — the middle tier of the port numbering system, where organizations and developers can stake a claim with IANA for protocols they're building or planning to build.

Most registered ports belong to recognizable services. Port 2559 belongs to LSTP, listed in the IANA registry as Lightweight Session Transfer Protocol. It operates on both TCP and UDP.

The registrant contact is listed as Waiki Wright, with an IBM email address.¹

That's the entirety of the public record.

The Ghost Protocol Problem

No RFC was ever published for LSTP. No open-source implementation exists. No product documentation mentions it. The name "Lightweight Session Transfer Protocol" is generic enough that it could describe dozens of things — a session handoff mechanism, a lightweight alternative to something heavier — but what it actually does, or was meant to do, is unknown.

This happens more than you'd think. IANA port registration requires no proof that a protocol works, ships, or even exists beyond a name and a contact. Some ports were registered for internal tools that never went public. Others were placeholders for protocols that never made it out of a whiteboard. Port 2559 appears to be one of these.

What Range This Belongs To

The registered ports (1024–49151) were historically available on a first-come, first-served basis. Unlike well-known ports (0–1023), they don't require elevated operating system privileges to bind. Unlike ephemeral ports (49152–65535), they're meant to be stable — the same service, the same port, every time.

A registered-but-abandoned port like 2559 is technically "taken" but functionally available. Nothing enforces exclusivity. Any software can bind to this port; the registration is informational, not protective.

What Might Actually Be on Port 2559

If you see traffic on port 2559, it isn't LSTP — because LSTP has no known implementations. More likely candidates:

• Custom internal software using an obscure port deliberately (security by obscurity)
• Game servers or peer-to-peer applications that happen to use this range
• Misconfigured services that landed on this port accidentally
• Malware using registered-but-quiet ports to blend into normal-looking port traffic

How to Check What's Listening

On any Unix-like system:

# Show what process is listening on port 2559
sudo lsof -i :2559

# Or with ss (modern replacement for netstat)
sudo ss -tlnp sport = :2559

# On Windows
netstat -ano | findstr :2559

The output will show you the process ID and name. From there you can look up the process to understand what's actually running.

Why Unassigned and Ghost Ports Matter

The port numbering system works on trust. Routers and firewalls make decisions based on port numbers, and those decisions assume the registry reflects reality. When ports are registered and then abandoned — or registered for protocols that never exist publicly — the registry drifts from reality.

For security practitioners, quiet registered ports are interesting precisely because of that drift. They're ports that should have something on them, which makes anything actually running there harder to explain.