What Port 1919 Is
Port 1919 sits in the registered ports range (1024–49151). These ports are assigned by IANA — the Internet Assigned Numbers Authority — to specific services upon request. Unlike the well-known ports below 1024, registered ports don't require root privileges to bind, and they're not reserved in any strict technical sense. They're more like a name in a ledger than a lock on a door.
IANA's ledger says port 1919 belongs to can-dch, a component of IBM's Tivoli monitoring suite. Tivoli was IBM's enterprise systems management platform — software used by large organizations to monitor servers, storage, and network infrastructure. The "DCH" in can-dch stands for Directory Component Handler, part of Tivoli's internal communication architecture.[1]
Why You Probably Won't See It
IBM Tivoli was a dominant enterprise monitoring platform in the 2000s. It's still in use, but it's far from common. The specific component assigned to port 1919 — the DCH directory handler — is an internal plumbing detail of a product that most people in IT have never touched.
In practice, port 1919 is one of those registered ports where the registration exists more than the traffic does. If you see something on port 1919 on a network that doesn't run IBM Tivoli, it almost certainly isn't can-dch.
What You Might Actually Find There
When port 1919 shows up in security reports or traffic analysis, it's often flagged in connection with malware. FTP.Casus, a trojan family, has used this port for command-and-control traffic.[2] This isn't unusual — malware frequently colonizes obscure registered ports precisely because they attract less scrutiny than the well-known ones.
Finding an open port 1919 on a system that doesn't run IBM Tivoli is worth investigating.
How to Check What's Listening
If nothing comes back, nothing is listening. That's the normal state for port 1919 on most systems.
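A Linux version of this check, added here as an example and not taken from the original page: it filters `ss -H -tlnp` output for sockets bound to exactly port 1919, since a plain text search for `1919` also matches ports such as 19190 or 11919. The sample `ss` output and the process name in it are constructed.

```shell
#!/bin/sh
# Added example: list TCP listeners bound to exactly one port,
# reading `ss -H -tlnp` output on stdin.

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:1919 0.0.0.0:* users:(("updater",pid=4312,fd=7))
LISTEN 0 128 [::]:19190 [::]:* users:(("app",pid=99,fd=4))
LISTEN 0 16 127.0.0.1:11919 0.0.0.0:*
LISTEN 0 5 [::]:1919 [::]:*'

# listeners_on_port PORT
# Prints "local-address process pid" for each socket listening on PORT.
# Prints nothing when no socket is bound to that port.
listeners_on_port() {
    awk -v port="$1" '
    {
        local_addr = $4
        # The port is the text after the last colon; this also works for
        # IPv6 addresses such as [::]:1919.
        n = split(local_addr, parts, ":")
        # Compare as strings so 19190 and 11919 never match 1919.
        if ((parts[n] "") != (port "")) next

        # The process column is missing when ss lacks the privileges
        # to see the owner of the socket.
        proc = "unknown"; pid = "-"
        if (match($0, /\(\("[^"]*"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
        print local_addr, proc, pid
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 1919

# Live use on a Linux host with iproute2 installed:
#   ss -H -tlnp | listeners_on_port 1919
```

Run the live command as root; otherwise `-p` leaves out the owning process for sockets that belong to other users, and the function reports `unknown`.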
Why Unassigned (and Rarely Used) Ports Matter
The registered ports range contains thousands of entries. Many of them — like port 1919 — were claimed by software that never achieved wide deployment, or by products that have since faded. The ports remain in the registry indefinitely.
This matters for two reasons:
Security scanning treats open ports as potential indicators of compromise. A port that should almost never be in use becoming active is a meaningful signal — more so than, say, port 443 opening unexpectedly.
Port conflicts happen when developers reach for an obscure port number and unknowingly collide with a registered service. Checking IANA before hardcoding a port number is good practice, even if the registered service is nearly extinct.