How to test a TCP port with Netcat

A TCP service can appear unreachable when the application is down, when the service is bound to a different address, or when a firewall is blocking the path. Netcat gives a socket-level test that separates an accepted TCP connection from a refused or unanswered port before protocol-specific debugging starts.

OpenBSD Netcat uses -z for zero-I/O scanning, so it opens the connection and exits without sending application data. Adding -v prints the connection result, and -w keeps silent paths from hanging the terminal indefinitely.

The examples use OpenBSD Netcat on Ubuntu 26.04 against loopback test ports. Replace 127.0.0.1 and the sample port with the service endpoint being checked, and treat success as proof of a TCP handshake only; HTTP, TLS, database authentication, and application responses still need a protocol-aware test.

Related: How to connect to a TCP service with Netcat
Related: How to check a TCP port range with Netcat
Related: How to set a Netcat connection timeout
Related: How to troubleshoot TCP connectivity with Netcat
Tool: Netcat Command Generator

Steps to test a TCP port with Netcat:

  1. Choose the exact host name or IP address and TCP port to test. Use the address clients are expected to reach, not only the server's local interface.
  2. Run Netcat in verbose zero-I/O mode against the target TCP port. 
    $ nc -vz -w 2 127.0.0.1 9042
Connection to 127.0.0.1 9042 port [tcp/*] succeeded!

    -z tests the TCP connection without sending payload, -v prints the result, and -w 2 limits the connection attempt to two seconds.

  3. Read a refused result as a reached host with no listener on that port. 
    $ nc -vz -w 2 127.0.0.1 9043
nc: connect to 127.0.0.1 port 9043 (tcp) failed: Connection refused

    A timeout instead of Connection refused usually means the route, firewall, address, or service binding did not answer within the timeout window.

    Related: How to set a Netcat connection timeout
    Related: How to troubleshoot TCP connectivity with Netcat

  4. Repeat the test from the client network when the server passes a local check. 
    $ nc -vz -w 2 service.example.net 443

    A local success on 127.0.0.1 does not prove that another host can cross routing, firewall, load balancer, or security-group boundaries. Expect the same succeeded line when the remote path accepts the TCP connection.

  5. Use a protocol-aware test when the TCP port accepts connections but the application still fails.

    Related: How to connect to a TCP service with Netcat
    Related: How to debug an HTTP request with Netcat
    Related: How to connect to a TLS service with Ncat