Linux and Unix Port Scanning With netcat [nc] Command

How do I find out which ports are opened on my own server? How do I run port scanning using the nc command instead of the nmap command on a Linux or Unix-like systems?

The Nmap (“Network Mapper”) is an open-source tool for network exploration and security auditing. If Nmap is not installed and you do not wish to use all of Nmap options/features, you can use the netcat/nc command for scanning ports. This may useful to know which ports are open and running services on a target machine. You can use nmap command for port scanning too.
Tutorial details
Difficulty level Easy
Root privileges No
Requirements Linux/Unix with netcat/nc
Est. reading time 1m

How do I use nc to scan Linux, UNIX and Windows server port scanning?

Try the nc / netcat command as follow. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. Run nc command with -z flag. You need to specify hostname / ip along with the port range to limit and speedup operation:

## netcat or nc syntax ##
nc -z -v {host-name-here} {port-range-here}
nc -z -v host-name-here ssh
nc -z -v host-name-here 22
nc -w 1 -z -v server-name-here port-Number-here
## scan 1 to 1023 ports ##
nc -zv 1-1023

Sample outputs:

Connection to localhost 25 port [tcp/smtp] succeeded!
Connection to 25 port [tcp/smtp] succeeded!
Connection to 80 port [tcp/http] succeeded!
Connection to 143 port [tcp/imap] succeeded!
Connection to 199 port [tcp/smux] succeeded!
Connection to 783 port [tcp/*] succeeded!
Connection to 904 port [tcp/vmware-authd] succeeded!
Connection to 993 port [tcp/imaps] succeeded!

Port Scanning With netcat [nc]

You can scan individual port too. The syntax is

nc -zv v.txvip1 443
nc -zv v.txvip1 80
nc -zv v.txvip1 22
nc -zv v.txvip1 21
nc -zv v.txvip1 smtp
nc -zvn v.txvip1 ftp
## really fast scanner with 1 timeout value ##
netcat -v -z -n -w 1 v.txvip1 1-1023

Sample outputs:

Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server

Fig.01: Linux/Unix: Use Netcat to Establish and Test TCP and UDP Connections on a Server


  1. -z : Port scanning mode i.e. zero I/O mode.
  2. -v : Be verbose [use twice -vv to be more verbose].
  3. -n : Use numeric-only IP addresses i.e. do not use DNS to resolve ip addresses.
  4. -w 1 : Set time out value to 1.
  5. -u : Use udp instead of TCP.
  6. -4 : Force IPv4 version addresses.
  7. -6 : Make sure we use IPv6 version addresses only.

Let us scan for UDP port 1194 (OpenVPN) or WireGuard VPN UDP port 31194:
$ nc -w 2 -v -u 1194
$ nc -w 2 -v -u 31194
$ nc -w 2 -v -4 443

The last command used IPv4, and it is useful when remote hosts have IPv4 and IPv6 addresses. For example, run the dig command/host command as follows:
$ host
We see: has address has address has address has IPv6 address 2606:4700:10::6816:bd6 has IPv6 address 2606:4700:10::6816:ad6 has IPv6 address 2606:4700:10::ac43:7ef

Now use IPv6 addresses only for
$ nc -w 2 -v -6 443

More examples

Let us try:

$ netcat -z -vv http [] 80 (http) open
 sent 0, rcvd 0
$ netcat -z -vv https
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: !=
DNS fwd/rev mismatch: != [] 443 (https) open
 sent 0, rcvd 0
$ netcat -v -z -n -w 1 1-1023
(UNKNOWN) [] 989 (ftps-data) open
(UNKNOWN) [] 443 (https) open
(UNKNOWN) [] 53 (domain) open

Data transfer using nc

I am going start nc to listen on a specific port such as 4242, with output captured into a file called file.output:
$ nc -l 4242 > file.output
Using a second laptop (macbook pro), connect to the listening nc process, feeding it the file which is to be transferred:
$ nc -N 4242 < /path/to/input.file
Once the file has been transferred, the connection will close automatically. Naturally, this is not secure as there is no encryption took place. Hence, never run it over the Internet or LAN without a VPN.

Finding OpenSSH server version

The syntax is simple

# Port Scanning With netcat including displaying version #
echo "QUIT" | nc 22
echo "QUIT" | nc -v ssh
# OR pass the -vv  to get remote OpenSSH version # 
nc -vv ssh

We can also specify a list of ports to scan, for example:
$ nc -zv http https 20 22-23
Our final example, only show open or closed ports:

nc -w 1 -zv {host} {port} 20-23  2>&1 | grep succeeded
nc -w 1 -zv https 20-23  2>&1 | grep succeeded
nc -w 1 -zv https 20-23  2>&1 | grep failed
How to port scanning with netcat or nc command on Linux and Unix

Scanning port with nc / netcat on your Linux, Unix, and macOS system


In this page we explained port scanning with netcat / nc utility from your Unix, macOS or Linux computer. The nc /netcat command on Linux or Unix is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets. Hence I recommend reading man pages by typing the following man command:
$ man nc
You may find following tutorial useful too:

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 11 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
11 comments… add one
  • Paul Aug 20, 2012 @ 13:32

    I had to add verbosity (-v) to get the output as above. By default my version displayed nothing. (Talking of that, I couldn’t figure out how to get it’s version…)

  • Sandeep Mar 20, 2013 @ 14:55


    I run this command on my ubuntu server but I am not getting that kind of output as you provided here. When I am using -z option that time it is not giving any kind of output. If use -t or option then it is giving output for port range 1-100 .. output is :SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1 only.

    I.e it is scanning for port 22 only.

    Could you please tell me why options are not running on Ubuntu ?

  • Allen Mar 21, 2013 @ 21:57

    I had to add -v for it to work for me

    nc -z -v 22
    Connection to 22 port [tcp/ssh] succeeded!

  • Tom Oct 31, 2013 @ 16:58

    nc -zv server port
    for lazy ones .)

  • Bom Feb 19, 2015 @ 10:39

    Do more faster port-scan using gnu-parallel.

    time seq 65535 | parallel --pipe --cat -j200% -n1000 'nc -vz localhost $(head -n1 {})-$(tail -n1 {})'
    real    0m52.813s
    user    3m16.853s
    sys     0m7.860s


    time nc -vz localhost 1-65535
    real    1m49.139s
    user    1m44.407s
    sys     0m4.733s
  • schland Dec 10, 2015 @ 19:38

    most of my classmates use netcat to cheat in the exam : P

  • Kevin Liang May 30, 2016 @ 23:24

    Hi, this is a great guide.
    However, when using netcat to conduct a port scan, the results can be lengthy. Is there any way to have netcat -zv [host] [port ranges] display only OPEN PORTS?

    • Zakaria Dec 28, 2016 @ 1:04

      did you figured out how to show only opened ports ?

      • ad Jan 12, 2017 @ 8:18

        Use grep.

        netcat -zv [host] [port ranges] 2>&1 | grep succeeded

        netcat -zv [host] [port ranges] |& grep succeeded

        • Patrik Dec 22, 2020 @ 13:18

          nc -zv host portrange | 2</dev/null

          • patrik Dec 22, 2020 @ 13:19

            wopps a | in the line
            should be
            nc -zv host portrange 2</dev/null # moves error to null

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum