Test a TCP connection with nc

How to test a tcp connection with nc in each shell

nc -zv -w 3 example.com 443

nc -zv -w 3 example.com 443

nc -zv -w 3 example.com 443

Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet

powershell -NoProfile -Command "Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet"

Equivalents listed for Bash, Zsh, Fish, PowerShell, cmd.exe.

Gotchas & notes

• **`nc` is THREE different binaries**: (1) **OpenBSD nc** — base on macOS and OpenBSD, also packaged as `openbsd-netcat` on Debian/Ubuntu. Supports `-z`, `-w SECONDS` timeout, `-N` to close stdin on EOF, `-U` for Unix domain sockets. (2) **GNU nc (netcat-traditional)** — older Debian/Ubuntu default. Supports `-z`, `-w` but NOT `-N` (`-q 0` is the equivalent). (3) **`ncat`** — Nmap project, more features (TLS, SOCKS proxy, brokering), shipped as `nmap-ncat` on RHEL/Fedora. `nc --version` distinguishes them. The `-z`/`-w` flags work across all three for the "just probe" case — divergence appears with stdin/stdout handling.
• **Bash builtin `/dev/tcp/HOST/PORT` is a hidden gem** for ad-hoc TCP testing without `nc` installed: `timeout 3 bash -c "</dev/tcp/example.com/443" 2>/dev/null && echo open || echo closed`. Pseudo-file — bash translates the path into a `socket(AF_INET, SOCK_STREAM, 0)` + `connect()`. **Only works in bash + ksh** (NOT in dash, fish, sh, busybox sh). Useful in slim Docker images that have bash but lack nc. The same idiom with output: `(echo > /dev/tcp/example.com/443) && echo open` — but no timeout knob unless wrapped with `timeout`.
• **pwsh `Test-NetConnection` is SLOW on closed ports** — it runs DNS → ICMP ping → TCP connect serially with no short-circuit, so a closed port often takes 21s (default ping timeout). Faster: `(New-Object System.Net.Sockets.TcpClient).ConnectAsync("example.com", 443).Wait(3000)` — returns immediately on success, returns false at 3000ms on timeout, throws on connection refused. Wrapper: `function Test-Tcp($h, $p, $ms=3000) { $c = New-Object Net.Sockets.TcpClient; try { $c.ConnectAsync($h, $p).Wait($ms) } finally { $c.Close() } }`. For batch testing across many ports/hosts, the async pattern is 50× faster than `Test-NetConnection` in a `ForEach-Object`.
• **Connection state interpretation**: a successful `nc -z` proves the kernel returned `SYN-ACK` (TCP handshake completed) — it does NOT prove the application behind the port is healthy. `nc -zv :22` succeeds the instant `sshd` is listening, even mid-startup when it would refuse auth. For HTTP, a proper health check is `curl -fsS http://host:port/health` (`-f` returns non-zero on 4xx/5xx, `-S` shows errors on failure, `-s` suppresses progress). For TLS, `openssl s_client -connect host:port -servername host < /dev/null` verifies the handshake + presents the cert chain (essential for SNI debugging).
• **UDP testing is harder**: `nc -uzv host port` "succeeds" most of the time because UDP has no handshake — the kernel sends a packet and `nc` returns immediately. The only true negative is an ICMP "port unreachable" message back, which happens if and only if no socket is bound AND the firewall doesn't silently drop it (most firewalls do drop). For DNS specifically: `dig @8.8.8.8 +tries=1 +time=3 google.com` actually tests UDP/53 reachability by attempting a real query. For NTP: `ntpdate -q server` queries without setting the clock. There's no general-purpose UDP probe — protocol-specific tests are the right approach.

Related commands

• nc
• curl
• telnet