Use netcat (nc) to validate TCP reachability to an internal app endpoint and prove end-to-end delivery using a
temporary listener on the target host. Capture evidence from both sides so you can separate “network path” failures from
“application” failures.
A branch office reports that the internal web app at 10.10.20.15:8080 is down. You will use netcat
(nc) to verify connectivity and confirm whether traffic from the branch can reach the application host.
When users report an app is “down,” you need fast proof of where the failure lives: DNS, routing, firewall policy, listener state, or the application itself. netcat is a lightweight, low-friction way to validate the path.
10.10.20.15:8080 with a timeout and verbose output.
10.10.20.15:8080.
nc -vz -w 3 10.10.20.15 8080
This uses netcat scan mode (-z) with verbose output (-v) and a 3-second timeout (-w 3)
to answer one question: can you establish a TCP connection to the port?
# Common outcomes (examples):
# Connection to 10.10.20.15 8080 port [tcp/*] succeeded!
# nc: connect to 10.10.20.15 port 8080 (tcp) failed: Connection refused
# nc: connect to 10.10.20.15 port 8080 (tcp) timed out: Operation now in progresssudo nc -lvnp 8080This binds to TCP port 8080 and prints inbound connections and data. Use this as a controlled diagnostic tool and stop it when you’re done.
# Example listener output (varies by nc implementation):
listening on [any] 8080 ...echo "health-check" | nc -w 3 10.10.20.15 8080
Piping a payload into nc makes the client send bytes immediately. On the server-side listener, you should see an
inbound connection and the payload. If Step 1 succeeds but nothing shows up here, think asymmetric routing, NAT, or policy
issues between segments.
# On the app server listener you might see:
Connection received on 10.10.20.15 8080
health-check
Stop the listener with Ctrl+C. Based on your results, write a one-line conclusion:
path blocked (timeout), host reachable but no listener (refused), or path + listener confirmed (payload received).
# Example conclusions:
# - timeout: likely firewall drop or routing issue between branch and 10.10.20.15
# - refused: host reachable; app/service not listening on 8080 (or local firewall RST)
# - payload seen: network path + port delivery confirmed; investigate app itself
Something is already listening. Confirm with ss -tuln | grep :8080. If this is the real app port and you don’t
want to disrupt it, pick a high test port (for example 9099) and repeat the listener/payload steps on that port.
Re-run Step 3 with a timeout (-w) and confirm the listener is still running. If it still fails, investigate
asymmetric routing, NAT, and ACLs between segments.
The host is reachable, but nothing is listening on that port (or a policy device is sending a TCP RST). Check the service
status on the app server and confirm the port with ss -tuln.
Ctrl+C).nc -vz -w <sec> <host> <port>: Test TCP reachability to a port (scan mode + verbose + timeout).
-z: zero-I/O scan mode-v: verbose output-w: timeout in secondsnc -lvnp <port>: Start a TCP listener on a local port.
-l: listen mode-v: verbose output-n: numeric-only output (no DNS lookups)-p: local port to bindecho "<msg>" | nc -w <sec> <host> <port>: Send a payload to a listening socket with a timeout.
ss -tuln: List listening TCP/UDP sockets without DNS/service name resolution.
-t: TCP sockets-u: UDP sockets-l: listening sockets-n: numeric output10.10.20.15:8080: Target host/port used in this lab scenario.