Check Open Ports in Linux: nmap, netcat, and Bash

Whether you are troubleshooting network connectivity issues or configuring a firewall, one of the first things to check is what ports are actually open on your system.
This guide covers three command-line methods for checking open ports on a Linux system: nmap, netcat, and the Bash /dev/tcp pseudo-device.
What Is an Open Port
A listening port is a network port that an application listens on. You can get a list of the listening ports on your system by querying the network stack with commands such as ss or netstat. Each listening port can be open or closed (filtered) using a firewall.
An open port is a network port that accepts incoming packets from remote locations.
For example, if you are running a web server that listens on ports 80 and 443 and those ports are open on your firewall, anyone (except blocked IPs) will be able to access websites hosted on your web server using their browser. In this case, both 80 and 443 are open ports.
Open ports may pose a security risk because each one can be used by attackers to exploit a vulnerability. You should expose only the ports needed for your application and close all others.
Check Open Ports with nmap
Nmap is a powerful network scanning tool that can scan single hosts and large networks. It is mainly used for security audits and penetration testing.
If available, nmap is usually the most complete tool for port scanning. Beyond basic port discovery, it can also perform service detection, version probing, and host discovery.
The following command scans for all TCP ports on a remote host:
sudo nmap -sT -p- 10.10.8.8
The -sT flag tells nmap to scan for TCP connections and -p- scans all 65535 ports. Without -p-, nmap scans only the 1000 most common ports.
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-01 21:00 CET
Nmap scan report for 10.10.8.8
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:05:49:23 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
The output above shows that only ports 22 and 80 are open on the target system.
To scan for UDP ports, use -sU instead of -sT:
sudo nmap -sU -p- 10.10.8.8
For more information, visit the nmap man page to read about all available options.
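To act on the advice to expose only the ports an application needs, scan output can be compared against an allowlist. The script below is an added example, not part of the original guide; the function name unexpected_ports and the allowlist values are assumptions, and the sample scan is constructed from the output format shown above.

```shell
#!/usr/bin/env bash
# Added example: flag open ports that are not on an allowlist.

# Constructed sample: nmap normal output in the format shown in this guide.
SAMPLE_SCAN='Nmap scan report for 10.10.8.8
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds'

# unexpected_ports ALLOWLIST   (reads nmap normal output on stdin)
# ALLOWLIST is a comma-separated list such as "22/tcp,443/tcp".
# Prints one "port/proto service" line for each open port that is not on
# the list. Returns 1 if any such port was found, 0 otherwise.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Port lines look like "22/tcp open ssh". Only the exact state "open"
        # counts; "filtered" and "open|filtered" are not confirmed exposures.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            if (!($1 in ok)) { print $1, $3; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Usage against a live scan of the example host:
#   sudo nmap -sT -p- 10.10.8.8 | unexpected_ports "22/tcp,443/tcp"
```

A non-zero return value makes the function usable as a gate in a scheduled job or CI step that should fail when a new port appears.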
Check Open Ports with netcat
netcat (or nc) is a command-line tool that can read and write data across network connections using the TCP or UDP protocols.
With netcat you can scan a single port or a port range. To scan for open TCP ports on a remote machine with IP address 10.10.8.8 in the range 20-80, run:
nc -z -v 10.10.8.8 20-80
The -z option tells nc to scan only for open ports without sending any data, and -v enables verbose output.
The output will look something like this:
nc: connect to 10.10.8.8 port 20 (tcp) failed: Connection refused
nc: connect to 10.10.8.8 port 21 (tcp) failed: Connection refused
Connection to 10.10.8.8 22 port [tcp/ssh] succeeded!
...
Connection to 10.10.8.8 80 port [tcp/http] succeeded!
To print only the open ports, filter the results with the grep command:
nc -z -v 10.10.8.8 20-80 2>&1 | grep succeeded
Connection to 10.10.8.8 22 port [tcp/ssh] succeeded!
Connection to 10.10.8.8 80 port [tcp/http] succeeded!
To scan for UDP ports, pass the -u flag:
nc -z -v -u 10.10.8.8 20-80 2>&1 | grep succeeded
The 2>&1 construct redirects standard error to standard output, which is necessary here because nc writes connection status to stderr.
Check Open Ports with Bash /dev/tcp
Another way to check whether a specific port is open is to use the Bash /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT pseudo-device.
When you open one of these pseudo-devices, Bash attempts a TCP or UDP connection to the specified host and port. If the connection succeeds, the port is open.
The following if..else statement checks whether port 443 on kernel.org is open:
# The output redirect sits outside the quotes so that connection errors
# printed by the inner bash are hidden as well.
if timeout 5 bash -c '</dev/tcp/kernel.org/443' &>/dev/null
then
    echo "Port is open"
else
    echo "Port is closed"
fi
Port is open
The default connection timeout for pseudo-devices is very long, so the timeout command is used to abort the attempt after 5 seconds. If the connection to kernel.org port 443 succeeds, the test returns true.
To check a range of ports, use a for loop:
for PORT in {20..80}; do
    timeout 1 bash -c "</dev/tcp/10.10.8.8/$PORT" &>/dev/null && echo "port $PORT is open"
done
port 22 is open
port 80 is open
Troubleshooting
nmap: command not found
nmap is not installed by default on all distributions. Install it with sudo apt install nmap on Ubuntu, Debian, and derivatives, or sudo dnf install nmap on Fedora, RHEL, and derivatives.
nc is not available or behaves differently
Some distributions ship ncat (from the nmap project) instead of the traditional netcat. The flags are similar but not identical. On systems without either, use the Bash /dev/tcp method instead.
nmap shows a port as filtered instead of open or closed
A filtered state means a firewall is dropping packets to that port rather than rejecting them. The port may actually be listening, but the firewall prevents nmap from determining its state. Check the firewall rules on the target host.
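The same closed-versus-filtered distinction shows up in the Bash /dev/tcp check: a refused connection fails at once, while dropped packets leave the attempt hanging until timeout kills it with exit status 124. The script below is an added example, not part of the original guide; the function names classify_rc and port_state are assumptions.

```shell
#!/usr/bin/env bash
# Added example: classify a TCP port as open, closed, or filtered.

# classify_rc RC -> state for the exit status of the timeout-wrapped check.
#   0    the connection succeeded           -> open
#   124  timeout(1) had to kill the attempt -> filtered (no reply in time;
#        packets dropped by a firewall, or the host is down)
#   *    the attempt failed right away      -> closed (for example refused;
#        a name that does not resolve also lands here)
classify_rc() {
    case "$1" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# port_state HOST PORT [SECONDS] -> prints open, closed, or filtered
port_state() {
    host=$1 port=$2 secs=${3:-2}
    rc=0
    # HOST and PORT are passed as positional arguments instead of being
    # pasted into the command string, so odd characters in them cannot
    # change the command that the inner bash runs.
    timeout "$secs" bash -c '</dev/tcp/"$1"/"$2"' _ "$host" "$port" \
        >/dev/null 2>&1 || rc=$?
    classify_rc "$rc"
}

# Usage against the example host from this guide:
#   for p in 22 80 443; do echo "$p $(port_state 10.10.8.8 "$p")"; done
```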
UDP scan results are unreliable
UDP scanning is inherently less reliable than TCP scanning because UDP has no handshake. nmap marks ports as open|filtered when there is no response. Use -sV to attempt service detection and get a more definitive result.
nc -z shows a port as open but the service is unreachable
The port is listening but the application may require TLS, authentication, or a specific protocol. Use nmap -sV to probe the service version and confirm what is running.
Quick Reference
| Command | Description |
|---|---|
| sudo nmap -sT -p- HOST | Scan all TCP ports on a host |
| sudo nmap -sU -p- HOST | Scan all UDP ports on a host |
| nc -z -v HOST PORT_RANGE | Scan a TCP port range with netcat |
| nc -z -v -u HOST PORT_RANGE | Scan a UDP port range with netcat |
| nc -z -v HOST PORT_RANGE 2>&1 \| grep succeeded | Show only open ports |
| timeout 5 bash -c '</dev/tcp/HOST/PORT' | Test a single TCP port with Bash |
FAQ
What is the difference between a listening port and an open port?
A listening port is one that a local application has bound to and is waiting for connections. An open port is a listening port that is also reachable from the network, meaning the firewall permits traffic to it. A port can be listening locally but closed (filtered) externally.
How do I check if a specific port is open on my own machine?
Use ss -tlnp | grep PORT or netstat -tlnp | grep PORT to check listening ports locally. See How to Check Listening Ports in Linux for more detail.
Can I scan ports without installing nmap?
Yes. Use nc -z -v HOST PORT_RANGE for a range scan, or the Bash /dev/tcp/HOST/PORT pseudo-device for a single port check. If nc is not installed on your system, the Bash method works without additional packages.
Do I need root to scan ports?
TCP connect scans (nmap -sT) and nc work as a regular user. UDP scans (nmap -sU) and SYN scans (nmap -sS) require root or sudo because they send raw packets.
Conclusion
Use nmap for thorough port scanning, netcat for quick range checks, and the Bash /dev/tcp pseudo-device when you need a lightweight single-port test without any external tools. For packet-level capture while troubleshooting, use tcpdump.
About the authors

Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.