
Linux ncat Command Reference: Syntax, Flags, and Examples

The Linux ncat command is a feature-packed networking utility from the Nmap Project that reads, writes, redirects, and encrypts data across networks from the command line.

ncat [OPTIONS...] [hostname] [port]

Invoked as ncat (or symlinked nc), the utility is available via sudo apt install ncat or sudo yum install nmap-ncat. The Ncat implementation (version 7.x) extends traditional Netcat with SSL/TLS, proxy support, and advanced connection handling. This reference covers syntax, common flags, and verified examples from the official manual and Nmap Project documentation.

Syntax

ncat [OPTIONS...] [hostname] [port]

Use ncat for listening (-l), connecting, or scanning. The default protocol is TCP; add -u (not shown in all manuals) for UDP, but verify with your local man page.

Options and Flags

Flag                              Type     Default  Description
-l, --listen                      Mode     Off      Listen for an inbound connection.
-p, --local-port PORT             Numeric  Random   Specifies the local port for listening or connecting.
-v, --verbose                     Boolean  Off      Increase verbosity level; use twice for debug.
-z, --zero                        Boolean  Off      Zero-I/O mode for port scanning.
-k, --keep-open                   Boolean  Off      Accept multiple connections in listen mode.
--ssl                             Boolean  Off      Enable SSL/TLS encryption.
--ssl-cert FILE                   File     N/A      Specify SSL certificate file (PEM).
--ssl-key FILE                    File     N/A      Specify SSL key file.
--proxy HOST:PORT                 String   N/A      Use an HTTP or SOCKS proxy for connections.
--proxy-type http|socks4|socks5   String   HTTP     Proxy server type.
--send-only                       Boolean  Off      Only send data, cleanly close after EOF.
--recv-only                       Boolean  Off      Only receive data.
-e, --exec COMMAND                String   N/A      Execute a shell command upon connection.
--allow HOST                      CIDR     N/A      Restrict allowed connecting hosts.
-4                                Boolean  Off      Use IPv4 only.
-6                                Boolean  Off      Use IPv6 only.

Usage Examples

Port Scanning

ncat -zv 10.143.90.106 20-80

Scans ports 20 through 80 on the target. The -z flag prevents sending data; -v prints open ports to stderr. Useful for firewall rule verification.

File Transfer with Clean Shutdown

# Receiver
ncat -l -p 4444 > archive.tar.gz

# Sender
ncat -v --send-only 10.143.90.106 4444 < archive.tar.gz

--send-only causes the sender to exit cleanly after EOF, preventing the receiver from hanging. Ideal for automated scripting.

Encrypted Chat Server

# Server
ncat -l -p 9999 --ssl --keep-open

# Client
ncat -v --ssl 10.143.90.24 9999

All traffic is encrypted via SSL/TLS. --keep-open allows multiple sequential chat sessions without restarting.

Debugging HTTP Responses

echo -e "GET / HTTP/1.1\r\nHost: 10.143.90.24\r\nConnection: close\r\n\r\n" | ncat 10.143.90.24 80

Manually crafts a raw HTTP request to inspect server responses and headers. Useful for debugging without a browser.

Troubleshooting & Common Errors

Error Message                                Root Cause                       Resolution Command
Ncat: bind to 0.0.0.0:80: Permission denied  Ports below 1024 require root.   sudo ncat -l -p 80
Ncat: Connection refused.                    No service listening on target.  Verify target service or check firewall rules.
nc: getaddrinfo: Name or service not known   DNS resolution failure.          Use an IP address instead of hostname.
Ncat: Address already in use                 Port is occupied.                ss -tlnp | grep 80 then kill PID

Performance Considerations and Tuning

Performance tuning for ncat (from the Nmap Project’s Ncat Reference Guide) focuses on controlling connection rates, timeouts, and concurrency limits to avoid resource exhaustion and reduce latency. Unlike nc, ncat exposes dedicated knobs for these parameters.

  • Idle timeouts: Use --idle-timeout (seconds) to close dormant connections (e.g., --idle-timeout 30). Prevents accumulation of stale sockets.
  • Connection limits: --max-conns caps simultaneous client connections (e.g., --max-conns 100). Combined with --keep-open, enables persistent listener pools.
  • Delay between sends: --delay inserts an inter‑packet gap in milliseconds (e.g., --delay 10ms) to throttle bandwidth or mimic low‑rate traffic.
  • TCP buffer sizes: While ncat has no direct buffer‑size flag, kernel parameters /proc/sys/net/ipv4/tcp_rmem and tcp_wmem control receive/send window sizes. For bulk transfers, increase values (e.g., 4096 87380 6291456).
  • Batch/interval mode: For legacy nc compatibility, -i sets delay between lines sent (e.g., -i 0.1). Useful for reducing burstiness.

Tuned listener example with 20-second idle timeout, 50 concurrent clients, 5-millisecond delay:

ncat --listen --idle-timeout 20 --max-conns 50 --keep-open --delay 5ms -p 8080

For higher parallelism, launch multiple ncat listeners on different ports or use --broker (chat mode) to multiplex. Always pair application‑layer tuning with kernel‑level TCP buffer adjustments for maximum throughput.

Security and Operational Best Practices

Operate ncat with least privilege and strict access controls. Run as a non‑root user unless necessary; use --allow and --deny to whitelist or blacklist client IPs. Limit resource exhaustion with --max-conns and --idle-timeout. The --keep-open flag maintains persistent listeners; --limit (with --listen) restricts total connections.

For authentication: --chat requires a nickname before joining multi-user chat; --proxy-auth supplies proxy credentials. When using --exec or --sh-exec, spawned child processes inherit the calling user’s identity; use a dedicated system account and sudo only when needed.

  • IAM / Least‑privilege: Use --allow / --deny or --allowfile / --denyfile for IP‑based access control. Set --max-conns and --idle-timeout to throttle resource usage.
  • Authentication: Enable --chat for nickname‑based identity, or --proxy-auth for proxy credential validation. For remote command execution via --exec, restrict users with system accounts.
  • Audit / Logging: Capture all transmitted data using --output or --append-output. Monitor binary invocations with auditd and collect service logs via journalctl.

Example audit and logging commands:

# Audit all ncat executions (requires auditd)
sudo auditctl -w /usr/bin/ncat -p x -k ncat_execution

# Log ncat service output persistently
ncat --listen --keep-open --output /var/log/ncat/log.txt --append-output

# Check systemd service logs for ncat (if running as a service)
journalctl -u ncat.service --since "24 hours ago" --no-pager
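
As an added example (not from the original page or the Nmap Project), this script triages records produced by the ncat_execution audit rule above, flagging invocations that listen with --exec/--sh-exec or listen without --allow/--allowfile. The log records, event IDs, verdict labels and the report.sh path are constructed for illustration, and the flag matching is a heuristic.

```bash
# Constructed sample of audit.log records (SYSCALL + EXECVE share one event id).
sample_audit_log() { cat <<'EOF'
type=SYSCALL msg=audit(1700000001.100:501): syscall=59 success=yes auid=1000 uid=1000 comm="ncat" exe="/usr/bin/ncat" key="ncat_execution"
type=EXECVE msg=audit(1700000001.100:501): argc=4 a0="ncat" a1="-zv" a2="10.143.90.106" a3="20-80"
type=SYSCALL msg=audit(1700000002.200:502): syscall=59 success=yes auid=1000 uid=0 comm="ncat" exe="/usr/bin/ncat" key="ncat_execution"
type=EXECVE msg=audit(1700000002.200:502): argc=6 a0="ncat" a1="-l" a2="-p" a3="4444" a4="-e" a5="/usr/local/bin/report.sh"
type=SYSCALL msg=audit(1700000003.300:503): syscall=59 success=yes auid=998 uid=998 comm="ncat" exe="/usr/bin/ncat" key="ncat_execution"
type=EXECVE msg=audit(1700000003.300:503): argc=9 a0="ncat" a1="--listen" a2="--keep-open" a3="--allow" a4="10.143.90.0/24" a5="--max-conns" a6="50" a7="-p" a8="8080"
type=SYSCALL msg=audit(1700000004.400:504): syscall=59 success=yes auid=1000 uid=1000 comm="ncat" exe="/usr/bin/ncat" key="ncat_execution"
type=EXECVE msg=audit(1700000004.400:504): argc=5 a0="ncat" a1="-lk" a2="-p" a3="9999" a4="--ssl"
type=SYSCALL msg=audit(1700000005.500:505): syscall=59 success=yes auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="other_rule"
EOF
}
# Classify ncat runs tagged key="ncat_execution". Heuristic only: hex-encoded
# EXECVE arguments are not decoded. Verdict names are this example's own.
triage_ncat_audit() {
  awk '
    function field(name,   r, s) {            # value of name=... on this record
      r = " " $0
      if (!match(r, " " name "=[^ ]+")) return ""
      s = substr(r, RSTART, RLENGTH); sub(/^ [^=]+=/, "", s); gsub(/"/, "", s)
      return s
    }
    {                                         # event id shared by SYSCALL and EXECVE
      if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
      id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
    }
    /^type=SYSCALL/ && field("key") == "ncat_execution" { uid[id] = field("uid"); order[++n] = id }
    /^type=EXECVE/ {
      argc = field("argc") + 0
      for (i = 0; i < argc; i++) {
        a = field("a" i); argv[id] = argv[id] (i ? " " : "") a
        o = a; sub(/=.*/, "", o)              # option name without =value
        sf = (o ~ /^-[A-Za-z0-9]+$/)          # short-flag cluster such as -lk
        if (o == "--exec" || o == "--sh-exec" || (sf && o ~ /[ec]/)) ex[id] = 1
        if (o == "--listen" || (sf && o ~ /l/)) li[id] = 1
        if (o == "--allow" || o == "--allowfile") al[id] = 1
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        id = order[k]; v = "OK"
        if (ex[id] && li[id] && !al[id]) v = "EXEC_LISTENER_NO_ALLOW"
        else if (ex[id]) v = "EXEC"
        else if (li[id] && !al[id]) v = "LISTENER_NO_ALLOW"
        printf "%s uid=%s %s %s\n", id, uid[id], v, argv[id]
      }
    }'
}
sample_audit_log | triage_ncat_audit
```

To run it on real data, pipe the raw audit log into the function, for example sudo cat /var/log/audit/audit.log | triage_ncat_audit.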

Frequently Asked Questions

What is the difference between ncat -k and ncat without -k when used with -l?

Answer: -k keeps the listener socket open after a client disconnects, allowing multiple sequential connections.

Use -k for persistent services like a simple echo server or file transfer endpoint. The flag reuses the same listening port for new connections. Example:

# Listener that re-accepts connections
ncat -k -l -p 9999 -v
# Without -k, one-time listener
ncat -l -p 9999 -v

Without -k, you must restart ncat for each new client.

When should I use the --ssl flag with ncat?

Answer: Use --ssl to encrypt the entire connection with TLS when transmitting sensitive data (passwords, secrets) over untrusted networks.

ncat uses OpenSSL; no certificate is required by default (self-signed will work). Example encrypted chat:

# Server
ncat --ssl -l -p 4444
# Client
ncat --ssl server.example.com 4444

For client authentication, pair with --ssl-cert and --ssl-key.

How do I fix "Ncat: Connection refused." when connecting to a remote listener?

Answer: Ensure the listener is running, the port is open (firewall), and the hostname/IP is reachable.

Diagnostic steps:

# Verify listener exists
nc -zv 10.0.0.1 8080
# On listener host, confirm process is listening:
sudo ss -tlnp | grep :8080
# Temporarily stop the firewall for testing (re-enable afterwards with: sudo ufw enable):
sudo ufw disable

For cloud instances, check security group inbound rules (AWS) or NSG rules (Azure) for the destination port.

Does ncat work on Windows and Linux cloud environments (AWS, Azure, GCP)?

Answer: Yes.

Installation on major cloud Linux images:

sudo yum install nmap-ncat    # RHEL/Amazon Linux
sudo apt install ncat          # Debian/Ubuntu

On Windows (cloud or on-prem):

# Download Nmap zip, extract, run ncat.exe
ncat.exe -v -l -p 9999

No cloud-specific conflicts; standard TCP/UDP port rules apply.

What is the fastest way to transfer a large file using ncat?

Answer: Use ncat with --send-only on the sender and --recv-only on the receiver, combined with pv for speed display.

Optimal one-shot file transfer:

# Receiver (start first)
ncat --recv-only -l -p 4444 > largefile.bin
# Sender
pv largefile.bin | ncat --send-only receiver.ip 4444

Use --keep-open if multiple transfers are expected. Avoid -k for single transfers to prevent socket reuse latency.