# socat — Bidirectional Network Relays on the Command Line

> Practical guide to socat — netcat on steroids: bidirectional relays between sockets, files, pipes, and TLS connections for port forwarding and tunneling.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/socat/

<!-- PROSE:intro -->
socat is netcat on steroids: rather than simply connecting two TCP streams, it wires together any two data channels – TCP, UDP, UNIX sockets, files, pipes, serial devices, and TLS connections – in both directions. A single command sets up port forwards, TLS tunnels, or inetd-style services, and lets you inspect raw protocol traffic or route data between network sockets and local processes. This guide covers the most useful socat patterns for everyday work.
<!-- PROSE:intro:end -->

## TCP Connections

`socat TCP-LISTEN:<port>,reuseaddr,fork -` — Create a simple TCP server listening on a port.

```bash
socat TCP-LISTEN:8080,reuseaddr,fork -
```

`socat - TCP:<host>:<port>` — Connect to a TCP server (like netcat).

```bash
socat - TCP:localhost:8080
```

`socat TCP-LISTEN:<port>,reuseaddr,fork TCP:<host>:<port>` — TCP port forwarding (proxy).

```bash
socat TCP-LISTEN:8080,reuseaddr,fork TCP:backend:3000
```

`socat TCP-LISTEN:<port>,reuseaddr,fork,bind=<ip> TCP:<host>:<port>` — Port forwarding bound to a specific interface.

```bash
socat TCP-LISTEN:8080,reuseaddr,fork,bind=127.0.0.1 TCP:remote:80
```

## UDP & UNIX Sockets

`socat UDP-LISTEN:<port> -` — Listen for UDP packets.

```bash
socat UDP-LISTEN:5000 -
```

`socat - UDP:<host>:<port>` — Send data via UDP.

```bash
echo 'test' | socat - UDP:localhost:5000
```

`socat UNIX-LISTEN:<path>,fork TCP:<host>:<port>` — Forward a UNIX socket to a TCP connection.

```bash
socat UNIX-LISTEN:/tmp/myapp.sock,fork TCP:localhost:3306
```

`socat TCP-LISTEN:<port>,fork UNIX:<path>` — Expose a UNIX socket as TCP. The example below exposes the Docker daemon **unauthenticated**: use it in local/test environments only, never on a public port.

```bash
socat TCP-LISTEN:2375,fork UNIX:/var/run/docker.sock
```
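
The listeners on this page that omit `bind=<ip>` accept connections on every interface, which is what makes the Docker socket relay above risky. The following script is an added check, not part of the original cheatsheet: it reads `ss -Hltnp`-style output and reports which socat listeners sit on a wildcard address. The function name, the verdict labels and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag socat listeners that are
# reachable on every interface, i.e. started without bind=<ip>.

# Constructed sample in the layout of `ss -Hltnp`; PIDs and ports are made up
# to mirror the commands in this cheatsheet.
SAMPLE_SS='LISTEN 0 5 0.0.0.0:2375 0.0.0.0:* users:(("socat",pid=4121,fd=5))
LISTEN 0 5 127.0.0.1:8080 0.0.0.0:* users:(("socat",pid=4177,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))
LISTEN 0 5 *:3307 *:* users:(("socat",pid=4302,fd=5))
LISTEN 0 5 [::1]:9999 [::]:* users:(("socat",pid=4350,fd=5))'

# Reads ss output on stdin and prints one verdict line per socat listener.
audit_socat_listeners() {
  awk '
    $1 == "LISTEN" && $6 ~ /\("socat"/ {
      port = $4
      sub(/^.*:/, "", port)                 # keep the text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      wildcard = (host == "0.0.0.0" || host == "*" || host == "[::]")
      verdict = wildcard ? "EXPOSED" : "BOUND"
      # 2375 is the port the Docker socket example on this page listens on.
      note = (wildcard && port == "2375") ? " docker-api-port" : ""
      printf "%s %s port=%s%s\n", verdict, host, port, note
    }'
}

# Run against the constructed sample so the script works offline.
printf '%s\n' "$SAMPLE_SS" | audit_socat_listeners
```

On a live host, pipe `ss -Hltnp` into `audit_socat_listeners` instead of the sample; every `EXPOSED` line is a candidate for `bind=127.0.0.1` or a firewall rule.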

## SSL/TLS

`socat OPENSSL-LISTEN:<port>,cert=<cert>,key=<key>,fork TCP:<host>:<port>` — SSL/TLS termination proxy.

```bash
socat OPENSSL-LISTEN:443,cert=server.pem,key=server.key,reuseaddr,fork TCP:localhost:8080
```

`socat - OPENSSL:<host>:<port>` — Connect to an SSL/TLS server.

```bash
socat - OPENSSL:example.com:443
```

`socat TCP-LISTEN:<port>,fork OPENSSL:<host>:<port>` — Add TLS to an unencrypted connection.

```bash
socat TCP-LISTEN:3307,fork OPENSSL:db.example.com:3306
```

## File Transfer

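`socat -u TCP-LISTEN:<port> OPEN:<file>,creat` — Receive a file over TCP. `-u` makes the relay one-way (network to file), so socat never reads from the output file; without it, the immediate EOF from the new, empty file starts socat's close timer (`-t`, 0.5 s by default) and can truncate the transfer.

```bash
socat -u TCP-LISTEN:9999 OPEN:received.tar.gz,creat
```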

`socat OPEN:<file> TCP:<host>:<port>` — Send a file over TCP.

```bash
socat OPEN:backup.tar.gz TCP:remote:9999
```

`socat EXEC:'tar czf - /data' TCP-LISTEN:<port>` — Stream a tar archive over the network.

```bash
socat EXEC:'tar czf - /data' TCP-LISTEN:9999
```

`socat TCP:<host>:<port> EXEC:'tar xzf -'` — Receive and extract a tar stream.

```bash
socat TCP:remote:9999 EXEC:'tar xzf - -C /restore'
```

## Debugging & Testing

`socat -v TCP-LISTEN:<port>,fork TCP:<host>:<port>` — Verbose proxy: show all data passing through.

```bash
socat -v TCP-LISTEN:8080,fork TCP:api.example.com:80
```

`socat -x TCP-LISTEN:<port>,fork TCP:<host>:<port>` — Hex dump proxy: show data in hex.

```bash
socat -x TCP-LISTEN:8080,fork TCP:localhost:3000
```

`socat READLINE TCP:<host>:<port>` — Interactive connection with readline (line editing + history).

```bash
socat READLINE TCP:localhost:6379
```

`socat /dev/null TCP:<host>:<port>` — Quick TCP port connectivity check.

```bash
socat /dev/null TCP:db.example.com:5432,connect-timeout=5
```

## Common Patterns

`socat TCP-LISTEN:<port>,reuseaddr,fork EXEC:<program>` — Run a program for each TCP connection (inetd-style).

```bash
socat TCP-LISTEN:8080,reuseaddr,fork EXEC:/usr/local/bin/handler.sh
```

`socat PTY,link=<path>,raw,echo=0 TCP:<host>:<port>` — Create a virtual serial port connected via TCP.

```bash
socat PTY,link=/dev/vmodem,raw,echo=0 TCP:192.168.1.100:5000
```

`socat TCP-LISTEN:<port>,reuseaddr,fork SYSTEM:'echo HTTP/1.1 200 OK; echo; echo Hello'` — Quick HTTP response server for testing.

```bash
socat TCP-LISTEN:8080,reuseaddr,fork SYSTEM:'echo HTTP/1.1 200 OK; echo; echo Hello World'
```

<!-- PROSE:outro -->
## Conclusion

socat covers a broader range than any other single command-line tool: port forwards, TLS tunnels, inetd-style services, and live protocol inspection – all in one binary. Once the address syntax clicks, it becomes a natural first reach for any network plumbing task. For quick connectivity checks netcat is simpler; the moment you need protocol transformation or TLS, socat is the answer.

## Further Reading

- [socat – Wikipedia](https://en.wikipedia.org/wiki/Socat) – background and use cases
- [socat(1) – manual page](http://www.dest-unreach.org/socat/doc/socat.html) – all options at a glance
<!-- PROSE:outro:end -->

## Related Commands

- [nc](https://www.jpkc.com/db/en/cheatsheets/networking/nc/) – simple TCP/UDP connections and quick connectivity checks
- [ssh](https://www.jpkc.com/db/en/cheatsheets/networking/ssh/) – secure tunnels and remote port forwarding over SSH
- [tcpdump](https://www.jpkc.com/db/en/cheatsheets/networking/tcpdump/) – capture and inspect network traffic

