socat — Bidirectional Network Relays on the Command Line
Practical guide to socat — netcat on steroids: bidirectional relays between sockets, files, pipes, and TLS connections for port forwarding and tunneling.
socat is netcat on steroids: rather than simply connecting two TCP streams, it wires together any two data channels – TCP, UDP, UNIX sockets, files, pipes, serial devices, and TLS connections – in both directions. A single command sets up port forwards, TLS tunnels, or inetd-style services, and lets you inspect raw protocol traffic or route data between network sockets and local processes. This guide covers the most useful socat patterns for everyday work.
TCP Connections
socat TCP-LISTEN:<port>,reuseaddr,fork - — Create a simple TCP server listening on a port.
socat TCP-LISTEN:8080,reuseaddr,fork -

socat - TCP:<host>:<port> — Connect to a TCP server (like netcat).
socat - TCP:localhost:8080

socat TCP-LISTEN:<port>,reuseaddr,fork TCP:<host>:<port> — TCP port forwarding (proxy).
socat TCP-LISTEN:8080,reuseaddr,fork TCP:backend:3000

socat TCP-LISTEN:<port>,reuseaddr,fork,bind=<ip> TCP:<host>:<port> — Port forwarding bound to a specific interface.
socat TCP-LISTEN:8080,reuseaddr,fork,bind=127.0.0.1 TCP:remote:80

UDP & UNIX Sockets
socat UDP-LISTEN:<port> - — Listen for UDP packets.
socat UDP-LISTEN:5000 -

socat - UDP:<host>:<port> — Send data via UDP.
echo 'test' | socat - UDP:localhost:5000

socat UNIX-LISTEN:<path>,fork TCP:<host>:<port> — Forward a UNIX socket to a TCP connection.
socat UNIX-LISTEN:/tmp/myapp.sock,fork TCP:localhost:3306

socat TCP-LISTEN:<port>,fork UNIX:<path> — Expose a UNIX socket as TCP. The example below exposes the Docker daemon without authentication; use it in local/test environments only, never on a public port.
socat TCP-LISTEN:2375,fork UNIX:/var/run/docker.sock

SSL/TLS
socat OPENSSL-LISTEN:<port>,cert=<cert>,key=<key>,fork TCP:<host>:<port> — SSL/TLS termination proxy.
socat OPENSSL-LISTEN:443,cert=server.pem,key=server.key,reuseaddr,fork TCP:localhost:8080

socat - OPENSSL:<host>:<port> — Connect to an SSL/TLS server.
socat - OPENSSL:example.com:443

socat TCP-LISTEN:<port>,fork OPENSSL:<host>:<port> — Add TLS to an unencrypted connection.
socat TCP-LISTEN:3307,fork OPENSSL:db.example.com:3306

File Transfer
socat TCP-LISTEN:<port> OPEN:<file>,creat — Receive a file over TCP.
socat TCP-LISTEN:9999 OPEN:received.tar.gz,creat

socat OPEN:<file> TCP:<host>:<port> — Send a file over TCP.
socat OPEN:backup.tar.gz TCP:remote:9999

socat EXEC:'tar czf - /data' TCP-LISTEN:<port> — Stream a tar archive over the network.
socat EXEC:'tar czf - /data' TCP-LISTEN:9999

socat TCP:<host>:<port> EXEC:'tar xzf -' — Receive and extract a tar stream.
socat TCP:remote:9999 EXEC:'tar xzf - -C /restore'

Debugging & Testing
socat -v TCP-LISTEN:<port>,fork TCP:<host>:<port> — Verbose proxy: show all data passing through.
socat -v TCP-LISTEN:8080,fork TCP:api.example.com:80

socat -x TCP-LISTEN:<port>,fork TCP:<host>:<port> — Hex dump proxy: show data in hex.
socat -x TCP-LISTEN:8080,fork TCP:localhost:3000

socat READLINE TCP:<host>:<port> — Interactive connection with readline (line editing + history).
socat READLINE TCP:localhost:6379

socat /dev/null TCP:<host>:<port> — Quick TCP port connectivity check.
socat /dev/null TCP:db.example.com:5432,connect-timeout=5

Common Patterns
socat TCP-LISTEN:<port>,reuseaddr,fork EXEC:<program> — Run a program for each TCP connection (inetd-style).
socat TCP-LISTEN:8080,reuseaddr,fork EXEC:/usr/local/bin/handler.sh

socat PTY,link=<path>,raw,echo=0 TCP:<host>:<port> — Create a virtual serial port connected via TCP.
socat PTY,link=/dev/vmodem,raw,echo=0 TCP:192.168.1.100:5000

socat TCP-LISTEN:<port>,reuseaddr,fork SYSTEM:'echo HTTP/1.1 200 OK; echo; echo Hello' — Quick HTTP response server for testing.
socat TCP-LISTEN:8080,reuseaddr,fork SYSTEM:'echo HTTP/1.1 200 OK; echo; echo Hello World'

Conclusion
socat covers a broader range than any other single command-line tool: port forwards, TLS tunnels, inetd-style services, and live protocol inspection – all in one binary. Once the address syntax clicks, it becomes a natural first reach for any network plumbing task. For quick connectivity checks netcat is simpler; the moment you need protocol transformation or TLS, socat is the answer.
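The script below is an added example, not part of the original guide. It reviews socat command lines (for instance, collected from a process list) for the exposure points raised above: a listener with no bind= option accepts connections on every interface, a UNIX socket relayed to TCP (the Docker case) loses its file-permission protection, and EXEC:/SYSTEM: behind a listener runs a program per connection. The function names and finding labels are this example's own, and the sample input is constructed.

```shell
#!/bin/sh
# Review socat command lines for listener exposure.
# Finding labels (all-interfaces, ...) are names chosen for this example.

# listener_of CMD: print the first network *-LISTEN address word in CMD, if any.
listener_of() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E '^(TCP[46]?|UDP[46]?|OPENSSL)-LISTEN:' | head -n 1
}

# audit_socat_cmd CMD: print a comma-separated list of findings, or "ok".
audit_socat_cmd() {
    cmd=$1
    findings=""
    addr=$(listener_of "$cmd")
    # No network listener (e.g. UNIX-LISTEN or a pure client): nothing exposed.
    [ -n "$addr" ] || { echo "ok"; return 0; }

    # Without bind= the listener accepts connections on every interface.
    case ",$addr," in
        *,bind=*) ;;  # bound to one address; confirm it is the intended one
        *) findings="${findings}all-interfaces," ;;
    esac
    # A UNIX socket relayed to TCP is no longer protected by file permissions.
    case $cmd in
        *UNIX:*docker.sock*|*UNIX-CONNECT:*docker.sock*)
            findings="${findings}docker-socket-over-tcp," ;;
        *UNIX:*|*UNIX-CONNECT:*)
            findings="${findings}unix-socket-over-tcp," ;;
    esac
    # EXEC:/SYSTEM: behind a listener starts a program for each connection.
    case $cmd in
        *EXEC:*|*SYSTEM:*) findings="${findings}program-per-connection," ;;
    esac
    if [ -n "$findings" ]; then echo "${findings%,}"; else echo "ok"; fi
}

# Constructed sample input, shaped like `ps -eo args` output.
while IFS= read -r line; do
    printf '%-42s %s\n' "$(audit_socat_cmd "$line")" "$line"
done <<'EOF'
socat TCP-LISTEN:2375,fork UNIX:/var/run/docker.sock
socat TCP-LISTEN:8080,reuseaddr,fork,bind=127.0.0.1 TCP:remote:80
socat TCP-LISTEN:8080,reuseaddr,fork EXEC:/usr/local/bin/handler.sh
socat UNIX-LISTEN:/tmp/myapp.sock,fork TCP:localhost:3306
EOF
```

A result of "ok" only means none of these three patterns matched; a bind= value other than loopback still needs a look at which network that address sits on.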
Further Reading
- socat – Wikipedia – background and use cases
- socat(1) – manual page – all options at a glance