In the environment I work in we have multiple firewalls in a path so the likely of your traffic being blocked is high. Most of us use to troubleshoot using telnet which has many many flaws and not a great method of testing but it was all we had.
Here is an example of testing using telnet
telnet 10.11.24.11:80 telnet: 10.11.24.11:80: Name or service not known 10.11.24.11:80: Unknown host
The telnet results don't really give you anything to tell you if its successful or not.
Then I discovered at a young age the power of nmap (which is probably why it was quickly blocked in most companys)
Here is an example of testing using nmap
nmap -p 80 10.11.24.11 Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 10:58 EDT Nmap scan report for wildweaselmi.thezah.com (10.11.24.11) Host is up (0.000053s latency). PORT STATE SERVICE 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Just so you can see what it looks like to see a closed port
nmap -p 443 10.11.24.11 Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 11:04 EDT Nmap scan report for wildweaselmi.thezah.com (10.11.24.11) Host is up (0.000047s latency). PORT STATE SERVICE 443/tcp closed https Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
nmap is super quick and very easy to use to get accurate results but it was quickly blocked by corporate security and is no longer an acceptable tool.
In researching I discovered what most people use which is netcat.
Here is an example of the same test using netcat
nc -zv 10.11.24.11 80 Connection to 10.11.24.11 80 port [tcp/http] succeeded!
Its very clear that port 80 is open on 10.11.24.11
And for clarity sake, here is an example testing a closed port using netcat
nc -zv 10.11.24.11 443 nc: connect to 10.11.24.11 port 443 (tcp) failed: Connection refused
Yet again, its very clear that port 443 is not open on 10.11.24.11 or its being blocked along the path by a firewall or some other device.
As with just about any corporation, you find tools that work and they get taken away. Our company is now blocking the use of netcat due to security risks associated with the tool but not offering any other tool as a replacement.
Now I can use bash as a testing tool and here is that example
cat < /dev/tcp/127.0.0.1/22 SSH-2.0-OpenSSH_7.7
here is a test using bash for the successful connection shown above. It just comes back to the command line with no messages which means success
cat < /dev/tcp/10.11.24.11/80
Here is the other test we did above with netcat that failed so you can see the message bash will show.
cat < /dev/tcp/10.11.24.11/443 -bash: connect: Connection refused -bash: /dev/tcp/10.11.24.11/443: Connection refused
NOTE: using bash is very slow and not always reliable but it appears to be more reliable than telnet but not as good as netcat
I'm having to now test using tcpdump which is a very very painful way for me to test but security doesn't give a dang about how easy or difficult it is for you or me.
As a test scenario I can open a port up on a destination box using netcat while we still have it by running
nc -l 5678
Now on my source box I'll confirm that 5678 is open for testing
nc -zv 10.11.24.11 5678
Before we just jump into troubleshooting connection issues with tcpdump its important to understand the three way handshake needed for communication (SYN, SYN/ACK, ACK)
As long as the ports your client are trying to communicate are turned on and listening on the server its very easy and not complicated.
Below you will see two examples of the above. Client being 10.11.24.12 and Server being 10.11.24.11
First tcpdump is capturing the open port 80 on the server. You can see the entire SYN, SYN/ACK, ACK cycle in this successful communication.
Now let's look at a scenario where the port is just not turned on (or listening) on the server. In this case 10.11.24.11 does not have 443 on so what do we capture if we attempt to communicate to that port.
You can see you don't have the complete 3 way handshake. You see the SYN coming from the client but you don't get a SYN/ACK back but instead a RST/ACK from the server telling you that the port isn't listening.
Now let's try the same test but to a different server that is behind a firewall (10.47.208.46) using the same client (10.11.24.12).
First you can see a success capture going through the firewall over port 443
Now here is a capture of the same client to the same server over 9300 which is on the server and listening which you can confirm by logging onto the server and running a quick netstat command
netstat -anp | grep "9300"
Now we perform a capture and see the communication doesn't get any further than a SYN, RST/ACK (no difference than above without a Firewall)