Networking & Security

Free Tools

A focused collection of tools for working network and security engineers — subnet math, web security analysis, hardware identity. No signup, no tracking, no upload — every calculation runs in your browser. Bookmark whichever ones you reach for most.

Subnetting & IP Math

Subnetting

Subnet Calculator

Punch in any IPv4 CIDR (e.g. 10.0.5.0/24) and get the network address, broadcast, usable host range, wildcard mask, and binary breakdown. Includes a CIDR reference table.

When to useQuick lookups during firewall changes, IP planning, or whiteboarding.

Open Network Design

Advanced (Network Design)

Carve a parent network into pre-named supernets — Campus, Data Center, Edge, OOB Management, WAN, Reserved Expansion. Excel/Sheets export with VLAN ID and description columns ready for the change ticket.

When to useGreenfield site rollouts, branch refresh designs, IP plans you need to hand to ops.

Open Subnetting

VLSM Calculator

Variable-Length Subnet Masking. Give a parent network and a list of host requirements; get back the optimal sequence of /N subnets, sorted largest-first to avoid wasted space.

When to useSqueezing as many subnets as possible from a constrained block (lab, branch, point-to-point links).

Open Updated Subnetting

CIDR Aggregator + Range Converter

Paste overlapping or adjacent CIDRs and get the minimal summary set. Or convert any IP range into the smallest CIDR list. Surfaces non-aligned input normalization (e.g. 192.168.5.0/22 → 192.168.4.0/22) so route advertisements aren't a surprise.

When to useCleaning up route tables, drafting BGP advertisements, prepping firewall object groups.

Open New Subnetting

IPv6 Subnet Calculator

Inspect any IPv6 prefix — compressed/expanded form, address type (Global, ULA, Link-Local, Multicast…), first/last address, total addresses (formatted as 2^N for the huge ones), reverse DNS — or carve a parent into uniformly-sized subnets. BigInt math, exact across the full 128-bit range.

When to usev6 site planning, /48 → /56 → /64 carve-outs, decoding what address type something is.

Open

Network Analysis

New Network Analysis

Packet Decoder

Paste hex from tcpdump -xx, hexdump -C, or Wireshark "Copy as Hex Stream" and get a layer-by-layer breakdown of every byte. Decodes Ethernet + 802.1Q VLAN + IPv4/IPv6 + TCP/UDP/ICMP/ICMPv6 + ARP, with application-layer hints for HTTP, TLS, SSH, and DNS (including parsed query names). Color-coded hex view shows which bytes belong to which OSI layer.

When to useReading a tcpdump capture without firing up Wireshark, sanity-checking a packet you grabbed off a switch port, teaching someone what's actually in an Ethernet frame.

Open New Network Analysis

OSI Connection Probe

Punch in a website and the tool probes it layer by layer — DNS resolution, the TCP connection, the TLS handshake, the HTTP response — then builds an OSI scorecard: which layers are confirmed working, which failed, and where. Failed layers come with a targeted troubleshooting checklist; Layers 1, 2, and 5 (not observable from outside) get checks for your own side.

When to use"Is it down, or is it me?" — pinning a connectivity problem to a specific OSI layer instead of guessing.

Open New Network Analysis

Firewall Rule Analyzer

Paste a rule set — iptables, a Cisco extended ACL, or AWS Security Group JSON — and the tool normalizes every rule and flags the problems: shadowed and unreachable rules, redundant rules, and over-permissive rules that open SSH, RDP, or a database to the whole internet. Format is auto-detected; ordered first-match sets get full shadowing analysis.

When to useReviewing a firewall change, auditing a security group, or hunting for the dead rule that explains why traffic is not behaving.

Open

Web Security

New Web Security

HTTP Security Headers Analyzer

Paste raw response headers and get a graded breakdown of every security-relevant one — directive-level CSP analysis (flags unsafe-inline, unsafe-eval, missing default-src, wildcards), HSTS configuration, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, plus info-leak checks for Server and X-Powered-By.

When to useAuditing a production site, prepping for a security review, or proving to your team that X-XSS-Protection should not be set anymore.

Open New Web Security

Email Security Checker

Enter a domain and get its email-authentication posture graded straight from public DNS — SPF (including the qualifier and a recursive DNS-lookup count against the RFC limit of 10), DMARC (policy strength and reporting), DKIM (common-selector auto-probe plus your own), MX, and MTA-STS. Every record is parsed, every problem explained, with the exact fix.

When to useChecking whether a domain can be spoofed, hardening your own SPF/DMARC, or auditing a vendor before you trust their mail.

Open New Web Security

TLS Cipher Suite Decoder

Paste any cipher suite — IANA (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), OpenSSL (ECDHE-RSA-AES128-GCM-SHA256), or hex (0xC02F) — and get the four components decoded with a strength verdict and explicit warnings for known weaknesses (RC4, 3DES, MD5, anonymous auth, no forward secrecy).

When to useDecoding what your scanner found, vetting a load balancer's negotiated cipher, sanity-checking a Terraform module's allowed list.

Open New Web Security

JWT Decoder & Verifier

Paste any JSON Web Token to decode the header, payload, and signature. Surfaces security findings — alg: none, expired tokens, missing exp/iss/aud, very long TTLs, symmetric vs asymmetric algorithms — and optionally verifies the signature against a PEM public key (RS256/ES256) or HMAC secret (HS256) using the browser's Web Crypto API.

When to useInspecting an OAuth/OIDC token your gateway returned, debugging an auth flow, confirming a token came from the expected issuer, or proving to someone that alg: none is in fact still a thing.

Open New Web Security

X.509 Certificate Decoder

Paste a PEM certificate and get a full breakdown — subject, issuer, validity window, Subject Alternative Names, public key, signature algorithm, and every extension decoded. Findings flag expired or soon-to-expire certs, SHA-1/MD5 signatures, weak RSA keys, self-signed certs, wildcard SANs, and over-long validity periods. SHA-256/SHA-1 fingerprints and a raw ASN.1 tree view included.

When to useInspecting what a server actually presents, debugging a chain or hostname-mismatch error, checking expiry before it bites, or learning what is really inside a certificate.

Open

Reference

New Reference

Common Ports Reference

Searchable list of 131 commonly-needed TCP/UDP ports — search by number, service name, or description, filter by category, and click any value to copy. Deprecated services (Telnet, FTP, PPTP, plaintext SNMP/LDAP) flagged with amber security notes.

When to useWriting firewall rules, scoping a port scan, drafting an architecture doc, or settling a "wait, which port is that?" debate in chat.

Open New Reference

OSI Model Reference

The seven layers as an interactive reference — click any layer for its protocols, PDU, the devices that operate there, common failure modes, a troubleshooting checklist, and the diagnostic commands you'd run. Each layer cross-links to the tools here that touch it. Includes the TCP/IP model mapping.

When to useDiagnosing a connection layer by layer, brushing up for a CCNA / Network+ exam, or settling which layer a problem actually lives at.

Open New Reference

CIA Triad Reference

The three pillars of security — Confidentiality, Integrity, Availability — as an interactive reference. Click a pillar for the threats against it, the controls that defend it, and worked examples. A threat matrix maps common attacks (DDoS, ransomware, MITM, SQL injection, supply-chain) to the pillars they actually break, with the mechanism and the mitigation.

When to useReasoning about why a control exists, classifying an incident, threat-modelling, or studying for Security+ / CISSP.

Open New Reference

Cyber Kill Chain Reference

Lockheed Martin's seven-stage model of an intrusion — from Reconnaissance through Actions on Objectives — as an interactive reference. Click any stage for what the attacker does, what it leaves behind, and how a defender breaks the chain there. Each stage cross-links to the tools in this suite that help. Honest note on where the model falls short and what to reach for instead.

When to useStructuring defenses stage by stage, mapping an incident, threat-modelling, or studying for Security+ / CISSP.

Open New Reference

MAC / OUI Tool

Paste a MAC in any format and get the vendor (curated 200+ OUI database covering networking, server, and virtualization gear), address-type classification (UAA / LAA / multicast / broadcast), and detection of well-known patterns (VRRP, HSRP, LLDP, STP, OSPF, IPv6 multicast). Second tab does MAC ↔ IPv6 EUI-64 link-local conversion.

When to useIdentifying a device from a MAC in your ARP table, decoding what HSRP group a virtual router belongs to, generating an IPv6 link-local for a specific NIC.

Open

Privacy: Tools run client-side in your browser; nothing you type is sent to a server, logged, or stored — no analytics on inputs, no telemetry. The one exception is the Security Headers Analyzer's optional Fetch from URL button, which proxies the request through a stateless relay so it can read response headers the browser's CORS rules would otherwise hide. Refresh the page and your work is gone, which is the point.

Network & Security Architect

Need help on a network or security project?

I take consulting engagements for network design, segmentation, and security architecture reviews. Reach out to scope something — direct, or via Upwork.

Work with me → On Upwork →