IP Address and CIDR Subnet Analysis
IP addresses and CIDR notation are the language of network security. Every firewall rule, every blocklist entry, and every network log uses them. Being able to quickly calculate whether an IP falls within a subnet, expand a CIDR range, or identify if an address is private vs. public is a fundamental skill for security work.
Try it now
IP/CIDR Calculator
Runs in your browser, nothing leaves your device.
CIDR notation combines an IP address with a prefix length: 192.168.1.0/24 means the first 24 bits are the network part, leaving 8 bits for host addresses (256 IPs, 254 usable). /32 is a single host. /16 is 65,536 addresses. /8 is 16.7 million. When reviewing firewall rules, understanding the scope of each CIDR block tells you exactly what traffic is being allowed or blocked.
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private (RFC 1918). 127.0.0.0/8 is loopback. 169.254.0.0/16 is link-local. If you see these in external-facing logs, it might indicate a misconfigured proxy, SSRF vulnerability, or spoofed header. In SSRF testing, knowing which ranges are internal helps identify what an attacker might target.
Examples
CIDR range expansion
10.0.0.0/24
Range: 10.0.0.0 - 10.0.0.255 (256 addresses, 254 usable hosts)
Security context
Overly broad CIDR ranges in firewall rules are a common misconfiguration. A /16 allow rule where a /28 would suffice exposes thousands of unnecessary IP addresses. When auditing network rules, always calculate the actual scope of each CIDR block.
Frequently asked
Convert both the IP and the subnet to binary, apply the subnet mask, and compare the network portions. Or use a CIDR calculator tool: enter the IP and the CIDR range, and it will tell you whether the address falls within that network.
Related techniques
HTTP Security Headers Checklist
Review HTTP response headers for security misconfigurations. Check for missing HSTS, X-Content-Type-Options, X-Frame-Options, and information leaks in Server headers.
Regex Patterns
Regular expression patterns for extracting indicators of compromise: IP addresses, domains, hashes, URLs, email addresses, and Bitcoin wallets from security logs and reports.