neteng.tools — Network Engineer's Toolbox

Subnet Calculator

IP Address

CIDR /

CIDR Cheat Sheet

CIDR	Subnet Mask	Wildcard	Total IPs	Usable Hosts	Notes

RFC 1918 Private Ranges

Large Private

10.0.0.0/8

10.0.0.0 – 10.255.255.255

16,777,214 usable hosts

Medium Private

172.16.0.0/12

172.16.0.0 – 172.31.255.255

1,048,574 usable hosts

Small Private

192.168.0.0/16

192.168.0.0 – 192.168.255.255

65,534 usable hosts

Loopback

127.0.0.0/8

127.0.0.1 – localhost

RFC 1122

Link-Local (APIPA)

169.254.0.0/16

Auto-assigned when no DHCP

RFC 3927

Multicast

224.0.0.0/4

224.0.0.0 – 239.255.255.255

RFC 1112

tcpdump is a command-line packet analyzer available on Linux, macOS, and BSD systems. Network engineers use it to capture and inspect live traffic on an interface, filter packets by host, port, or protocol, and write captures to .pcap files for analysis in Wireshark. It is one of the most essential tools for troubleshooting connectivity issues, validating firewall rules, and diagnosing application-layer problems at the network level. Use the command builder below to generate the exact syntax you need, or browse the reference section for common one-liners.

Command Builder

Interface

Host / IP

Port

Protocol

Direction

Snap Length

Write to File (.pcap)

Read from File

Packet Count

Net / Subnet

-n (no DNS resolution)

-e (print MAC addresses)

-v (verbose)

-vv (more verbose)

-X (hex + ASCII)

-A (ASCII only)

-tt (absolute timestamps)

$tcpdump -n

Quick Reference

// Capture Basics

Capture on interface, no DNS

tcpdump -ni eth0

Capture all interfaces

tcpdump -ni any

List available interfaces

tcpdump -D

Capture N packets then stop

tcpdump -ni eth0 -c 100

// Filtering

Filter by host

tcpdump -ni eth0 host 10.0.0.1

Filter by port

tcpdump -ni eth0 port 443

Source host only

tcpdump -ni eth0 src host 10.0.0.1

Destination port only

tcpdump -ni eth0 dst port 80

Filter by subnet

tcpdump -ni eth0 net 192.168.1.0/24

Host AND port

tcpdump -ni eth0 host 10.0.0.1 and port 443

Exclude SSH port

tcpdump -ni eth0 not port 22

TCP only

tcpdump -ni eth0 tcp

ICMP only (ping)

tcpdump -ni eth0 icmp

// Write & Read pcap

Write full packets to file

tcpdump -ni eth0 -s0 -w capture.pcap

Capture with filter, write to file

tcpdump -nei igb3 host 10.0.0.1 and port 443 -s0 -w capture.pcap

Read from pcap file

tcpdump -r capture.pcap

Read pcap with filter

tcpdump -r capture.pcap host 10.0.0.1

Rotate files every 100MB

tcpdump -ni eth0 -C 100 -w capture.pcap

// Display & Verbosity

Show hex + ASCII payload

tcpdump -ni eth0 -X port 80

Show MAC addresses

tcpdump -nei eth0

Verbose output

tcpdump -ni eth0 -vv

Absolute timestamps

tcpdump -ni eth0 -tt

IP ↔ Binary Converter

IP Address (dotted decimal)

Binary → IP (32 bits, no spaces)

Wildcard Mask Calculator

Subnet Mask

Common Port Reference

Port	Proto	Service
22	TCP	SSH
23	TCP	Telnet
25	TCP	SMTP
53	TCP/UDP	DNS
67/68	UDP	DHCP
80	TCP	HTTP
123	UDP	NTP
161/162	UDP	SNMP
179	TCP	BGP
389	TCP	LDAP
443	TCP	HTTPS
514	UDP	Syslog
636	TCP	LDAPS
1812/1813	UDP	RADIUS
3389	TCP	RDP

nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing. Network engineers use it to identify live hosts on a subnet, enumerate open ports and running services, detect operating systems, and map network topology. Whether you are performing a quick ping sweep, auditing firewall rules, or inventorying devices across a VLAN, nmap is the go-to tool. Use the command builder below to construct scans without memorizing flags, or browse the reference section for the most common scan types.

Scan Builder

Target (IP, Range, or CIDR)

Scan Type

Port Specification

Port / Value

Timing

Output Format

Output Filename

-O (OS detection)

-sV (service version)

-A (aggressive: OS+version+scripts)

-n (no DNS resolution)

-v (verbose)

-Pn (skip host discovery)

--open (show only open ports)

--script (NSE script)

$nmap

Quick Reference

// Host Discovery

Ping sweep — find live hosts, no port scan

nmap -sn 192.168.1.0/24

Scan single host

nmap 10.0.0.1

Scan range of IPs

nmap 10.0.0.1-50

Skip host discovery (treat all as online)

nmap -Pn 10.0.0.1

// Port Scanning

SYN scan (default, requires root)

nmap -sS 192.168.1.1

Scan all 65535 ports

nmap -p- 192.168.1.1

Scan specific ports

nmap -p 22,80,443,8080 192.168.1.1

Top 100 ports

nmap --top-ports 100 192.168.1.1

UDP scan

nmap -sU 192.168.1.1

Show only open ports

nmap --open 192.168.1.0/24

// Service & OS Detection

Service version detection

nmap -sV 192.168.1.1

OS detection

nmap -O 192.168.1.1

Aggressive scan (OS + version + scripts + traceroute)

nmap -A 192.168.1.1

Fast aggressive subnet scan

nmap -T4 -A --open 192.168.1.0/24

// Output & Saving

Save normal output to file

nmap -oN scan.txt 192.168.1.0/24

Save all formats (normal, XML, greppable)

nmap -oA scan_results 192.168.1.0/24

Greppable output

nmap -oG scan.gnmap 192.168.1.0/24

// NSE Scripts

Run vuln scripts

nmap --script vuln 192.168.1.1

Grab HTTP page titles

nmap --script http-title 192.168.1.0/24

SMB OS discovery

nmap --script smb-os-discovery 192.168.1.1

Default safe scripts

nmap -sC 192.168.1.1

Wireshark is the world's most widely used network protocol analyzer. Network engineers use it to inspect packet captures at the byte level, diagnose application issues, validate encryption, and troubleshoot wireless connectivity problems. Wireshark has two types of filters — capture filters (BPF syntax, applied during capture to limit what is saved) and display filters (Wireshark's own syntax, applied after capture to filter what is shown). Use the builder below or browse the reference sections for the most common filters.

Capture Filter vs Display Filter

Capture Filters (BPF)

Applied before packets are saved
Uses tcpdump/BPF syntax
Reduces file size — only saves matching packets
Cannot be changed after capture starts
Set in: Capture → Options → Filter

host 10.0.0.1 and port 443

Display Filters (Wireshark)

Applied after packets are captured
Uses Wireshark's own syntax
Does not discard packets — just hides them
Can be changed anytime during analysis
Entered in the filter bar at the top

ip.addr == 10.0.0.1 && tcp.port == 443

Display Filter Builder

IP Address

IP Direction

Port

Port Direction

Protocol

TCP Flag

MAC Address

Subnet (CIDR)

Exclude retransmissions

Show TCP errors only

IPv6 only

IPv4 only

▶// Enter values above to build a filter

Basic Display Filters

// IP & Host

Traffic to or from an IP

ip.addr == 10.0.0.1

Traffic from source IP only

ip.src == 10.0.0.1

Traffic to destination IP only

ip.dst == 10.0.0.1

Traffic between two hosts

ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2

Filter by subnet

ip.addr == 192.168.1.0/24

Exclude an IP

!(ip.addr == 10.0.0.1)

Filter by MAC address

eth.addr == aa:bb:cc:dd:ee:ff

// Port & Protocol

Filter by TCP port

tcp.port == 443

Filter by UDP port

udp.port == 53

TCP source port

tcp.srcport == 443

TCP destination port

tcp.dstport == 80

TCP only

tcp

UDP only

udp

ICMP only

icmp

ARP only

arp

// TCP Flags

SYN packets (connection initiation)

tcp.flags.syn == 1 && tcp.flags.ack == 0

SYN-ACK (connection response)

tcp.flags.syn == 1 && tcp.flags.ack == 1

RST packets (connection reset)

tcp.flags.reset == 1

FIN packets (connection close)

tcp.flags.fin == 1

PSH flag set

tcp.flags.push == 1

TCP retransmissions

tcp.analysis.retransmission

TCP errors (retrans, dup ACK, reset)

tcp.analysis.flags

Zero window (receiver buffer full)

tcp.analysis.zero_window

// HTTP / DNS / DHCP

HTTP traffic

http

HTTP GET requests only

http.request.method == "GET"

HTTP POST requests only

http.request.method == "POST"

TLS/HTTPS traffic

tls

TLS Client Hello

tls.handshake.type == 1

DNS traffic

dns

DNS queries only

dns.flags.response == 0

DNS responses only

dns.flags.response == 1

DHCP traffic

dhcp

DHCP Discover

dhcp.option.dhcp == 1

DHCP Request

dhcp.option.dhcp == 3

// VoIP / RTP

SIP traffic

sip

SIP INVITE (call setup)

sip.Method == "INVITE"

RTP (voice/video media streams)

rtp

RTCP (RTP control)

rtcp

SIP or RTP (all VoIP)

sip || rtp || rtcp

RTP jitter analysis

rtp && rtp.marker == 1

// Wireless (802.11)

All 802.11 WLAN frames

wlan

Beacon frames

wlan.fc.type_subtype == 0x0008

Probe requests (client scanning)

wlan.fc.type_subtype == 0x0004

Probe responses

wlan.fc.type_subtype == 0x0005

Authentication frames

wlan.fc.type_subtype == 0x000b

Association requests

wlan.fc.type_subtype == 0x0000

Disassociation frames

wlan.fc.type_subtype == 0x000a

Deauthentication frames

wlan.fc.type_subtype == 0x000c

Filter by BSSID (AP MAC)

wlan.bssid == aa:bb:cc:dd:ee:ff

Filter by SSID name

wlan.ssid == "MyNetwork"

Management frames only

wlan.fc.type == 0

Data frames only

wlan.fc.type == 2

EAPOL (WPA handshake)

eapol

// Capture Filters (BPF syntax)

Capture by host

host 10.0.0.1

Capture by port

port 443

Capture host and port

host 10.0.0.1 and port 443

Capture subnet

net 192.168.1.0/24

Exclude SSH (avoid capturing your own session)

not port 22

TCP only

tcp

UDP only

udp

IPv6 is the successor to IPv4, using 128-bit addresses to solve exhaustion of the 32-bit IPv4 space. With 340 undecillion possible addresses, every device can have a globally routable address. This reference covers notation rules, address types, common prefixes, and the CLI commands you need when troubleshooting IPv6 on Linux, macOS, or network devices.

Address Format & Notation Rules

Structure

2001:0db8:85a3:0000:0000:8a2e:0370:7334

8 groups of 4 hex digits, separated by colons

128 bits total — 16 bits per group

Abbreviation Rules

Rule 1 — Drop leading zeros in each group

0db8 → db8|0000 → 0

Rule 2 — Replace one consecutive group of all-zero groups with ::

2001:db8:0:0:0:0:0:1 → 2001:db8::1

Rule 3 — :: can only appear once per address

2001::db8::1 ← INVALID

Full → Shortened example

2001:0db8:85a3:0000:0000:8a2e:0370:7334

2001:db8:85a3::8a2e:370:7334

Special Notation

Loopback

::1

Equivalent to 127.0.0.1 in IPv4

Unspecified

Equivalent to 0.0.0.0 in IPv4

IPv4-mapped IPv6

::ffff:192.168.1.1

Represents an IPv4 address in IPv6 notation

URL notation (brackets required)

http://[2001:db8::1]:8080/

Address Types

Type	Prefix	Range	Scope	Notes
Loopback	::1/128	—	Host	Equivalent to 127.0.0.1
Link-Local	fe80::/10	fe80:: – febf::	Link	Auto-configured on every interface, not routable
Unique Local (ULA)	fc00::/7	fc00:: – fdff::	Site	RFC 4193 — private use, like RFC 1918
Global Unicast	2000::/3	2000:: – 3fff::	Global	Publicly routable addresses (ISP assigned)
Documentation	2001:db8::/32	—	—	RFC 3849 — examples and docs only, not routable
Multicast	ff00::/8	ff00:: – ffff::	Varies	Replaces IPv4 broadcast; ff02::1 = all nodes
Solicited-Node Multicast	ff02::1:ff00:0/104	—	Link	Used by NDP (replaces ARP)
6to4	2002::/16	—	Global	Deprecated IPv4-to-IPv6 transition mechanism
Teredo	2001::/32	—	Global	NAT traversal tunnel, largely deprecated

Common Prefix Lengths

Prefix	Addresses	Typical Use
/128	1	Single host — loopback, router interface
/127	2	Point-to-point links (RFC 6164)
/126	4	Point-to-point (legacy, avoid — use /127)
/64	18,446,744,073,709,551,616	Standard LAN subnet — required for SLAAC
/56	256 × /64 subnets	Typical residential ISP allocation
/48	65,536 × /64 subnets	Standard enterprise site allocation
/32	65,536 × /48 sites	ISP allocation to a single customer org
/29	8 × /32 allocations	LIR minimum allocation from RIR

Note: Unlike IPv4, IPv6 /64 subnets are standard for all LAN segments regardless of host count. Never subnet smaller than /64 on a LAN — SLAAC requires it.

IPv4 vs IPv6 Comparison

Feature	IPv4	IPv6
Address length	32-bit	128-bit
Address space	~4.3 billion	340 undecillion
Notation	Dotted decimal (192.168.1.1)	Hex colon (2001:db8::1)
Subnetting	VLSM, any prefix	/64 standard for LANs
Private addresses	RFC 1918 (NAT required)	ULA fc00::/7 (NAT not needed)
Broadcast	Yes	No — uses multicast
ARP	Yes	No — replaced by NDP
Auto-configuration	DHCP only	SLAAC + DHCPv6
Header size	20–60 bytes (variable)	40 bytes (fixed)
IPsec	Optional	Built-in (mandatory in spec)
Fragmentation	Routers and hosts	Hosts only (Path MTU discovery)
Loopback	127.0.0.1	::1
Default route	0.0.0.0/0	::/0

Common IPv6 Commands

// Linux (iproute2)

Show IPv6 addresses on all interfaces

ip -6 addr show

Show IPv6 routing table

ip -6 route show

Show neighbor table (replaces ARP)

ip -6 neigh show

Add a static IPv6 address

ip -6 addr add 2001:db8::1/64 dev eth0

Add a static IPv6 route

ip -6 route add 2001:db8::/32 via fe80::1 dev eth0

// Ping & Traceroute

Ping an IPv6 host (Linux)

ping6 2001:db8::1

Ping IPv6 with count

ping6 -c 4 2001:db8::1

Ping link-local (must specify interface)

ping6 fe80::1%eth0

Traceroute IPv6 (Linux)

traceroute6 2001:db8::1

Traceroute IPv6 (macOS / modern Linux)

traceroute -6 2001:db8::1

Ping IPv6 (Windows)

ping -6 2001:db8::1

// DNS & Connectivity

Query AAAA record (IPv6 DNS)

dig AAAA google.com

Query only IPv6 DNS server

dig AAAA google.com @2001:4860:4860::8888

Check if host supports IPv6

curl -6 https://ipv6.google.com

Show your public IPv6 address

curl -6 https://ifconfig.me

tcpdump IPv6 traffic

tcpdump -ni eth0 ip6

nmap IPv6 host scan

nmap -6 2001:db8::1

// Well-Known IPv6 Addresses

Google Public DNS (IPv6)

2001:4860:4860::8888 / 2001:4860:4860::8844

Cloudflare DNS (IPv6)

2606:4700:4700::1111 / 2606:4700:4700::1001

All nodes multicast (link-local)

ff02::1

All routers multicast (link-local)

ff02::2

Use these tools to measure network throughput, latency, and jitter from your current location. Each test uses different server infrastructure and methodology — running multiple tests gives a more complete picture of your connection. Useful for validating SLA performance, troubleshooting slow links, or baselining a new circuit.

⚡

Cloudflare Speed Test

speed.cloudflare.com

Tests download, upload, latency, and jitter using Cloudflare's global edge network. Also shows packet loss and loaded vs unloaded latency — useful for diagnosing bufferbloat.

No Flash Latency Jitter Bufferbloat

Launch →

🔵

Speedtest by Ookla

speedtest.net

The most widely recognized speed test. Tests against the nearest server by default. Good for ISP comparisons and sharing standardized results with vendors or customers.

Industry Standard Server Selection

Launch →

▶

Fast.com

fast.com

Netflix's speed test — measures download speed using Netflix's own CDN infrastructure. Useful for isolating whether Netflix-specific routing is the bottleneck on a customer connection.

Netflix CDN Simple

Launch →

🌐

Google Speed Test

google.com/search?q=speed+test

Google's built-in speed test runs directly in the search results page, powered by Measurement Lab (M-Lab). Uses Google's infrastructure and provides download, upload, and latency.

No Install M-Lab

Launch →

📡

LibreSpeed

librespeed.org

Open-source, self-hostable speed test with no telemetry or tracking. Good for privacy-conscious environments and for organizations that want to run their own internal speed test server.

Open Source Self-Hostable No Tracking

Launch →

🔬

Waveform Bufferbloat Test

waveform.com/tools/bufferbloat

Specifically tests for bufferbloat — excessive latency under load. Grades your connection A–F. Invaluable for diagnosing why latency spikes during heavy downloads even on fast connections.

Bufferbloat Latency Under Load Graded A-F

Launch →

Feature Requests

Got an idea for a tool or feature? Submit it below. We read every request.

Your Request

Email (optional — for follow-up)

Verify you're human

✓ Request received — thanks! We'll consider it for a future update.