NetCleaver

If you do a lot of network recon or incident response, you end up doing quite a bit of subnet math: range conversions, CIDR breakdowns, figuring out whether two ACLs overlap, carving exclusions out of large blocks. It's a regular thing.
For a long time, my workflow was what I think everyone does but won't admit to doing: visit some random online subnet calculator, paste in the CIDR, copy the output, and then close the tab while looking furtively around to see if anyone saw you. Of course, ipcalc works too, but it only does single-network lookups. It also can't compare ranges, batch a file, or tell you if any of the networks you're working with overlap.
NetCleaver started as an excuse to learn Python’s ipaddress module while solving some of the trust and portability issues I was facing. The CLI came first with the web UI coming a little later because I wanted something I could share with teammates who weren’t about to pip install anything, and some of the output just works better rendered visually, too.
What NetCleaver does
Basically, subnet math, IP conversions, and network auditing from the command line or a browser.
# basic subnet info
netcleaver cidr 10.0.0.0/16
# auto-detect and convert whatever you give it
netcleaver convert 0xc0a80101
netcleaver convert 255.255.255.0
netcleaver convert /24
# carve subnets out of a block
netcleaver exclude 10.0.0.0/16 10.0.1.0/24 10.0.2.0/24
# check if an IP falls within a network (scriptable)
netcleaver contains 10.0.0.0/8 10.1.2.3 -q && echo "yes" || echo "no"
The convert command is the one I tend to use most. Give it an IP, a hex value, a netmask, a wildcard, a CIDR prefix, whatever. It’ll figure out what you gave it and show you all the other representations. Very nice.
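The auto-detection described above, as an added example written against the standard library's ipaddress module; this is not NetCleaver's own code, and the classification rules (netmask = contiguous ones then zeros, wildcard = zeros then ones, with 0.0.0.0 and 255.255.255.255 resolved as netmasks) are my assumptions about how such a command should behave, as is the IPv4-only scope:

```python
import ipaddress

IPV4_BITS = 32


def classify(text):
    """Guess what an IPv4-ish token is: 'prefix', 'netmask', 'wildcard' or 'address'.
    Returns (kind, value): value is a prefix length or an IPv4Address.
    Hex (0x...) and dotted-quad inputs both land on the same mask/address checks."""
    s = text.strip()
    if s.startswith("/"):
        prefix = int(s[1:])
        if not 0 <= prefix <= IPV4_BITS:
            raise ValueError(f"prefix out of range: {s}")
        return "prefix", prefix
    if s.lower().startswith("0x"):
        addr = ipaddress.IPv4Address(int(s, 16))  # raises if it does not fit in 32 bits
    else:
        addr = ipaddress.IPv4Address(s)  # raises on anything that is not a dotted quad
    n = int(addr)
    inverted = n ^ 0xFFFFFFFF
    # A netmask is a run of ones followed by zeros: its inverse plus one is a power of two.
    # A wildcard is zeros followed by ones: the value plus one is a power of two.
    # 0.0.0.0 and 255.255.255.255 satisfy both; this resolves them as netmasks (/0, /32).
    if inverted & (inverted + 1) == 0:
        return "netmask", addr
    if n & (n + 1) == 0:
        return "wildcard", addr
    return "address", addr


def convert(text):
    """Every representation of the token, the way a convert-style command would print it."""
    kind, value = classify(text)
    if kind == "prefix":
        prefix = value
    elif kind == "netmask":
        prefix = bin(int(value)).count("1")
    elif kind == "wildcard":
        prefix = IPV4_BITS - bin(int(value)).count("1")
    else:
        prefix = None
    out = {"input": text, "kind": kind}
    if prefix is None:  # plain host address: show the same number in every base
        out.update(dotted=str(value), integer=int(value),
                   hex=f"0x{int(value):08x}", binary=f"{int(value):032b}")
        return out
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
    out.update(prefix=prefix, cidr=f"/{prefix}", netmask=str(net.netmask),
               wildcard=str(net.hostmask), hex=f"0x{int(net.netmask):08x}",
               addresses=net.num_addresses,
               # /31 and /32 have no network/broadcast pair to subtract
               usable=net.num_addresses - 2 if prefix < 31 else net.num_addresses)
    return out


if __name__ == "__main__":
    for token in ("0xc0a80101", "255.255.255.0", "/24", "0.0.0.255", "192.168.1.1"):
        print(convert(token))
```

The hex/netmask/wildcard ambiguity is the part worth a test: 0xffffff00 is treated as a /24 netmask rather than an address, and 0.0.0.255 as the matching wildcard, which is the behaviour you want when pasting from Cisco-style ACLs but may surprise you when an actual host happens to have one of those values.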
Auditing
The audit command is the most useful option for security work. Just point it at a file full of networks and it will check for:
- Overlapping ranges
- Duplicate entries
- Redundant subnets (a /24 that’s already inside a /16)
- Fragmentation (blocks that could be aggregated)
- Overly broad ranges
- Bogon space
- Context-aware issues (private IPs in an external ACL, public IPs in an internal list)
netcleaver audit -f firewall_rules.txt --context internal
netcleaver audit -f external_acl.txt --context external -q
The quiet mode returns exit code 0 for clean, 1 for issues found. Useful in CI or scripts that validate network configs.
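The checks listed above, as an added example against the stdlib ipaddress module; this is not NetCleaver's code, and the sample list, the "overly broad" threshold (anything shorter than a /12), the bogon definition, and the exact wording of findings are my own assumptions, so NetCleaver's rules may differ in detail:

```python
import ipaddress

# Constructed sample list (not from the post): one network per line, '#' comments.
SAMPLE_INTERNAL = """\
10.0.0.0/8
10.1.0.0/16                  # inside 10.0.0.0/8 -> redundant
10.1.0.0/16                  # repeated line -> duplicate
192.168.0.0/24
192.168.1.0/24               # sibling of the previous block -> could be aggregated
172.16.4.128-172.16.5.127    # start-end range; partially overlaps the next entry
172.16.5.0/24
127.0.0.0/8                  # loopback -> bogon
8.8.8.0/24                   # public space in an internal list
"""

BROAD_PREFIX = 12  # assumed threshold: anything shorter than a /12 is "overly broad"


def parse_entries(text):
    """Parse one-network-per-line text into (label, first, last) integer ranges.
    Accepts CIDR (10.0.0.0/8) and start-end ranges (10.0.0.0-10.0.0.255)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        else:
            net = ipaddress.ip_network(line, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        if int(lo) > int(hi):
            raise ValueError(f"range start after end: {line}")
        entries.append((line, int(lo), int(hi)))
    return entries


def to_networks(lo, hi):
    """Smallest set of CIDR blocks covering the inclusive integer range lo..hi."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def is_bogon(net):
    """Space that should never appear in a routed ACL, whatever the context."""
    return (net.is_loopback or net.is_multicast or net.is_reserved
            or net.is_link_local or net.is_unspecified)


def audit(text, context):
    """Return a list of (kind, message) findings; context is 'internal' or 'external'."""
    findings = []
    seen, unique = set(), []
    for label, lo, hi in parse_entries(text):
        if (lo, hi) in seen:
            findings.append(("duplicate", label))
            continue
        seen.add((lo, hi))
        unique.append((label, lo, hi))

    redundant = set()
    for i, (la, alo, ahi) in enumerate(unique):
        for j, (lb, blo, bhi) in enumerate(unique):
            if i == j:
                continue
            a_in_b = blo <= alo and ahi <= bhi
            b_in_a = alo <= blo and bhi <= ahi
            if a_in_b:
                findings.append(("redundant", f"{la} is already covered by {lb}"))
                redundant.add(i)
            elif i < j and alo <= bhi and blo <= ahi and not b_in_a:
                # Only start-end ranges can partially overlap; CIDRs nest or are disjoint.
                findings.append(("overlap", f"{la} partially overlaps {lb}"))

    nets = []  # CIDR view of every non-redundant entry, for the aggregation check
    for i, (label, lo, hi) in enumerate(unique):
        for net in to_networks(lo, hi):
            if net.prefixlen < BROAD_PREFIX:
                findings.append(("broad", f"{label} is a /{net.prefixlen}"))
            if is_bogon(net):
                findings.append(("bogon", f"{label} is bogon space ({net})"))
            if context == "internal" and net.is_global:
                findings.append(("context", f"{label}: public range in an internal list"))
            if context == "external" and net.is_private:
                findings.append(("context", f"{label}: private range in an external list"))
            if i not in redundant:
                nets.append(net)

    # Fragmentation: two sibling blocks of equal size that share a parent supernet.
    nets.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    for a, b in zip(nets, nets[1:]):
        if (a.prefixlen == b.prefixlen and a.prefixlen > 0 and a != b
                and a.supernet() == b.supernet()):
            findings.append(("fragmentation", f"{a} and {b} could be {a.supernet()}"))
    return findings


def exit_code(findings):
    """Mirror the quiet-mode contract: 0 when clean, 1 when anything was flagged."""
    return 1 if findings else 0


if __name__ == "__main__":
    for kind, msg in audit(SAMPLE_INTERNAL, "internal"):
        print(f"[{kind}] {msg}")
```

Two points worth keeping in mind when wiring something like this into CI: the context checks lean on ipaddress's is_global/is_private, whose tables have shifted slightly between Python releases (carrier-grade NAT space in particular), so pin the interpreter version the pipeline runs; and a partial overlap is only possible between start-end ranges, since two CIDR blocks are either nested or disjoint.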
Web UI
As mentioned earlier, there's a web interface, too. The web UI has the same functionality, just a different wrapper. I run it at netcleaver.axiom0x0.sh if you want to try it out without installing anything first.
Locally you can run:
python netcleaver_web.py -d
The web UI has visual subnet breakdowns and the usual conversion tools you'd expect. That said, the whole thing runs on Flask, and the built-in development server is meant for local use only: it is not hardened for exposure, and if debug mode is enabled the Werkzeug interactive debugger it serves will execute arbitrary Python for anyone who can reach it. Don't point it at the internet or run it in production without putting a WSGI server and a web proxy in front of it.
File input and piping
Most commands accept -f for file input. Files hold one network per line, with # starting a comment. Piping pairs nicely with other tools:
# expand a range and feed it to nmap
netcleaver expand 192.168.1.0/28 -p | nmap -iL - -sP
# aggregate a messy list
netcleaver supernet -f messy_networks.txt -p > clean.txt
# split internal ranges into /24s for scanning
netcleaver split -f internal.txt 24 -p > targets.txt
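The carving, splitting, aggregation and expansion commands shown here and in the command list earlier, as an added example of how to do the same work with the stdlib ipaddress module; this is not NetCleaver's code, and the function names, the decision to drop network and broadcast addresses when expanding, and the behaviour when a hole equals the whole block are my own assumptions:

```python
import ipaddress


def _sort_key(net):
    # IPv4 before IPv6, then by address, then by size; avoids the TypeError
    # you get from comparing networks of different versions directly.
    return (net.version, int(net.network_address), net.prefixlen)


def exclude(block, *holes):
    """Carve every hole out of block and return the CIDRs that remain, sorted.
    address_exclude() only removes one subnet at a time, so each hole is applied
    to every remaining piece in turn."""
    block = ipaddress.ip_network(block)
    remaining = [block]
    for hole in holes:
        hole = ipaddress.ip_network(hole)
        if not hole.subnet_of(block):
            raise ValueError(f"{hole} is not inside {block}")
        kept = []
        for piece in remaining:
            if hole.subnet_of(piece):
                kept.extend(piece.address_exclude(hole))  # split piece around the hole
            elif piece.subnet_of(hole):
                continue  # the hole swallows this piece entirely
            else:
                kept.append(piece)  # CIDR blocks that are not nested are disjoint
        remaining = kept
    return sorted(remaining, key=_sort_key)


def split(network, new_prefix):
    """Break a block into equal pieces of the given prefix length."""
    net = ipaddress.ip_network(network)
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than {net}")
    return list(net.subnets(new_prefix=new_prefix))


def supernet(networks):
    """Aggregate a messy list: drop covered subnets and merge adjacent siblings."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def expand(network):
    """Host addresses of a block as strings, ready for nmap -iL; the network and
    broadcast addresses are dropped for prefixes shorter than /31."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()]


def contains(network, address):
    """True when address is inside network (the exit-code style check)."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)


if __name__ == "__main__":
    for net in exclude("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"):
        print(net)
    print(supernet(["192.168.1.0/24", "10.1.0.0/16", "192.168.0.0/24", "10.0.0.0/8"]))
    print("\n".join(expand("192.168.1.0/28")))
```

Carving 10.0.1.0/24 and 10.0.2.0/24 out of 10.0.0.0/16 leaves eight blocks (10.0.0.0/24, 10.0.3.0/24, then /22 up through /17) covering 65024 addresses, which is the right answer but a longer list than people expect; that is exactly why you want a tool rather than doing it in your head before handing the result to a scanner.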
Install
git clone https://github.com/axiom0x0/netcleaver.git
cd netcleaver
pip install -e .
After that, the netcleaver command is on your PATH. The repo has the complete command reference.