In This Guide
- What IP Tracking Actually Means
- What an IP Address Reveals (and What It Does Not)
- How to Trace an IP Address Step by Step
- Combining IP Data: Geolocation + WHOIS + Reputation
- IP Tracking for Website Owners
- IP Tracking in Email Headers
- Legal and Ethical Boundaries
- Limitations: VPNs, Proxies, and the Gaps
- IP Tracking Tools: When to Use What
- Frequently Asked Questions
On October 21, 2016, large sections of the internet went dark. Twitter, Reddit, Netflix, GitHub, and dozens of other major sites became unreachable for hours. The culprit was a massive DDoS attack against Dyn, a DNS infrastructure provider, powered by the Mirai botnet — a network of hijacked IoT devices like security cameras and home routers. The FBI's investigation relied heavily on IP tracing: tracking the command-and-control server IPs, mapping the geographic distribution of the attacking devices, and tracing hosting account registrations back to three college-aged individuals. IP address data from server logs, WHOIS records, and geolocation lookups formed the backbone of the digital evidence chain that led to guilty pleas in December 2017.
The Mirai case illustrates what IP tracing actually looks like in practice. It is not the instant, pinpoint-accuracy tracking you see in crime dramas. It is a methodical process of collecting network-level data points — geographic region, network operator, registration records, connection patterns — and building a picture from the pieces. No single IP lookup produces a name or a doorstep. But combined intelligently, IP data is one of the most powerful tools available for investigating online activity.
This guide walks through how IP tracking works, what you can realistically learn from an IP address, and how to use the available tools effectively — whether you are investigating suspicious traffic on your server, analyzing visitor patterns, tracing the origin of an email, or just trying to understand what your own IP reveals about you.
What IP Tracking Actually Means — Separating Reality from Fiction
Hollywood has done a number on public expectations of IP tracking. In the movies, someone types an IP address into a terminal and within seconds a satellite zooms into a specific building. In reality, IP tracking is useful and powerful, but it works at a fundamentally different level of precision.
An IP address is a network routing identifier. It tells the internet's infrastructure where to send data. When you visit a website, your device's IP address is included in every request so the server knows where to send the response. This is a technical necessity, not a surveillance mechanism — it is the digital equivalent of a return address on an envelope.
What IP tracking can do is associate that network identifier with useful metadata: the geographic region where that IP block is routed, the ISP or organization that operates the network, whether the IP has been flagged for malicious activity, and what type of connection it represents. This metadata is valuable for security analysis, fraud detection, visitor analytics, and network troubleshooting — but it requires understanding what the data means and what it does not.
Tracking vs. tracing vs. logging
These terms get used interchangeably, but they describe different activities:
- IP tracing — a one-time lookup to find the geographic location, ISP, and network information for a specific IP address.
- IP tracking — monitoring IP addresses over time, such as logging which IPs visit a website or recording login attempts from different locations.
- IP logging — recording IP addresses in server access logs, application logs, or purpose-built tracking systems like IP Tracker Online.
All three use the same underlying data — geolocation databases, WHOIS records, and reputation feeds — but they answer different questions. Tracing answers "where is this IP right now?" Tracking answers "what has this IP been doing?" Logging creates the raw records that make both possible.
What an IP Address Reveals (and What It Does Not)
This is the most important section in this guide, because the gap between what people think an IP reveals and what it actually reveals drives most of the bad decisions made with IP data.
What you can learn
| Data Point | What It Tells You | Reliability |
|---|---|---|
| Country | The country where the IP block is registered and routed | 95–99% |
| City / Region | The nearest city to the ISP's routing infrastructure for this IP | 55–90% (varies by region) |
| ISP | The company providing internet access for this IP (Comcast, Vodafone, AWS, etc.) | 95%+ |
| Organization | The entity the IP block is assigned to (may differ from ISP for corporate ranges) | 95%+ |
| ASN | The Autonomous System Number identifying the network on the internet's routing layer | 99%+ |
| Connection type | Whether the IP is residential, business, hosting/datacenter, or mobile | 85–95% |
| Reputation | Whether the IP appears on blacklists for spam, malware, brute force, or proxy use | Varies by source |
The ISP and organization fields are often more useful than the geolocation. Knowing that an IP belongs to DigitalOcean (a cloud hosting provider) versus Comcast (a residential ISP) immediately tells you whether you are looking at a human visitor or a server-based bot. Knowing the ASN lets you identify all IPs on the same network, which is valuable when investigating coordinated activity. For deeper network ownership details, a WHOIS lookup provides the full registration record for an IP block, including abuse contacts and allocation dates — our WHOIS IP lookup guide covers how to read those results.
How to Trace an IP Address Step by Step
The practical process of tracing an IP depends on what you are trying to learn. Here is the general workflow, from quick lookup to full investigation.
Step 1: Run a geolocation lookup
Start with a basic IP lookup on InfoSniper. Enter the IP address and you will get the country, region, city, ISP, ASN, timezone, and coordinates — plotted on an interactive map. If you need to visualize the location on a map, our locate IP on map tool provides a dedicated mapping interface, and our IP location map guide explains how to interpret the results.
This first step answers the "where and who" questions: where is this IP geographically, and what network does it belong to?
```bash
# Trace an IP address via JSON API
curl "https://www.infosniper.net/json.php?k=YOUR_KEY&ip_address=185.220.101.34"
# Response includes: country, city, ISP, ASN, lat/lng, timezone
# See full documentation: infosniper.net/api-documentation/
```
Step 2: Check WHOIS registration
If you need to know who operates the network — not just the ISP name but the registered organization, abuse contact email, and when the IP block was allocated — run a WHOIS lookup. This is essential when you need to report abuse, since WHOIS tells you exactly who to contact.
Step 3: Check the IP's reputation
An IP address can look completely normal on a geolocation lookup but have a long history of malicious activity. The IP reputation checker queries multiple threat intelligence feeds to see if an IP has been flagged for spam, malware distribution, brute force attacks, or use as a proxy or VPN endpoint.
Step 4: Cross-reference and analyze
The real value comes from combining these data points. A login attempt from a Comcast IP in Chicago with a clean reputation tells a very different story than a login from a DigitalOcean IP in Amsterdam that appears on three blacklists. For bulk analysis of many IPs, the bulk upload tool processes up to 100 addresses at once.
Combining IP Data: Geolocation + WHOIS + Reputation
Individual data points from an IP trace are useful, but they become significantly more powerful when combined. Here is how the three main data sources complement each other in a real investigation.
```text
Suspicious login detected: 185.220.101.34

GEOLOCATION:
  Country: Germany | City: Berlin
  ISP: Zwiebelfreunde e.V. | ASN: AS60729
  Connection type: Hosting/Datacenter

WHOIS:
  Organization: Zwiebelfreunde e.V. (Tor exit node operator)
  Abuse contact: [email protected]
  Allocated: 2016

REPUTATION:
  Blacklisted: 4 of 8 feeds
  Flags: Tor exit node, known abuse source
  Risk score: HIGH

CONCLUSION: Tor exit node traffic. Not a direct attacker — originating user is anonymized.
Block or flag for additional authentication. Do not attribute activity to Germany.
```
In this example, the geolocation alone says "Germany." The WHOIS reveals it is a Tor relay operator. The reputation data confirms it is a known anonymization endpoint. Each layer adds context that changes how you should respond. That nuance — the ability to tell a German business visitor from a Tor exit node — is why multi-source IP analysis matters.
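The cross-referencing logic from Step 4 and the walk-through above, written out as an added example (not InfoSniper's code or API schema): the record fields, the feed ratio threshold and the sample addresses are assumptions, and the second record uses a constructed TEST-NET address.

```python
# Added example: combine geolocation, WHOIS and reputation results for one IP
# into a single verdict. Field names are assumptions, not the InfoSniper API schema.
from dataclasses import dataclass


@dataclass
class IpIntel:
    ip: str
    country: str
    connection_type: str     # "residential", "business", "hosting" or "mobile"
    whois_org: str
    blacklist_hits: int      # reputation feeds that flag this IP
    feeds_checked: int
    flags: tuple = ()        # e.g. ("tor_exit", "vpn", "proxy")


def assess(intel: IpIntel) -> dict:
    """Return a risk level, whether geolocation describes the user, and an action."""
    anonymizer = any(f in intel.flags for f in ("tor_exit", "vpn", "proxy"))
    ratio = intel.blacklist_hits / intel.feeds_checked if intel.feeds_checked else 0.0
    if anonymizer or ratio >= 0.5:          # threshold is an assumption
        risk = "HIGH"
    elif intel.connection_type == "hosting" or ratio > 0:
        risk = "MEDIUM"                     # datacenter traffic is rarely a human visitor
    else:
        risk = "LOW"
    # Geolocation only describes the user when the IP is not an anonymization endpoint.
    geo_trustworthy = not anonymizer
    action = {
        "HIGH": "block or require step-up authentication",
        "MEDIUM": "flag for review; treat as possible automation",
        "LOW": "allow",
    }[risk]
    return {"risk": risk, "geo_trustworthy": geo_trustworthy, "action": action}


# Constructed records: the Tor exit node from the text, and a clean residential IP.
TOR_EXIT = IpIntel("185.220.101.34", "Germany", "hosting",
                   "Zwiebelfreunde e.V.", 4, 8, ("tor_exit",))
HOME_USER = IpIntel("203.0.113.7", "United States", "residential", "Example ISP", 0, 8)

if __name__ == "__main__":
    for rec in (TOR_EXIT, HOME_USER):
        print(rec.ip, assess(rec))
```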
According to IBM's 2024 Cost of a Data Breach Report, organizations take an average of 194 days to identify a breach. IP tracking and logging are front-line tools in that identification process — unusual IP patterns in access logs are often the earliest indicator that something is wrong.
IP Tracking for Website Owners
If you run a website, you are already collecting IP addresses whether you realize it or not. Every web server records client IP addresses in its access logs. The question is what you do with that data.
Understanding your traffic
Server access logs contain the IP address of every visitor, along with what they requested and when. Running those IPs through a geolocation tool shows you where your audience is — not just by country, but by city and ISP. This is raw, unsampled data that complements what Google Analytics provides.
For developers integrating IP lookup into their applications, the InfoSniper API returns geolocation data in JSON or XML format, making it straightforward to enrich your analytics pipeline.
Identifying bots and scrapers
Legitimate bots (Googlebot, Bingbot) identify themselves via user-agent strings, but many scrapers and malicious bots do not. IP analysis helps identify them: if an IP belongs to a datacenter or hosting provider rather than a residential ISP, and it is making hundreds of requests per minute, it is almost certainly automated. Cross-referencing with the IP reputation checker adds another layer of confidence.
Investigating abuse and attacks
When you see brute-force login attempts, comment spam, or scraping activity in your logs, tracing the source IPs tells you whether you are dealing with a single actor, a distributed botnet, or automated attacks from hosting infrastructure. The geographic and network distribution of the attacking IPs shapes your response — blocking a single IP range is effective against targeted attacks but useless against globally distributed botnets.
Services like IP Tracker Online provide specialized tools for logging and monitoring IP addresses over time, which is useful for ongoing abuse investigations where you need to track patterns rather than make one-off lookups.
IP Tracking in Email Headers
One of the most common reasons people want to trace an IP address is to find out where an email came from. The method works, but with important caveats that depend entirely on which email service the sender used.
How email headers reveal IP addresses
Every email contains headers that record the path the message took from sender to recipient. These headers include "Received:" lines showing which mail servers handled the message, and sometimes the originating IP address of the sender's device.
```text
Received: from [192.168.1.15] (pool-72-83-201-47.washdc.fios.verizon.net [72.83.201.47])
        by mail.example.com (Postfix) with ESMTPSA id A1B2C3D4
        for <[email protected]>; Wed, 12 Feb 2026 10:23:45 -0500
```
In this header, 72.83.201.47 is the sender's public IP address.
Running it through InfoSniper shows: Verizon FiOS, Washington DC area.
The webmail problem
Here is the critical caveat: major webmail providers — Gmail, Outlook.com, Yahoo Mail — strip the sender's IP address from outgoing email headers. They replace it with their own server IPs. If someone sends you an email from Gmail, the headers will show Google's mail server IPs, not the sender's personal IP. Only Google knows the sender's IP, and they will only disclose it through a legal process (subpoena or court order).
Email IP tracing is most reliable when the sender uses a desktop email client (Outlook, Thunderbird) connected to a corporate or ISP-provided mail server. In those cases, the originating IP is typically preserved in the headers and can be traced to a geographic region and ISP.
| Email Service | Sender IP in Headers? | What You See Instead |
|---|---|---|
| Gmail (web) | No | Google server IPs |
| Outlook.com (web) | No | Microsoft server IPs |
| Yahoo Mail (web) | No | Yahoo server IPs |
| Corporate Exchange | Often yes | Sender's network IP (if not stripped by admin) |
| Desktop client via ISP SMTP | Usually yes | Sender's ISP-assigned IP preserved |
| Self-hosted mail server | Yes | Server's public IP (sender if single-user) |
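Extracting the originating IP from Received: headers, as an added example (not from the page or InfoSniper). Mail servers prepend Received: lines, so the last one is the earliest hop; private addresses such as the [192.168.1.15] in the header above are skipped. The sample message is constructed around that header with an extra hop added.

```python
# Added example: find the first public IP in an email's Received: chain.
import email
import ipaddress
import re
from email import policy

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(raw_message: str):
    """Return the earliest public IPv4 address in the Received: chain, or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    # Walk from the earliest hop (last header) toward the recipient.
    for line in reversed(received):
        for candidate in IP_RE.findall(str(line)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue            # e.g. a version-like string such as 1.2.3.400
            if addr.is_global:      # skips RFC 1918, loopback and link-local
                return str(addr)
    return None


# Constructed message: the header shown above, plus one later hop on top.
SAMPLE = """Received: from mail.example.com (mail.example.com [198.51.100.9])
    by mx.example.org with ESMTPS id Z9Y8X7; Wed, 12 Feb 2026 10:23:50 -0500
Received: from [192.168.1.15] (pool-72-83-201-47.washdc.fios.verizon.net [72.83.201.47])
    by mail.example.com (Postfix) with ESMTPSA id A1B2C3D4
    for <user@example.com>; Wed, 12 Feb 2026 10:23:45 -0500
From: sender@example.net
To: user@example.com
Subject: test

body
"""

if __name__ == "__main__":
    print(originating_ip(SAMPLE))
```

For webmail senders the same walk returns the provider's server IP, which is exactly the table's point: the result is only the sender when the earliest hop is their own connection.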
Legal and Ethical Boundaries
IP tracing is legal. Using the results to harass, stalk, or intimidate someone is not. The distinction matters, and it is worth understanding the legal landscape before acting on IP data.
What is legal
Looking up publicly available information about an IP address — geolocation, ISP, WHOIS registration, reputation — is legal in virtually every jurisdiction. This data is either public by definition (WHOIS records are published by the Regional Internet Registries) or derived from commercially available databases. Website owners logging and analyzing IP addresses in their own server logs is standard practice, forms the basis of web analytics, and has been legal since the internet began.
Where it gets complicated
The legal nuance comes from how you use the data and where you operate:
- GDPR (EU) — The EU's General Data Protection Regulation classifies IP addresses as personal data when they can be linked to an individual. This does not make IP lookups illegal, but it means businesses processing EU visitors' IP addresses need a lawful basis (legitimate interest is common for security logging) and must include IP processing in their privacy policy.
- CCPA (California) — California's consumer privacy law similarly classifies IP addresses as personal information. Businesses collecting them must disclose this in their privacy policy and honor opt-out requests where applicable.
- Harassment and stalking laws — Using IP tracing results to locate someone for the purpose of harassment, threats, or intimidation is illegal under stalking and cyberstalking statutes in most countries, regardless of whether the IP data itself is public.
For law enforcement
Law enforcement agencies can obtain the subscriber information behind an IP address by serving a legal order (subpoena, court order, or warrant) on the ISP. This is the process the FBI used in the Mirai case: IP tracing identified the hosting accounts and networks involved, then subpoenas to those hosting companies revealed the account holders' identities. Public IP lookup tools provide the intelligence that directs investigators where to serve those legal orders.
Limitations of IP Tracking: VPNs, Proxies, and the Gaps
IP tracing is only as good as the assumption that the IP address accurately represents the user's location and identity. Several common technologies break that assumption.
VPNs (Virtual Private Networks)
A VPN routes your traffic through a server in a different location, replacing your real IP with the VPN server's IP. An IP trace shows the VPN server — which might be in Amsterdam, Singapore, or Sao Paulo — not the user's actual location. There is no reliable way to "see through" a VPN from the outside, though you can often detect that an IP belongs to a known VPN provider through reputation data.
Proxy servers
Proxies function similarly to VPNs for the purpose of IP tracing: the proxy's IP is what you see, not the user's. Some proxies add "X-Forwarded-For" headers that include the original IP, but malicious users strip those. Residential proxies are particularly difficult to detect because they route traffic through real residential IP addresses, making the traffic appear to come from ordinary home internet connections.
Tor (The Onion Router)
Tor bounces traffic through multiple encrypted relays before exiting through a random exit node. The IP you see is the exit node, which changes frequently and has no geographic relationship to the actual user. Tor exit nodes are well-documented (lists are publicly available), so they are easy to identify — but knowing that traffic came from Tor tells you nothing about where the user actually is.
CGNAT (Carrier-Grade NAT)
Due to IPv4 address exhaustion, many ISPs share a single public IP address among hundreds or thousands of customers using CGNAT. An IP trace shows the NAT device's location and the ISP, but that single IP could represent any of thousands of different users across a wide geographic area. This is increasingly common with mobile carriers.
Dynamic IP addresses
Most residential ISPs assign dynamic IP addresses that change periodically — sometimes daily, sometimes on each router reboot. An IP address that was used by person A last Tuesday might belong to person B today. This makes historical IP-to-person attribution unreliable without ISP cooperation and specific timestamps.
IP Tracking Tools: When to Use What
Different tools serve different purposes. Here is a practical comparison of when to use each one.
| Tool | Best For | What You Get |
|---|---|---|
| InfoSniper IP Lookup | Quick geolocation trace of a single IP | Country, city, ISP, ASN, coordinates, timezone, interactive map |
| Locate IP on Map | Visual mapping of an IP's location | Map-centered view with geolocation data overlay |
| WHOIS Lookup | Finding the registered owner and abuse contacts | Organization, allocation dates, abuse email, network range |
| IP Reputation Checker | Checking if an IP is flagged for malicious activity | Blacklist status, threat categories, proxy/VPN detection |
| Bulk IP Upload | Analyzing many IPs at once from logs or alerts | Batch geolocation for up to 100 IPs |
| InfoSniper API | Automated lookups integrated into your applications | JSON/XML responses for programmatic IP enrichment |
| IP Tracker Online | Logging and monitoring IPs over time | Persistent tracking links, visit logging, IP history |
For most investigations, the workflow is: start with a geolocation lookup to get the quick picture, add WHOIS if you need ownership details, add reputation if you are assessing a threat, and use bulk tools when dealing with multiple IPs. The accuracy of IP geolocation varies by region and IP type, so understanding the confidence level of your results is part of effective analysis.
```text
1. Extract source IPs from your auth failure logs
   $ grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort -u

2. Submit the list to InfoSniper Bulk Upload (up to 100 IPs)
   → infosniper.net/bulk-upload/

3. Analyze the results:
   - All from one country/ASN?          → Targeted attack, consider geo-blocking
   - Globally distributed?              → Botnet, blocking individual IPs won't help
   - All from hosting/datacenter IPs?   → Automated tool, rate-limit or CAPTCHA

4. Check high-activity IPs against the Reputation Checker
   → infosniper.net/ip-reputation-checker/

5. Use WHOIS to identify the network operators
   → Report abuse to abuse@ contacts in WHOIS records
```
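Steps 1 and 3 of the playbook carried out offline, as an added example (not InfoSniper's code): failed-login source IPs are extracted from constructed auth.log lines and counted, and the attack pattern is classified from a constructed lookup table that stands in for the Bulk Upload results. The TEST-NET addresses, ASNs and decision rules are assumptions.

```python
# Added example: extract failed-login IPs (step 1) and classify the pattern (step 3).
import re
from collections import Counter

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")

# Constructed sshd log lines (TEST-NET addresses).
AUTH_LOG = """\
Feb 12 10:01:02 host sshd[101]: Failed password for root from 203.0.113.5 port 51002 ssh2
Feb 12 10:01:03 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2
Feb 12 10:01:09 host sshd[102]: Failed password for root from 198.51.100.77 port 40211 ssh2
Feb 12 10:02:15 host sshd[103]: Accepted password for alice from 192.0.2.10 port 33001 ssh2
Feb 12 10:02:40 host sshd[104]: Failed password for root from 203.0.113.88 port 51900 ssh2
"""

# Constructed stand-in for bulk geolocation output: ip -> (country, asn, connection type).
GEO = {
    "203.0.113.5": ("NL", "AS64500", "hosting"),
    "203.0.113.88": ("NL", "AS64500", "hosting"),
    "198.51.100.77": ("US", "AS64501", "residential"),
}


def failed_login_counts(log_text: str) -> Counter:
    """Step 1: source IPs of failed logins with their attempt counts."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in matches if m)


def classify(counts: Counter, geo: dict) -> str:
    """Step 3 heuristic: targeted (one ASN), automated (hosting only) or distributed."""
    records = [geo[ip] for ip in counts if ip in geo]
    if not records:
        return "unknown: no geolocation data for these IPs"
    asns = {asn for _, asn, _ in records}
    if len(asns) == 1:
        return "targeted: single ASN, consider blocking the range"
    if all(ctype == "hosting" for _, _, ctype in records):
        return "automated: hosting IPs only, rate-limit or CAPTCHA"
    return "distributed: many networks, blocking individual IPs will not help"


def top_offenders(counts: Counter, n: int = 3) -> list:
    """Candidates for the step 4 reputation check."""
    return [ip for ip, _ in counts.most_common(n)]


if __name__ == "__main__":
    counts = failed_login_counts(AUTH_LOG)
    print(counts, classify(counts, GEO), top_offenders(counts))
```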
Sources
- U.S. Department of Justice — "Justice Department Announces Charges and Guilty Pleas in Three Computer Crime Cases Involving Significant DDoS Attacks" (2017) — justice.gov
- IBM Security — "Cost of a Data Breach Report 2024" — ibm.com
- Akamai — "DDoS Attack Trends in 2024" — akamai.com
- Surfshark — "VPN Usage Statistics" — surfshark.com
- MaxMind — "GeoIP2 City Accuracy" — maxmind.com
- IEEE Spectrum — "The Strange Story of the Teens Behind the Mirai Botnet" — spectrum.ieee.org
- RIPE NCC — "How IP Addresses Are Allocated and Managed" — ripe.net