How to Trace an IP Address (And Where the Trail Ends)

February 10, 2026 | 14 min read | Guides
Home / Blog / How to Trace an IP Address

You wake up to find 47,000 failed SSH login attempts in your server logs. They all originate from a single IP address. A geolocation lookup says Bucharest. But what does that actually mean? Is someone in Romania targeting your server, or is this a VPN endpoint, a rented cloud VM, or a compromised machine running as a proxy?

Tracing an IP address goes beyond typing it into a lookup tool. Geolocation tells you where an IP is registered. Traceroute shows how traffic reaches it. WHOIS reveals who controls the address block. Reverse DNS often exposes what kind of infrastructure is behind the IP. Each method answers a different question, and together they build a picture that no single lookup can provide.

This guide walks through each method with real output examples and the honest limitations that determine whether your trace leads somewhere useful or hits a wall.

Geolocation: The Instant First Step

The fastest way to get context on an unknown IP address is a geolocation lookup. Enter the IP into a service like our IP tracer tool and within seconds you'll have:

This immediately answers the most basic question: where in the world is this IP registered? But "registered" is the key word. Geolocation databases map IP blocks to the locations of ISP infrastructure, not individual users. An IP geolocating to Frankfurt might mean a residential user in Frankfurt, or a cloud server at an AWS data center in Frankfurt. The geolocation alone can't tell you which.

The connection type field is often more useful than the city name. An IP classified as "hosting" immediately tells you it's a server, not a home user — which changes the entire investigation.

This is why geolocation is the starting point of a trace, not the conclusion. The real investigation starts when you combine it with the tools below.

Traceroute: Following the Network Path

Traceroute does something fundamentally different from geolocation. Instead of checking a database, it sends packets across the live internet and maps every router they pass through on the way to the destination.

How it works

Your computer sends packets with incrementally increasing Time-To-Live (TTL) values. The first packet has TTL=1, so the first router along the path decrements it to zero and sends back an ICMP "time exceeded" message, revealing its own IP address. The second packet has TTL=2, reaching the second router before expiring. This continues until the packets arrive at the final destination, mapping every network hop along the way.

Van Jacobson wrote the original traceroute implementation in 1988, and the core mechanism hasn't changed since. It remains one of the most useful diagnostic tools in networking.

Running a traceroute

macOS and Linux

traceroute 203.0.113.45

Windows

tracert 203.0.113.45

Both commands do the same thing. The Linux/macOS version uses UDP probes by default; Windows uses ICMP echo requests. You can also traceroute to a domain name instead of an IP.

Reading the output

Here's what real traceroute output looks like:

traceroute to 185.15.59.224 (185.15.59.224), 30 hops max 1 192.168.1.1 1.2 ms 1.0 ms 0.9 ms 2 10.0.0.1 8.4 ms 8.3 ms 8.2 ms 3 ae-5.r21.nycmny01.us.bb.gin.ntt.net (128.241.1.73) 12.3 ms 12.1 ms 12.4 ms 4 ae-1.r25.amstnl06.nl.bb.gin.ntt.net (129.250.2.114) 82.5 ms 82.3 ms 82.7 ms 5 * * * 6 185.15.59.224 84.5 ms 84.3 ms 84.7 ms

Each line is one hop. The three numbers at the end are round-trip latency measurements in milliseconds.

The hostnames tell the real story:

These backbone hostnames follow semi-standardized naming conventions across major carriers. nycmny01 = New York City, NY. amstnl06 = Amsterdam, Netherlands. londen03 = London. chibbr05 = Chicago. Once you learn the patterns, you can read the geographic transit path at a glance.

~70ms
is the typical latency jump for a transatlantic crossing. Light through fiber travels at roughly two-thirds the speed of light in vacuum. New York to Amsterdam is about 5,900 km of undersea cable, which takes ~40ms one way. When you see a sudden 60–80ms latency increase between two hops, traffic is crossing an ocean.

What traceroute reveals that geolocation can't

WHOIS and RDAP: Who Controls This IP

Every public IP address belongs to a registered block allocated by one of five Regional Internet Registries (RIRs):

RegistryRegion
ARINNorth America
RIPE NCCEurope, Middle East, Central Asia
APNICAsia-Pacific
LACNICLatin America, Caribbean
AFRINICAfrica

A WHOIS query tells you who holds the allocation: the organization assigned the IP block, their abuse contact email, and when the allocation was registered. You can run this through our WHOIS lookup tool or from the command line:

whois 185.15.59.224

A typical response includes:

inetnum: 185.15.56.0 - 185.15.59.255 netname: WIKIMEDIA-EU descr: Wikimedia Foundation, Inc. country: NL admin-c: WF1234-RIPE abuse-mailbox: [email protected] created: 2012-10-22T12:41:26Z source: RIPE

This tells you the block is registered to Wikimedia Foundation in the Netherlands. The abuse-mailbox field is where you'd report malicious activity originating from this range.

WHOIS provides different information than geolocation. Geolocation tells you where the IP probably is. WHOIS tells you who controls the address block. For investigation purposes, the abuse contact is often the most actionable field — it's the path to getting a malicious server taken down.

RDAP (Registration Data Access Protocol), defined in RFC 7480, is gradually replacing WHOIS. It returns structured JSON instead of freeform text, making it machine-readable. All five RIRs now run RDAP endpoints alongside traditional WHOIS, and the underlying data is the same.

When WHOIS matters most: If geolocation identifies the connection type as "hosting" or the ISP is a cloud provider (AWS, DigitalOcean, Hetzner, OVH, Vultr), the WHOIS abuse contact is your primary escalation path. These providers investigate abuse reports and can suspend malicious VMs — often within hours for clear-cut cases like brute-force attacks or phishing.

Reverse DNS: What Is This IP Used For

Every IP address can have a reverse DNS (rDNS) record — a hostname associated with the address. While regular DNS maps names to IPs (example.com → 93.184.216.34), reverse DNS maps IPs to names (93.184.216.34 → example.com).

Running a reverse DNS lookup

dig -x 203.0.113.45 # or host 203.0.113.45 # or nslookup 203.0.113.45

Reverse DNS records are set by the IP owner, so they're self-reported. But they're still revealing:

Reverse DNS ExampleWhat It Tells You
mail.example.comMail server — this IP sends or receives email
ec2-52-14-123-45.us-east-2.compute.amazonaws.comAWS cloud server in Ohio (us-east-2)
cpe-76-168-xxx-xxx.socal.res.rr.comResidential Spectrum customer in Southern California
45.33.32.156.vultr.comVultr VPS — a rented virtual server
(no record)Common for residential IPs in some regions, or intentionally left blank

The rDNS hostname often reveals more about an IP's purpose than geolocation does. A hosting provider hostname means it's a server. A residential ISP pattern with a CPE (customer premises equipment) designation means it's a home connection. An ec2- prefix means anyone could have rented this AWS instance from anywhere in the world.

Tracing Emails Back to Their Source

Email header tracing is one of the most common reasons people need to trace an IP address. Every email accumulates Received: headers as it passes through mail servers, and reading them in reverse order (bottom to top) reveals the path from sender to your inbox.

Our email header analysis tool automates this process: paste the full headers and it extracts every IP address with geolocation data for each server hop, plus SPF, DKIM, and DMARC authentication results.

The major limitation

Gmail, Outlook.com, and Yahoo strip the sender's original IP address from outgoing email headers. If someone sends you an email from a Gmail account, the headers will only show Google's internal infrastructure — not the sender's actual IP or location. This is a deliberate privacy protection and there is no workaround.

Email header tracing works reliably when the email came from:

For a detailed walkthrough of reading email headers and understanding SPF/DKIM/DMARC authentication, see our Email Header Analysis Guide.

When the Trail Goes Cold

Not every IP trace leads to a useful result. Several common scenarios cut the trail short.

VPNs and commercial proxies

If the IP belongs to a VPN provider (NordVPN, ExpressVPN, Mullvad, etc.), every tool you run — geolocation, WHOIS, reverse DNS, traceroute — describes the VPN server, not the actual user behind it. Our VPN Detector can identify most commercial VPN IPs, which at minimum tells you the trace results are unreliable for that address.

~2B
people worldwide now use VPNs, according to estimates from Security.org and DemandSage. In several countries the majority of internet users are on VPNs: Indonesia (~55%), Qatar (~59%), UAE (~38%).

Tor exit nodes

Tor routes traffic through three encrypted relay hops, and only the final exit node's IP is visible. The exit node operator has no knowledge of who originated the traffic. Tor publishes a list of all exit nodes, so you can check whether an IP is one — but that's where the trace ends.

Carrier-grade NAT (CGNAT)

Mobile carriers and some broadband ISPs put thousands of subscribers behind a single public IP using CGNAT. Even if you trace an IP to "T-Mobile, Dallas," there could be 5,000 phones sharing that address at any given moment. Without a specific timestamp and cooperation from the carrier (which requires a court order), you cannot narrow it to an individual device.

Cloud infrastructure and CDNs

An IP belonging to AWS, Google Cloud, Azure, or a CDN like Cloudflare tells you very little about the person who rented the resource. Anyone can spin up a server in any region with a credit card. The geolocation just tells you which data center region was chosen. If you're seeing Cloudflare IPs in your server logs, that's the CDN edge server — not the actual visitor. The real IP may be in the X-Forwarded-For header, but that header can be spoofed by malicious clients.

The more sophisticated the adversary, the shorter the trail. Script kiddies leave their residential IP in your logs. Professionals use rented VMs behind VPNs, and state-level actors route through compromised infrastructure in multiple jurisdictions.

Real Cases Where IP Tracing Mattered

IP tracing rarely solves a case on its own. In real investigations, it provides one piece of a larger evidentiary puzzle.

The Mirai botnet (2016)

In September 2016, security journalist Brian Krebs' website was hit with a then-record 620 Gbps DDoS attack from the Mirai botnet — a network of hundreds of thousands of compromised IoT devices. Researchers at Akamai traced the botnet's command-and-control traffic through IP addresses and domain registrations. The FBI's investigation combined this IP evidence with code analysis, domain WHOIS records, and forum activity to identify three college students — Paras Jha, Josiah White, and Dalton Norman — who pleaded guilty in December 2017.

IP tracing found the infrastructure. Traditional investigation connected it to the people.

The Silk Road server (2013)

The FBI located the Silk Road marketplace server after a misconfigured CAPTCHA page leaked the server's real IP address rather than its Tor hidden service address. The IP traced to a data center in Reykjavik, Iceland, where Icelandic authorities imaged the server drives. That single IP address — exposed by a configuration error — was the thread that unraveled the entire operation, though connecting the server to operator Ross Ulbricht required months of additional work.

Business email compromise

The FBI's Internet Crime Complaint Center (IC3) reports that business email compromise (BEC) fraud caused $2.9 billion in losses in 2023. In these cases, IP tracing from email headers is routinely used to determine whether a "CEO" email actually originated from the company's network or from a different country entirely. When a financial controller receives a wire transfer request "from the CEO" and the email headers show an IP in Lagos rather than the company's known network, that's an immediate red flag. Combined with authentication failures (SPF/DKIM), header IP analysis is one of the fastest ways to confirm a spoofed message.

The consistent pattern across these cases: IP tracing provides leads, not proof. It narrows the geography, identifies the network infrastructure, and reveals the trail. Connecting that trail to a specific person requires additional evidence and, in most cases, ISP cooperation through legal process.

Trace an IP Address Now

Enter any IP address for instant geolocation, ISP, ASN, connection type, and map location — powered by commercial-grade geolocation data updated twice monthly.

Trace an IP Address

Frequently Asked Questions

Tracking is proactive monitoring — setting up systems like IP loggers, analytics, or server logs to capture visitor IP addresses as they connect. Tracing is reactive investigation — you already have an IP address and want to learn everything possible about it through geolocation, traceroute, WHOIS, and reverse DNS.
No. IP geolocation provides an approximate location, typically accurate to the city or metro area. It maps to where the ISP's equipment is located, not a specific building. Only the ISP can connect an IP to a subscriber, and they require a court order or subpoena to disclose that information.
Yes. Running geolocation lookups, traceroute, WHOIS queries, and reverse DNS are all legal — the information is publicly available. The legal line is crossed when IP tracing is used to harass, stalk, or threaten someone, or when you attempt to obtain subscriber identity from ISPs without proper legal authority.
Traceroute maps every router between your computer and the destination IP, showing each hop's IP address, hostname, and round-trip latency. The hostnames reveal geographic locations and backbone carriers, while latency jumps indicate long-distance links like ocean crossings.
You can trace the VPN server's IP, which reveals the VPN provider and server location. But you cannot trace through the VPN to find the real user. VPN detection tools can identify known VPN IPs, which tells you the location data describes the server rather than the actual person.

Traceroute mechanism based on Van Jacobson's 1988 implementation. WHOIS protocol: RFC 3912. RDAP: RFC 7480. Regional Internet Registries: NRO. Mirai prosecution: DOJ press release, December 2017. Silk Road: United States v. Ulbricht. BEC statistics: FBI IC3 2023 Annual Report. VPN usage: Security.org, DemandSage.

Need more lookups? View Pricing