The best tools and methods to track down suspect IP addresses and URLs

Jack Wallen provides some basic recon tools and methods for finding IP addresses and URLs that you may need to track down for purposes of blocking, contacting, or satisfying simple curiosity.

There are many reasons why you might need to track down an IP address. You might have discovered a hacking attempt in one of your logs. You might think you have found a spammer that you want to add to a black list. The "why" are as many as are the "how." Every operating system has different tools for helping you track down an IP address. Compounded with this is that any tool that makes use of an IP address also has different tools for this purpose. So where do you start? What's the easiest way to find IP addresses and help locate their sources?

I'm assuming you know what an IP address is and what it does, but that's about it. Much of this information will be common knowledge to the seasoned administrator., but new administrators or support techs might glean some useful information here.

Finding the URL for an IP address

Let's say whatever application you are using gives you a URL for an address that you want to block or track (for whatever reason). If you need the IP address of that URL there is a very simple way to do that - use ping. Let's use as an example. To find the IP address of that URL I would open up a command prompt in Windows (launch Terminal in Mac or from the command line in Linux) and type:


From that command you should see something like:

64 bytes from icmp_seq=1 ttl=52 time=29.0

As you can see, the ping tool locates the IP address associated with the URL In this example the address Now this can be a bit misleading because that IP address might be only one address of many associated with the domain. You can find out all of the IP addresses associated with a URL using the nslookup command like so:


The above command should report something similar to:

Non-authoritative answer:

From the above information you should notice that the answers received are non-authoritative, which means none of those addresses are in charge of the domain. Let's use the same tool to find the authoritative address for the domain. To do this ,first issue the command nslookup with no arguments. This will bring you a prompt that looks like:


Now set the querytype like so:

> set querytype=soa

and then enter the domain:

You will then see output that looks like that shown in Figure A.

Figure A

Now you can see the IP address in charge of the domain com is

Finding the URL for an IP address

If you ping an IP address you will not receive a domain back. I know, I's unfair, but it's the way it goes. So, how can you get the URL from an IP address? Simple, you take advantage of nslookup again. To do this, issue the command:


And you will see something like:

Non-authoritative answer:    name =

You instantly know that the IP address is associated with Of course you could also just enter the IP address in your web browser and, if that IP address is associated with a web server, you will see the results instantly. If the IP address is not associated with a web browser you will have to do more research.

You can find out even more information using the whois command like so:


The above command will report something like this:

NetRange: -



NetName:        GOOGLE

NetHandle:      NET-216-239-32-0-1

Parent:         NET-216-0-0-0-0

NetType:        Direct Allocation

NameServer:     NS2.GOOGLE.COM

NameServer:     NS3.GOOGLE.COM

NameServer:     NS4.GOOGLE.COM

NameServer:     NS1.GOOGLE.COM

RegDate:        2000-11-22

Updated:        2001-05-11


OrgName:        Google Inc.

OrgId:          GOGL

Address:        1600 Amphitheatre Parkway

City:           Mountain View

StateProv:      CA

PostalCode:     94043

Country:        US

RegDate:        2000-03-30

Updated:        2009-08-07


OrgTechHandle: ZG39-ARIN

OrgTechName:   Google Inc

OrgTechPhone:  +1-650-253-0000



RTechHandle: ZG39-ARIN

RTechName:   Google Inc

RTechPhone:  +1-650-253-0000




# ARIN WHOIS data and services are subject to the Terms of Use

# available at:

Now, if you have someone (either URL or IP address) attacking you or sending you spam that you want to discover, or you need to block, report, or contact  them, you can get the information you need.

You have neither an IP nor URL

What if you are sure you're being attacked, but you have no idea by whom or what. The first place to look is your server's log files. But if those escape you (you either have no idea where to find them or they don't give you the information you need), you might need to employ a network monitoring tool. There are plenty of tools available for this task. One of my favorites is Wireshark. This is a very powerful, open source, cross-platform tool that can monitor your PC or your entire network. From this monitor you will see any and all traffic flowing through your network. Should anything look suspicious, you have the IP address that will then help you gain valuable information.

Sometimes "they" are just too good

There are times when you will be attacked, spammed, spoofed, etc. and you simply will not be able to track down the source. This is an unfortunate truth in the world of a networked computer. And when/if that time comes you will have to do your best to tighten down your security to make sure each and every computer is safe. Just remember, if a computer is attached to the network, no matter what operating system is on it, it is insecure. No machine, no operating system, no firewall, no anti-virus, no anti-malware is perfect.

The most important thing you can do is arm yourself with the tools and knowledge that will allow you to track down an address should you need to. And once you have the address (be it URL or IP address) you can always report the address to your service provider as well as sites like LiveIPMap.

Final thoughts

If you can get the IP address of someone doing nefarious deeds to your system or network you need to have the tools to enable you to gather the information in order to report the suspected address or culprit. Although the most challenging task in this process is actually locating the address, half of the battle is in the information recon. With the tools and methods outlined here, you should have everything you need.

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....