How to Track an IP Address (And What You Can Actually Find)
IP address tracking is frequently misrepresented. Movies show analysts pinpointing a suspect's exact location from an IP. Reality is considerably less dramatic. An IP address can reveal useful information, but understanding the limitations is as important as understanding the techniques. This guide covers what IP tracking actually provides, how to do it, and where the boundaries are.
What an IP Address Actually Tells You
An IP address (Internet Protocol address, defined in RFC 791 for IPv4 and RFC 8200 for IPv6) is a numerical identifier assigned to every device connected to the internet. It is not a GPS coordinate. Here is what you can and cannot determine from an IP address:
What You Can Find
- Internet Service Provider (ISP): The organization that owns the IP block. This is always available via WHOIS records.
- Approximate geographic location: Typically accurate to the city or metropolitan area level. More on accuracy below.
- Organization: For business IPs, the company name associated with the block.
- Connection type: Whether the IP belongs to a residential ISP, a data center, a mobile carrier, or an enterprise network.
- Autonomous System Number (ASN): The network the IP belongs to, useful for understanding routing and ownership.
What You Cannot Find
- Exact street address or building. Consumer IP geolocation is not that precise.
- The specific person using the IP. ISPs assign IPs dynamically. Multiple people may use the same IP via NAT (Network Address Translation).
- Anything behind a VPN or proxy. You see the VPN server's IP, not the user's.
- Real-time location tracking. An IP gives you a static data point, not a moving target.
IP Geolocation: How Accurate Is It?
IP geolocation databases (MaxMind GeoLite2, IP2Location, DB-IP) map IP ranges to geographic locations using a combination of:
- WHOIS registration data
- BGP routing data
- Active network measurements (latency triangulation)
- User-submitted corrections
- Wi-Fi positioning data correlations
Accuracy varies significantly:
| Level | Typical Accuracy |
|---|---|
| Country | 95-99% |
| Region/State | 70-85% |
| City | 50-75% |
| Postal code | 20-50% |
Mobile IPs and carrier-grade NAT (CGNAT) are the least accurate. A mobile IP may geolocate to the carrier's network hub, which could be hundreds of miles from the actual user. Data center and enterprise IPs are typically more accurate because their registration data is better maintained.
Use the IP Reputation tool to look up geolocation and ownership data for any IP address.
Command Line Tools for IP Tracking
WHOIS
The whois command queries registration databases to reveal the IP block owner, registration date, and abuse contact:
whois 203.0.113.50
This returns the network name, organization, address (of the registrant, not the user), and the allocated IP range.
Traceroute
traceroute (Linux/macOS) or tracert (Windows) shows the network path from your machine to the target IP:
traceroute 203.0.113.50
Each hop reveals an intermediate router and its latency. This is useful for understanding which networks the traffic passes through and identifying the approximate geographic path. Hops with geographic identifiers in their hostnames (e.g., chi for Chicago, lax for Los Angeles) provide location clues.
Nslookup and Dig
Reverse DNS lookups can reveal the hostname associated with an IP:
dig -x 203.0.113.50
Hostnames sometimes contain geographic or organizational identifiers. For example, mail-server.company.com or host-203-0-113-50.isp-chicago.net.
Ping
While ping does not provide location data, it measures round-trip latency, which can provide rough distance estimates. Latency under 20ms suggests geographic proximity; latency over 150ms suggests intercontinental distance.
Tracing an IP Address from Email Headers
Email headers contain a chain of Received: headers that document every server the message passed through. The originating IP (the sender's mail server or, in some cases, the sender's actual IP) is typically in the earliest Received: header.
To view email headers:
- Gmail: Open the message > three-dot menu > Show original
- Outlook: Open the message > three-dot menu > View message source
- Yahoo: Open the message > three-dot menu > View raw message
Look for the bottommost Received: header (earliest in the chain). It may contain a line like:
Received: from [192.168.1.5] (unknown [203.0.113.50])
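In this common format, the IP in the parenthesized brackets (203.0.113.50 here) is the originating IP: the receiving server recorded it from the connection itself. The first bracketed value (192.168.1.5) is only what the sending client announced about itself, in this case a private LAN address. Run the originating IP through the IP Reputation tool to get geolocation and ownership data.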
Limitations: Many email services strip or anonymize the originating IP. Gmail removes the sender's IP for messages sent through its web interface. You will see Google's server IP, not the sender's. Outlook.com does the same. This header-based tracing is more useful for messages sent through dedicated mail servers.
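The header walk described above can be scripted. The following Python sketch is an added example, not part of the original guide: it reads the Received: chain from the bottom up and returns the first address that is not private, loopback, link-local, or CGNAT space. The function names and the sample message are constructed for illustration, and only bracketed IPv4 literals are handled.

```python
import ipaddress
import re
from email import message_from_string

# Ranges that never identify a host on the public internet:
# RFC 1918 private space, loopback, link-local, and CGNAT shared space (RFC 6598).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Bracketed IPv4 literals such as "[203.0.113.50]".
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message using documentation addresses, not a real capture.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from [192.168.1.5] (unknown [203.0.113.50])
\tby mx.example.net with ESMTPSA; Tue, 02 Jan 2024 10:00:01 +0000
Subject: constructed sample

body
"""

def is_public(ip):
    return not any(ip in net for net in NON_PUBLIC)

def received_hops(raw_message):
    """Return one list of IPs per Received: header, earliest hop first."""
    headers = message_from_string(raw_message).get_all("Received") or []
    hops = []
    for value in reversed(headers):  # servers prepend, so bottom = earliest
        ips = []
        for text in BRACKETED_IPV4.findall(value):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # e.g. "[999.1.1.1]" is not a valid address
        hops.append(ips)
    return hops

def originating_ip(raw_message):
    """First public IP in the earliest Received: header that has one, else None."""
    for ips in received_hops(raw_message):
        for ip in ips:
            if is_public(ip):
                return ip
    return None
```

Received: lines written before the first server you control or trust are supplied by the sending side, so treat the returned address as a lead to corroborate rather than as proof of origin.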
VPN, Proxy, and Tor Limitations
IP tracking fails against privacy tools:
- VPN: You see the VPN provider's server IP, which may be in a completely different country. There is no technical way to determine the real IP behind a VPN from the outside.
- Proxy servers: Similar to VPNs. The proxy's IP is visible, not the user's.
- Tor: Traffic is routed through multiple relay nodes. The visible IP is the exit node, which has no correlation to the user's location.
- CGNAT (Carrier-Grade NAT): Multiple users share a single public IP. The IP traces to the carrier, not to any individual subscriber.
Legal Considerations
IP tracking for legitimate purposes (security analysis, abuse investigation, network troubleshooting) is generally lawful. However:
- ISP subscriber data requires legal process. Only the ISP can map an IP to a specific subscriber, and they require a subpoena, court order, or equivalent legal instrument to disclose this information.
- GDPR and privacy laws. In the European Union, IP addresses are considered personal data under GDPR. Collecting and processing them requires a lawful basis.
- Terms of service. Many IP geolocation databases restrict use cases in their terms of service. Review them before commercial use.
- Harassment and stalking. Using IP tracking to locate or intimidate individuals is illegal in most jurisdictions.
Practical Applications
Legitimate uses of IP tracking include:
- Email deliverability analysis. Identifying the geographic location and reputation of sending IPs. The IP Reputation tool is designed for this purpose.
- Fraud detection. Comparing the claimed location of a transaction with the IP's geolocation.
- Network troubleshooting. Identifying routing issues, latency sources, and network bottlenecks.
- Security incident response. Tracing the source of attacks, unauthorized access, or abuse.
- Access control. Geo-restricting content or services based on IP location.
IP tracking provides useful but inherently imprecise data. It is one signal among many, never definitive on its own. Use it as a starting point for investigation, not as a conclusion.