Tool 15 Mar 2026 in production

.trace

DotTraceIP

A list of IPs from access logs goes in, a report comes out; everything between fits into one run.

the essence

An async CLI for bulk IP analysis: for each address, six sources covering geolocation, ASN and BGP prefix, reverse DNS, and reputation (AbuseIPDB, Spamhaus) are queried in parallel via asyncio.gather. A single failing source never breaks the rest, and the report is written to TXT, JSON, CSV, or a self-contained HTML file.

Under the hood

Not a list of fields but a live dossier on an address.

Six sources are queried in parallel and turn a bare address into a dossier: country, operator, network, hostname, and a threat level. If one source goes silent, the dossier still assembles.

Two mechanisms that make .trace a real tool, not a toy.

The proxy hides your real IP

HTTP requests to the sources don't go out directly; they pass through a proxy pool, so the remote side sees the proxy's address, not yours. If the proxy breaks, .trace won't fall back to a direct connection. It just stays silent. The real IP never leaks, even on failure.

Scan a whole list

How a single pass over thousands of log lines surfaces the most dangerous addresses.

  • 185.220.101.4 DE 100
  • 45.155.205.233 RU 92
  • 193.32.162.7 NL 64
  • 104.244.76.13 US 31
  • 5.188.206.18 SC 8

scale

size and timeframe: what stands behind the product.

1 day from first commit to a working async core
~2.4k lines of Python with tests
82 pytest-asyncio tests, green CI
500 IPs in parallel: the semaphore ceiling
6 data sources per IP

architecture

[Architecture diagram. Per IP, the sources are queried through asyncio.gather. Edge labels: read, run_scan, gather, fan-out, merge.]

Modules and their roles:

  • target_ips.txt: IP list file, line by line; validated and deduped
  • CLI · TUI menu: main.py; headless scan and a Rich menu call run_scan
  • async engine: Semaphore over N IPs, as_completed, Rich live dashboard
  • proxy connector: aiohttp-socks HTTP/SOCKS; no proxy means no direct HTTP
  • ip-api · geo/ASN: ip-api over HTTP; country, city, ISP, ASN
  • AbuseIPDB · Spamhaus: reputation; AbuseIPDB by key and Spamhaus DNSBL
  • Cymru → bgpview: BGP prefix and ASN; Team Cymru DNS, bgpview fallback
  • RDAP · rDNS: owner network (RDAP) and reverse DNS; in a thread pool
  • TXT·JSON·CSV·HTML: TXT live during the scan; then JSON, CSV and a self-contained HTML

stack

Language

  • Python 3.12

Framework

  • asyncio
  • aiohttp
  • Rich

Data

  • TXT
  • JSON
  • CSV
  • HTML

Infrastructure

  • GitHub Actions
  • pytest
  • mypy

Client

  • aiohttp-socks
  • dnspython
  • ipwhois

what it does

the product's key capabilities right now.

6 sources per IP

Geolocation and ASN (ip-api), BGP prefix and AS name (Team Cymru, bgpview fallback), owner network (RDAP), reverse DNS, and reputation (AbuseIPDB, Spamhaus): every address gets a dossier from six independent sources.

Team Cymru answers over DNS and is barely rate-limited, so it leads; bgpview.io steps in over HTTP when DNS stays silent. Blocking resolvers (reverse DNS, RDAP, Spamhaus) run in a thread pool with a hard 6-second timeout, so a stuck lookup never clogs the pool.

Async fan-out with a semaphore

Up to 500 IPs in parallel, and per address the six sources gather in a single asyncio.gather. A failing source never drops the rest or interrupts the scan: its fields just stay at defaults.

The engine holds an asyncio.Semaphore over N addresses and yields results as they finish via as_completed. The synchronous run_scan wrapper hides all the asyncio inside, so the CLI stays plain and synchronous on the outside.
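
The fan-out described above, as an added sketch that is not the project's own code: a semaphore bounds the addresses in flight, each source is wrapped so an error or timeout yields no fields, and a synchronous run_scan hides the event loop. The field names, the guarded and trace_ip helpers, and the fake_* sources are assumptions built for the example.

```python
import asyncio

# Hypothetical dossier defaults; the field names are assumptions.
DEFAULTS = {"country": "", "asn": "", "rdns": "", "abuse_score": 0}


async def guarded(source, ip, timeout):
    """Run one source; an error or timeout yields no fields."""
    try:
        return await asyncio.wait_for(source(ip), timeout)
    except Exception:  # includes asyncio.TimeoutError, not cancellation
        return {}


async def trace_ip(ip, sources, sem, timeout):
    async with sem:  # at most `limit` addresses in flight
        parts = await asyncio.gather(*(guarded(s, ip, timeout) for s in sources))
    dossier = {"ip": ip, **DEFAULTS}
    for part in parts:
        dossier.update(part)  # a failed source leaves its defaults alone
    return dossier


async def _scan(ips, sources, limit, timeout):
    sem = asyncio.Semaphore(limit)
    tasks = [asyncio.create_task(trace_ip(ip, sources, sem, timeout)) for ip in ips]
    return [await done for done in asyncio.as_completed(tasks)]


def run_scan(ips, sources, limit=500, timeout=6.0):
    """Synchronous wrapper, so callers never touch the event loop."""
    return asyncio.run(_scan(ips, sources, limit, timeout))


# Constructed stand-ins for real sources, so the example runs offline.
async def fake_geo(ip):
    return {"country": "DE"}


async def fake_reputation(ip):
    raise ConnectionError("source is down")


async def fake_hung_rdns(ip):
    await asyncio.sleep(60)  # simulates a lookup that never answers
    return {"rdns": "never.example"}
```

Catching Exception rather than BaseException matters here: task cancellation still propagates, so an interrupted scan stops instead of being recorded as an empty dossier.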

Headless or a live dashboard

The same run_scan runs both as a one-line cron job and from an interactive terminal menu. Headless streams results line by line; interactive draws a live Rich dashboard with progress and color-coded reputation.

The only difference is the use_live flag: the non-interactive mode prints lines for logs and pipes, while Rich Live shows a progress bar, a counter, and a table of the latest results with a green-yellow-red reputation cell.

A report in four formats

TXT is written during the scan itself, and the output also includes JSON, CSV, and a self-contained HTML with column sorting, without a single external dependency or CDN.

The HTML carries its own dark theme and a plain-JS sorter, the CSV neutralizes formula injection with a leading apostrophe, and every write is atomic (tmp plus os.replace) and never follows a symlink.
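
An added sketch of the two write-path guards named above, not the project's own code. It assumes the trigger set is the usual formula lead characters and that the temp file sits next to the target. Reverse DNS names are chosen by whoever controls the address block, so report cells are untrusted input.

```python
import csv
import io
import os

# Assumed trigger set: characters a spreadsheet may treat as a formula start.
FORMULA_LEADS = ("=", "+", "-", "@", "\t", "\r")


def guard_cell(value):
    """Prefix an apostrophe so spreadsheets treat the cell as text."""
    text = str(value)
    return "'" + text if text.startswith(FORMULA_LEADS) else text


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([guard_cell(cell) for cell in row])
    return buf.getvalue()


def atomic_write(path, data):
    """Write to a fresh temp file, then swap it in with os.replace."""
    tmp = f"{path}.{os.getpid()}.tmp"
    # O_EXCL refuses an existing name; O_NOFOLLOW refuses a symlink there.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp, flags, 0o600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        # The rename replaces a symlink at `path` itself, never its target.
        os.replace(tmp, path)
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise
```

Readers of the report see either the old file or the complete new one, and a symlink planted at the report path is replaced rather than written through.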

Proxies and privacy

HTTP, SOCKS4, and SOCKS5 with random pool rotation against rate limits and credential masking. If a proxy is set but fails to parse, HTTP sources don't fall back to a direct connection, so the real IP never leaks.

The output hides both the last IP octet and the proxy password. A liveness check culls dead proxies before the scan and keeps only the working ones in the file.
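
An added sketch of the fail-closed routing and output masking described above, not the project's own code. The names pick_proxy, ProxyRequired, mask_proxy and mask_ip, and the exact masked formats, are assumptions; the point is that proxy selection has no return value a caller could mistake for "go direct".

```python
import random
from urllib.parse import urlsplit

SCHEMES = {"http", "socks4", "socks5"}


class ProxyRequired(RuntimeError):
    """Proxies were configured but none is usable; do not go direct."""


def parse_proxy(raw):
    parts = urlsplit(raw.strip())
    # .port raises ValueError for a non-numeric or out-of-range port
    if parts.scheme not in SCHEMES or not parts.hostname or parts.port is None:
        raise ValueError("malformed proxy URL")
    return parts


def pick_proxy(configured, rng=random):
    """Rotate over the parseable entries; never return a 'direct' sentinel."""
    usable = []
    for raw in configured:
        try:
            usable.append(parse_proxy(raw))
        except ValueError:
            continue
    if not usable:
        raise ProxyRequired("no usable proxy; HTTP sources are skipped")
    return rng.choice(usable)


def mask_proxy(parts):
    """Render a proxy for logs with the password replaced."""
    auth = f"{parts.username}:***@" if parts.username else ""
    return f"{parts.scheme}://{auth}{parts.hostname}:{parts.port}"


def mask_ip(ip):
    """Hide the last octet of an IPv4 address in output."""
    head, _, _ = ip.rpartition(".")
    return f"{head}.x"
```

An HTTP source that catches ProxyRequired and returns no fields gets the "stays silent" behaviour without ever opening a direct socket.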

Resilience and backoff

A failing source never breaks the report, and on 429 ip-api backs off while respecting the X-Ttl header. Repeated IPs in logs are deduped before the scan even starts.

dedup_preserve removes duplicates while keeping first-seen order (in access logs one address shows up hundreds of times). The config survives garbage: broken JSON falls back to defaults, threads clamp into the 1..500 range, and paths stay inside the working directory.
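
An added sketch of the input hardening described above, not the project's own code. The name dedup_preserve comes from the page, but its body here, the clean_targets, confine and load_config helpers, the config keys and the default values are all assumptions.

```python
import ipaddress
import json
from pathlib import Path

DEFAULTS = {"threads": 100, "output": "results.txt"}  # constructed defaults


def dedup_preserve(items):
    """Drop repeats, keeping first-seen order (dicts preserve insertion)."""
    return list(dict.fromkeys(items))


def clean_targets(lines):
    """Keep only syntactically valid addresses, then dedup."""
    valid = []
    for line in lines:
        try:
            valid.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue
    return dedup_preserve(valid)


def confine(name, workdir):
    """Resolve `name` under workdir; use the default if it escapes."""
    base = Path(workdir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:  # catches ../ chains and absolute paths
        return base / DEFAULTS["output"]
    return target


def load_config(text, workdir="."):
    try:
        raw = json.loads(text)
        if not isinstance(raw, dict):
            raise ValueError("config must be a JSON object")
    except ValueError:  # json.JSONDecodeError is a ValueError
        raw = {}
    cfg = {**DEFAULTS, **raw}
    try:
        threads = int(cfg["threads"])
    except (TypeError, ValueError):
        threads = DEFAULTS["threads"]
    cfg["threads"] = max(1, min(500, threads))  # clamp into 1..500
    cfg["output"] = confine(str(cfg["output"]), workdir)
    return cfg
```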

timeline

how the product grew from its first version.

  1. 15 Mar 2026

    Start: an async core in a day

    The first commit and a working core right away: an asyncio.gather fan-out with a semaphore, a live Rich dashboard, HTTP/SOCKS proxies with credential masking, six sources per IP, and four export formats.

  2. 23 Jun 2026

    Headless, resilience, and CI

    A non-interactive scan for cron and log parsing, 429 backoff that respects X-Ttl, IP dedup before the scan, and a ruff plus coverage pipeline on GitHub Actions.

  3. 1 Jul 2026

    Publication and audit

    DotCore-standard docs, a license, and a cover; the pre-deploy audit passes clean and earns a green badge. Verified: CSV formula-injection guarding, atomic writes, and keeping paths inside the working directory.