.trace
DotTraceIP
A list of IPs from access logs goes in, a report comes out; everything between fits into one run.
the essence
An async CLI for bulk IP analysis: for each address six sources, namely geolocation, ASN and BGP prefix, reverse DNS, and reputation (AbuseIPDB, Spamhaus), are queried in parallel via asyncio.gather. A single failing source never breaks the rest, and the report is written to TXT, JSON, CSV, or a self-contained HTML.
Under the hood
Not a list of fields but a live dossier on an address.
Six sources are queried in parallel and turn a bare address into a dossier: country, operator, network, hostname, and a threat level. If one source goes silent, the dossier still assembles.
Two mechanisms that make .trace a real tool, not a toy.
The proxy hides your real IP
HTTP requests to the sources don't go out directly; they pass through a proxy pool, so the remote side sees the proxy's address, not yours. If the proxy breaks, .trace won't fall back to a direct connection. It just stays silent. The real IP never leaks, even on failure.
Scan a whole list
How a single pass over thousands of log lines surfaces the most dangerous addresses.
- 185.220.101.4 DE 100
- 45.155.205.233 RU 92
- 193.32.162.7 NL 64
- 104.244.76.13 US 31
- 5.188.206.18 SC 8
scale
size and timeframe: what stands behind the product.
architecture
Stages: read, fan-out, gather, merge.
- IP list file: read line by line; validated and deduped
- CLI · TUI menu: main.py; the headless scan and the Rich menu both call run_scan
- async engine run_scan: Semaphore over N IPs, as_completed, Rich live dashboard
- proxy connector: aiohttp-socks HTTP/SOCKS; no proxy means no direct HTTP
- ip-api · geo/ASN: ip-api over HTTP; country, city, ISP, ASN
- Cymru → bgpview: BGP prefix and ASN; Team Cymru DNS, bgpview fallback
- RDAP · rDNS: owner network (RDAP) and reverse DNS; in a thread pool
- AbuseIPDB · Spamhaus: reputation; AbuseIPDB by key and Spamhaus DNSBL
- TXT·JSON·CSV·HTML: TXT live during the scan; then JSON, CSV and a self-contained HTML
stack
Language
- Python 3.12
Framework
- asyncio
- aiohttp
- Rich
Data
- TXT
- JSON
- CSV
- HTML
Infrastructure
- GitHub Actions
- pytest
- mypy
Client
- aiohttp-socks
- dnspython
- ipwhois
what it does
the product's key capabilities right now.
6 sources per IP
Geolocation and ASN (ip-api), BGP prefix and AS name (Team Cymru, bgpview fallback), owner network (RDAP), reverse DNS, and reputation (AbuseIPDB, Spamhaus): every address gets a dossier from six independent sources.
Team Cymru answers over DNS and is barely rate-limited, so it leads; bgpview.io steps in over HTTP when DNS stays silent. Blocking resolvers (reverse DNS, RDAP, Spamhaus) run in a thread pool with a hard 6-second timeout, so a stuck lookup never clogs the pool.
Async fan-out with a semaphore
Up to 500 IPs in parallel, and per address the six sources gather in a single asyncio.gather. A failing source never drops the rest or interrupts the scan: its fields just stay at defaults.
The engine holds an asyncio.Semaphore over N addresses and yields results as they finish via as_completed. The synchronous run_scan wrapper hides all the asyncio inside, so the CLI stays plain and synchronous on the outside.
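An added sketch of the fan-out described above, not DotTraceIP's own code: a semaphore bounds the addresses in flight, each address's sources run under one asyncio.gather with return_exceptions=True, and a failed or stuck source leaves its fields at defaults. The source coroutines, the Dossier fields, the 0.2-second timeout and the name run_scan_demo are assumptions for illustration.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class Dossier:                      # hypothetical field set
    ip: str
    country: str = ""
    asn: str = ""
    rdns: str = ""
    abuse_score: int = 0

# Constructed stand-ins for real lookups; no network traffic is sent.
async def geo(ip):
    await asyncio.sleep(0.01)
    return {"country": "DE"}

async def asn(ip):
    raise ConnectionError("source unreachable")

async def rdns(ip):
    await asyncio.sleep(30)         # resolver that never answers in time
    return {"rdns": "late.example"}

async def reputation(ip):
    return {"abuse_score": 92}

SOURCES = (geo, asn, rdns, reputation)

async def trace_one(ip, sem, timeout):
    async with sem:                 # at most `limit` addresses in flight
        results = await asyncio.gather(
            *(asyncio.wait_for(src(ip), timeout) for src in SOURCES),
            return_exceptions=True,  # errors come back as values
        )
    dossier = Dossier(ip)
    for res in results:
        if isinstance(res, dict):   # exceptions and timeouts are skipped
            for key, value in res.items():
                setattr(dossier, key, value)
    return dossier

async def scan(ips, limit, timeout):
    sem = asyncio.Semaphore(limit)
    tasks = [trace_one(ip, sem, timeout) for ip in ips]
    return [await done for done in asyncio.as_completed(tasks)]

def run_scan_demo(ips, limit=500, timeout=0.2):
    """Synchronous wrapper: callers never touch the event loop."""
    return asyncio.run(scan(ips, limit, timeout))
```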
Headless or a live dashboard
The same run_scan runs both as a one-line cron job and from an interactive terminal menu. Headless streams results line by line; interactive draws a live Rich dashboard with progress and color-coded reputation.
The only difference is the use_live flag: the non-interactive mode prints lines for logs and pipes, while Rich Live shows a progress bar, a counter, and a table of the latest results with a green-yellow-red reputation cell.
A report in four formats
TXT is written during the scan itself, and the output also includes JSON, CSV, and a self-contained HTML with column sorting, without a single external dependency or CDN.
The HTML carries its own dark theme and a plain-JS sorter, the CSV neutralizes formula injection with a leading apostrophe, and every write is atomic (tmp plus os.replace) and never follows a symlink.
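An added example of the two CSV safeguards named above, not the project's own code: cells that start with a formula character get a leading apostrophe, and the file is written to a temp file and swapped in with os.replace, so a symlink planted at the report path is replaced rather than followed. The function names and the set of leading characters are assumptions.

```python
import csv
import os
import tempfile

# Leading characters a spreadsheet may treat as the start of a formula.
# Reverse-DNS names are set by whoever controls the address, so they are
# untrusted input to the report.
FORMULA_LEAD = ("=", "+", "-", "@", "\t", "\r")

def neutralize(cell):
    """Prefix formula-like cells with an apostrophe so they load as text."""
    text = str(cell)
    return "'" + text if text.startswith(FORMULA_LEAD) else text

def atomic_write_csv(path, header, rows):
    """Write the whole report to a temp file, then swap it into place."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp opens with O_CREAT|O_EXCL: a file or symlink pre-planted at
    # the temp name makes creation fail instead of being written through.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".report-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow(header)
            writer.writerows([neutralize(c) for c in row] for row in rows)
            fh.flush()
            os.fsync(fh.fileno())
        # Rename semantics: a symlink at `path` is replaced, not followed,
        # and readers see either the old file or the complete new one.
        os.replace(tmp, path)
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)
        raise
```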
Proxies and privacy
HTTP, SOCKS4, and SOCKS5 with random pool rotation against rate limits and credential masking. If a proxy is set but fails to parse, HTTP sources don't fall back to a direct connection, so the real IP never leaks.
The output hides both the last IP octet and the proxy password. A liveness check culls dead proxies before the scan and keeps only the working ones in the file.
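An added sketch of the fail-closed routing and credential masking described above, not DotTraceIP's own code: when a proxy pool is configured, the only outcomes are a proxy or no HTTP request at all. The function names and the tuple return shape are assumptions; the sample proxy strings in the usage are constructed.

```python
import random
from urllib.parse import urlsplit

SCHEMES = {"http", "socks4", "socks5"}

def parse_proxy(raw):
    """Return the parsed proxy URL, or raise ValueError if it is unusable."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in SCHEMES or not parts.hostname:
        raise ValueError("unsupported scheme or missing host")
    if parts.port is None:          # .port itself raises ValueError on junk
        raise ValueError("missing port")
    return parts

def mask_proxy(raw):
    """Render a proxy for logs and reports with the password hidden."""
    p = parse_proxy(raw)
    cred = f"{p.username}:***@" if p.username else ""
    return f"{p.scheme}://{cred}{p.hostname}:{p.port}"

def http_route(pool, rng=random):
    """Pick a route for HTTP sources when a proxy pool is configured.

    Returns ("proxy", url) or ("blocked", None); there is no direct branch.
    """
    usable = []
    for raw in pool:
        try:
            parse_proxy(raw)
        except ValueError:
            continue                # unparsable entry: drop it, never go direct
        usable.append(raw.strip())
    if not usable:
        return ("blocked", None)    # fail closed: HTTP sources are skipped
    return ("proxy", rng.choice(usable))   # random rotation over the pool
```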
Resilience and backoff
A failing source never breaks the report, and on 429 ip-api backs off while respecting the X-Ttl header. Repeated IPs in logs are deduped before the scan even starts.
dedup_preserve removes duplicates while keeping first-seen order (in access logs one address shows up hundreds of times). The config survives garbage: broken JSON falls back to defaults, threads clamp into the 1..500 range, and paths stay inside the working directory.
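An added example of the input and config hardening described above, not the project's own code: order-preserving dedup of validated addresses, defaults on broken JSON, a thread count clamped to 1..500, and an output path forced to stay under the working directory. The config keys, default values and function names are assumptions.

```python
import ipaddress
import json
from pathlib import Path

DEFAULTS = {"threads": 100, "output": "report.csv"}   # constructed defaults

def valid_unique_ips(lines):
    """Drop invalid lines and repeats, keeping first-seen order."""
    seen = {}
    for line in lines:
        try:
            ip = str(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
        seen.setdefault(ip)         # dicts preserve insertion order
    return list(seen)

def load_config(text, workdir):
    """Parse config text; anything malformed or out of range is replaced."""
    try:
        raw = json.loads(text)
    except (TypeError, ValueError):  # JSONDecodeError is a ValueError
        raw = None
    cfg = dict(DEFAULTS)
    if isinstance(raw, dict):
        cfg.update({k: raw[k] for k in DEFAULTS if k in raw})
    try:
        cfg["threads"] = max(1, min(500, int(cfg["threads"])))
    except (TypeError, ValueError, OverflowError):
        cfg["threads"] = DEFAULTS["threads"]
    base = Path(workdir).resolve()
    # Resolve before comparing so "../", absolute paths and symlinked
    # directories cannot point the report outside the working directory.
    target = (base / str(cfg["output"])).resolve()
    if not target.is_relative_to(base):
        target = base / DEFAULTS["output"]
    cfg["output"] = target
    return cfg
```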
timeline
how the product grew from its first version.
- 15 Mar 2026: Start: an async core in a day
  The first commit and a working core right away: an asyncio.gather fan-out with a semaphore, a live Rich dashboard, HTTP/SOCKS proxies with credential masking, six sources per IP, and four export formats.
- 23 Jun 2026: Headless, resilience, and CI
  A non-interactive scan for cron and log parsing, 429 backoff that respects X-Ttl, IP dedup before the scan, and a ruff plus coverage pipeline on GitHub Actions.
- 1 Jul 2026: Publication and audit
  DotCore-standard docs, a license, and a cover; the pre-deploy audit passes clean and earns a green badge. Verified: CSV formula-injection guarding, atomic writes, and keeping paths inside the working directory.