A command-line tool to quickly determine if IP addresses are likely from bots/datacenters or legitimate human users. Analyzes WHOIS data, ASN information, and network ownership patterns to classify traffic sources.
╦ ╦╔╦╗╔═╗ ╦╔═╗
║║║ ║ ╠╣ ╔╦╝║╠═╝
╚╩╝ ╩ ╚ ╩ ╩╩
- 🔍 Automated WHOIS Lookups - Queries WHOIS for each IP automatically
- 🌍 Geolocation - Extracts country information with flag emojis (🇺🇸 🇬🇧 🇩🇪 etc.)
- 🏢 ASN Analysis - Identifies the Autonomous System Number and owner
- 🤖 Bot Detection - Classifies IPs as likely bot/datacenter vs human/residential
- 🧠 Smart Classification - Enhanced detection with multiple data sources and heuristics
- 📊 Summary Statistics - Aggregates results showing bot vs human traffic percentages
- 📋 Clipboard Copy - Press 'c' to copy the report to clipboard (macOS)
- 🎯 Batch Processing - Analyze multiple IPs in one run
- 📈 Progress Indicator - Visual progress bar for 4+ IPs with percentage completion
LIKELY BOT 🤖 (Cloud/Hosting)
- Major cloud providers: AWS, Azure, GCP, DigitalOcean, Linode, Vultr, etc.
- Hosting companies and datacenters
- VPS and dedicated server providers
- CDN networks
LIKELY HUMAN 👤 (ISP/Residential)
- Cable, DSL, and fiber ISPs
- Mobile and wireless carriers
- Residential broadband providers
- Telecommunications companies
- Python 3.6+
- whois command-line tool (usually pre-installed on Unix systems)
# Clone or download the script
cd wtf-ip
# Make executable
chmod +x wtf-ip.py
# Optionally, link to your PATH
ln -s $(pwd)/wtf-ip.py /usr/local/bin/wtf-ip
./wtf-ip.py
Then paste your IP addresses with counts and press Ctrl+D (Unix/Mac) or Ctrl+Z (Windows) when done.
The tool accepts IP addresses in two formats:
Option 1: IP addresses only (one per line - count defaults to 1):
169.47.39.105
188.241.60.103
104.153.67.10
Option 2: IP addresses with request counts (tab or space-separated):
169.47.39.105 148
188.241.60.103 123
104.153.67.10 122
Mixed format (both formats in same input):
206.72.194.37 120
45.147.231.82 107
169.63.169.229
$ ./wtf-ip.py
╦ ╦╔╦╗╔═╗ ╦╔═╗
║║║ ║ ╠╣ ╔╦╝║╠═╝
╚╩╝ ╩ ╚ ╩ ╩╩
IP Address Bot/Human Analyzer
==================================================
Paste your IP addresses with counts (format: IP<tab>count)
Press Ctrl+D (Unix) or Ctrl+Z (Windows) when done:
169.47.39.105 148
52.39.83.163
1.1.1.1
8.8.8.8
^D
Found 4 IP addresses to analyze...
[1/4] ██████░░░░░░░░░░░░░░░░░░░░░░░░ 25% | 169.47.39.105...
[2/4] ████████████░░░░░░░░░░░░░░░░░░ 50% | 52.39.83.163...
[3/4] ██████████████████░░░░░░░░░░░░ 75% | 1.1.1.1...
[4/4] ██████████████████████████████ 100% | 8.8.8.8...
Analysis complete!
====================================================================================================
IP ADDRESS ANALYSIS REPORT
====================================================================================================
1. 169.47.39.105 (Count: 148)
Classification: 🤖 LIKELY BOT
Organization: SoftLayer
Country: 🇺🇸 US
ASN: AS36351 - SOFTLAYER
Type: CLOUD/HOSTING
2. 52.39.83.163 (Count: 1)
Classification: 🤖 LIKELY BOT
Organization: Amazon Technologies Inc.
Country: 🇺🇸 US
ASN: AS16509 - AMAZON-02
Type: CLOUD/HOSTING
====================================================================================================
SUMMARY
====================================================================================================
Total IPs: 2
Likely Bots: 2 (100.0%)
Likely Humans: 0 (0.0%)
Unknown: 0 (0.0%)
Total Requests: 211
Bot Requests: 211 (100.0%)
Human Requests: 0 (0.0%)
Unknown: 0 (0.0%)
====================================================================================================
Press 'c' to copy report to clipboard, or any other key to exit: c
✅ Report copied to clipboard!
Clipboard Feature: After the report is generated, press c to copy the entire report to your clipboard, or press any other key to exit.
After the analysis completes, you can copy the entire report to your clipboard (macOS only):
- Review the report on screen
- Press c when prompted
- Report is copied to clipboard via pbcopy
- Paste anywhere you need it!
You can also pipe data directly:
cat ip_list.txt | ./wtf-ip.py
# Or from a web server log (sort first so uniq -c counts every repeat, then emit "IP count")
tail -n 100 access.log | awk '{print $1}' | sort | uniq -c | awk '{print $2, $1}' | ./wtf-ip.py
Note: When piping input, the clipboard prompt will still work since it reads from /dev/tty.
The tool generates a detailed report containing:
- Individual IP Analysis
  - IP address and request count
  - Classification (Bot/Human/Unknown)
  - Organization/ISP name
  - Country code
  - ASN number and name
  - Organization type
- Summary Statistics
  - Total unique IPs analyzed
  - Percentage breakdown by classification
  - Total requests by source type
You can extend the detection patterns by editing the lists in the script:
- KNOWN_CLOUD_PROVIDERS - Add cloud/hosting provider keywords
- KNOWN_RESIDENTIAL_INDICATORS - Add ISP/residential keywords
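As an added illustration (not the project's own code), this sketch shows how keyword lists like the two above can drive the classification and the request-weighted summary, using whole-token matching so a residential keyword such as "cable" does not fire on "Scalable". The list contents, the function names (parse_line, classify, summarize) and the sample WHOIS strings are assumptions made for the example.

```python
import ipaddress
import re

# Assumed list contents for illustration; the script's real lists may differ.
KNOWN_CLOUD_PROVIDERS = {"amazon", "softlayer", "digitalocean", "linode", "vultr", "hosting"}
KNOWN_RESIDENTIAL_INDICATORS = {"cable", "dsl", "broadband", "telecom", "wireless"}

def parse_line(line):
    """Parse 'IP' or 'IP<whitespace>count'; return (ip, count) or None if malformed."""
    parts = line.split()
    try:
        ip = str(ipaddress.ip_address(parts[0]))
    except (IndexError, ValueError):
        return None
    if len(parts) == 1:
        return ip, 1  # count defaults to 1
    if len(parts) == 2 and re.fullmatch(r"[0-9]+", parts[1]):
        return ip, int(parts[1])
    return None

def classify(org, asn_name):
    """Label an IP from its WHOIS organization and ASN name by whole-token match."""
    tokens = set(re.findall(r"[a-z0-9]+", f"{org} {asn_name}".lower()))
    if tokens & KNOWN_CLOUD_PROVIDERS:
        return "bot"  # cloud wins if both lists hit (a choice made in this sketch)
    if tokens & KNOWN_RESIDENTIAL_INDICATORS:
        return "human"
    return "unknown"

def summarize(lines, whois):
    """Count IPs and requests per label; whois maps ip -> (org, asn_name)."""
    ips = {"bot": 0, "human": 0, "unknown": 0}
    reqs = dict(ips)
    for ip, count in filter(None, map(parse_line, lines)):  # malformed lines dropped
        label = classify(*whois.get(ip, ("", "")))
        ips[label] += 1
        reqs[label] += count
    return ips, reqs

SAMPLE_WHOIS = {  # constructed sample data; last two IPs are documentation ranges
    "169.47.39.105": ("SoftLayer", "SOFTLAYER"),
    "52.39.83.163": ("Amazon Technologies Inc.", "AMAZON-02"),
    "203.0.113.7": ("Example Cable Broadband", "EXAMPLE-CABLE"),
    "198.51.100.9": ("Scalable Widgets Ltd", "SCALABLE-NET"),  # "cable" only as substring
}
SAMPLE_INPUT = ["169.47.39.105\t148", "52.39.83.163", "203.0.113.7 12", "198.51.100.9 3", "not-an-ip 5"]

if __name__ == "__main__":
    print(summarize(SAMPLE_INPUT, SAMPLE_WHOIS))
```

Weighting by request count rather than by IP keeps a single noisy datacenter address from being averaged away by many one-hit residential addresses.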
- Requires active internet connection for WHOIS lookups
- WHOIS rate limiting may affect large batches
- Classification is heuristic-based, not 100% accurate
- Some VPN services may be classified as hosting/cloud
- WHOIS format varies by registry (ARIN, RIPE, APNIC, etc.)
- Security Analysis - Identify suspicious bot traffic
- Traffic Analysis - Understand your visitor sources
- DDoS Investigation - Quickly classify attack sources
- Log Analysis - Batch process server logs
- Network Monitoring - Categorize inbound connections
MIT License - feel free to modify and distribute
Suggestions and improvements welcome! Key areas for enhancement:
- Additional cloud provider patterns
- IPv6 support improvements
- Caching for repeated lookups
- API integration options (MaxMind, IPinfo, etc.)
- Export formats (JSON, CSV)
Created for edwilde - November 2025
WTF-IP - Because sometimes you just need to know "Who's That From?"