What an IP extractor is good for
The IP extractor is the daily-driver tool when you have a wall of text and need the addresses out of it. Common cases:
- Log analysis. Web server access logs, application logs, syslog streams. You want the unique source IPs to feed into a fraud check or a rate-limit decision. Paste the log, hit copy, you have the list.
- Incident response. A security alert dumps connection records, mail headers, or a JSON blob of network events. You need every IP it touched so you can run them against threat-intel sources.
- Firewall / allowlist building. Documentation gives you a list of IPs in prose ("services originate from 198.51.100.10, 203.0.113.50, and 2001:db8::1"). You need them as a clean newline-separated list to paste into your firewall management UI.
- Bulk WHOIS / reverse-DNS prep. Strip a list of IPs out of any format, then feed it into Bulk reverse DNS or a WHOIS automation. The extractor normalizes IPv6 forms so duplicates collapse.
- Documentation generation. You're writing up a network or a service spec and you want every IP that came up in the design document collected.
How the matching works
IPv4
IPv4 is the easy case. The regex matches four dot-separated octets where each octet is 0-255. False positives are rare on real text — phone numbers, version strings, and product codes rarely look like four small numbers with dots. The tool runs the regex against your input, deduplicates exact matches, and preserves first-seen order for readability.
IPv6
IPv6 is much harder. The text format allows:
- Full 8-group form: 2001:0db8:0000:0000:0000:0000:0000:0001
- Compressed form (with ::): 2001:db8::1
- IPv4-mapped form: ::ffff:192.0.2.1
- Zone ID for link-local: fe80::1%eth0
- Various edge cases: leading zeros, all-zero groups, ::1 (loopback), :: (unspecified).
A single regex that catches every valid form without false positives is essentially impossible. The tool uses a permissive regex to find candidates, then validates each candidate by re-parsing it through a strict IPv6 parser. Candidates that don't parse are silently dropped. Valid matches are then normalized to their compressed canonical form before deduplication, so the same address in two different text forms collapses to one entry.
Deduplication
For IPv4 we deduplicate on exact string match — there's only one canonical form. For IPv6 we deduplicate on the canonical compressed form, so equivalent addresses don't show up multiple times. Order is first-seen, not alphabetical: useful for log analysis where you often want to see which IP showed up first.
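The candidate-then-validate matching and first-seen deduplication described above, as an added Python example that is not IPFerret's own code. The regexes, the name extract_ips, the constructed sample text, and the use of Python's ipaddress module (3.9+ for zone IDs) as the strict parser for both address families are assumptions.

```python
import ipaddress
import re

# Permissive candidate patterns, assumed for this example (not the tool's own regexes).
# v6: a run of hex digits, colons and dots holding at least two colons, plus optional zone ID.
# v4: four dot-separated digit groups; the strict parser below does the 0-255 range check.
CANDIDATE = re.compile(
    r"(?<![\w:.])(?P<v6>[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*(?:%\w+)?)"
    r"|(?<![\w.])(?P<v4>\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)"
)


def extract_ips(text):
    """Return unique IPs in first-seen order; IPv6 is normalized before dedup."""
    seen = {}  # dict keeps insertion order, so first-seen order is preserved
    for m in CANDIDATE.finditer(text):
        raw = m.group(0).rstrip(".")  # drop a sentence-ending period
        try:
            addr = ipaddress.ip_address(raw)  # strict parse: rejects 12:34:56, 10.0.0.256
        except ValueError:
            continue  # candidate looked like an IP but is not one: dropped silently
        seen.setdefault(str(addr), None)  # str() gives the compressed IPv6 form
    return list(seen)


# Constructed sample input: log lines plus prose, using documentation address ranges.
SAMPLE = """\
12:34:56 accepted 198.51.100.10:8080 -> 10.0.0.0/24 mac=00:1a:2b:3c:4d:5e
peer 2001:0db8:0000:0000:0000:0000:0000:0001 via fe80::1%eth0 build 1.2.3.4.5
Services originate from 198.51.100.10, 203.0.113.50, and 2001:db8::1.
bad octet 10.0.0.256, loopback ::1
"""

if __name__ == "__main__":
    print("\n".join(extract_ips(SAMPLE)))
```

On the sample, the timestamp, the MAC address, the five-part version string and the out-of-range octet all reach the parser stage or fail the candidate pattern and are dropped, while the full and compressed spellings of 2001:db8::1 collapse to one entry.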
What this tool is NOT
- Not a port extractor. If your input has 10.0.0.1:8080, you get back 10.0.0.1 only. Ports are stripped.
- Not a CIDR extractor. Inputs like 10.0.0.0/24 yield 10.0.0.0; the prefix is dropped. If you need CIDR-aware extraction, use the CIDR aggregator instead.
- Not a hostname resolver. Domain names in the input are ignored — only literal IP addresses are matched. To resolve names to IPs, use the DNS lookup tool.
Privacy
The whole tool runs in your browser. The text you paste is never transmitted to IPFerret servers, never logged, never stored. Open your browser's DevTools Network tab and run an extraction to confirm: zero outbound network activity. That's by design — these tools deal with potentially sensitive log data and shipping that off-machine would defeat the purpose.
Adjacent tools
- Bulk reverse DNS — paste the IPs you extracted, get the PTR hostnames.
- WHOIS / RDAP — identify who owns any single IP.
- CIDR aggregator — turn a long list of IPs into the minimal set of CIDR blocks that covers them.
- IP to decimal converter — render any IP as decimal, hex, or binary.
