IP Diagnosis
Perform detailed network diagnosis on and output O&M reports with a fixed structure.
Applicable Scenarios
Use this skill when users request the following tasks:
- Check current public network /
- Determine if there is region split between
- Check if VPN/proxy only takes over part of the traffic
- Check if the browser side exposes extra addresses
- Compare command line egress results with results seen on browser pages
- Output a detailed reviewable network diagnosis report
By default this skill runs on the current machine; no confirmation prompt is sent before execution.
Implementation Principles
- Install missing dependencies first before diagnosis
- Check local network stack first, then external egress, then browser cross-validation
- Cross-validate with at least two external sources, do not rely on a single site
- Clearly distinguish in the report:
  - Verified facts
  - Judgments
  - Suggestions
- Public IP seen in does not equal browser leak by itself
- Only when extra private network or abnormal public network addresses are exposed via , it is judged as browser-side leakage risk
0. Dependency Check and Installation
Check first:
```bash
command -v curl
command -v dig
command -v jq
command -v python3
command -v npm
command -v playwright-cli
command -v brew
open -Ra "Google Chrome"
```
Default dependencies:
Installation rules:
- If is missing, does not exist and is available:
- If is missing:
  ```bash
  npm install -g playwright-cli
  ```
- Verify immediately after installation:
  ```bash
  playwright-cli open --help
  ```
- If does not exist, clearly state the blocking item and stop; do not automatically downgrade to other browsers
- If can run but the chrome browser channel cannot be opened, try:
  ```bash
  playwright-cli install-browser --browser chrome
  ```
- If is missing and is available:
- If is missing and is available:
If key dependencies cannot be installed, clearly state the blocking item in the report and stop; do not fabricate conclusions.
1. Local Network Stack Check
Execute in order:
```bash
route -n get default
route -n get default | awk '/interface:/{print $2}'
networksetup -listallhardwareports
netstat -rn -f inet6 | sed -n '1,80p'
scutil --dns
ifconfig | grep -E -A3 '^(en0|en1|utun[0-9]+):'
```
Then:
- Extract the current default interface from first, e.g.
- Map the interface to the corresponding network service name with `networksetup -listallhardwareports`
- Only execute after mapping to a clear service name:
  ```bash
  networksetup -getinfo "<actual service name>"
  ```
- If mapping fails, write `networksetup service unresolved` in the report, do not hardcode it as
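The mapping step above, as an added Python example that is not part of the original skill: it parses constructed `route -n get default` and `networksetup -listallhardwareports` output and returns `networksetup service unresolved` when the default interface has no hardware port, which is the case for a tunnel interface. It treats the Hardware Port name as the service name, which holds unless the service was renamed; the function names and sample text are assumptions.

```python
import re

UNRESOLVED = "networksetup service unresolved"

# Constructed sample of `route -n get default` output (documentation addresses).
SAMPLE_ROUTE = """\
   route to: default
destination: default
    gateway: 192.0.2.1
  interface: en0
"""

# Constructed sample of `networksetup -listallhardwareports` output.
SAMPLE_PORTS = """\
Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:00:5e:00:53:02

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: 00:00:5e:00:53:03
"""

def default_interface(route_output):
    """Return the interface named on the `interface:` line, or None."""
    match = re.search(r"^\s*interface:\s*(\S+)", route_output, re.MULTILINE)
    return match.group(1) if match else None

def service_for_device(ports_output, device):
    """Return the Hardware Port whose Device equals `device`, else UNRESOLVED."""
    port = None
    for line in ports_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Hardware Port":
            port = value.strip()
        elif key.strip() == "Device" and value.strip() == device:
            return port or UNRESOLVED
    return UNRESOLVED

def resolve_service(route_output, ports_output):
    """Map the default route's interface to a service name without guessing."""
    device = default_interface(route_output)
    if device is None:
        return UNRESOLVED
    return service_for_device(ports_output, device)

if __name__ == "__main__":
    print(resolve_service(SAMPLE_ROUTE, SAMPLE_PORTS))
    print(resolve_service(SAMPLE_ROUTE.replace("en0", "utun4"), SAMPLE_PORTS))
```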
Objectives:
- Check the direction of the default route
- Check if the default route goes through
- Check if there is an active
- Check if the local interface has native
- Check if DNS is a tunnel private resolver or local direct resolver
2. Local Command Confirmation of Public Egress
Execute at least:
```bash
curl --connect-timeout 8 --max-time 15 -4sS https://api.ipify.org
curl --connect-timeout 8 --max-time 15 -6sS https://api64.ipify.org
curl --connect-timeout 8 --max-time 15 -4sS https://ipinfo.io/json
curl --connect-timeout 8 --max-time 15 -6sS https://ipinfo.io/json
curl --connect-timeout 8 --max-time 15 -4sS https://ifconfig.co/json
curl --connect-timeout 8 --max-time 15 -6sS https://ifconfig.co/json
curl --connect-timeout 8 --max-time 15 -4sS https://api.ip.sb/geoip
curl --connect-timeout 8 --max-time 15 -6sS https://api.ip.sb/geoip
dig +short txt ch whoami.cloudflare @1.1.1.1
```
Requirements:
- Confirm and separately
- Try to get for both:
  - IP
  - Country/Region
  - ASN
  - Organization
- If query fails, do not immediately judge "no IPv6"
- If the result is and other addresses, do not treat it as an independent public
3. Chrome Browser Cross-Validation
Must use:
Recommended execution order:
```bash
playwright-cli open --browser=chrome https://webbrowsertools.com/ip-address/
playwright-cli eval "document.title"
playwright-cli eval "document.body.innerText"
playwright-cli snapshot
```
If needed, you can read additionally:
```bash
playwright-cli console
playwright-cli network
```
If any of the following occurs:
- Page title or body contains
- Page title or body contains
- Page title or body contains
- The page content is obviously a challenge page
- or console shows main page request returns
- Key groups such as , , are missing on the page
Perform a limited retry:
```bash
playwright-cli close
playwright-cli open --browser=chrome --headed --persistent https://webbrowsertools.com/ip-address/
playwright-cli eval "document.title"
playwright-cli eval "document.body.innerText"
playwright-cli snapshot
```
If it is still a challenge page, 403, or missing key groups after retry:
- Do not fail the entire diagnosis
- Write the browser cross-validation status as `blocked by challenge / partial / unavailable` in the report
- Clearly record the title, error, 403 or challenge page prompt seen
- Continue to complete the report for the local network stack and external egress parts
- Mark as "browser-side verification blocked, manual review required"
Record these dynamic result groups in as much detail as possible in the report:
If specific lines are visible on the page, list them item by item as much as possible, do not make simple summaries.
Key fields usually include:
4. Report Output Format
Must output according to the following structure.
Conclusion
- Network status: `Normal / Risk pending confirmation / Obviously abnormal`
- One-sentence summary of the most critical problem
Conclusion judgment requirements:
- If the active network service clearly shows , and:
  - Command line egress is consistent with browser side
  - No extra addresses via
  - No evidence of independent public

  Write `Normal (IPv6 is turned off)` by default
- In the above scenario, do not write `Risk pending confirmation` just because is not confirmed
- Only upgrade to `Risk pending confirmation` when there is actual inconsistency, abnormal exposure, challenge page blocking key verification, or is still active but status is unclear
Evidence
Local Check
- :
- :
- :
- :
- :
<exists / does not exist + brief description>
- Local interface :
External Egress
-
- IP
- Country/Region
- ASN
- Organization
- Source 1
- Source 2
-
- IP
- Country/Region
- ASN
- Organization
- Source 1
- Source 2
If a source fails, clearly write:
No evidence of independent public IPv6
If the active network service clearly shows , and the local interface has no global :
- evidence is preferentially written as `No evidence of independent public IPv6 (IPv6 is turned off)`
- Do not preferentially write
- The here is subject to the returned by `networksetup -getinfo "<actual service name>"`
Browser Cross-Validation
- Page: webbrowsertools IP Address
- Browser cross-validation status: `success / partial / blocked by challenge / unavailable`
- All items of
- All items of
- All items of
- All items of
Judgment
Must explicitly answer:
- Is there region split: `Yes / No / To be verified`
- Is the command line egress consistent with the browser side: `Yes / No / Partially consistent`
- Is there browser-side leak: `Yes / No / To be verified`
- Is the public address seen in just a normal phenomenon of direct connection to the website:
- Is the existence of independent public confirmed: `Yes / No / To be verified`
- Is browser cross-validation blocked by challenge page or 403:
Solution
Each suggestion should include:
- Applicable conditions
- Action
- Why it works
Suggestions are sorted in descending order of priority.
If the country/region of and are inconsistent, you must give the specific method to turn off on :
```bash
networksetup -listallnetworkservices
networksetup -setv6off "Wi-Fi"
```
If recovery is needed, supplement:
```bash
networksetup -setv6automatic "Wi-Fi"
```
And clearly prompt the user: if the currently used network service is not , first find the correct service name from the output of `networksetup -listallnetworkservices` before execution.
If it is observed that
exposes extra private network or abnormal public network addresses, you can use Chrome extension as one of the browser-side mitigation options:
Description points:
- This extension reduces private and public network address exposure by adjusting the browser's routing and privacy settings
- It may affect audio/video or real-time communication sites that rely on
- Only applicable to exposure problems, does not solve the seen by the website through normal direct connection requests
If it is observed that the / displayed by some sites is inconsistent with the attribution of the current egress , add a low-priority suggestion:
- Applicable conditions: egress is consistent with most external sources, but the / displayed by a site points to another organization or operator
- Action: Clearly tell the user that this is usually the attribution of the resolver, not an extra public leak; the user decides whether to continue processing on their own
- Why it works: Some sites detect both egress and resolver at the same time, the on the page may reflect the of the recursive resolver, not the of the current web page connection egress
If the user decides to continue processing this problem, only use the following actions as options, do not recommend them as mandatory fixes by default:
- Manually modify system
- Switch to accessible in the proxy/VPN client
- Switch to a client or mode that can stably take over system
And clearly explain:
- Separate exposure is usually not treated as high risk
- Whether to process depends on the user's tolerance for operator exposure, resolution link consistency and maintenance cost
Review Links
Include at least:
- webbrowsertools IP Address
- Links or domain names of external query sources used this time
If the specific public IP has been confirmed, it is recommended to additionally provide review links that directly include the IP:
https://ping0.cc/ip/<detected-ip>
https://iplark.com/<detected-ip>
https://ipinfo.io/<detected-ip>
The here should be replaced with the actual or confirmed in the report, do not hardcode it as a historical example value.
When
exposure is part of the problem, provide together:
5. Interpretation Rules
- Public IP seen in :
  - This is naturally visible for direct website connection, do not automatically judge it as browser leak
- Only when extra private network or abnormal public network addresses are exposed via :
  - Judge it as browser-side leakage risk
- Different country/region for and :
  - Judge as region split risk
  - The solution preferentially includes the specific command to turn off on
- query fails, but local interface and routing table still show :
  - Write `IPv6 status to be verified`
- If the active network service clearly shows , the local interface has no global , and external sources have no evidence of independent public :
  - Write for `Is the existence of independent public IPv6 confirmed`
  - Write for `Is there IPv4/IPv6 region split`
  - Do not upgrade the conclusion to `Risk pending confirmation` by default for this reason
  - on , link-local addresses, or residual routes cannot overturn this conclusion alone
- Conflicts in ASN/organization/region among multiple sources:
  - Clearly write `Sources are inconsistent, review required`
- If the / displayed by the site conflicts with the attribution of the egress , but the egress itself is consistent on most sources:
  - First judge whether the site also detects the resolver
  - Preferentially write `DNS ASN is inconsistent with HTTP egress ASN`
  - Do not directly write or `Extra public IP leak occurred`
  - Treat as low-risk information exposure by default, and leave it to the user to decide whether to continue convergence
- No evidence of independent public :
  - Can only write `Independent public IPv6 not confirmed`
  - Do not write
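One way to encode the cross-source rules above, as an added Python example that is not part of the original skill: it collapses per-source results into one verdict per address family, ignores failed queries and answers in the wrong address family, and derives the IPv6 and region-split answers. The record shape, the function names, the `confirmed` and single-source status strings and the sample values are assumptions; the remaining strings are the ones the rules prescribe.

```python
import ipaddress

# Constructed observations, normalized from each source's JSON by the caller.
# Addresses and ASNs come from ranges reserved for documentation.
SAMPLE = [
    {"source": "ipinfo.io", "family": 4, "ip": "203.0.113.10", "country": "JP", "asn": "AS64500"},
    {"source": "ifconfig.co", "family": 4, "ip": "203.0.113.10", "country": "JP", "asn": "AS64500"},
    {"source": "ipinfo.io", "family": 6, "ip": "2001:db8::5", "country": "US", "asn": "AS64501"},
    {"source": "ifconfig.co", "family": 6, "ip": "2001:db8::5", "country": "US", "asn": "AS64501"},
    {"source": "api.ip.sb", "family": 6, "ip": None, "country": None, "asn": None},  # failed query
]

def summarize(observations, family):
    """Collapse one address family's answers into agreed values plus a status."""
    # A failed query, or an answer in the wrong address family, is not evidence.
    ok = [o for o in observations if o["family"] == family and o["ip"]
          and ipaddress.ip_address(o["ip"]).version == family]
    out = {"sources": len(ok), "status": "no evidence"}
    for field in ("ip", "country", "asn"):
        values = {o[field] for o in ok}
        out[field] = values.pop() if len(values) == 1 else None
    if len(ok) == 1:
        out["status"] = "single source, second source required"  # assumed wording
    elif len(ok) >= 2:
        agreed = all(out[f] for f in ("ip", "country", "asn"))
        out["status"] = "confirmed" if agreed else "Sources are inconsistent, review required"
    return out

def judge(observations, local_ipv6_active):
    """Answer the IPv6 and region-split questions of the report's Judgment part."""
    v4, v6 = summarize(observations, 4), summarize(observations, 6)
    if v6["sources"] == 0:
        # Failed IPv6 queries alone never prove "no IPv6"; local state picks the wording.
        ipv6 = ("IPv6 status to be verified" if local_ipv6_active
                else "Independent public IPv6 not confirmed")
        # Assumption of this example: no IPv6 egress and IPv6 inactive means nothing to split.
        split = "To be verified" if local_ipv6_active else "No"
    else:
        ipv6 = v6["status"]
        if v4["country"] and v6["country"]:
            split = "Yes" if v4["country"] != v6["country"] else "No"
        else:
            split = "To be verified"
    return {"ipv4": v4["status"], "ipv6": ipv6, "region_split": split}

if __name__ == "__main__":
    print(judge(SAMPLE, local_ipv6_active=True))
```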
6. Recommended External Sources
Prioritize these sources for cross-validation:
Among them, is only used as a browser cross-validation page, not as the only source of truth.
7. Prohibited Items
- Do not quote only one IP query site
- Do not only check
- Do not skip browser cross-validation
- Do not directly write as browser leak
- Do not treat the failure of a single external site as the final conclusion
- Do not make hasty conclusions before confirming the status