Cyber Metadata · 分流与泄漏诊断

分流出口诊断

对比同一浏览器在多区域目标上的出口 IP：哪些走代理、哪些直连暴露真实 IP，并比对 WebRTC 泄漏。

等待检测

HTTP 出口观测

尚未检测

目标出口 IPASN / 国家路径 / 类型判定

点击开始检测后，会在这里显示各目标看到的出口 IP。

出口分组

无数据

开始诊断后，这里按出口 IP / ASN / 国家把各测量目标归并：同一组的目标走了同一出口。

WebRTC 泄漏检测

等待检测

点击「开始诊断」后自动运行：发现本地 IP 与 STUN 映射地址，与 HTTP 出口比对，判断是否 VPN 泄漏。

想要完整诊断？

这只是单项检测。运行深度检测，一次跑完分流出口、DNS / WebRTC 泄漏、VPN/代理识别、AI/流媒体可达性与测速。

运行深度检测 →

分流与出口检测——你的代理 / VPN 是否对所有目标都生效，还是部分流量「裸奔」直连？这个检测用多区域回显实测你访问不同目标时的真实出口 IP，判断分流拓扑并识别真实 IP 泄漏。

什么是分流（split routing）

规则代理（Clash / Surge / 等）按规则决定哪些流量走代理、哪些直连——国内站点直连求快、国外走代理。好处明显，但风险是：规则配错或某些目标走了直连，会把你的真实 IP 暴露给那个目标。

这个工具怎么检测

它让你的浏览器向多个区域的目标发起请求，由我们的回显端点记录每个目标实际看到的你的出口 IP，再按网络类型分类、推断拓扑：

把每个出口分为 direct（住宅 / 移动＝你的真实网络）或 proxy（机房 / 云 / VPN / 代理）；
全部 proxy → 全局代理，一致；全部 direct → 没走代理（裸连）；既有 direct 又有 proxy → 分流；
真实 IP 泄漏：当同一协议栈里同时出现 direct 和 proxy 出口，说明本应走代理的流量漏成了直连。注意——IPv4 走代理、IPv6 直连（或反之）是双栈的两条出口，不算泄漏。

分流泄漏有什么风险

真实 IP 暴露给本应隐藏的目标；
地区判定 / 风控按你的真实 IP 来；
规则配置盲区，你以为全走了代理，其实没有。

如何修复

检查代理规则，确认目标命中代理而非直连；
注意 IPv6：很多规则只覆盖 IPv4，IPv6 直连泄漏——确认 IPv6 也走代理，或禁用 IPv6；
必要时用全局模式，避免分流泄漏（代价是国内直连变慢）。

常见问题

分流泄漏和 DNS 泄漏是一回事吗？

不是。分流泄漏是你的部分流量直连暴露了真实出口 IP；DNS 泄漏是域名解析这一步绕过隧道。可独立发生，建议都查——DNS 泄漏检测。

想一次看全出口、泄漏、纯净度？

运行完整深度检测，一次跑完出口汇总、DNS / WebRTC 泄漏、VPN / 代理识别、AI 可达性与测速。

Split routing & exit check — does your proxy / VPN apply to every destination, or does some traffic go "bare" (direct)? This check uses multi-region echo to measure your real exit IP toward different targets, infers the routing topology, and identifies real-IP leaks.

What is split routing

Rule-based proxies (Clash / Surge / etc.) decide per rule which traffic goes through the proxy and which goes direct — domestic sites direct for speed, foreign sites via the proxy. Useful, but the risk is: a misconfigured rule or a destination that goes direct exposes your real IP to that target.

How this tool detects it

It makes your browser request targets in several regions, has our echo endpoints record the exit IP each target actually sees, then classifies and infers the topology:

each exit is classed as direct (residential / mobile = your real network) or proxy (datacenter / cloud / VPN / proxy);
all proxy → global proxy, consistent; all direct → no proxy (bare); both direct and proxy → split;
real-IP leak: when one address family carries both a direct and a proxy exit, traffic that should have gone through the proxy leaked out direct. Note — IPv4 via proxy and IPv6 direct (or vice versa) are the two exits of a dual stack and are not a leak.

Risks of a split-routing leak

your real IP is exposed to targets it should have been hidden from;
region / risk-control decisions are made on your real IP;
a rule blind spot — you think everything goes through the proxy, but it does not.

How to fix

review proxy rules and confirm targets hit the proxy rather than going direct;
mind IPv6: many rule sets only cover IPv4 while IPv6 leaks direct — confirm IPv6 goes through the proxy, or disable it;
use global mode when needed to avoid split leaks (at the cost of slower domestic direct access).

FAQ

Is a split-routing leak the same as a DNS leak?

No. A split-routing leak is some of your traffic going direct and exposing your real exit IP; a DNS leak is the name-resolution step bypassing the tunnel. They are independent — check both with the DNS leak test.

Want exits, leaks, and cleanliness in one pass?

Run the full deep check — exit summary, DNS / WebRTC leaks, VPN / proxy detection, AI reachability, and speed in one go.