We are developing an intrusion detection agent system called IDA. Not only can the IDA detect an intrusion, it can also trace the route of the intrusion in a local area network. It is very important for administrators to know where an intruder is coming from and which machines the intruder hopped and compromised in the LAN because the administrators must restore the compromised systems, especially the system attacked first, in order to help prevent intrusions again. When a mark is detected indicating that an intruder might leave, the IDA starts collecting information related to the mark as it traces the candidate. The system analyzes the information and decides whether an intrusion has occurred. In the IDA, mobile agents collect information from the target systems across the network and trace the intruder. The mobile agents collect information only related to the intrusion. Therefore, the IDA can reduce analyzing overhead and network bandwidth loss.