ZeroTrace AirLeak
Live Monitoring
Reading the live event stream and the heartbeat status bar
Live Monitoring is what you spend most of your AirLeak time doing — watching events flow in, watching devices appear, watching the unit's own health.
The status bar
The strip at the top of every AirLeak page is your live readout. It updates every 2 seconds.
AirLeak [emerald dot] Devices 18 Events 88 WiFi 2 BLE 84 Alerts 1
Drop 0.0% Heap 35K (10%) Up 12s Scan active
Each chip is a live KPI:
| Chip | What it tells you |
|---|---|
| Devices | How many unique devices the unit has aggregated |
| Events | Total decoded events streamed to the desktop |
| WiFi / BLE | Per-radio breakdown |
| Alerts | How many privacy alerts have fired |
| Drop % | Fraction of events lost on USB transmit. Zero is healthy. |
| Heap | Free internal RAM on the unit. Color-coded: green > 12 %, orange 7–12 %, red below 7 %. |
| Up | How long the unit has been running |
| Scan | active (capturing with active BLE scan) / passive / off (Setup mode) |
A glance tells you the whole story. Devices growing slowly + Events growing fast = a dense environment with the throttle doing its job. Devices growing fast + Heap dropping = lots of new MACs, getting full. Drop % climbing = USB stream is congested, time to raise the throttle.
The live event view
In the AirLeak sidebar, click Live. This is the raw event-by-event stream.
Every event flowing from the unit appears here as a row:
- Timestamp
- Event type (BLE Apple Continuity, WiFi probe-req, etc.)
- Source device (MAC + friendly name if known)
- Payload chips (decoded fields specific to the event type)
- RSSI
The page holds the most recent 200 events in a ring. Older events scroll off as new ones arrive.
The Live view is best for:
- Watching a specific behavior unfold in real time (e.g. you turned on AirDrop on your phone — you should see the new event appear)
- Validating that capture is healthy
- Capturing a screenshot of an interesting moment for forensics
- Debugging your own device's broadcasting (turn AirPods on / off, see the lid-open events arrive)
It's NOT the right view for:
- Browsing devices over time (use Devices)
- Forensic analysis after the fact (use Sessions export)
- Counting things (use Insights)
Reading the heartbeat in detail
Open AirLeak → Settings → Device log for a more detailed view. The log tab shows every line the unit emits, including heartbeats:
HB: mode=monitor scan=active devices=18 events=88 ...
You can filter by tag (HB / EV / AL / LOG) to focus on one stream.
The heartbeat is also the source of truth for:
- Per-task CPU usage (when troubleshooting)
- Heap minimum-ever ("how low has the heap dropped?")
- Channel histogram ("which channels have traffic?")
- Per-stream counters (
events_throttled,usb_dropped, ...)
For the full field reference, see the Heartbeat page.
What "healthy" looks like
In typical Monitor-mode operation, you should expect:
- Heap free between 10–15 % during sustained capture
- Drop % at 0 the entire time
- Events per second between 20 and 100 depending on environment density
- Events_throttled growing roughly proportional to events (the throttle absorbing pressure)
- Scan: active continuously
- Heartbeat arriving every 2 seconds without skipping
If any of those drift, see Troubleshooting for the specific fix.
When the unit goes quiet
If you stop seeing events, check in this order:
- Status bar still updating? If the heartbeat is frozen, the connection dropped — re-plug the cable.
- Mode set to Setup? Switch to Monitor on the Overview page.
- Scan: off? Turn on Active BLE Scan in AirLeak Settings.
- Empty environment? Move the unit closer to known devices to confirm the radio is alive.
Most "quiet" reports are mode-related (someone left the unit in Setup) or active-scan-related.
Heap %. It tells you everything in one number. If it stays above 12 % through a long capture, you're healthy. If it dips into the orange, the throttle is matched right but you're at the edge. If it goes red, raise the throttle and consider trimming the channel list.