
ZeroTrace AirLeak

Network Survey

Surveying nearby WiFi networks for security and capability

The WiFi side of AirLeak isn't just for finding networks: it's for understanding their security posture, generation, and load. This tutorial walks through a deep survey of the WiFi environment around you.


When you'd want a survey

  • Auditing your own home or office network
  • Comparing nearby APs before deploying a new one (channel choice)
  • Pen-test reconnaissance (with written permission)
  • Privacy research: what does this venue's WiFi look like?
  • Diagnosing slow WiFi by seeing which channels are crowded

Running the survey

  1. Connect AirLeak and switch it to Monitor.
  2. Wait about 60 seconds so the channel hopper completes a couple of full sweeps; an AP whose beacons fall between dwell times on one pass is usually caught on the next.
  3. Open Devices → WiFi networks.

Each row is one observed BSS (one BSSID; a multi-AP network shows one row per AP). Counts grow as more APs are seen.


What each column tells you

Encryption

The condensed security label:

Label                    Meaning
OPEN                     No encryption. Anyone in radio range, connected or not, can read every frame.
WEP                      Cracked in minutes with standard tools. Effectively no security.
WPA-Personal             Original WPA with TKIP. Deprecated.
WPA2-Personal            The 2010s standard. The 4-way handshake, or the PMKID some APs hand out in the first EAPOL frame, can be captured and brute-forced offline, so security rests entirely on passphrase strength. MFP is optional, so clients can be deauthed at will; unpatched clients were also exposed to KRACK.
WPA3-Personal            Current best for home / small office. The SAE handshake resists offline dictionary attacks and MFP is mandatory.
WPA2/3-Personal-Mixed    Transition mode, accepts both for compatibility. A client that falls back to WPA2 gets only WPA2's protections, and both sides share the same passphrase.
WPA2-Enterprise          802.1X authentication against a RADIUS server, per-user credentials. Used at offices, universities, eduroam.
WPA3-Enterprise-192      Highest enterprise tier (192-bit security suite: GCMP-256 with Suite B 802.1X).
OWE                      Opportunistic Wireless Encryption: an open network with per-client encryption but no password and no authentication of the AP. Used by some "open" hotspots. Stops passive sniffing, not an evil twin.

Channel + Generation

  • Channel, 1–13 on 2.4 GHz (14 exists only in Japan). Channels 1, 6, and 11 are the only set that don't overlap at 20 MHz; a network on any other channel partially overlaps the channels up to four steps either side of it.
  • Generation, WiFi 4 / 5 / 6 / 7. AirLeak reads this from beacons, where the marker is the capability element present (HT for WiFi 4, VHT for WiFi 5, HE for WiFi 6, EHT for WiFi 7). WiFi 5 is a 5 GHz standard, so it is rare on 2.4 GHz apart from a few vendors' non-standard modes. WiFi 6 on 2.4 is common in newer routers.

Stations

The number of clients currently associated to that AP, as the AP itself reports in the BSS Load IE. Most consumer APs broadcast this; the figure is the AP's own claim, and an AP that omits the element gives no count at all.

A "guest" network with 47 clients is busier than the receptionist would have you believe. A "private" enterprise network with 250 clients is a busy office.

Country

The two-letter code from the Country IE. It should match your actual location, and it also tells clients which channels and power levels are allowed. A router showing KR while you're in Berlin tells a story: a misconfigured or imported unit, or something that isn't the venue's own AP.


Going deeper: click a network

Click any network row to open its detail page. The WiFi-specific section shows:

  • AKM suite, PSK / SAE / 802.1X / FT-PSK / FT-SAE / OWE, from the RSN IE. The combination of pairwise cipher, AKM and MFP bits produces the condensed Encryption label.
  • Group cipher / Pairwise cipher, TKIP / CCMP-128 / GCMP-256, etc. TKIP anywhere in the list is a downgrade risk.
  • MFP state, required / capable / off, from the RSN capabilities field. WPA3 mandates required; WPA2 should be at least capable.
  • 802.11r, fast BSS transition (roaming) support. Common at offices.
  • 802.11k, radio measurement support. Helps clients pick better APs.
  • Vendor IEs, Apple / Aruba / Cisco / Ubiquiti / TP-Link IEs may be present and usually identify the AP's maker.

This is as deep as the firmware decodes; there are no further protocol layers to read, because on protected networks the data plane is encrypted.
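How the detail fields above are read out of a beacon, and how they collapse into the Encryption label in the table earlier on this page, as an added example (this is not AirLeak firmware code): a parser for the RSN information element that returns the group cipher, pairwise ciphers, AKM suites and MFP state, plus a labelling function. The suite numbers are the IEEE 802.11 values for OUI 00:0F:AC; the Privacy-bit and WPA1-vendor-IE flags passed to security_label are assumptions about what a caller has already pulled from the beacon, and the five sample IEs are constructed, not captured.

```python
# Added example (not AirLeak firmware code): decode an 802.11 RSN information
# element (element ID 48) and derive the Encryption label and MFP state shown in
# the survey table. Suite-type numbers are the IEEE 802.11 values under OUI
# 00:0F:AC; the sample IEs at the bottom are constructed, not captured.
import struct

IEEE_OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-192", 18: "OWE"}
MFPR = 1 << 6   # RSN Capabilities: management frame protection required
MFPC = 1 << 7   # RSN Capabilities: management frame protection capable


def _suite_name(raw, table):
    """Map a 4-byte suite selector to a name; vendor OUIs come back as 'vendor'."""
    if raw[:3] != IEEE_OUI:
        return "vendor"
    return table.get(raw[3], "unknown(%d)" % raw[3])


def parse_rsn_ie(ie):
    """Parse one RSN IE given as bytes starting at the element ID."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body = ie[2:2 + ie[1]]
    pos = 0

    def take(n):
        # Truncated elements turn up in the wild; fail loudly instead of indexing past the end.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE truncated at offset %d" % pos)
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    group = _suite_name(take(4), CIPHERS)
    pairwise = [_suite_name(take(4), CIPHERS)
                for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [_suite_name(take(4), AKMS)
            for _ in range(struct.unpack("<H", take(2))[0])]
    # RSN Capabilities are optional; absent means no MFP bits, i.e. MFP off.
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0
    mfp = "required" if caps & MFPR else ("capable" if caps & MFPC else "off")
    return {"group": group, "pairwise": pairwise, "akm": akms, "mfp": mfp}


def security_label(privacy_bit, rsn_ie=None, wpa_vendor_ie=False):
    """Condense beacon facts into the table's Encryption label.
    privacy_bit: the Privacy bit of the beacon's capability field (set for WEP
    and every RSN); wpa_vendor_ie: True if the WPA1 vendor IE (OUI 00:50:F2,
    type 1) is present. Both flags are assumptions about what the caller parsed."""
    if rsn_ie is None:
        if wpa_vendor_ie:
            return "WPA-Personal"
        return "WEP" if privacy_bit else "OPEN"
    akm = set(parse_rsn_ie(rsn_ie)["akm"])
    if "OWE" in akm:
        return "OWE"
    if "802.1X-192" in akm:
        return "WPA3-Enterprise-192"
    sae = akm & {"SAE", "FT-SAE"}
    psk = akm & {"PSK", "FT-PSK", "PSK-SHA256"}
    if sae and psk:
        return "WPA2/3-Personal-Mixed"
    if sae:
        return "WPA3-Personal"
    if psk:
        return "WPA2-Personal"
    if akm & {"802.1X", "FT-802.1X", "802.1X-SHA256"}:
        return "WPA2-Enterprise"
    return "unknown"


# Constructed sample IEs: CCMP-128 group + pairwise, one or two AKMs, capability bits.
WPA2_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 8000")  # MFPC only
WPA3_SAE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")  # MFPR|MFPC
MIXED = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
ENTERPRISE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")  # no MFP
OWE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac12 c000")

if __name__ == "__main__":
    for name, ie in [("WPA2_PSK", WPA2_PSK), ("WPA3_SAE", WPA3_SAE), ("MIXED", MIXED),
                     ("ENTERPRISE", ENTERPRISE), ("OWE", OWE)]:
        print(name, security_label(True, ie), parse_rsn_ie(ie))
```

Malformed RSN elements do turn up in the wild (buggy firmware, deliberately odd beacons), so the parser refuses truncated input rather than indexing past the end; a decoder that runs on a capture device is exactly the code a hostile beacon gets to exercise.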


Reading security alerts

The WiFi tab surfaces several built-in alerts:

Alert               Severity  What it means
open_network_near   info      Open WiFi in range. Anyone in range can read its traffic, connected or not.
wep_network_near    medium    WEP encryption. Effectively no security.
wpa_personal_only   low       WPA2-Personal at best: no WPA3, no MFP-required.
wps_enabled         info      WPS is on. The PIN is brute-forceable online in hours, and offline in seconds on chipsets with the Pixie Dust weakness.
mfp_required_off    low       MFP not enforced: spoofed deauth frames can disconnect clients, the lever behind evil-twin and handshake-capture attacks.
deauth_burst        medium    5+ deauth frames in 10 s. Possible attack, though a misbehaving AP or interference can look the same.

Click any alert to see the affected network and timestamp.


Hidden SSIDs

Networks with the SSID hidden show up in the table with <hidden> as the name. AirLeak can still see:

  • The BSSID (so you can identify the AP physically)
  • The encryption type
  • The channel
  • The number of associated clients

Hiding the SSID provides essentially no security: the AP still emits beacons (with an empty SSID field), and the name appears in the clear in clients' directed probe requests, in the AP's probe responses and in every association request. Worse, a client configured for a hidden network probes for it by name wherever it goes, which leaks the network to anyone listening. Hidden networks are an inconvenience-only feature.


Detecting evil-twin / rogue APs

A rogue AP is one impersonating a legitimate network: same SSID, attacker's BSSID. Symptoms:

  • Two beacons with the same SSID but different BSSIDs, both at strong signal
  • One has different encryption than the other (especially: legitimate is WPA2-Enterprise but the rogue is open or WPA2-Personal)
  • Deauth bursts observed (deauth_burst alert). Evil-twin attackers routinely deauth clients to force a reconnect, hoping the client lands on the rogue.

Workflow:

  1. Open the WiFi tab and search for the legitimate network's SSID.
  2. If multiple BSSIDs appear, click each and compare encryption, MFP, country and vendor IEs.
  3. If one is suspiciously simpler (e.g. WPA2-Personal or open while the legitimate network is WPA2-Enterprise), or differs from the rest in country or vendor IE, it may be rogue. Many BSSIDs that all share an identical profile is what a normal multi-AP deployment looks like, not a finding.
  4. Check the alert log for deauth_burst around the same time.

This isn't definitive proof of an attack, but it's a strong signal.
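The comparison in steps 2 to 4, together with the 5-frames-in-10-seconds rule behind the deauth_burst alert in the table above, as an added example that is not AirLeak's own code. It groups survey rows by SSID, reports BSSIDs whose security profile (encryption, MFP, country, vendor IE) disagrees with the majority for that SSID, finds deauth bursts with a sliding window, and flags candidates first seen near a burst. The rows, timestamps and BSSIDs are constructed; the field names mirror the detail page but are an assumption, not an export format AirLeak documents.

```python
# Added example (not AirLeak code): the rogue-AP comparison from the workflow
# above plus the 5-deauth-frames-in-10-seconds rule behind the deauth_burst
# alert, run over constructed survey rows and constructed frame timestamps.
# Row field names mirror the detail page; BSSIDs are locally administered
# (made-up) addresses.
from collections import defaultdict

# Coarse ranking used only to say which side of a mismatch is the weaker one.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA-Personal": 2, "OWE": 2, "WPA2-Personal": 3,
            "WPA2/3-Personal-Mixed": 4, "WPA3-Personal": 5,
            "WPA2-Enterprise": 6, "WPA3-Enterprise-192": 7}


def _profile(row):
    """Fields a legitimate multi-AP deployment keeps identical across its BSSIDs."""
    return (row["encryption"], row["mfp"], row["country"], row["vendor"])


def find_rogue_candidates(rows):
    """Group rows by SSID. Where several BSSIDs advertise one SSID with
    disagreeing profiles, report the BSSIDs on a minority profile next to the
    majority profile. One BSSID, or many that all agree, is not reported:
    that is what a normal campus deployment looks like."""
    by_ssid = defaultdict(list)
    for row in rows:
        by_ssid[row["ssid"]].append(row)
    findings = []
    for ssid, group in by_ssid.items():
        profiles = defaultdict(list)
        for row in group:
            profiles[_profile(row)].append(row)
        if len(profiles) < 2:
            continue
        majority = max(profiles, key=lambda p: len(profiles[p]))
        for profile, members in profiles.items():
            if profile == majority:
                continue
            weaker = STRENGTH.get(profile[0], -1) < STRENGTH.get(majority[0], -1)
            for row in members:
                findings.append({"ssid": ssid, "bssid": row["bssid"],
                                 "profile": profile, "expected": majority,
                                 "weaker": weaker, "first_seen": row["first_seen"]})
    return findings


def deauth_bursts(times, threshold=5, window=10.0):
    """Sliding window over deauth frame times (seconds). Returns (start, end)
    spans in which at least `threshold` frames fell inside `window` seconds;
    overlapping hits are merged so one attack yields one span."""
    times = sorted(times)
    bursts, i = [], 0
    for j, t in enumerate(times):
        while t - times[i] > window:      # drop frames that aged out of the window
            i += 1
        if j - i + 1 >= threshold:
            if bursts and times[i] <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], t)
            else:
                bursts.append((times[i], t))
    return bursts


def correlate(findings, bursts, slack=60.0):
    """Flag each candidate first seen within `slack` seconds of a deauth burst:
    a weaker twin appearing next to a deauth storm is the evil-twin signature."""
    for f in findings:
        f["deauth_nearby"] = any(s - slack <= f["first_seen"] <= e + slack
                                 for s, e in bursts)
    return findings


# Constructed survey rows: two matching CorpNet APs, one odd CorpNet twin, an unrelated home AP.
SURVEY = [
    {"ssid": "CorpNet", "bssid": "02:00:00:aa:00:01", "encryption": "WPA2-Enterprise",
     "mfp": "capable", "country": "DE", "vendor": "Aruba", "first_seen": 12.0},
    {"ssid": "CorpNet", "bssid": "02:00:00:aa:00:02", "encryption": "WPA2-Enterprise",
     "mfp": "capable", "country": "DE", "vendor": "Aruba", "first_seen": 12.4},
    {"ssid": "CorpNet", "bssid": "06:ff:ff:00:00:01", "encryption": "WPA2-Personal",
     "mfp": "off", "country": "US", "vendor": None, "first_seen": 98.0},
    {"ssid": "HomeNet", "bssid": "02:00:00:bb:00:01", "encryption": "WPA3-Personal",
     "mfp": "required", "country": "DE", "vendor": "TP-Link", "first_seen": 13.0},
]
# Constructed deauth frame times: one real burst, then isolated frames, then five
# frames spread over 13 s that must not trip the 10 s rule.
DEAUTH_TIMES = [100.0, 100.5, 101.2, 103.0, 104.1, 105.5, 107.0, 300.0, 420.0,
                600.0, 603.0, 606.0, 609.0, 613.0]


def triage(rows=SURVEY, deauth_times=DEAUTH_TIMES):
    return correlate(find_rogue_candidates(rows), deauth_bursts(deauth_times))


if __name__ == "__main__":
    for f in triage():
        print(f)
```

The majority-profile rule is what keeps a 40-AP campus network from lighting up the report: the legitimate APs agree with each other, and only the outlier is printed, with the profile it should have had beside it. The time correlation is deliberately loose (a minute either side), because the rogue's first beacon and the deauth storm are rarely in lockstep.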


Mobile hotspots

Phones in hotspot mode advertise as APs. They show up classified as wifi_ap_mobile_hotspot and typically have:

  • Short uptime (the beacon timestamp counts from when the BSS started, and a hotspot has usually only just come up)
  • Encryption WPA2- or WPA3-Personal
  • A vendor IE matching the phone's maker (Apple / Samsung / etc.)
  • Often a non-default channel (the phone picks whatever looks clear)

Useful for answering "is anyone in this room currently tethering?", which is often surprising in conference settings.


Channel utilization view

The Insights → Network leakage tab shows a horizontal bar chart of how busy each channel is:

Channel  1   ▮▮▮▮▮▮▮▮  8 networks
Channel  6   ▮▮▮▮▮▮▮▮▮▮▮▮▮▮  12 networks
Channel 11   ▮▮▮▮▮▮▮▮▮  9 networks
Channel  2-5,7-10,12-13   ▮  1 each

Useful for picking a channel for your own AP. Stick to 1, 6, or 11 (the non-overlapping channels) and pick the least crowded of those three, remembering that networks on the in-between channels still cost you: one on channel 3 partially overlaps both 1 and 6.
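An overlap-aware version of that rule, as an added example (not part of AirLeak): the chart counts same-channel networks only, but a network on channel 3 also degrades channels 1 and 6. The weights are a linear approximation of 20 MHz channel overlap; the two count tables are constructed, the first to match the chart above.

```python
# Added example (not part of AirLeak): an overlap-aware version of "pick the
# least crowded of 1, 6, 11". 2.4 GHz channels sit 5 MHz apart and a 20 MHz
# signal spills onto channels up to four steps away, so a network on channel 3
# costs both channel 1 and channel 6 something. The weights are a linear
# approximation of that overlap; the counts below are constructed (the first
# set matches the bar chart above).

CANDIDATES = (1, 6, 11)


def overlap(a, b):
    """Approximate spectral overlap of two 20 MHz channels: 1.0 on the same
    channel, falling to 0.0 at five channels apart (1 vs 6, 6 vs 11)."""
    return max(0.0, 1.0 - abs(a - b) / 5.0)


def congestion(channels, candidate):
    """Overlap-weighted count of observed networks against one candidate."""
    return sum(overlap(candidate, ch) for ch in channels)


def recommend(counts):
    """counts: {channel: number of networks seen there}. Returns the best
    candidate by overlap score and the score table for the report."""
    channels = [ch for ch, n in counts.items() for _ in range(n)]
    scores = {c: round(congestion(channels, c), 2) for c in CANDIDATES}
    best = min(CANDIDATES, key=lambda c: (scores[c], c))
    return best, scores


def naive_recommend(counts):
    """What you get by reading the bar chart alone: same-channel count only."""
    return min(CANDIDATES, key=lambda c: (counts.get(c, 0), c))


# Constructed to match the chart above: 8 / 12 / 9 on 1 / 6 / 11, one each elsewhere.
CHART = {1: 8, 6: 12, 11: 9, **{ch: 1 for ch in (2, 3, 4, 5, 7, 8, 9, 10, 12, 13)}}
# Constructed case where the raw count and the overlap score disagree:
# channel 1 looks quietest, but four networks on channel 3 bleed into it.
MISLEADING = {1: 5, 3: 4, 6: 7, 11: 6}

if __name__ == "__main__":
    for name, counts in (("chart", CHART), ("misleading", MISLEADING)):
        print(name, "naive:", naive_recommend(counts), "overlap-aware:", recommend(counts))
```

For the chart on this page both methods agree on channel 1 (overlap scores 10.0 / 16.0 / 12.4). In the second table the bar chart says channel 1 and the overlap score says channel 11, because the four networks on channel 3 are only 2 steps from channel 1. Signal strength would be the next refinement: a strong neighbour on an adjacent channel hurts more than a weak one on yours.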


What you can't see

  • 5 GHz (and 6 GHz) networks: AirLeak is 2.4 GHz only. Modern home APs are often dual-band; you'll see the 2.4 GHz BSSID but not the 5 GHz one.
  • Encrypted data traffic: passwords, page content, emails. AirLeak only reads management frames, and on protected networks the data frames are encrypted anyway.
  • Network passwords or PSKs: these are never broadcast. What an attacker can capture on WPA2 is handshake material to brute-force offline, which is why passphrase strength is what matters.

For 5 GHz survey work, you'd need a different tool.


The audit summary

In a typical home survey you should see your own network at strong RSSI, your neighbours' at weaker RSSI, and a smattering of phones, hotspots and printers. Things worth acting on: any open or WEP networks, your own network with WPS enabled or MFP off, and neighbours' networks on the same or an overlapping channel as yours.