
ZeroTrace AirLeak

Network Survey

Surveying nearby WiFi networks for security and capability

The WiFi side of AirLeak isn't just for finding networks — it's for understanding their security posture, generation, and load. This tutorial walks through doing a deep survey of the WiFi environment around you.


When you'd want a survey

  • Auditing your own home / office network
  • Comparing nearby APs before deploying a new one (channel choice)
  • Pen-test reconnaissance (with permission)
  • Privacy research — what does this venue's WiFi look like?
  • Diagnosing slow WiFi by seeing which channels are crowded

Running the survey

  1. Connect AirLeak. Switch to Monitor.
  2. Wait 60 seconds for the channel hopper to complete a couple of full sweeps.
  3. Open Devices → WiFi networks.

Each row is one observed network. Counts grow as more APs are seen.


What each column tells you

Encryption

The condensed security label and its meaning:

  • OPEN — No encryption. Anyone connected can read everyone else's unencrypted traffic.
  • WEP — Cracked in minutes. Effectively no security.
  • WPA-Personal — Original WPA, deprecated.
  • WPA2-Personal — The 2010s standard. Vulnerable to KRACK + offline PMKID extraction without MFP.
  • WPA3-Personal — Current best for home / small office. SAE handshake resists offline attack.
  • WPA2/3-Personal-Mixed — Transition mode — accepts both for compatibility.
  • WPA2-Enterprise — 802.1X authentication. Used at offices, universities, eduroam.
  • WPA3-Enterprise-192 — Highest enterprise tier (192-bit suite).
  • OWE — Opportunistic Wireless Encryption — open networks with encryption. Used by some "open" hotspots.

Channel + Generation

  • Channel — 1–13 on 2.4 GHz. Channels 1, 6, and 11 are the non-overlapping channels; everything else interferes with neighbors.
  • Generation — WiFi 4 / 5 / 6 / 7. AirLeak reads the generation from beacons; WiFi 5 (historically 5 GHz only) is rare on 2.4 GHz. WiFi 6 on 2.4 GHz is common in newer routers.

Stations

The number of clients currently associated to that AP, as reported by the BSS Load IE. Most consumer APs broadcast this.

A "guest" network with 47 clients is busier than the receptionist would have you believe. A "private" enterprise network with 250 clients is a busy office.

Country

The country code from the country IE. Should match your actual location. A misconfigured router showing KR while you're in Berlin tells a story.


Going deeper: click a network

Click any network row to open its detail page. The WiFi-specific section shows:

  • AKM suite — PSK / SAE / 802.1X / FT-PSK / FT-SAE / OWE. The combination of cipher + AKM produces the encryption label.
  • Group cipher / Pairwise cipher — TKIP / CCMP-128 / GCMP-256, etc.
  • MFP state — required / capable / off. WPA3 mandates required; WPA2 should be at least capable.
  • 802.11r — fast-roaming support. Common at offices.
  • 802.11k — radio measurement support. Helps clients pick better APs.
  • Vendor IEs — Apple / Aruba / Cisco / Ubiquiti / TP-Link IEs may be present.

This is the deepest the firmware decodes — no further protocol layers (the data plane is encrypted on protected networks).
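As an added illustration (not AirLeak firmware code), here is how the AKM, cipher and RSN-capability fields of a beacon's RSN IE condense into the encryption label and MFP state described above. The sample IE bytes are constructed; the WPA1 vendor-IE flag and the "RSN-unknown" fallback are assumptions of this example.

```python
import struct

OUI = b"\x00\x0f\xac"  # selector prefix for standard (non-vendor) cipher and AKM suites
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}

def _suite(raw, table):
    """A suite selector is OUI (3 bytes) + type (1 byte); vendor or truncated ones are kept as hex."""
    return table.get(raw[3], raw.hex()) if len(raw) == 4 and raw[:3] == OUI else "vendor:" + raw.hex()

def _suites(body, off, table):
    """Read a little-endian count followed by that many selectors; return (list, new offset)."""
    n, = struct.unpack_from("<H", body, off)
    off += 2
    return [_suite(body[off + 4 * i:off + 4 * i + 4], table) for i in range(n)], off + 4 * n

def parse_rsn(body):
    """Decode an RSN IE body (element ID 48, ID/length header already stripped)."""
    group = _suite(body[2:6], CIPHERS)  # bytes 0-1 are the RSN version (1)
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, off = _suites(body, off, AKMS)
    # RSN capabilities are optional; bit 6 = MFP required (MFPR), bit 7 = MFP capable (MFPC).
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    mfp = "required" if caps & 0x40 else "capable" if caps & 0x80 else "off"
    return {"group": group, "pairwise": pairwise, "akm": akm, "mfp": mfp}

def security_label(privacy_bit, rsn=None, wpa_vendor_ie=False):
    """Condense the beacon's privacy bit, RSN IE and WPA1 vendor IE into the survey's label."""
    if rsn is None:
        if wpa_vendor_ie:
            return "WPA-Personal"  # original WPA is signalled by a vendor IE, not an RSN IE
        return "WEP" if privacy_bit else "OPEN"
    akm = set(rsn["akm"])
    if "OWE" in akm:
        return "OWE"
    if "802.1X-SuiteB-192" in akm:
        return "WPA3-Enterprise-192"
    if akm & {"802.1X", "FT-802.1X", "802.1X-SHA256"}:
        return "WPA2-Enterprise"
    psk = bool(akm & {"PSK", "FT-PSK", "PSK-SHA256"})
    sae = bool(akm & {"SAE", "FT-SAE"})
    if psk and sae:
        return "WPA2/3-Personal-Mixed"
    return "WPA3-Personal" if sae else "WPA2-Personal" if psk else "RSN-unknown"

# Constructed sample: CCMP-128 group and pairwise, AKMs PSK + SAE, capabilities MFPC only.
MIXED_RSN = bytes.fromhex("0100000fac040100000fac040200000fac02000fac088000")
```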


Reading security alerts

The WiFi tab surfaces several built-in alerts (alert name, severity, and what it means):

  • open_network_near (info) — Open WiFi in range. Anyone on it has all traffic visible.
  • wep_network_near (medium) — WEP encryption. Effectively no security.
  • wpa_personal_only (low) — WPA2-Personal at best, no WPA3, no MFP-required.
  • wps_enabled (info) — WPS-PIN is brute-forceable in hours.
  • mfp_required_off (low) — MFP not enforced — vulnerable to deauth-based evil-twin attacks.
  • deauth_burst (medium) — 5+ deauth frames in 10 s — possible attack or interference.

Click any alert to see the affected network and timestamp.


Hidden SSIDs

Networks with the SSID hidden show up in the table with <hidden> as the name. AirLeak can still see:

  • The BSSID (so you can identify the AP physically)
  • The encryption type
  • The channel
  • The number of associated clients

Hiding the SSID provides essentially no security — the AP still emits beacons, and any associated client's probe-request reveals the name. Hidden networks are an inconvenience-only feature.


Detecting evil-twin / rogue APs

A rogue AP is one impersonating a legitimate network — same SSID, attacker's BSSID. Symptoms:

  • Two beacons with the same SSID but different BSSIDs, both at strong signal
  • One has different encryption than the other (especially: legitimate is WPA2-Enterprise but the rogue is open or WPA2-Personal)
  • Deauth bursts observed (deauth_burst alert) — common in evil-twin scenarios where the attacker disconnects clients to force them to reconnect to the rogue

Workflow:

  1. Open WiFi tab, search for the legitimate network's SSID.
  2. If multiple BSSIDs appear, click each. Compare encryption, MFP, country, vendor IEs.
  3. If one is suspiciously simpler (e.g. WPA2-Personal while the legitimate is WPA2-Enterprise), it may be rogue.
  4. Check the alert log for deauth_burst around the same time.

This isn't definitive proof of an attack, but it's a strong signal.
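The workflow above expressed as automated checks, as an added Python example that is not part of AirLeak: the deauth_burst rule (5+ frames in 10 s) as a sliding window, and a sibling-BSSID comparison over constructed survey rows. The row field names (first_seen, vendor), the label strength ordering and the 60 s correlation window are assumptions of this example.

```python
from collections import deque

# Loose strength ordering of the survey's encryption labels (OWE rated like WPA-Personal).
RANK = {"OPEN": 0, "WEP": 1, "OWE": 2, "WPA-Personal": 2, "WPA2-Personal": 3,
        "WPA2/3-Personal-Mixed": 4, "WPA3-Personal": 5, "WPA2-Enterprise": 6,
        "WPA3-Enterprise-192": 7}

def deauth_bursts(times, threshold=5, window=10.0):
    """Timestamps at which `threshold` or more deauth frames fell within `window` seconds."""
    recent, bursts = deque(), []
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append(t)
            recent.clear()  # one alert per burst rather than one per extra frame
    return bursts

def rogue_candidates(networks, bursts, slack=60.0):
    """Flag BSSIDs whose SSID is also served by a better-secured or differently-configured AP."""
    by_ssid = {}
    for net in networks:
        by_ssid.setdefault(net["ssid"], []).append(net)
    findings = []
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        ref = max(aps, key=lambda a: RANK.get(a["label"], -1))  # assume strongest is legitimate
        for ap in aps:
            reasons = []
            if RANK.get(ap["label"], -1) < RANK.get(ref["label"], -1):
                reasons.append(f"weaker security ({ap['label']} vs {ref['label']})")
            for key in ("mfp", "country", "vendor"):  # the fields the workflow says to compare
                if ap[key] != ref[key]:
                    reasons.append(f"{key} differs ({ap[key]} vs {ref[key]})")
            if reasons:
                nearby = any(abs(b - ap["first_seen"]) <= slack for b in bursts)
                findings.append({"ssid": ssid, "bssid": ap["bssid"], "reasons": reasons,
                                 "deauth_burst_nearby": nearby})
    return findings
# Constructed sample rows (not real captures); times are seconds since capture start.
NETWORKS = [
    {"ssid": "CorpNet", "bssid": "02:aa:bb:cc:dd:01", "label": "WPA2-Enterprise",
     "mfp": "capable", "country": "DE", "vendor": "Aruba", "first_seen": 0.0},
    {"ssid": "CorpNet", "bssid": "02:aa:bb:cc:dd:99", "label": "WPA2-Personal",
     "mfp": "off", "country": "US", "vendor": None, "first_seen": 98.0},
]
DEAUTH_TIMES = [100.0, 101.0, 102.5, 103.0, 104.0, 120.0]
```

A finding with deauth_burst_nearby set is the combination the workflow calls a strong signal; a finding without it may just be a second legitimate AP or a misconfigured one.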


Mobile hotspots

Phones in hotspot mode advertise as APs. They show up classified as wifi_ap_mobile_hotspot and typically have:

  • Short uptime (no uptime IE because the "AP" only just came up)
  • Encryption WPA2 / WPA3 Personal
  • Vendor IE matching the phone's vendor (Apple / Samsung / etc.)
  • Often non-default channel (the phone picks based on what's clear)

Useful for answering "is anyone in this room currently tethering?" The answer is often surprising in conference settings.


Channel utilization view

The Insights → Network leakage tab shows a horizontal bar chart of how busy each channel is:

Channel  1   ▮▮▮▮▮▮▮▮  8 networks
Channel  6   ▮▮▮▮▮▮▮▮▮▮▮▮▮▮  12 networks
Channel 11   ▮▮▮▮▮▮▮▮▮  9 networks
Channel  2-5,7-10,12-13   ▮  1 each

Useful for picking a channel for your own AP. Stick to 1, 6, or 11 (the non-overlapping channels). Pick the least crowded of those three.
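An added Python example (not AirLeak code) that parses chart lines in the format shown above and scores channels 1, 6 and 11 by counting every network whose 20 MHz channel overlaps them, not only those centred on them, which is the interference the text describes. The chart text is a constructed copy of the sample above.

```python
import re

# Chart text in the format of the Insights → Network leakage view (constructed copy).
CHART = """\
Channel  1   ▮▮▮▮▮▮▮▮  8 networks
Channel  6   ▮▮▮▮▮▮▮▮▮▮▮▮▮▮  12 networks
Channel 11   ▮▮▮▮▮▮▮▮▮  9 networks
Channel  2-5,7-10,12-13   ▮  1 each
"""
LINE = re.compile(r"Channel\s+([\d,\-]+)\s+▮+\s+(\d+)")
NON_OVERLAPPING = (1, 6, 11)

def parse_chart(text):
    """Turn chart lines into {channel: network count}; ranges like 2-5 expand to each channel."""
    counts = {}
    for m in LINE.finditer(text):
        spec, n = m.group(1), int(m.group(2))
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            for ch in range(int(lo), int(hi or lo) + 1):
                counts[ch] = n
    return counts

def channel_load(counts):
    """Networks whose 20 MHz channel overlaps each 2.4 GHz channel.

    Channels are 5 MHz apart and a channel is about 20 MHz wide, so two channels overlap
    when their numbers differ by 4 or less; that is why only 1, 6 and 11 are disjoint.
    """
    return {ch: sum(n for c, n in counts.items() if abs(c - ch) <= 4) for ch in range(1, 14)}

def best_channel(counts):
    """Least-loaded of the three non-overlapping channels (lowest number wins ties)."""
    load = channel_load(counts)
    return min(NON_OVERLAPPING, key=lambda ch: (load[ch], ch))
```

On the sample chart the raw counts (8, 12, 9) and the overlap-aware loads (12, 20, 15) agree that channel 1 is the best pick, but the loads show that channel 6 is considerably worse than its bar alone suggests.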


What you can't see

  • 5 GHz networks — AirLeak is 2.4 GHz only. Modern home APs are often dual-band; you'll see the 2.4 GHz advertisement but not the 5 GHz BSSID.
  • Encrypted data traffic — passwords, page content, emails. AirLeak only reads management frames.
  • Network passwords or PSKs — these are never broadcast.

For 5 GHz survey work, you'd need a different tool.


The audit summary

In a typical home survey: you should see your network at strong RSSI, your neighbors at weaker RSSI, and a smattering of phones / hotspots / printers. Concerns: any open / WEP networks, your own network with WPS enabled or MFP off, neighbors' networks broadcasting on the same channel as yours.
