
ZeroTrace AirLeak

Probe Analysis

What probe-requests reveal about people

A probe-request is a tiny WiFi packet a phone (or laptop, or watch) sends to ask: "is this network nearby?" When the answer is no, the probe is harmless. But over the course of a day a phone sends dozens of probes for every network it's ever joined — and each probe is a public broadcast.

This tutorial covers reading probe-request data: what it reveals, how to spot it, and what to do about your own.


Why probes leak info

When you connect to a WiFi network for the first time, your device remembers it. From then on, your device's WiFi radio "looks for" that network whenever WiFi is on. The way it does that is by broadcasting probe-requests with the network's name embedded.

So if you've stayed at three hotels, joined two airports' free WiFi, and connected to your office and home network, your phone broadcasts those names regularly.

A passive observer with a tool like AirLeak picks all of them up.


Seeing probe leaks live

  1. Run AirLeak in Monitor mode in a busy public space (coffee shop, train station, office lobby).
  2. Wait 5 minutes for the device list to populate.
  3. Open Devices → BLE devices.
  4. Click any phone (iphone, galaxy_phone, etc.) to open its detail page.
  5. Scroll to the Probed SSIDs section. Expand it.

You'll see every SSID this phone has probed for during the capture. Each chip is colored:

  • Red — corporate (matches a corporate-naming pattern)
  • Orange — PII (contains a personal name)
  • Yellow — known location (airport / hotel / café pattern)
  • Gray — other / unrecognized

A typical urban phone reveals 10–30 SSIDs in 5 minutes.


Categories of leak

Corporate SSIDs

Pattern matches: *-Corp-Wifi, *-Corporate, *-Internal, microsoft, eduroam, plus a known list of major-corp guest networks.

What it reveals: where this person works (or has worked). Acme-Corp-WiFi says they have employer credentials for Acme. eduroam says they're affiliated with a university or research institution.

The corp_ssid_in_probe alert fires when one is observed.

Hotel SSIDs

Pattern matches: Marriott_GUEST, Hilton_HONORS, Hyatt_GUEST, IHG_GUEST, Best Western Lobby, airbnb-*, etc.

What it reveals: the hotel chain or specific property the person has stayed at.

Airport SSIDs

Pattern matches: Boingo Hotspot, LAX-WiFi, JFK-Free, _LHR_Free_WiFi, plus airline-lounge networks (_Free_Lufthansa, Cathay Pacific Lounge).

What it reveals: the airports a person has been through.

PII SSIDs

Pattern matches: <Name>'s iPhone, <Name>'s Hotspot, Mom's Wi-Fi, My Phone.

What it reveals: a first name (often the user's own) and a device they have personally named. Often this is the phone's own hotspot SSID being probed for.

The pii_ssid_in_probe alert fires for these.

Café SSIDs

Pattern matches: Starbucks WiFi, Costa Coffee, Pret Free WiFi, etc.

What it reveals: lifestyle / spatial pattern. Low severity because it's geographically broad.

Personal SSIDs (no pattern match)

Names that don't match any known pattern. Could be home networks, friends' networks, anything. The fact that they're being probed says they're saved networks.
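The classification above, as an added example that is not AirLeak's own code: a small classifier that maps each probed SSID to one of the page's categories, computes a per-session class breakdown, and raises the corp_ssid_in_probe / pii_ssid_in_probe alerts. The regexes, MACs and SSIDs are constructed for illustration.

```python
import re
from collections import Counter

# Pattern rules modelled on the categories listed above. The regexes are
# constructed for this example; they are not AirLeak's own matching rules.
RULES = [
    ("corporate", re.compile(r"(-corp-wifi|-corporate|-internal)$|^(microsoft|eduroam)$", re.I)),
    ("hotel", re.compile(r"^(marriott_guest|hilton_honors|hyatt_guest|ihg_guest|best western lobby|airbnb-.+)$", re.I)),
    ("airport", re.compile(r"^(boingo hotspot|lax-wifi|jfk-free|_lhr_free_wifi|_free_lufthansa|cathay pacific lounge)$", re.I)),
    ("pii", re.compile(r"^(.+'s (iphone|hotspot)|mom's wi-fi|my phone)$", re.I)),
    ("cafe", re.compile(r"^(starbucks wifi|costa coffee|pret free wifi)$", re.I)),
]
# Alert names as given on this page; only these two classes raise an alert.
ALERTS = {"corporate": "corp_ssid_in_probe", "pii": "pii_ssid_in_probe"}

def classify(ssid):
    """First matching rule wins; anything unmatched is 'personal' (no pattern)."""
    for label, rx in RULES:
        if rx.search(ssid):
            return label
    return "personal"

def analyze_probes(records):
    """records: iterable of (mac, ssid) probe-request observations.
    Returns (per-device class map, session-wide class breakdown, alerts)."""
    per_device = {}
    for mac, ssid in records:
        per_device.setdefault(mac, {})[ssid] = classify(ssid)
    breakdown = Counter(cls for dev in per_device.values() for cls in dev.values())
    alerts = sorted((mac, ALERTS[cls], ssid) for mac, dev in per_device.items()
                    for ssid, cls in dev.items() if cls in ALERTS)
    return per_device, breakdown, alerts

# Constructed sample capture (mac, ssid); not real probe data.
SAMPLE = [
    ("a2:11:22:33:44:01", "Acme-Corp-WiFi"),
    ("a2:11:22:33:44:01", "Marriott_GUEST"),
    ("a2:11:22:33:44:01", "LAX-WiFi"),
    ("a2:11:22:33:44:01", "Dana's iPhone"),
    ("a2:11:22:33:44:01", "Starbucks WiFi"),
    ("a2:11:22:33:44:01", "Linksys-7F2A"),
    ("a2:11:22:33:44:02", "eduroam"),
    ("a2:11:22:33:44:02", "Linksys-7F2A"),
]

if __name__ == "__main__":
    _, breakdown, alerts = analyze_probes(SAMPLE)
    print(dict(breakdown), alerts)
```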


Tracking by probe pattern

A phone's probed-SSID set is a fingerprint. Two captures of the same phone will share most of the SSIDs. Two different phones rarely overlap completely.

This is the basis of behavioral fingerprinting — the same person's device, observed at two different times, reveals the same set of SSIDs even when the MAC has rotated.

The desktop's fingerprinter uses this and other signals to merge MACs back into one device entity.
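The probe-set fingerprint described above, as an added example that is not the desktop's own fingerprinter: two MACs are merged into one device entity when their probed-SSID sets overlap strongly (Jaccard similarity), wildcard probes are ignored, and very small sets are never merged. The threshold, minimum set size, MACs and SSIDs are assumptions constructed for this example.

```python
WILDCARDS = ("", "*")  # broadcast / connectivity-check probes carry no SSID

def probe_set(ssids):
    """Drop wildcard probes; only named SSIDs are distinctive."""
    return {s for s in ssids if s not in WILDCARDS}

def jaccard(a, b):
    """Overlap of two probed-SSID sets: 1.0 identical, 0.0 disjoint."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)

def merge_by_probe_set(observations, threshold=0.6, min_ssids=3):
    """observations: dict mac -> set of probed SSIDs seen from that MAC.
    Greedily attaches each MAC to the existing entity whose SSID set it
    overlaps most (if above threshold); otherwise starts a new entity.
    MACs with fewer than min_ssids named SSIDs never merge: a small set is
    not distinctive enough to be treated as a fingerprint."""
    entities = []
    for mac, raw in observations.items():
        ssids = probe_set(raw)
        best = None
        if len(ssids) >= min_ssids:
            for ent in entities:
                score = jaccard(ssids, ent["ssids"])
                if score >= threshold and (best is None or score > best[0]):
                    best = (score, ent)
        if best is None:
            entities.append({"macs": [mac], "ssids": set(ssids)})
        else:
            best[1]["macs"].append(mac)
            best[1]["ssids"] |= ssids
    return entities

# Constructed observations: one phone seen under two rotated MACs (...01 and
# ...09), a second phone (...02) and a device that only sent wildcard probes.
OBSERVED = {
    "a2:11:22:33:44:01": {"Acme-Corp-WiFi", "Marriott_GUEST", "Dana's iPhone", "Linksys-7F2A", "*"},
    "a2:11:22:33:44:09": {"Acme-Corp-WiFi", "Marriott_GUEST", "Dana's iPhone", "Linksys-7F2A", "LAX-WiFi"},
    "a2:11:22:33:44:02": {"eduroam", "Linksys-7F2A", "Costa Coffee"},
    "a2:11:22:33:44:03": {"*"},
}

if __name__ == "__main__":
    for ent in merge_by_probe_set(OBSERVED):
        print(sorted(ent["macs"]), "->", sorted(ent["ssids"]))
```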


Auditing your own phone

The privacy fix is straightforward. Open your phone's WiFi settings and forget networks you no longer need:

  • iOS: Settings → WiFi → "i" next to network → Forget this network
  • Android: Settings → Network & Internet → Internet → "i" next to network → Forget

A clean networks list = a quiet probe footprint.

For networks you genuinely need (your home, your office), there's not much to do — they'll continue to be probed. But you can dramatically reduce the noise by removing one-time-use networks.

Bonus tip: disable auto-join on networks you don't want followed everywhere. Set them to "manual connect only" so they're not in the probe rotation.


What you can't fix

Some probes happen even when WiFi is "off":

  • Background WiFi for location services — modern OSes keep the WiFi radio awake for location accuracy even when WiFi is toggled off in the UI, so probes still go out.
  • Connectivity check probes — phones probe for * (wildcard) just to see if any network is around. These don't reveal SSIDs but are still observable.

To fully stop probing, you'd need to disable WiFi at the firmware level (airplane mode + manual disable). Practical only when actively avoiding observation.


Detecting strangers' SSIDs in your own captures

In a busy public capture, you'll observe many strangers' probed SSIDs. This is sensitive information — somebody else's networks.

Responsible practices

  • Don't publish captured SSIDs that reveal individuals (corporate SSIDs that name a company are sensitive; hotel SSIDs reveal travel history).
  • Mark do-not-log on devices you don't want to retain detail for.
  • Anonymize before sharing any session export — replace SSIDs with index numbers or hashes.
  • Time-box retention — delete sessions you don't need after a few weeks.

See the full Privacy & Legal guide for more.


Counter-surveillance: using probe-leaks to detect surveillance devices

The flip side: surveillance / tracking devices that hide their MAC nicely may still leak via probe-requests.

A device that:

  • Has a randomized MAC
  • Has no friendly name (no scan response)
  • But probes for several specific SSIDs

...is interesting. The SSIDs may reveal the operator (their corporate network, their home, their hotel).

This kind of finding is rare but illustrative. Probe-requests are one of the hardest privacy leaks to suppress, even on devices designed for stealth.


Insights → Network leakage tab

The desktop has a built-in dashboard for SSID leakage:

  • Top probed SSIDs — most-probed SSIDs across all devices in the session
  • Class breakdown — counts of corporate / PII / hotel / airport / café / personal probes
  • Devices with most probes — the leakiest devices

Open Insights → Network leakage for the visualization.


Probe-request data is sensitive

Captured probe-request data is one of the more privacy-revealing things AirLeak collects. A stranger's hotel + corporate + PII SSID list is enough to identify them with high confidence. Treat the data with care: don't share it, don't publish it, retain only what you need.
