ZeroTrace AirLeak
Sessions
Recording, replaying, and exporting captures
Every Monitor-mode capture is a session — a self-contained record of devices, events, alerts, and a time range. Sessions are how AirLeak turns ephemeral capture into something you can review later, compare, share, or export.
How sessions get created
Switching to Monitor mode automatically starts a new session. The session begins recording immediately — every device added to the aggregator, every event emitted, every alert fired is folded into the session record.
Switching back to Setup finalizes the session: counts are written, end timestamp set, the session moves from "recording" to "finalized."
Switching to Monitor again starts a new session.
Where sessions live
Sessions are stored as JSON files on your local computer in the desktop app's data directory. They never leave your machine — no cloud, no upload, no automatic sharing.
You can browse and manage them from the Sessions page in the AirLeak sidebar.
What's in a session
A session record contains:
| Section | Content |
|---|---|
| Header | Session ID, start/end timestamps, device count, event count, alert count |
| Devices | Every device aggregated during the session, with full detail (identifiers, classifications, RSSI history, alerts, linked MACs) |
| Events | Every event emitted during the session (throttled events are not included) |
| Alerts | Every alert that fired |
| Heartbeats | A condensed history of heartbeat status for the duration |
| Settings snapshot | The unit's configuration at session start (mode, throttle, channels, scan timing) |
A typical session is 10–500 MB depending on duration and density.
Sessions list page
Open Sessions in the sidebar. You'll see a table of every session ever recorded:
| Column | What it shows |
|---|---|
| Status | recording (active) / finalized |
| Started | Local time the session began |
| Duration | How long it ran |
| Devices | Unique aggregated devices |
| Events | Total events |
| Alerts | Total alerts |
| Size | JSON file size on disk |
The active session has a green recording badge and is always at the top.
Per-session actions
Click the menu on any session for:
- Open — view the session in the desktop's session-replay UI
- Download JSON — export the raw data as JSON
- Download summary — a Markdown summary suitable for sharing
- Rename — give it a meaningful label (Coffee Shop Audit, Conference Day 1)
- Delete — permanent removal
You can multi-select sessions to bulk-delete or bulk-export.
Replay mode
Open a finalized session and the desktop loads it into a special replay view. The session's data populates the same UI as a live capture — Devices, Live, Alerts, Insights — but everything is frozen at the session's final state.
You can:
- Browse the device list as it was at session end
- Click into device detail pages with full history
- Filter, search, sort
- Open the alerts log
- See the Insights dashboards as computed from the session
The status bar at the top reads Replay: <session-name> to make it clear you're not in live mode.
To exit replay, click Close session or click another nav item that takes you back to live data.
Comparing two sessions
Open two sessions in two browser tabs of the desktop. Side-by-side comparison is the easiest way to see "what was different about the office today vs yesterday" or "what's in this conference room vs that one."
You can also use the Sessions → Compare view if available, which highlights:
- Devices in session A but not B
- Devices in both
- Devices in B but not A
- SSID overlap
- Alert overlap
Exporting for analysis
The JSON export contains everything the desktop knows about the session. Format is human-readable JSON, suitable for:
- Loading into Python / Pandas for analysis
- Importing into other security tools
- Long-term archival
The structure is:
```json
{
  "session_id": "...",
  "start_ms": ...,
  "end_ms": ...,
  "settings": { ... },
  "devices": [ ... ],
  "events": [ ... ],
  "alerts": [ ... ],
  "heartbeats": [ ... ]
}
```
Each device record includes its full detail blob (identifiers, RSSI history, linked MACs, classification, alerts).
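As an added example (not AirLeak's own code), the following Python loads two exported sessions, checks the top-level keys shown above, and reproduces the device and alert buckets of the Compare view offline. The field names `mac` and `type` inside device and alert records are assumptions, since the page does not document them, and the sample exports are constructed.

```python
import json

# Top-level keys from the export structure shown on this page.
REQUIRED_KEYS = {"session_id", "start_ms", "end_ms", "settings",
                 "devices", "events", "alerts", "heartbeats"}


def load_session(text):
    """Parse an exported session and check the documented top-level keys."""
    session = json.loads(text)
    if not isinstance(session, dict):
        raise ValueError("session export must be a JSON object")
    missing = REQUIRED_KEYS - set(session)
    if missing:
        raise ValueError(f"missing top-level keys: {sorted(missing)}")
    return session


def compare_sessions(a, b, device_key="mac", alert_key="type"):
    """Bucket devices and alert types like the Compare view's lists."""
    # device_key and alert_key are ASSUMED field names; adjust to your export.
    dev_a = {d[device_key].lower() for d in a["devices"]}
    dev_b = {d[device_key].lower() for d in b["devices"]}
    alerts_a = {x[alert_key] for x in a["alerts"]}
    alerts_b = {x[alert_key] for x in b["alerts"]}
    return {
        "only_a": sorted(dev_a - dev_b),
        "both": sorted(dev_a & dev_b),
        "only_b": sorted(dev_b - dev_a),
        "alert_overlap": sorted(alerts_a & alerts_b),
    }


def make_sample(session_id, macs, alert_types):
    """Build a constructed sample export (not real capture data)."""
    return json.dumps({
        "session_id": session_id, "start_ms": 0, "end_ms": 60000,
        "settings": {}, "heartbeats": [], "events": [],
        "devices": [{"mac": m} for m in macs],
        "alerts": [{"type": t} for t in alert_types],
    })


MONDAY = make_sample("mon", ["02:00:00:00:00:01", "02:00:00:00:00:02"],
                     ["airdrop_discoverable"])
TUESDAY = make_sample("tue", ["02:00:00:00:00:02", "02:00:00:00:00:03"],
                      ["airdrop_discoverable", "pii_ssid_in_probe"])
```

Devices that randomize their MAC address appear as different devices across sessions when matched on the MAC alone, so treat the "only in A" and "only in B" buckets as upper bounds.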
Markdown summary export
For sharing a session in human-readable form, export the summary. Format:
```markdown
# Session: Conference Day 1
Recorded: 2026-05-07 14:23:00 → 16:55:22
Duration: 2h 32m
Devices: 142 Events: 4823 Alerts: 18

## Top device classes
1. iphone (38)
2. galaxy_phone (24)
3. macbook (12)
...

## Top alerts
- airdrop_discoverable: 4 occurrences
- pii_ssid_in_probe: 6 occurrences
...

## Notable devices
[device list with notable findings]
```
The summary intentionally redacts identifying details (MAC addresses are hashed, SSIDs anonymized) so it's safe to share.
Privacy: what you keep, what you delete
Sessions accumulate. Periodically prune them:
- Delete sessions you no longer need
- Use Sessions → Bulk delete by age to remove anything older than N days
- Mark sensitive devices do_not_log so they're excluded from session retention
A reasonable default retention: 30 days for personal use. Longer for ongoing security research where the historical record matters.
Restoring from a session export
If you re-import a session JSON via Sessions → Import, the desktop loads it as a finalized session you can replay. This is useful for:
- Backing up a session before deleting locally
- Sharing a forensic capture with a colleague (with appropriate care for sensitive data)
- Restoring sessions after reinstalling the desktop app
Import doesn't write to your firmware-side state — it's purely a desktop-side data load.
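Unlike the Markdown summary, the raw JSON export carries each device's full identifiers, so a copy meant for a colleague may need scrubbing first. The following added example (not part of AirLeak) walks an export of any shape and replaces every MAC-shaped string with a keyed HMAC token, which keeps links between records intact without exposing the address; the `ssid` field name and the sample export are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def pseudonymize_export(session, key, redact_keys=("ssid",)):
    """Return a copy of a session export with MACs replaced by keyed tokens.

    key: secret bytes the sender keeps; one key maps a MAC to one token, so
         links between records survive inside the shared copy.
    redact_keys: ASSUMED field names whose string values are tokenized too.
    """
    def token(value, prefix):
        digest = hmac.new(key, value.lower().encode(), hashlib.sha256)
        return f"{prefix}-{digest.hexdigest()[:12]}"

    def sub_macs(text):
        return MAC_RE.sub(lambda m: token(m.group(0), "mac"), text)

    def scrub(node, parent=None):
        if isinstance(node, dict):
            return {sub_macs(k): scrub(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(v, parent) for v in node]
        if isinstance(node, str):
            return token(node, parent) if parent in redact_keys else sub_macs(node)
        return node

    return scrub(session)


def residual_macs(node):
    """Collect MAC-shaped strings left anywhere in a scrubbed export."""
    return MAC_RE.findall(repr(node))


# Constructed sample; the field names inside devices/events are assumed.
SAMPLE = {
    "session_id": "demo", "start_ms": 0, "end_ms": 1000, "settings": {},
    "devices": [{"mac": "02:00:00:AA:BB:01", "ssid": "HomeNet-Smith",
                 "linked_macs": ["02:00:00:aa:bb:02"]}],
    "events": [{"note": "probe from 02:00:00:aa:bb:01"}],
    "alerts": [], "heartbeats": [],
}
```

Use a different key per recipient so tokens cannot be correlated across separately shared exports, and check that `residual_macs` returns an empty list before sending the file.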
What sessions don't record
- The unit's own log lines (LOG: outputs to USB) — those are diagnostic only
- Heartbeat field-level granularity for every 2 seconds (only condensed)
- Per-alert payload state at firing time (the alert-engine's internal counters)
If you need that level of forensic detail, capture the device log alongside via AirLeak → Settings → Device log → Export.
Sessions default to timestamp-based names. Renaming them as soon as you finalize (Office WiFi audit, Walk to grocery store, Hotel lobby check-in) makes the sessions list immediately scannable. Future-you will thank present-you.