ZeroTrace AirLeak
Single Device View
Reading every detail AirLeak knows about one device
Click any row in the device list and AirLeak opens that device's detail page. This is the densest view in the whole app — everything the unit has learned about that device, organized into compact sections.
What you'll find on the page
The page is laid out top-to-bottom with the most important info first:
- Header card — icon, friendly name, MAC, class badge, score gauge
- KPI strip — first-seen, observation count, best signal
- Live signal — last 60 RSSI samples plus current/avg/best/worst/TX/distance/rate
- Identifiers — fingerprint, OS major, BLE flags, appearance, vendor, company ID
- Optional sections — only appear when applicable (Battery, WiFi network, Apple state)
- Linked MACs — MAC rotation history (when fingerprinting merged multiple)
- Probed SSIDs + Service UUIDs — collapsible chip lists
- Why this class? — collapsible breakdown of how the device got its class
- Notes — your own labels and free-form notes
The header card
Three things to glance at:
- Icon + name — class icon plus the device's friendly name (or Unknown <class> fallback)
- Class badge — the classifier's verdict with confidence: iPhone (94) means 94 % confident
- Score gauge — visual indicator of confidence; greener as you go right
Action buttons in the header:
| Button | What it does |
|---|---|
| See in Live | Jump to the Live view filtered to this MAC |
| Pin | Pin in the device table |
| Mark as own | Tag as one of your devices |
| Mute | Hide from main table |
| Copy MAC | Clipboard copy |
| Export JSON | Download all known data about this device |
The KPI strip
Three numbers always visible:
- First seen — relative time since first observation
- Observation count — total events
- Best RSSI — strongest signal ever observed
A 2-hour-old device with 1247 observations and a best RSSI of -54 has been close, repeatedly. A 5-second-old device with 2 observations and a best RSSI of -91 just walked past once at the edge of range.
Live signal section
A small chart of the last 60 RSSI samples — about 60 seconds of history at typical capture rates. Watch this while moving the device or yourself: you'll see signal fluctuation, walls attenuating, and approach / depart patterns.
Six numbers below the chart:
| Metric | Description |
|---|---|
| Cur | Current RSSI |
| Avg | Average over last 60 samples |
| Best | Strongest RSSI ever seen |
| Worst | Weakest RSSI ever seen |
| TX | Device's transmit power (when broadcast) |
| Rate | Observations per second over the last minute |
| Distance | Estimated meters, from RSSI + TX |
Distance is approximate — RSSI is noisy and surroundings affect it. Treat ±50 % as the typical confidence.
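How an RSSI + TX distance estimate behaves under noise, as an added example (not AirLeak's code; AirLeak's actual formula is not documented here). It assumes the standard log-distance path-loss model, a 2.44 GHz carrier, and hypothetical function names, and uses a constructed sample window.

```python
import math
from statistics import median

SPEED_OF_LIGHT = 299_792_458.0  # m/s


def loss_at_1m(freq_hz=2.44e9):
    """Free-space path loss in dB at 1 m (2.44 GHz is mid-band for BLE/2.4 GHz WiFi)."""
    return 20 * math.log10(4 * math.pi * freq_hz / SPEED_OF_LIGHT)


def estimate_distance(rssi_dbm, tx_dbm, n=2.0, freq_hz=2.44e9):
    """Log-distance model: (tx - rssi) = loss_at_1m + 10 * n * log10(d).

    n is the path-loss exponent: 2.0 in free space, higher (assumed ~3) indoors.
    """
    path_loss = tx_dbm - rssi_dbm
    return 10 ** ((path_loss - loss_at_1m(freq_hz)) / (10 * n))


def distance_band(samples, tx_dbm, n=2.0, rssi_error_db=3.5):
    """Return (low, mid, high) metres from the median of an RSSI window,
    for an assumed +/- rssi_error_db of measurement noise."""
    rssi = median(samples)  # median shrugs off single-sample dips
    return (
        estimate_distance(rssi + rssi_error_db, tx_dbm, n),
        estimate_distance(rssi, tx_dbm, n),
        estimate_distance(rssi - rssi_error_db, tx_dbm, n),
    )


# Constructed sample window in dBm (not captured data); TX of 0 dBm is assumed.
SAMPLES = [-61, -63, -60, -72, -62, -61, -64, -59, -62, -61]
TX_DBM = 0

if __name__ == "__main__":
    low, mid, high = distance_band(SAMPLES, TX_DBM)
    print(f"open space: {low:.1f} m .. {mid:.1f} m .. {high:.1f} m")
    _, indoor, _ = distance_band(SAMPLES, TX_DBM, n=3.0)
    print(f"same samples, n=3.0: {indoor:.1f} m")
```

With n = 2, an RSSI error of only 3.5 dB already moves the estimate by about +50 % / -33 %, and changing the assumed environment (n = 3) roughly halves it for the same samples.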
Identifiers
Every stable identifier extracted for this device:
- Fingerprint — a stable hash combining payload-stable fields (used for tracking across MAC rotation)
- OS major — for Apple devices that broadcast it (iOS 17, iOS 18)
- BLE flags — discoverability flags
- Appearance — GAP appearance code with interpretation (1344 (Phone))
- Vendor — manufacturer name from MAC OUI
- Company ID — Bluetooth SIG company identifier
Empty fields are hidden — only what AirLeak has actually observed shows up.
Optional sections (only when relevant)
Battery (AirPods, Beats, AirTags, wearables)
For AirPods you'll see:
Left: 80% ⚡ (charging)
Right: 80%
Case: 75%
For AirTags: low / medium / full. For headphones with battery service: a single percentage.
WiFi network details (for AP rows)
Full network breakdown:
- SSID, BSSID
- Channel, generation
- Encryption (e.g. WPA3-Personal-MFP)
- AKM suite (e.g. SAE)
- Country IE
- Associated stations + utilization
- 802.11r / 802.11k support
Apple state (for iPhones / iPads / Macs)
- Last action: screen_on (5s ago)
- Action history: last 5 transitions
- Lock state
- OS major version
- Handoff sequence number
- Linked MACs count
The action history is one of the most engaging things to watch — you can literally see when someone unlocks their phone, takes a call, or puts it to sleep, in real time.
Linked MACs
When the fingerprinter has merged multiple MACs into one device, this section shows the MAC history:
Current: 6a:b1:88:5d:0f:11 (24 obs in last 15 min)
Previous: 16:9c:a3:7e:f5:b2 (2h 14m ago, 14 obs)
Previous: 56:f8:4a:91:3e:c7 (1h 30m ago, 22 obs)
This is how MAC randomization is defeated for fingerprintable devices. iPhones, AirPods, and most modern devices rotate their MAC every ~15 minutes — the fingerprinter ties them back together so you see one device, not five.
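Why rotating the MAC alone does not unlink a device whose payload stays constant, as an added example (not AirLeak's code). The choice of stable fields, the function names, and the sample observations are assumptions constructed for illustration; only the three MACs come from the listing above.

```python
import hashlib
from collections import defaultdict

# Assumption: this field set is a hypothetical choice of "payload-stable" fields.
STABLE_FIELDS = ("company_id", "appearance", "os_major", "service_uuids")


def fingerprint(obs):
    """Hash the payload-stable fields only; the MAC never enters the hash."""
    parts = []
    for field in STABLE_FIELDS:
        value = obs.get(field)
        if isinstance(value, (list, tuple, set)):
            value = ",".join(sorted(value))  # advertisement order must not matter
        parts.append(f"{field}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def link_macs(observations):
    """Return {fingerprint: [(mac, obs_count, last_seen), ...]}, newest MAC first."""
    groups = defaultdict(dict)
    for obs in observations:
        stats = groups[fingerprint(obs)].setdefault(obs["mac"], [0, 0])
        stats[0] += 1
        stats[1] = max(stats[1], obs["ts"])
    return {
        fp: sorted(((m, c, t) for m, (c, t) in macs.items()), key=lambda r: -r[2])
        for fp, macs in groups.items()
    }


# Constructed observations: MACs are the ones in the listing above; timestamps
# (seconds) and payload values are made up for the example.
PHONE = {"company_id": 0x004C, "appearance": None, "os_major": 17, "service_uuids": []}
TAG = {"company_id": None, "appearance": None, "os_major": None,
       "service_uuids": ["0xFD9F"]}
OBSERVATIONS = [
    {"mac": "16:9c:a3:7e:f5:b2", "ts": 100, **PHONE},
    {"mac": "56:f8:4a:91:3e:c7", "ts": 2800, **PHONE},
    {"mac": "6a:b1:88:5d:0f:11", "ts": 8000, **PHONE},
    {"mac": "6a:b1:88:5d:0f:11", "ts": 8040, **PHONE},
    {"mac": "02:00:00:00:00:01", "ts": 8010, **TAG},   # constructed MAC
]

if __name__ == "__main__":
    for fp, macs in link_macs(OBSERVATIONS).items():
        print(fp, macs)
```

Two physical devices of the same model with identical payloads collapse into one group under a scheme this simple, so a linked-MAC list is a hypothesis about identity rather than proof of it.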
Probed SSIDs
A collapsible chip list of every SSID this device has probed for. Each chip is colored by alert category:
- Red — corporate
- Orange — PII (Sarah's iPhone)
- Yellow — known location (airport, hotel, café)
- Gray — other / unrecognized
Over time a phone reveals its travel history, employer, home network name, and more. See Probe Analysis for what to do with this data.
Service UUIDs
A collapsible chip list of every service the device has advertised. Each chip shows the UUID with a well-known short-name when matched (0x180F (Battery), 0xFD9F (Tile), 0xFEE7 (Tuya)).
Why this class?
The classifier's audit trail. Every signal that voted for the current classification, with score contributions:
apple_continuity_nearby_info ×4 +40
name_contains_iphone +15
apple_continuity_airdrop +5
probe_request_pii_pattern +5
ios_version_bonus +5
─────────────────────────────────
Total 70
If the classification ever surprises you, this section explains why. It's the most useful debugging view in the app.
Notes
For devices in the cross-session library, you can attach:
- A label — mine, family, coworker, unknown, suspicious, do_not_log
- A free-form note — short text
These persist in the library and re-appear next time the device is observed.
Notes are NOT exported in session JSON exports for privacy — they stay local.
Real-time updates
While the page is open and the device is being observed:
- RSSI chart updates with new samples
- Action chip updates on Apple state changes
- Battery values update as the device reports
- Linked MACs grows when new MACs get fingerprint-merged
- Why-class panel updates as new votes accumulate
The page is fully reactive — no manual refresh needed.
Persistence: nothing gets lost
Every detail field shown here is saved to the desktop's local device-history-store the moment it's observed. If a device flashed its name once 30 minutes ago and never again, the detail page still shows the name when you re-open it later.
This is what makes AirLeak's per-device memory feel reliable — fields accumulate across observations and persist across sessions.
Open Devices, click on your own iPhone in the table. Walk around the room. Watch the RSSI chart, the action history, the linked MACs as the phone rotates. Within 30 minutes you'll have a strong intuition for what every signal means.