ZeroTrace AirLeak
Your First Capture
5-minute walkthrough: pair, monitor, interpret what you see
A guided walkthrough of your first AirLeak capture. Allow ~5 minutes.
1. Get to capturing
- Power the AirLeak over USB-C. Open the ZeroTrace mobile app.
- Pair the unit (AL-XXXX in the scan list) and activate its license if you haven't.
- Open the device's Modes tab and tap Monitor.
- Switch to the Live tab.
Within a second or two the Live list starts populating. The header shows a live count, the total seen, the current mode, and an events-per-second readout.
If nothing appears, confirm you're in Monitor (not Setup), and that you're not in an empty area.
2. Watch the Live list fill
The Live tab is a single live table of every BLE device the unit has heard. Each row carries:
- Name + MAC: the BLE friendly name (when broadcast) plus the address and a random-MAC badge
- Class: the classifier's verdict (iPhone / AirPods / Smart TV / etc.)
- Signal: RSSI bars
- Severity: a color bar reflecting the device's leakage score
- Last seen: "Xs ago"
Use the search field (name / MAC / vendor) and the filter chips (All, Trackers, Leaks, Apple, Android, Audio, Named, Close, Find My, Severe) to narrow the list. The sort menu offers Last seen, Signal (RSSI), Distance, Severity, and Observations.
Tap any row to open its detail page.
3. The first 30 seconds: what to expect
Live captures stabilize fast. After roughly 30 seconds you should see:
- Nearby phones (often random MAC, Apple Continuity, no name)
- Laptops and TVs that broadcast a name
- Any AirPods near you (model + battery levels when the case is open)
- Trackers (AirTags, Tile, SmartTags) if any are near
A typical home or office sees a few dozen BLE devices within the first minute.
4. Read the header
The Live header is a live readout of the capture stream:
| Field | Meaning |
|---|---|
| Live count | Devices active in the recent window |
| Total | Unique devices aggregated this session |
| Mode | Current capture mode |
| /s | Events per second over the last second |
The device's deeper health figures (heap, scan-duty estimate, drop count) are surfaced in the app's status/detail readouts and come from the unit's state.read.
5. Open a device's detail page
Tap any row to open the per-device view. It shows the decoded fields AirLeak has accumulated for that device: signal history, identifiers (fingerprint, vendor, company ID, appearance), Apple state and battery where applicable, Find My state, advertised service UUIDs, and a leakage score.
6. Watch alerts fire
The first run usually surfaces a couple of privacy signals. The firmware's alert engine evaluates each observation and raises alerts such as:
- airdrop_discoverable (severity 2): a nearby iPhone has AirDrop set to "Everyone", broadcasting Apple ID / phone-number hash prefixes.
- findmy_separated (severity 1): an AirTag or Find My accessory in "owner not nearby" mode.
- unknown_tracker_near (severity 1): a separated tracker beacon observed repeatedly.
Alerts drive the on-device threat-indicator LED (when enabled) and a red row highlight. See Alert Rules for the full list.
7. Try Hunt and Insights
- Hunt lets you lock onto one captured device and turn its live RSSI into a proximity gauge (with a radar dial) you can walk toward to physically locate it, useful for chasing down an unknown tracker.
- Insights is a calm dashboard over the same live table: device-class breakdown, proximity spread, severity distribution, top vendors.
8. Try a wardrive
Open Drive and tap Start. The app switches the unit to Wardrive (max-rate scan), records your GPS track, and stamps each device at the location where it was heard strongest. End the session to save it to Drive History and export a WiGLE CSV. Community wardriving maps and leaderboards live on the dashboard.
What to do next
- Try a deeper look at a device: see Features → Single Device View.
- Understand how the classifier picked a class: see What AirLeak Sees.
- Run a longer capture in a public space (with permission) to see the multi-hour follower alert in action: see Features → Alerts in Practice.
AirLeak streams what it hears right now; it doesn't buffer or replay on the device. The live table ages devices out as they go quiet. Persistent history and maps live in the app (Drive History) and on the dashboard.
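
The header fields from step 4 and the aging behaviour in the note above can be modelled in a few lines. This is an added example, not ZeroTrace code: the `LiveTable` class, the 30-second live window, keying rows by address, and the sample observations are all assumptions made for illustration.

```python
from collections import deque

LIVE_WINDOW_S = 30.0  # assumption: the page does not state the live-window length

class LiveTable:
    """Illustrative model of the Live header (not the firmware's logic)."""

    def __init__(self, window_s=LIVE_WINDOW_S):
        self.window_s = window_s
        self.last_seen = {}    # address -> time last heard (rows still live)
        self.total = set()     # every address heard this session
        self.events = deque()  # event timestamps, oldest first

    def observe(self, mac, ts):
        """Record one advertisement from `mac` heard at `ts` seconds."""
        self.last_seen[mac] = ts
        self.total.add(mac)
        self.events.append(ts)

    def header(self, now):
        """Age out quiet devices, then return the header fields at `now`."""
        quiet = [m for m, t in self.last_seen.items() if now - t > self.window_s]
        for mac in quiet:
            del self.last_seen[mac]      # row drops out of the live table
        while self.events and now - self.events[0] > 1.0:
            self.events.popleft()        # keep only the last second of events
        return {"live": len(self.last_seen),
                "total": len(self.total),
                "per_s": len(self.events)}

# Constructed sample: (seconds since start, advertiser address).
SAMPLE = [
    (0.0, "AA:00:00:00:00:01"), (0.2, "AA:00:00:00:00:02"),
    (0.5, "AA:00:00:00:00:01"), (10.0, "AA:00:00:00:00:03"),
    (39.5, "AA:00:00:00:00:03"), (39.8, "AA:00:00:00:00:04"),
    (40.0, "AA:00:00:00:00:03"),
]

def replay(observations, now):
    """Feed observations in time order and read the header at `now`."""
    table = LiveTable()
    for ts, mac in observations:
        table.observe(mac, ts)
    return table.header(now)

if __name__ == "__main__":
    print(replay(SAMPLE, 40.0))  # {'live': 2, 'total': 4, 'per_s': 3}
```

Because this model keys rows by address, a device that rotates its random MAC would be counted again in Total; that is a property of the model, not a statement about how AirLeak aggregates devices.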