ZeroTrace AirLeak
Your First Capture
5-minute walkthrough — connect, monitor, interpret what you see
A guided walkthrough of your first AirLeak capture. Allow ~5 minutes.
1. Get to capturing
- Plug in the AirLeak. Open the desktop app.
- Go to AirLeak → Overview.
- Pick the COM port, click Connect.
- On the Overview page, click the Monitor card.
Within ~2 seconds the status bar should show events flowing:
Devices 18 Events 88 WiFi 2 BLE 84 Alerts 1 Drop 0.0% Heap 35K (10%) Up 12s Scan active
If Scan says off instead of active, head to Settings and confirm the BLE active scan toggle is on.
2. Watch the Devices page fill
Click Devices in the sidebar. You'll see two tabs:
- BLE devices (N) — every BLE peer the radio has seen
- WiFi networks (M) — every AP / probing client
The BLE table is the more interesting one — it'll show your phone, your AirPods, your laptop, your smart TV, the neighbor's Galaxy Watch, etc. Each row carries:
- Name — friendly name + MAC + secondary identifier (vendor or class fallback)
- Class — the classifier's verdict (iPhone / AirPods / Smart TV / etc.)
- Signal — current and best-seen RSSI as a 4-bar mini-gauge
- Dist — estimated distance in meters
- Adv — advertising interval in ms (~30 ms = pairing burst, ~1280 ms = idle iPhone)
- Obs — observation count and rate
- Action — Apple Continuity nearby_info action (audio_or_call, screen_on, etc.)
- Info — battery levels, BLE flags, TX power, iOS major version
- Alerts — privacy chips (PII / Corp / AirDrop / FindMy / Rotating MAC)
Click any row to open the device's detail page.
3. The first 30 seconds — what to expect
Live captures stabilize fast. After roughly 30 seconds you should see:
- Nearby phones populate (random MAC, mask=512 — Apple Continuity, no name)
- Your laptop's Bluetooth name (DESKTOP-XXX for Windows, MacBook Pro for Macs)
- Any AirPods in your pocket or near you (model id + battery levels if the case is open)
- Smart TVs in range with names like [TV] Samsung 5 Series (49)
- Trackers (AirTags, Tile, SmartTags) if any are near
- WiFi tab: every router whose beacon hits the radio, with channel + generation + encryption type
A typical home / office capture sees 20–60 BLE devices and 15–40 WiFi networks within the first minute.
4. Read the heartbeat
The status bar is a live readout of firmware health. Things to look at:
| Stat | Meaning | When to worry |
|---|---|---|
| Devices | Unique MACs aggregated | At 768 you've hit the cap; oldest evicted (rare in normal use) |
| Events | Total decoded events emitted | Should grow steadily |
| Drop | Fraction of events lost on USB transmit | >5 % means the stream is congested. Increase throttle |
| Throttled | Events suppressed from USB stream (still aggregated, just not streamed) | High counts here are fine — devices still update |
| Heap | Free internal RAM + percentage | Watch the % — alert below 12 % (orange), critical below 7 % (red). Below 7 % triggers safe-mode |
| Up | Firmware uptime since last boot | Resets on reboot |
| Scan | BLE scan state | active = solicits SCAN_RSPs. passive = no SCAN_REQs. off = mode is Setup |
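An added example (not part of the AirLeak desktop app or firmware): a small parser for the status bar line shown in step 1, applying the thresholds from this table so a long-running capture can be checked automatically. The two sample lines are constructed, and the field order and `K` heap suffix are assumed to match the step 1 readout exactly.

```python
import re

# Thresholds taken from the heartbeat table above.
DROP_WARN_PCT = 5.0    # Drop above this: USB stream congested, raise throttle
HEAP_WARN_PCT = 12.0   # Heap below this: orange
HEAP_CRIT_PCT = 7.0    # Heap below this: red, firmware enters safe-mode
DEVICE_CAP = 768       # Aggregator cap; oldest entries evicted beyond it

# Constructed sample lines in the step 1 layout (assumed format, not captured output).
SAMPLE_STEP1 = "Devices 18 Events 88 WiFi 2 BLE 84 Alerts 1 Drop 0.0% Heap 35K (10%) Up 12s Scan active"
SAMPLE_STRESSED = "Devices 768 Events 20412 WiFi 31 BLE 737 Alerts 9 Drop 7.4% Heap 18K (6%) Up 1h02m Scan passive"

_PATTERN = re.compile(
    r"Devices (?P<devices>\d+) Events (?P<events>\d+) WiFi (?P<wifi>\d+) BLE (?P<ble>\d+) "
    r"Alerts (?P<alerts>\d+) Drop (?P<drop>[\d.]+)% Heap (?P<heap>\S+) \((?P<heap_pct>\d+)%\) "
    r"Up (?P<up>\S+) Scan (?P<scan>\w+)"
)


def parse_status(line):
    """Split one status bar line into typed fields; raises on an unexpected layout."""
    m = _PATTERN.match(line.strip())
    if not m:
        raise ValueError("unrecognised status line: " + line)
    d = m.groupdict()
    return {
        "devices": int(d["devices"]), "events": int(d["events"]),
        "wifi": int(d["wifi"]), "ble": int(d["ble"]), "alerts": int(d["alerts"]),
        "drop_pct": float(d["drop"]), "heap_free": d["heap"],
        "heap_pct": int(d["heap_pct"]), "uptime": d["up"], "scan": d["scan"],
    }


def assess(status):
    """Return (level, message) findings in the order the table lists the stats."""
    findings = []
    if status["scan"] == "off":
        findings.append(("warn", "Scan off: mode is Setup, or the BLE active scan toggle is disabled"))
    elif status["scan"] == "passive":
        findings.append(("info", "Scan passive: no SCAN_REQs are sent"))
    if status["drop_pct"] > DROP_WARN_PCT:
        findings.append(("warn", f"Drop {status['drop_pct']}% > {DROP_WARN_PCT}%: stream congested, increase throttle"))
    if status["heap_pct"] < HEAP_CRIT_PCT:
        findings.append(("critical", f"Heap {status['heap_pct']}% < {HEAP_CRIT_PCT}%: safe-mode threshold"))
    elif status["heap_pct"] < HEAP_WARN_PCT:
        findings.append(("warn", f"Heap {status['heap_pct']}% < {HEAP_WARN_PCT}%: low RAM (orange)"))
    if status["devices"] >= DEVICE_CAP:
        findings.append(("info", f"Devices at cap {DEVICE_CAP}: oldest entries are being evicted"))
    return findings
```

Note that the step 1 sample itself reads Heap 10 %, which this table already classes as orange, so `assess` flags it.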
5. Open a device's detail page
Click any BLE row. The detail page shows:
- Header card — icon + name + MAC + class badge with confidence score + score gauge + action buttons (See in Live, Pin, Mark as own, Mute)
- KPIs — first seen, last seen, observation count, best RSSI
- Live signal — last 60 RSSI samples as an area chart, plus current/avg/best/range/tx/distance/rate metrics
- Identifiers — fingerprint, AirTag ID, OS major, BLE flags, appearance, vendor, company ID
- Optional sections (only if applicable):
- Battery — AirPods L/R/case with charging indicators
- WiFi network details — for AP rows (channel, generation, encryption, AKM, MFP, country, BSS load)
- Apple state — last action, lock state, OS major, handoff sequence, linked MAC count
- Linked MACs — when fingerprint matches multiple MACs (rotation tracking)
- Probed SSIDs + Service UUIDs — collapsible chip lists
- Why $class? — collapsible rationale: which signals voted for this classification
- Notes (library record only) — label + free-form note input
Click See in Live to jump to the live event view filtered to this device.
6. Watch alerts fire
The first run usually surfaces a couple of alerts. Common ones in a typical room:
- airdrop_discoverable (severity 2) — someone's iPhone has AirDrop set to "Everyone". The phone-number hash + AppleID hash are being broadcast to the world.
- findmy_separated (severity 1) — an AirTag or compatible accessory broadcasting "owner not nearby" mode.
- pii_ssid_in_probe (severity 1) — a phone probed for an SSID like John's iPhone Hotspot.
- open_network_near (severity 0, info) — an unencrypted WiFi network in range.
Click Alerts in the sidebar to see the by-rule breakdown plus the full alert log. Each entry shows timestamp, MAC, severity, and a human-readable detail.
7. Save the session
Click Sessions in the sidebar. Your active capture appears at the top with a green recording badge.
Switch to Setup mode (Overview → click the Setup card) — this finalizes the session: device counts, event counts, alert counts, end timestamp all written. The session is now downloadable as JSON via the cloud icon next to it.
Switch back to Monitor and a new session auto-starts. Sessions are independent recordings — useful when you want to capture distinct environments and compare them later.
8. Look at Insights
Click Insights in the sidebar. Five tabs:
- Distribution — class pie chart + top vendors bar list. Quick glance: are you in an Apple-heavy room or Android-heavy?
- Network leakage — SSID class counts (hotel / airport / coffee / corporate / personal) + top probed SSIDs.
- Trackers — AirTag count, separated AirTag count, Tile count.
- Privacy — six-card grid summarizing AirDrop / unlocked / FindMy-sep / corp-SSID / PII-SSID / random-MAC counts, plus a top-10 leaky devices list.
- Library — cross-session known device list. Devices land here after the 5-second tick; identity fields persist across reboots.
9. Look at Recognized
Click Recognized in the sidebar. This is the localStorage device-history — every device seen since the desktop was first installed, with full detail-blob persistence.
This list updates instantly every time a new identifying field is observed. If a Galaxy Watch flashes its name once and then drops it, the Recognized record keeps the name. Same for AirTag IDs, OS major versions, BLE flags — any field the firmware ever surfaced for a device gets remembered.
Useful for "have I seen this MAC before, ever" questions.
What to do next
- Try a more detailed look at a device — see Desktop → Device Detail.
- Understand how the classifier picked a class — see Detection → Device Classifier.
- Run a multi-hour capture in a public space (with permission) to see the multi-hour follower alert in action — see Detection → Alerts.
- Customize behavior via the firmware CLI — see Firmware → CLI Reference.
Sustained captures throttle hard — events_throttled will dwarf events. That's fine. Devices still update every event in the aggregator; you just see fewer EV: lines on the wire. Set airleak-throttle 0 for the rare debug case where you want every single event.