ZeroTrace Companion
AirLeak Workspace
Companion's full live workspace for ZeroTrace AirLeak — live monitoring, devices, sessions, library, alerts, insights, and tracking.
When a ZeroTrace AirLeak device is connected, Companion replaces the HID dashboard with the AirLeak workspace — a full-featured live view of everything the AirLeak device is observing.
The workspace is built around the principle that wireless investigation produces a lot of data fast, and that data needs to be filterable, savable, replayable, and pivot-able into a known-device library that survives MAC randomisation.
What's in the workspace
| View | What it covers |
|---|---|
| Live | The real-time event stream — every Wi-Fi and BLE observation as it arrives, with chart-based summaries |
| Devices | Aggregated table view of every device the current session has seen, sortable and filterable |
| Sessions | Saved capture sessions — start, stop, label, replay, export |
| Library | The persistent known-device catalog across all sessions |
| Known devices | The merged-identity view of devices seen across MAC randomisation |
| Alerts | Rule-based alerts firing in real time |
| Insights | Aggregated patterns across the current session — channel usage, device classes, vendor distributions |
| Tracking | Multi-vantage device tracking and movement reconstruction |
The data flow
AirLeak device → USB serial → Companion → Live view → optional Session capture → Library
↓
Alerts
Insights
Tracking
When you connect, data starts streaming immediately. Whether or not you are capturing a session, the live view shows everything — capturing is the act of saving the stream to disk so you can replay or export it later.
When to capture a session vs. just watch
- Watch live (no capture) — quick checks, walking around with a portable AirLeak, testing the device, tuning rules.
- Capture a session — when you want to come back to the data later, share it, replay it, or pin findings to a long-running investigation.
Sessions live as files on disk, in your application data directory. You can move them between machines.
Library vs. session
A session is one capture window — start, observe, stop. It contains every event from that window.
The library is the persistent catalog of devices (not events) that the application has ever seen. Sessions feed the library; deleting a session does not delete the library entries derived from it.
This split is deliberate. Sessions answer "what happened during the capture window." The library answers "what devices have I ever seen, anywhere, ever."
Performance
The AirLeak workspace is designed for long captures with high event rates. Practical guidance:
- Live view — handles thousands of events per second.
- Active session — disk-backed, no practical event-count limit. Long captures with hundreds of thousands of events work fine.
- Library — millions of historical observations supported; the library is paged from disk so memory stays bounded.
For multi-hour captures, start a session, name it descriptively, and walk away. Companion keeps writing to disk reliably; come back to the saved session in the library when you're ready.
Privacy and ethics
AirLeak surfaces wireless devices in the airspace around the AirLeak hardware. That airspace contains real people's devices. A few principles:
- Local-only. Capture data never leaves your machine unless you export it.
- Authorisation matters. Wireless capture is subject to local law — many jurisdictions restrict who may operate passive monitoring and what may be done with the data. Confirm your scope before extended capture.
- MAC randomisation is partly a privacy feature. The library's known-device merging — useful for investigations — also defeats some of that privacy. Use the merging in scope and within authorisation.
For the deeper discussion, see the AirLeak product privacy page.