ZeroTrace Companion

Insights

Aggregated patterns across the current session — vendor distributions, channel usage, device classes, behavioural summaries.

The insights view is the aggregated patterns view. Where the devices view is "every device individually" and the live view is "every event as it happens," insights answers the higher-order questions: what does the aggregate of this session look like?

What insights show

The view is organised into stat cards, distribution charts, and a library tab.

Stat cards (top of the view)

| Card | What it shows |
|---|---|
| Total devices | Unique device count in the session |
| New devices | Devices not previously in the library (first-time observed) |
| Returning devices | Devices that were already in the library |
| Wi-Fi / BLE split | Proportion of devices by protocol |
| Apple device count | Devices identified as Apple via Continuity |
| AirTag count | Devices identified as AirTags |
| Average session RSSI | Aggregate signal strength (proximity hint) |

Vendor distribution

Bar chart of devices by OUI vendor. Useful for understanding the device mix:

  • Many Apple devices = consumer-rich environment.
  • Many enterprise vendors (HP, Dell, Lenovo) = office environment.
  • Many IoT vendors (Samsung, LG, Philips, Sonos) = home environment.
  • Many obscure vendors = potentially research / industrial.

Click any vendor bar to filter the devices view to that vendor.

Channel usage

Bar chart of event count per wireless channel.

For Wi-Fi: most action on 1, 6, 11 (the non-overlapping 2.4 GHz channels), some on 5 GHz channels depending on hardware.

For BLE: most action on 37, 38, 39 (the advertising channels).

Useful for spotting:

  • Crowded channels — more devices than usual.
  • Quiet channels — unexpected absence.
  • Anomalies — traffic on channels that shouldn't have any.

Device-class distribution

Pie chart of device classes:

  • Phone / smartphone.
  • Wearable (watch, earbuds, headphones).
  • AirTag / tracker.
  • IoT (lights, switches, sensors).
  • Computer (laptop, desktop, server).
  • Other / unknown.

Class assignments come from the AirLeak's behavioural classification — based on advertising patterns, not just OUI vendor.

SSID popularity (Wi-Fi)

Bar list of the most-probed SSIDs in the session. Devices probe for SSIDs they remember being connected to; aggregating across many devices gives you a "what networks does this airspace know about" view.

For a corporate office, the SSID list is dominated by the corporate Wi-Fi. For a coffee shop, it's a mix of local networks and travel hotspots. For a residential area, it's a mix of home networks (sometimes including embarrassingly identifiable ones).

For travel surveillance / road-warrior detection, the SSID popularity chart is one of the most informative. A device probing for SSIDs from three continents tells you a different story than a device probing for one.

Apple Continuity model breakdown

A separate card aggregates Apple devices by model identifier:

  • iPhone (with model variant when distinguishable).
  • iPad.
  • MacBook.
  • AirPods (Pro / Max / Gen 2 / etc.).
  • Apple Watch.
  • AirTag.

Useful for "what Apple devices are around" snapshots in environments dominated by Apple hardware.

Behaviour summary

A computed summary block at the top of the view that combines several signals into one paragraph:

"This session captured 247 unique devices over 1 hour 12 minutes. 68% are Apple. The most-probed SSID is corp-wifi (42 devices). Channel usage is concentrated on 6 (Wi-Fi) and 37 (BLE). 3 AirTags were observed. 12 devices are new since the last session."

The summary is generated locally; no LLM is involved (though the AI assistant can produce a richer narrative if you ask it).

Library tab

A second tab inside the insights view focuses on the library cross-section:

  • Library coverage — what fraction of session devices have library entries.
  • Per-library-tag breakdown — for tagged devices, the aggregate.
  • First-time-in-library count — devices that this session promoted into the library.

Useful for monitoring how much of the captured environment is "known" vs. "unknown" — a high known-fraction implies a well-mapped airspace, a high unknown-fraction implies novelty.

Comparing insights across sessions

The session detail view shows the same insights for that session alone. Across multiple sessions, you can:

  • Open two sessions side by side.
  • Read the insights for each.
  • Compare manually (no automated diff yet).

For longer-term analysis, export the per-session insights to JSON / CSV and chart them externally.
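
One way to automate that comparison once two sessions have been exported to JSON, given here as an added example that is not part of ZeroTrace Companion. The export schema is not documented on this page, so the section names `wifi_channels`, `ble_channels` and `vendors`, the thresholds, and the sample counts are assumptions constructed for illustration.

```python
"""Diff two exported insights snapshots (hypothetical schema, see lead-in)."""
import json

# Constructed sample exports. The keys "wifi_channels", "ble_channels" and
# "vendors" are assumed names, not the documented ZeroTrace export schema.
BASELINE = json.loads("""{
  "wifi_channels": {"1": 420, "6": 910, "11": 388, "36": 75},
  "ble_channels": {"37": 1500, "38": 1420, "39": 1475},
  "vendors": {"Apple": 168, "HP": 31, "Dell": 22, "Sonos": 4}
}""")
CURRENT = json.loads("""{
  "wifi_channels": {"1": 405, "6": 2950, "11": 12, "13": 64},
  "ble_channels": {"37": 1490, "38": 1433, "39": 1460},
  "vendors": {"Apple": 171, "HP": 30, "Dell": 21, "Espressif": 9}
}""")


def diff_counts(base, cur, ratio=2.0, floor=50):
    """Classify each key as new, gone, crowded or quiet relative to baseline.

    ratio: fold change that counts as crowded or quiet.
    floor: skip keys whose larger count is below this, to suppress noise.
    """
    out = {"new": [], "gone": [], "crowded": [], "quiet": []}
    for key in sorted(set(base) | set(cur), key=str):
        b, c = base.get(key, 0), cur.get(key, 0)
        if max(b, c) < floor:
            continue
        if b == 0:
            out["new"].append(key)        # absent from the baseline session
        elif c == 0:
            out["gone"].append(key)       # unexpected absence
        elif c >= b * ratio:
            out["crowded"].append(key)    # far busier than baseline
        elif c * ratio <= b:
            out["quiet"].append(key)      # far quieter than baseline
    return out


def compare_sessions(base, cur):
    """Run the diff over every section present in either export."""
    return {section: diff_counts(base.get(section, {}), cur.get(section, {}),
                                 floor=5 if section == "vendors" else 50)
            for section in sorted(set(base) | set(cur))}


if __name__ == "__main__":
    print(json.dumps(compare_sessions(BASELINE, CURRENT), indent=2))
```

The four buckets map onto the "crowded", "quiet" and "anomalies" cases listed under channel usage; tune `ratio` and `floor` to the size of your own sessions.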

What insights do not show

  • Per-event detail — the live view and the events log are for that.
  • Per-device deep dive — click into the devices view.
  • Behavioural alerts — see alerts.
  • Cross-session library aggregation — the library tab here is session-scoped; the library view is the all-time aggregate.
