ZeroTrace Companion
Live View
Real-time stream of every Wi-Fi and BLE observation, with charts, filters, and pause / resume.
The live view is what you see when you first connect an AirLeak. It shows the real-time event stream — every Wi-Fi probe request, every BLE advertisement, every state update — as it arrives from the device.
It is the right view for active investigation: walking around, tuning the device's mode, watching for specific behaviour, or simply confirming the device is working.
What the live view shows
The view is split horizontally:
- Top — a rolling chart of event rate over time. One line per category (Wi-Fi probes, BLE advertisements, alerts).
- Middle — the per-device table. One row per active device, updating in real time as new observations arrive.
- Bottom — the most-recent-events list. Streaming log of every event with a timestamp.
Each region can be expanded full-window for focused viewing.
The events chart
Shows event rate per second, broken down by event type. Useful for:
- Confirming the device is healthy — flat-line zero means something's wrong.
- Spotting bursts — a sudden spike often correlates with a real-world event (someone walking by with a phone, a device powering up).
- Tuning the AirLeak's mode — when you switch to a more aggressive scan mode, the chart shows the impact.
The device table
One row per device the current view has observed:
| Column | What it shows |
|---|---|
| MAC address | Hardware address, with randomisation indicator |
| Vendor | OUI-derived vendor name |
| Device type | Wi-Fi station, Wi-Fi AP, BLE device, AirTag, etc. |
| Best RSSI | Strongest signal observed (dBm) |
| Channel | Wireless channel currently observed on |
| Observations | Count of events for this device in the current view |
| First seen | When the device was first observed |
| Last seen | Most-recent observation (live) |
| Class label | The device-class classification, when assigned |
Click any row for the per-device detail panel — full event history, RSSI over time, channel hopping, payload breakdowns.
Filtering
The filter bar above the table filters by:
- MAC address pattern — partial-prefix match.
- Vendor — multi-select from the OUI catalog.
- Device type — Wi-Fi / BLE / specific subtypes.
- Class label — multi-select from observed classes.
- Channel — multi-select.
- RSSI range — sliders for min / max signal strength.
Filters compose. "Apple BLE devices on channel 37 with RSSI > -70" is one filter expression.
The chart and the events log respect the same filters — focus the entire live view on a slice of the traffic.
Pause and resume
Space pauses live updates. The chart freezes; the table stops updating. Useful when the data rate is high enough that things scroll past faster than you can read them.
Resume with Space again. Buffered events from the pause window are reconciled into the table on resume.
The recently-active card
A small card on the side highlights the last device observed. Useful for confirming "did this device just send a probe?" — walk past with your phone, watch the card update.
The recently-active card is the fastest way to associate an unknown MAC with a known physical device. Take the device, walk in and out of the AirLeak's range; observe which MAC's "last seen" updates accordingly.
Channel heatmap
A small heatmap shows event count per channel over the last N seconds. Useful for spotting:
- Crowded channels — most Wi-Fi traffic on 1, 6, 11 (the non-overlapping 2.4 GHz channels).
- 5 GHz activity — depends on your AirLeak's hardware.
- BLE primary channels — 37, 38, 39 carry advertising traffic.
The heatmap colour-codes by event density.
Status bar
The bottom of the live view shows:
- Device connection state — connected / dropped.
- Current AirLeak mode — active scan / passive / mixed.
- Events per second — current and 60-second average.
- Lines read / events parsed / parse errors — diagnostic counters.
Parse errors are a useful health indicator. A non-trivial parse-error rate suggests a firmware mismatch, a corrupted serial connection, or a noisy USB cable.
Mode picker
The AirLeak has multiple capture modes. The mode picker (top of the live view) lets you switch on the fly:
| Mode | What it does |
|---|---|
| Wi-Fi only | Focus capture on Wi-Fi traffic |
| BLE only | Focus capture on BLE advertising and connection traffic |
| Mixed | Both, with the device alternating |
| Active scan | Send probe requests and capture responses (regulated in some jurisdictions) |
| Passive | Listen only |
Switching modes restarts the device's capture but preserves the current session. Configure default mode in Settings → AirLeak.
When to leave the live view
- For per-device deep dives → click a row, see the device-detail panel.
- For aggregate patterns across the session → switch to insights.
- For the historical record → switch to devices (current session) or library (all-time).
- For replay of a finished capture → switch to sessions and load a saved session.