ZeroTrace Companion
Sessions
Capture, save, label, replay, and export AirLeak capture sessions — disk-backed, no practical event-count limit.
A session is a capture window. You start it, the AirLeak streams events, you stop it. Every event in that window is saved to disk. Sessions can be replayed, exported, labelled, deleted, and shared.
This page covers the session lifecycle. For the persistent device catalog that sessions feed, see library.
Why sessions
Live monitoring is great for "what's happening right now." Sessions are for "what happened then" — when you want to come back to a capture window later, share it with someone, or reference it in a long-running investigation.
Use cases:
- Periodic survey — daily / weekly capture of a known location's wireless environment.
- Event-window capture — capture during a conference, a meeting, an incident.
- Reproduction — capture a confusing pattern to share with a teammate or a vendor.
- Evidence — capture under-authorisation observations for legal or compliance purposes.
Starting a session
From the live view or any AirLeak workspace view: click Start Session (or Ctrl+N).
The session prompt asks for:
- Label — a human-readable name. Be specific: "office-floor-3-2026-05-07" beats "test."
- Mode — which AirLeak capture mode to use (Wi-Fi only / BLE only / mixed / etc.). Defaults to whatever the live view is currently using.
After confirming, the session begins. The status bar shows "session recording" with the elapsed time and event count.
Stopping a session
Click Stop Session (or Ctrl+Shift+S). The session closes:
- Final event count is recorded.
- The session file is finalised on disk.
- The session appears in the sessions list with its full metadata.
Sessions can also auto-stop on a timer (configure in Settings → AirLeak), but explicit stop is the default.
The sessions list
The sessions view is the table of every session you have captured (across all time, not just the current connection). Each row shows:
| Column | What it shows |
|---|---|
| Label | Your chosen name |
| Started | Start timestamp |
| Ended | End timestamp (or "still recording" if active) |
| Duration | Elapsed time |
| Mode | Capture mode used |
| Devices | Unique device count |
| Events | Total event count |
| Alerts | Number of alerts that fired during the session |
| Size | Disk space the session occupies |
Click any row to open the session detail.
Session detail
The detail view of a session shows:
- Full devices table — same view as the live workspace's devices view, but for this session's data.
- Insights — aggregate patterns for this session.
- Alerts — rule firings that happened during this session.
- Replay — step through the events in time order.
Replay is particularly useful — it shows the events as they arrived during the original capture. You can scrub through the timeline, slow down, speed up, or pause at specific moments.
Labels and notes
Each session can be re-labelled, tagged, and annotated with free-text notes. Useful for:
- Tagging by purpose ("compliance-survey", "incident-XYZ", "casual-test").
- Annotating findings ("captured the suspect device at 14:32:11").
- Cross-referencing with external systems (ticket numbers, case files).
Labels and notes are stored alongside the session data and survive restarts.
Export
Top-right of the session detail:
- CSV — table-shaped event log.
- JSON — structured per-event format.
- PCAP — packet-capture file format, openable in Wireshark.
Export respects any filters applied to the session detail. Apply filters first to export a subset.
PCAP exports are particularly useful for sharing with teammates who use traditional packet analysis tools. The format is the lingua franca of wireless analysis.
Deleting sessions
The sessions list supports per-row delete and bulk-delete via multi-select. Deleting a session:
- Removes the session file from disk.
- Removes the session entry from the index.
- Does not remove the session's contributions to the library — those are persistent.
For a complete reset, delete the session and purge the library; that's a deliberate two-step.
Disk usage
Sessions are stored under your application data directory. Practical sizing:
- Short capture (few minutes) — typically a few KB to a few MB.
- Hour-long capture in a busy environment — tens of MB.
- Multi-hour capture in a busy environment — hundreds of MB.
Sessions are stored as JSON files. They compress well if you want to archive old captures — gzip typically reduces them 5-10x.
When to capture and when not to
Capture when:
- You want to come back to the data.
- You want to share or export it.
- You're investigating something specific and need an audit trail.
Don't capture when:
- You're testing the device or a setting.
- You're casually watching live without a follow-up purpose.
- The data is too sensitive to write to disk (capture is on disk, not encrypted at rest).
For sensitive captures, store the session file on an encrypted disk and consider purging it after the investigation completes.