ZeroTrace Companion
Tutorial — capture and review an AirLeak session
From a wireless question to a reviewed session, with insights pinned, in thirty minutes.
You have an AirLeak device and a question about a wireless space — "what devices are around right now," "what was happening last night," "is this Wi-Fi network being probed by unexpected devices." This tutorial walks through the standard capture-and-review loop.
Setup
- Plug the AirLeak into your computer.
- Open Companion. The picker shows "ZeroTrace AirLeak" at high-speed baud.
- Click Connect. Companion switches to the AirLeak workspace, live view by default.
If the live view shows zero events: check the AirLeak troubleshooting section. Don't proceed until events are flowing.
For this tutorial, pick an environment where you have authorisation to capture wireless traffic — your own home, your own office, a test bench. Don't run extended capture in spaces where you don't have authorisation.
Step 1 — Confirm the live view
Watch the live view for 30 seconds. You should see:
- Events accumulating in the events log.
- Devices appearing in the device table.
- The events chart showing a non-flat line.
This is your "the AirLeak is working" baseline. Note the rough event rate; you'll compare against it later.
Step 2 — Pick a capture mode
Use the mode picker at the top of the live view to choose:
| Mode | When useful |
|---|---|
| Wi-Fi only | You care about networks and Wi-Fi devices |
| BLE only | You care about smartphones, AirTags, wearables |
| Mixed | You want both, accept slightly less detail per type |
For a first capture, start with Mixed. You can switch later to focus on the more interesting traffic.
Step 3 — Start a session
Ctrl+N (or click Start Session). The label dialog opens.
Pick a label that's specific:
- ✓ "office-floor-3-2026-05-07"
- ✓ "home-evening-baseline"
- ✗ "test"
- ✗ "x"
Specific labels pay off when you have ten sessions and need to find the right one. Confirm and the session begins. The status bar shows "session recording" with elapsed time and event count.
Step 4 — Let it run
For a meaningful baseline, capture for at least 5-15 minutes. For a short check, even 1-2 minutes is enough. You don't need to actively watch — Companion captures regardless.
Things you can do during capture:
- Walk around the space (RSSI changes for moving devices reveal more).
- Power on / off your own devices (confirm you can identify them).
- Note the time when you do anything specific (so you can correlate later).
Step 5 — Stop the session
Ctrl+Shift+S (or click Stop Session). The session closes:
- Final event count is recorded.
- The session file is finalised on disk.
- The session moves into the saved-sessions list.
Step 6 — Review the devices
Switch to the Devices view. You see every device the session observed, deduplicated:
- Wi-Fi tab — stations, access points.
- BLE tab — phones, watches, AirTags, headphones, smart-home devices.
For each tab:
- Sort by observation count to see the noisy devices first (your AirLeak's neighbours).
- Sort by first seen to see what showed up early (often closest to the device).
- Filter by vendor to spot patterns (lots of Apple = consumer environment; lots of Cisco = enterprise; etc.).
Step 7 — Look at insights
Switch to Insights. The view shows aggregate patterns:
- Total devices, new vs. returning split.
- Vendor distribution.
- Channel usage.
- Probed-SSID popularity.
The behaviour-summary block at the top is a one-paragraph human-readable digest. Skim it.
Step 8 — Identify your own devices
Open your phone's Wi-Fi / Bluetooth settings and note its MAC if visible. Search the devices view for that MAC.
If found: tag it as "self / mine" so it doesn't pollute future analyses.
If not found: your phone is using random MACs (common). Check the BLE tab; phones broadcast Apple Continuity / similar identifiers that survive randomisation. Find the right phone, tag it.
This is a one-time exercise. Your tags persist across sessions; future captures know which device is yours.
Step 9 — Pin notable findings
In the devices view, click any device that looks interesting:
- A new vendor you didn't expect.
- A device with high RSSI (close-proximity).
- An AirTag.
- A device probing for an unfamiliar SSID.
Click Pin to live view to add it to your watch list. Pinned devices appear in a permanent panel on the live view, regardless of filters.
Step 10 — Review alerts
Switch to Alerts. For your first session, there may be no alerts (you haven't configured rules yet) or only alerts fired by the default rules.
If you want alerts on subsequent sessions, configure them now:
- "Alert when an AirTag appears" (info severity).
- "Alert when a new device appears with high RSSI" (medium severity).
- "Alert when a device probes for [your SSID]" (high severity).
See alerts for the full rule reference.
Step 11 — Export
For sessions you want to share or preserve outside Companion:
- CSV — table-shaped event log.
- JSON — structured per-event format.
- PCAP — for Wireshark.
The session detail view's Export button surfaces all three.
For a "what changed since last week" analysis, run two sessions a week apart and compare the insights manually. Future Companion releases will add automated session diffing.
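Until automated diffing exists, the week-over-week comparison can be scripted against two JSON exports. The sketch below is an added example, not part of Companion: the field names "mac" and "rssi" and the sample events are assumptions, so check them against a real export. It compares Wi-Fi MACs only and keeps randomised addresses (locally administered bit set) out of the diff, because they rotate between sessions and would otherwise all show up as new devices.

```python
import json

# Constructed sample exports. The "mac" and "rssi" field names are assumed,
# not taken from Companion's documentation; adjust to match a real JSON export.
LAST_WEEK = json.loads("""[
  {"mac": "3c:22:fb:10:20:30", "rssi": -48},
  {"mac": "00:1b:54:aa:bb:cc", "rssi": -60},
  {"mac": "da:a1:19:01:02:03", "rssi": -71}
]""")
THIS_WEEK = json.loads("""[
  {"mac": "3C:22:FB:10:20:30", "rssi": -50},
  {"mac": "f4:f5:d8:0a:0b:0c", "rssi": -42},
  {"mac": "f4:f5:d8:0a:0b:0c", "rssi": -39},
  {"mac": "6e:55:01:99:88:77", "rssi": -66}
]""")


def is_randomised(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def summarise(events):
    """Collapse events to {mac: strongest RSSI seen}, with MACs lower-cased."""
    devices = {}
    for ev in events:
        mac = ev["mac"].lower()
        devices[mac] = max(devices.get(mac, -200), ev["rssi"])
    return devices


def diff_sessions(old_events, new_events):
    """Diff stable MACs only; randomised ones rotate, so they are just counted."""
    old, new = summarise(old_events), summarise(new_events)
    stable_old = {m for m in old if not is_randomised(m)}
    stable_new = {m for m in new if not is_randomised(m)}
    return {
        "appeared": sorted(stable_new - stable_old),
        "disappeared": sorted(stable_old - stable_new),
        "still_present": sorted(stable_new & stable_old),
        "randomised_old": len(old) - len(stable_old),
        "randomised_new": len(new) - len(stable_new),
        "strongest_new": {m: new[m] for m in stable_new - stable_old},
    }


if __name__ == "__main__":
    print(json.dumps(diff_sessions(LAST_WEEK, THIS_WEEK), indent=2))
```

Devices you tagged as "self / mine" in Step 8 are worth removing from both inputs before diffing, so the result only lists devices you have not already accounted for.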
What you have at the end
- A captured, reviewed session.
- Your own devices tagged.
- Pinned devices to watch in future sessions.
- Configured alerts for known patterns.
- An exported file (if you wanted one) for external sharing.
This is the standard AirLeak workflow. After three or four cycles, the rhythm becomes muscle memory.
Where to go next
- AirLeak workspace overview — the full feature set.
- Library — what your captures aggregate over time.
- Tracking — for cases where you want to follow a device across sessions.