4G/LTE

Sniffer

A sniffer is a tool used to capture and analyze the wireless traffic exchanged between a mobile device (UE - User Equipment) and the base station (eNB - evolved NodeB or gNB - next generation NodeB). Essentially, it's like a "network eavesdropper" that allows you to see the raw data being transmitted over the air.

Key Features of Sniffers

There are several key features of sniffers in the context of LTE/NR networks, but it's important to understand that not every sniffer supports all of them. The specific features and the degree to which they are supported depend largely on the intended purpose and use case of a particular sniffer. Some sniffers might be designed for a simple task, such as sniffing only a few physical channels to monitor basic network activity. Others are designed with full-fledged functionality, capturing all physical channels (both uplink and downlink) and decoding those channels to reconstruct complete packets and messages across the entire protocol stack. This range of capabilities allows for diverse applications, from basic signal monitoring to in-depth protocol analysis and security assessments.

The following are some of the features of sniffers. 'Passive Monitoring' applies to all sniffers, but the other features may or may not be supported, depending on the specific sniffer.

  • Passive Monitoring: Sniffers operate discreetly, capturing data "over the air" without actively transmitting any signals. This non-intrusive approach allows them to observe network traffic without interfering with its normal operation or being detected by the network itself or the users being monitored. This is crucial for real-world analysis and security assessments, as it provides an accurate picture of the network's behavior without any artificial influences.
  • Protocol Analysis: LTE/NR sniffers are designed to understand the complex structure of cellular communications. They go beyond simply capturing raw data by decoding and interpreting the various protocol layers used in these technologies. This includes Layer 1 (the physical layer where signals are modulated and transmitted), Layer 2 (which handles tasks like media access control, radio link control, and packet data convergence protocol), and Layer 3 (responsible for radio resource control). By dissecting these layers, sniffers can provide valuable insights into the network's operation, identify potential vulnerabilities, and analyze performance bottlenecks.
  • Frequency Support: LTE/NR networks operate across a range of frequency bands globally. For a sniffer to be effective, it must be compatible with the specific frequencies deployed in the target network. This requires the sniffer's hardware to be capable of tuning to and receiving signals on those specific frequencies. Without the correct frequency support, the sniffer would be unable to capture any data at all.
  • Demodulation and Decoding: LTE/NR utilize sophisticated modulation techniques to efficiently transmit data over the air. These techniques involve encoding information onto radio waves by varying their amplitude and phase. Sniffers must be equipped with demodulation capabilities to reverse this process, extracting the encoded information from the received signals. They need to handle various modulation schemes like QPSK, 16-QAM, 64-QAM (and even higher orders like 256-QAM for NR) to accurately recover the transmitted data. After demodulation, the sniffer further decodes the raw data to reconstruct the higher-layer protocol messages, making the captured information interpretable and analyzable.
  • Bandwidth Support: LTE/NR networks can operate with different channel bandwidths, impacting the amount of data that can be transmitted at a given time. A sniffer must be able to accommodate this variability, handling bandwidths ranging from 1.4 MHz to 20 MHz in LTE and up to 400 MHz in NR. This ensures that the sniffer can capture and analyze data from networks with different configurations and capacity requirements.
  • Multi-Cell Support: Modern LTE/NR networks often employ multiple cells and layers to enhance capacity and coverage. This includes techniques like Carrier Aggregation (CA) in LTE and the use of multiple gNB components in NR. An effective sniffer should be capable of capturing and analyzing data from multiple cells simultaneously, providing a comprehensive view of the network's performance and behavior in a multi-cell environment. This is essential for understanding complex interactions between cells and identifying potential issues related to handover, interference, and resource allocation.

Implementation Example : LTE Sniffer

The LTE Sniffer is an open-source tool designed to capture, decode, and analyze LTE traffic in both the uplink and downlink directions. Developed to overcome the limitations of existing tools, it leverages unencrypted control information within LTE signals to decode traffic. The tool supports researchers in analyzing LTE networks for security, performance optimization, and traffic analysis. It relies on the srsRAN library for its downlink functionality and utilizes specialized hardware like the USRP X-series SDR for uplink operations.

NOTE : LTE Sniffer was implemented by Tuan Dinh Hoang and his team as a research tool, with cellular security as the major use case. I strongly recommend that readers watch the presentation given by Tuan and refer to the paper as well.

Features/Capabilities

The following are the features and capabilities of LTE Sniffer. Even though it is provided as open source (free), its overall capability is impressive, especially because it can capture and decode both downlink and uplink (most open-source sniffers decode only downlink or only uplink, depending on the sniffer's main use case).

  • Dual-Direction Traffic Decoding:
    • Decodes downlink control and data channels (PDCCH, PDSCH).
    • Decodes uplink control and data channels (PUCCH, PUSCH).
  • Open Source:
    • Fully open, enabling customization and integration into research projects.
  • Advanced Decoding Techniques:
    • Utilizes unencrypted Downlink Control Information (DCI) to decode data.
    • Dynamically learns radio configurations and stores decoding parameters for subsequent packets.
  • Security API: Enables researchers to analyze LTE security vulnerabilities, including:
    • Identity Mapping (IMSI to RNTI).
    • Permanent Identity Collection (IMSI tracking).
    • UE Capability Profiling.
  • Data Export:
    • Stores decoded traffic as PCAP files, enabling further analysis using tools like Wireshark.
  • Performance:
    • Handles up to 256 users concurrently for uplink and downlink traffic.

How it works?

The ultimate objective of the LTE Sniffer is to successfully decode both downlink and uplink data channels, specifically the Physical Downlink Shared Channel (PDSCH) and the Physical Uplink Shared Channel (PUSCH). These channels carry the actual user data, such as internet traffic or voice packets, making them crucial for understanding the network's operation and analyzing communication between the User Equipment (UE) and the base station.

Decoding these channels, however, relies heavily on accessing the Downlink Control Information (DCI), which serves as the blueprint for how the data in these channels is structured and transmitted. DCI provides essential details such as resource block allocations, modulation and coding schemes, and the instructions needed for the UE to decode downlink data or transmit uplink data. Despite LTE's overall security design, the DCI itself is transmitted in the Physical Downlink Control Channel (PDCCH) without encryption. This lack of encryption in the DCI is critical for the sniffer's operation, as it allows the tool to intercept and interpret the control information necessary for decoding both downlink and uplink data channels. By leveraging this unencrypted control data, the LTE Sniffer can effectively demodulate and decode the user data that flows through these key channels.

Image Source : LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper

The following shows at which point the LTE Sniffer gets involved. The LTE Sniffer works by decoding DCI sent over the PDCCH, which provides instructions for locating and decoding user data on the PDSCH (downlink) and PUSCH (uplink). The RNTI (Radio Network Temporary Identifier) plays a crucial role in this process because it acts as a unique identifier for each user within a cell. Since multiple UEs communicate with the base station simultaneously, the RNTI allows the sniffer to distinguish which DCI belongs to which UE.

In the downlink, the sniffer captures the DCI along with the associated RNTIs to identify user-specific data in the PDSCH. The DCI tells the sniffer where the data for a particular RNTI (and thus a particular user) is located. In the uplink, the sniffer uses uplink-specific DCI to determine how and where a user sends data on the PUSCH. By mapping the RNTI to the control information, the sniffer can track and decode uplink and downlink traffic for individual users accurately.

The RNTI is essential because, without it, the sniffer cannot associate the DCI instructions with the correct user data. By capturing the unencrypted DCI and linking it to the corresponding RNTI, the LTE Sniffer can reconstruct communication flows between UEs and the base station. This process allows it to decode traffic for multiple users within the cell efficiently, even as resource allocations dynamically change.
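As an added illustration of the "blueprint" role of DCI described above (example code written for this page, not part of LTESniffer), the following Python decodes the two DCI fields that matter most, the resource indication value and the MCS index, into a PDSCH allocation per RNTI, and then builds the per-subframe RNTI-to-PRB map a passive decoder keeps. It assumes DCI format 1A with resource allocation type 2 (localized, contiguous resource blocks) and the 64-QAM MCS table of 3GPP TS 36.213; the DCI field values and RNTIs are constructed. The overlap check at the end is the kind of sanity test a passive decoder needs: blind PDCCH decoding can yield false positives, and two allocations claiming the same PRBs in one subframe is one way to spot them.

```python
"""Turning a decoded DCI into a PDSCH allocation and a per-RNTI subframe map.

Added example, not LTESniffer code. Assumptions: DCI format 1A with resource
allocation type 2 (TS 36.213 7.1.6.3) and the 64-QAM MCS table (TS 36.213
Table 7.1.7.1-1). All DCI values and RNTIs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def mcs_to_qm_itbs(i_mcs: int) -> Tuple[int, Optional[int]]:
    """I_MCS -> (modulation order Q_m, TBS index I_TBS).

    Q_m 2 = QPSK, 4 = 16-QAM, 6 = 64-QAM. I_MCS 29..31 are reserved for
    retransmissions: they fix the modulation but carry no I_TBS.
    """
    if not 0 <= i_mcs <= 31:
        raise ValueError("I_MCS is a 5-bit field")
    if i_mcs <= 9:
        return 2, i_mcs
    if i_mcs == 10:
        return 4, 9
    if i_mcs <= 16:
        return 4, i_mcs - 1
    if i_mcs == 17:
        return 6, 15
    if i_mcs <= 28:
        return 6, i_mcs - 2
    return {29: 2, 30: 4, 31: 6}[i_mcs], None


def decode_riv(riv: int, n_rb_dl: int) -> Tuple[int, int]:
    """Recover (RB_start, L_CRBs) from a resource indication value.

    The encoder uses a short form when L_CRBs - 1 <= floor(N_RB/2) and a long
    form otherwise; the decoder tries the short form first and switches to the
    long form when the result would run past the carrier edge.
    """
    length = riv // n_rb_dl + 1
    start = riv % n_rb_dl
    if start + length > n_rb_dl:
        length = n_rb_dl - riv // n_rb_dl + 1
        start = n_rb_dl - 1 - riv % n_rb_dl
    if start < 0 or length < 1 or start + length > n_rb_dl:
        raise ValueError(f"RIV {riv} is not valid for {n_rb_dl} RBs")
    return start, length


@dataclass(frozen=True)
class Dci1A:
    rnti: int      # RNTI the DCI CRC was scrambled with (constructed value)
    riv: int       # resource indication value (allocation type 2)
    i_mcs: int     # 5-bit MCS index field
    harq_pid: int  # HARQ process number
    ndi: int       # new data indicator
    rv: int        # redundancy version


@dataclass(frozen=True)
class PdschAllocation:
    rnti: int
    rb_start: int
    rb_count: int
    qm: int
    i_tbs: Optional[int]
    rv: int

    @property
    def prbs(self) -> range:
        return range(self.rb_start, self.rb_start + self.rb_count)


def interpret_dci(dci: Dci1A, n_rb_dl: int) -> PdschAllocation:
    """Where (PRBs) and how (Q_m, I_TBS, RV) this RNTI's PDSCH is sent."""
    start, length = decode_riv(dci.riv, n_rb_dl)
    qm, i_tbs = mcs_to_qm_itbs(dci.i_mcs)
    return PdschAllocation(dci.rnti, start, length, qm, i_tbs, dci.rv)


def subframe_allocation_map(dcis: List[Dci1A], n_rb_dl: int
                            ) -> Tuple[Dict[int, PdschAllocation], List[int]]:
    """RNTI -> allocation for one subframe, plus the RNTIs rejected.

    Different UEs never share PRBs in one subframe, so an overlap means at
    least one DCI is a blind-decoding false positive. The decoder cannot tell
    which party is genuine, so every RNTI involved in an overlap is rejected.
    """
    allocs = [interpret_dci(d, n_rb_dl) for d in dcis]
    owners: Dict[int, set] = {}
    for a in allocs:
        for p in a.prbs:
            owners.setdefault(p, set()).add(a.rnti)
    conflicted = {r for s in owners.values() if len(s) > 1 for r in s}
    accepted = {a.rnti: a for a in allocs if a.rnti not in conflicted}
    return accepted, sorted(conflicted)


# Constructed subframe on a 10 MHz carrier (50 RBs): two genuine DCIs and one
# false positive whose allocation (RBs 12..14) collides with RNTI 0x1234.
N_RB_DL = 50
SAMPLE_DCIS = [
    Dci1A(rnti=0x1234, riv=210, i_mcs=18, harq_pid=0, ndi=1, rv=0),  # RBs 10..14
    Dci1A(rnti=0x2345, riv=370, i_mcs=5, harq_pid=3, ndi=0, rv=2),   # RBs 20..27
    Dci1A(rnti=0x0F0F, riv=112, i_mcs=29, harq_pid=1, ndi=1, rv=1),  # RBs 12..14
]

if __name__ == "__main__":
    accepted, rejected = subframe_allocation_map(SAMPLE_DCIS, N_RB_DL)
    for rnti, a in accepted.items():
        print(f"RNTI {rnti:#06x}: PRBs {a.rb_start}..{a.rb_start + a.rb_count - 1}, "
              f"Q_m={a.qm}, I_TBS={a.i_tbs}, RV={a.rv}")
    print("rejected (overlapping allocations):", [f"{r:#06x}" for r in rejected])
```

In real operation the same per-RNTI record is what gets carried forward to the next subframe: once a DCI for an RNTI has been trusted, later DCIs for that RNTI only need to be checked against the stored state rather than decoded from scratch.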

Image Source : LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper

This diagram provides a detailed view of the LTE Sniffer's workflow at signal processing level, illustrating the process of decoding both downlink (DL) and uplink (UL) LTE traffic. The workflow involves multiple stages, starting from signal processing and ending with the final decoding of data channels. Each stage plays a crucial role in handling the complexities of LTE communication, including synchronization, configuration extraction, and decoding.

NOTE : [A1], [A2] and [A3] in this diagram mark the points where the various challenges are met and solved by LTESniffer; they are described under Challenges(Problems) and Solutions below.

Image Source : LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper

The following is a step-by-step breakdown of this process.

  • At the beginning of the process, the Signal Processor captures LTE signals from the air interface for both downlink (DL) and uplink (UL).
  • These raw signals are passed to the Synchronizer, where the following steps occur:
    • DL sync (downlink synchronization).
    • UL sync (uplink synchronization).
  • Synchronization ensures that the sniffer aligns accurately with the LTE subframe timing, which is critical for correct signal interpretation.
  • Once synchronized, the signals move to the Configuration Extractor:
    • The sniffer extracts and decodes the PDCCH (Physical Downlink Control Channel).
    • The PDCCH contains DCI (Downlink Control Information), which provides instructions for locating and decoding data channels.
    • The MCS Table Verifier determines the correct Modulation and Coding Scheme (MCS) to decode data with the appropriate modulation settings.
    • The Radio Configuration Parser extracts dynamic radio parameters, including resource block allocations and channel settings, necessary for interpreting downlink and uplink traffic.
  • In the Data Channel Decoder phase:
    • For downlink, the sniffer uses the DCI from the PDCCH to decode the PDSCH (Physical Downlink Shared Channel), which carries user-specific data sent from the base station to the UE.
    • For uplink, the sniffer applies uplink radio configurations and decodes the PUSCH (Physical Uplink Shared Channel), which contains data sent from the UE to the base station.
  • The final output is the decoded downlink and uplink traffic, which can be further analyzed or stored for research purposes.
    • The process relies on:
      • Extracting DCI from the unencrypted control channel.
      • Synchronizing timing.
      • Adapting to dynamic radio configurations.
    • By following this workflow, the LTE Sniffer effectively reconstructs LTE communication and provides insights into both user-specific and network-level data exchanges.

Advantages Over Other Products

  • Improved Capabilities:
    • Unlike other sniffers like srsLTE's SCOPE, which only supports downlink, LTE Sniffer handles uplink traffic as well.
    • Offers a higher decoding success rate compared to older versions of commercial sniffers.
  • Cost-Effective:
    • Open-source nature makes it accessible for researchers without high costs associated with commercial tools like WaveJudge.
  • Customizable:
    • Open-source code allows researchers to modify and extend functionality to meet specific needs.
  • Research-Oriented:
    • Designed with researchers in mind, providing APIs to explore LTE security issues like location tracking and fingerprinting.

Challenges(Problems) and Solutions

LTE traffic decoding involves several complexities due to the dynamic and partially encrypted nature of the LTE protocol. LTE Sniffer overcomes these challenges through innovative techniques, but the process is far from straightforward. Below is an in-depth explanation of the major challenges and their solutions.

Unknown Modulation Schemes Due to Encryption : A1

LTE dynamically adjusts the modulation and coding scheme (MCS) for each user based on channel conditions. The MCS determines how bits are modulated (e.g., QPSK, 16-QAM, 64-QAM) and encoded. The specific MCS information is transmitted in encrypted control messages (e.g., RRCConnectionReconfiguration), making it inaccessible to the sniffer.

  • Why It's Hard:
    • Without the MCS, the sniffer cannot correctly decode the data packets, as it won't know how to interpret the signal constellation.
  • Solution in LTE Sniffer:
    • Brute-Force Decoding: The sniffer attempts multiple possible MCS configurations to decode the first packet.
    • Learning and Storing: Once the correct MCS is identified, it is stored in a database and reused for subsequent packets from the same UE. This reduces computational overhead for later packets.

Dynamic Radio Configurations for Different UEs : A2

LTE networks optimize radio parameters for each UE based on its channel quality (e.g., signal-to-noise ratio, interference). These configurations include:

  • Resource Block (RB) allocation.
  • Power control settings.
  • Timing advance adjustments.

The base station continuously updates these configurations, and the sniffer must identify them in real time to decode packets correctly.

  • Why It's Hard:
    • Each UE's configuration is unique and changes frequently, requiring the sniffer to adapt dynamically.
  • Solution in LTE Sniffer:
    • Monitoring Radio Setup Procedures: The sniffer captures unencrypted downlink control information (DCI) during initial setup and reconfiguration phases.
    • Configuration Database: Stores detected configurations for each UE, allowing the sniffer to adapt to changes efficiently.
    • Continuous Updates: Monitors base station messages that signal configuration updates and applies them on the fly.

Signal Delay Compensation for Uplink Traffic : A3

In uplink traffic, signals from UEs arrive at the base station with varying delays due to differences in their physical distances. This delay affects the timing of uplink transmissions, causing potential misalignment and incorrect decoding if not compensated.

  • Why It's Hard:
    • The delay varies per UE and is influenced by mobility and environmental factors. A precise estimation of the delay is crucial for accurate decoding.
  • Solution in LTE Sniffer:
    • Using Uplink Reference Signals: LTE requires UEs to send Uplink Reference Signals (UL RS), which the sniffer uses to estimate time delays through channel estimation.
    • General Equalization: Once the delay is calculated, the sniffer applies equalization techniques to align the uplink signals with the correct timing.
    • Real-Time Adjustments: Continuously recalibrates the delay compensation as the UE's position changes or the network configuration is updated.
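The delay estimation in the first solution step, as an added example that is not LTESniffer's code: the uplink reference signal is modelled with a Zadoff-Chu sequence (the basis of the LTE uplink demodulation reference signal), each UE's delay is estimated by correlating the received samples against the sequence the sniffer expects, and the estimate is then used to re-align the samples before demodulation. The sequence length, roots, delays, noise level and the "one root per UE" simplification are assumptions made here (real LTE separates UEs in a cell mainly by cyclic shifts of one base sequence), not details from the paper.

```python
"""Per-UE uplink delay estimation from a known reference sequence.

Added example, not LTESniffer code. Models the UL reference signal as a
Zadoff-Chu sequence (TS 36.211 5.5.1.1 form) and estimates each UE's delay by
circular cross-correlation. Simplification: one ZC root per UE. Roots, delays
and noise level are constructed values.
"""
import cmath
import math
import random
from typing import Dict, List, Tuple

N_ZC = 139  # prime length: ideal autocorrelation, flat cross-correlation between roots


def zadoff_chu(root: int, length: int = N_ZC) -> List[complex]:
    """x_u(n) = exp(-j * pi * u * n * (n + 1) / N_ZC)."""
    return [cmath.exp(-1j * math.pi * root * n * (n + 1) / length) for n in range(length)]


def uplink_channel(refs: Dict[int, List[complex]], delays: Dict[int, int],
                   snr_db: float, seed: int = 7) -> List[complex]:
    """Constructed air interface: each UE's sequence arrives late by its own
    delay (in samples), the UEs add up, then Gaussian noise is added."""
    rng = random.Random(seed)
    n = N_ZC
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per-component std for unit-power signals
    rx = [0j] * n
    for rnti, ref in refs.items():
        d = delays[rnti]
        for i in range(n):
            rx[i] += ref[(i - d) % n]
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in rx]


def estimate_delay(rx: List[complex], ref: List[complex]) -> Tuple[int, float]:
    """Correlate rx against every circular shift of ref; the lag with the
    largest magnitude is the delay estimate. Returns (lag, peak / N)."""
    n = len(ref)
    best_lag, best = 0, 0.0
    for lag in range(n):
        c = sum(rx[i] * ref[(i - lag) % n].conjugate() for i in range(n))
        if abs(c) > best:
            best_lag, best = lag, abs(c)
    return best_lag, best / n


def estimate_delays(rx: List[complex], refs: Dict[int, List[complex]]) -> Dict[int, int]:
    """Run the estimator once per UE, keyed by RNTI."""
    return {rnti: estimate_delay(rx, ref)[0] for rnti, ref in refs.items()}


def realign(rx: List[complex], delay: int) -> List[complex]:
    """Undo the estimated delay so symbol boundaries line up before
    demodulation (the timing part of the equalization step)."""
    n = len(rx)
    return [rx[(i + delay) % n] for i in range(n)]


# Constructed scenario: two UEs at different distances, 5 dB SNR.
UE_REFS = {0x1234: zadoff_chu(3), 0x2345: zadoff_chu(7)}
TRUE_DELAYS = {0x1234: 17, 0x2345: 42}
SAMPLE_RX = uplink_channel(UE_REFS, TRUE_DELAYS, snr_db=5.0)

if __name__ == "__main__":
    for rnti, d in estimate_delays(SAMPLE_RX, UE_REFS).items():
        aligned = realign(SAMPLE_RX, d)
        print(f"RNTI {rnti:#06x}: estimated delay {d} samples (true {TRUE_DELAYS[rnti]}), "
              f"first realigned sample {aligned[0]:.2f}")
```

The O(N^2) correlation loop is fine for a 139-sample illustration; a real implementation would do the same correlation with an FFT, and would re-run it every time a new reference signal arrives, which is the "real-time adjustment" of the third step.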

Reference

  • YouTube
  • OpenSource