
Post on 15-Mar-2018


ctovar@hawk.iit.edu Project Report

GSM Wireshark Capture over OpenBTS System

Cruz Tovar

A20277095

May 2, 2014


Abstract

In the Fall and Spring semesters of 2013 and 2014, my colleague Sushma Sitaram implemented a GSM access point using OpenBTS that is able to use GSM-compatible phones over a VoIP network. To further the project, a software-defined radio (SDR) device and open source applications were implemented to allow the capturing of GSM signals. This project report covers the process involved in implementing the SDR device and outlines, using Wireshark, how the signals traverse the network.


Table of Contents

Abstract
1. Introduction
2. RTL-SDR
3. Airprobe
4. GNU Radio
5. Configuration of Software
   5.1 Airprobe Basic Dependencies
   5.2 Install libosmocore library
   5.3 Clone Airprobe
   5.4 Install gsmdecode
   5.5 Install gsm-receiver
6. Receiving a Live Channel
7. Logical Architecture
   7.1 Base Station Subsystem (BSS)
   7.2 Capture Station
   7.3 Mobile Station (MS)
8. Physical Architecture
9. Ladder Diagram
10. Conclusion
References


1. Introduction

Global System for Mobile communications (GSM) was initially designed as a circuit-switched telecommunications system that provides a direct connection between the caller and the recipient of the call. Over time GSM has evolved and can now be virtualized over IP broadband connections, and little difference is noticeable between the old implementation of GSM and virtualized GSM systems. The GSM setup at IIT uses Open Base Transceiver Station (OpenBTS). OpenBTS uses a software radio to become a GSM access point and allows calls to be made to other GSM phones. This report details how RTL-SDR hardware and other open source software were used to capture bearer and management signals on the GSM network. This report also gives the physical and logical architecture of the Capture Station and shows how a GSM call is transmitted over the network.

2. RTL-SDR

RTL-SDR is an affordable DVB-T TV tuner dongle based on Realtek's RTL2832U chip. What makes this device so popular in the radio frequency community is the discovery that it can function as a software-defined radio receiver. By pairing the RTL-SDR hardware with software, it is possible to use the device to pick up various RF signals, such as ham radio, police scanners, FM radio, and many more. In this project the hardware and software are used to capture GSM signals.

3. Airprobe

Airprobe originally grew out of a previous project known as the GSM-Sniffer project and developed further into a project that can capture GSM signals from the air interface. Airprobe uses several repositories to receive and decode signals; the gsm-receiver repository from Airprobe is used to receive the signals from the air. Currently Airprobe is only capable of decoding the downlink signals (GSM network to mobile phone), but it is able to handle the management (control) channels.

4. GNU Radio

GNU Radio works well with RF hardware to implement software-defined radio devices. It is a software development toolkit that provides the signal-processing blocks through which the RF samples delivered by a hardware device are processed. On its own GNU Radio is not capable of capturing GSM signals; however, when paired with Airprobe it becomes capable of capturing GSM signals.

5. Configuration of Software

Using Kali Linux is a simple way to get an RTL-SDR device working, but there is other software, and there are dependencies, that need to be installed before the device can be used. Kali Linux comes with GNU Radio version 3.6 already installed. Using this version of GNU Radio is essential, as Airprobe is incompatible with version 3.7. After you have a version of Linux and GNU Radio 3.6 installed, you can then install the dependencies needed by Airprobe and the additional libraries that are required.


5.1 Airprobe Basic Dependencies

sudo apt-get -y install git-core autoconf automake libtool g++ python-dev swig libpcap0.8-dev gnuradio-dev cmake git libboost-all-dev libusb-1.0-0 libusb-1.0-0-dev libfftw3-dev swig python-numpy

5.2 Install libosmocore library

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore
autoreconf -i
./configure
make
sudo make install
sudo ldconfig

5.3 Clone Airprobe

git clone git://git.gnumonks.org/airprobe.git

5.4 Install gsmdecode

cd airprobe/gsmdecode
./bootstrap
./configure
make

5.5 Install gsm-receiver

cd airprobe/gsm-receiver
./bootstrap
./configure
make

6. Receiving a Channel

After all dependencies, libraries, and additional software have been installed, the RTL-SDR device should be able to decode a live channel. First open a terminal window, type wireshark and press the enter key to start Wireshark.

Next, navigate to the following directory in the terminal window:

cd airprobe/gsm-receiver/src/python

From that directory, enter the following command to receive a GSM channel. The -s flag sets the sample rate to 1.0 MSPS; if the flag is left out, the default sample rate is 1.8 MSPS.

./gsm_receive_rtl.py -s 1e6


Figure 1: Receiving a GSM Signal [1]

In Figure 1 there is a window titled Top Block. This shows the spectrum of the GSM channel; click in the middle of the GSM channel to start capturing traffic. After you have clicked, you should start seeing traffic in Wireshark. The decoded frames reach Wireshark as GSMTAP packets sent over UDP to the loopback interface (port 4729), so the Wireshark capture must be running on the loopback interface; the display filter gsmtap shows only these frames. To stop capturing traffic, go back to the terminal window with the gsm_receive_rtl.py command and stop it with Ctrl+C.
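The frames that appear in Wireshark in the step above are handed over by the receiver as GSMTAP packets on UDP port 4729 of the loopback interface. The following is an added example, not code from this report or from the airprobe project: it wraps a constructed BCCH frame in a GSMTAP version 2 header the way the receiver does, parses the packet back the way Wireshark's dissector does (rejecting malformed headers), reads the L2 pseudo-length octet that BCCH/CCCH frames carry, and converts the ARFCN from the header to a carrier frequency for each GSM band. The header layout follows libosmocore's gsmtap.h; the SI3 payload (everything after its first three octets), the sample ARFCN, frame number and signal values are constructed for the example.

```python
import socket
import struct

GSMTAP_VERSION = 2
GSMTAP_HDR_WORDS = 4             # header length in 32-bit words (16 bytes)
GSMTAP_UDP_PORT = 4729           # port Wireshark's gsmtap dissector listens on
GSMTAP_TYPE_UM = 0x01            # GSM Um (air interface) L2 frames
GSMTAP_ARFCN_F_PCS = 0x8000      # ARFCN is PCS 1900, not DCS 1800
GSMTAP_ARFCN_F_UPLINK = 0x4000   # frame was sent by the phone (MS -> BTS)
GSMTAP_ARFCN_MASK = 0x3FFF
GSMTAP_CHANNEL = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH",
                  0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8",
                  0x09: "TCH/F", 0x0A: "TCH/H"}
_CHANNEL_CODE = {name: code for code, name in GSMTAP_CHANNEL.items()}
# version, hdr_len, type, timeslot, arfcn, signal_dbm, snr_db, frame_number,
# sub_type, antenna_nr, sub_slot, reserved  (big-endian, 16 bytes)
_HDR = struct.Struct(">BBBBHbbIBBBB")

# Constructed 23-octet BCCH frame: L2 pseudo-length octet 0x49 (18 L3 octets,
# low bits "01"), protocol discriminator 0x06 (RR), message type 0x1B
# (SYSTEM INFORMATION TYPE 3). The rest is 0x2B padding, not a real SI3 body.
SI3_FRAME = bytes.fromhex("49061b") + b"\x2b" * 20


def build_gsmtap(payload, *, arfcn, timeslot, frame_number, channel,
                 sub_slot=0, signal_dbm=-60, snr_db=20, uplink=False, pcs=False):
    """Prefix an L2 frame with a GSMTAP header, as the receiver does before the UDP send."""
    if not 0 <= timeslot <= 7 or not 0 <= frame_number < 2715648:
        raise ValueError("timeslot must be 0..7 and frame number 0..2715647")
    arfcn_field = arfcn & GSMTAP_ARFCN_MASK
    if uplink:
        arfcn_field |= GSMTAP_ARFCN_F_UPLINK
    if pcs:
        arfcn_field |= GSMTAP_ARFCN_F_PCS
    header = _HDR.pack(GSMTAP_VERSION, GSMTAP_HDR_WORDS, GSMTAP_TYPE_UM, timeslot,
                       arfcn_field, signal_dbm, snr_db, frame_number,
                       _CHANNEL_CODE[channel], 0, sub_slot, 0)
    return header + bytes(payload)


def parse_gsmtap(packet):
    """Decode a GSMTAP packet as Wireshark's dissector does; reject malformed headers."""
    if len(packet) < _HDR.size:
        raise ValueError("packet shorter than a GSMTAP header")
    (version, hdr_words, ptype, timeslot, arfcn_field, signal, snr, fn,
     sub_type, _antenna, sub_slot, _reserved) = _HDR.unpack_from(packet)
    hdr_len = hdr_words * 4      # extended headers are allowed; payload starts after them
    if version != GSMTAP_VERSION or ptype != GSMTAP_TYPE_UM:
        raise ValueError(f"unsupported GSMTAP version {version} / type {ptype:#x}")
    if hdr_len < _HDR.size or hdr_len > len(packet):
        raise ValueError(f"bad header length {hdr_len}")
    return {"timeslot": timeslot, "arfcn": arfcn_field & GSMTAP_ARFCN_MASK,
            "uplink": bool(arfcn_field & GSMTAP_ARFCN_F_UPLINK),
            "pcs": bool(arfcn_field & GSMTAP_ARFCN_F_PCS),
            "signal_dbm": signal, "snr_db": snr, "frame_number": fn,
            "channel": GSMTAP_CHANNEL.get(sub_type & 0x7F, f"unknown({sub_type:#x})"),
            "sub_slot": sub_slot, "payload": packet[hdr_len:]}


def l2_pseudo_length(frame):
    """L3 octet count announced by a BCCH/CCCH pseudo-length octet, or None if malformed."""
    if len(frame) != 23 or frame[0] & 0b11 != 0b01:
        return None
    return frame[0] >> 2


def arfcn_to_khz(arfcn, uplink=False, pcs=False):
    """Carrier frequency of an ARFCN in kHz; PCS 1900 numbers overlap DCS 1800, hence the flag."""
    if 0 <= arfcn <= 124:                      # P-GSM 900
        downlink, duplex = 935_000 + 200 * arfcn, 45_000
    elif 975 <= arfcn <= 1023:                 # E-GSM 900 extension band
        downlink, duplex = 935_000 + 200 * (arfcn - 1024), 45_000
    elif 128 <= arfcn <= 251:                  # GSM 850
        downlink, duplex = 869_200 + 200 * (arfcn - 128), 45_000
    elif pcs and 512 <= arfcn <= 810:          # PCS 1900
        downlink, duplex = 1_930_200 + 200 * (arfcn - 512), 80_000
    elif 512 <= arfcn <= 885:                  # DCS 1800
        downlink, duplex = 1_805_200 + 200 * (arfcn - 512), 95_000
    else:
        raise ValueError(f"ARFCN {arfcn} is outside the supported bands")
    return downlink - duplex if uplink else downlink


def send_to_wireshark(packet, host="127.0.0.1", port=GSMTAP_UDP_PORT):
    """Deliver one GSMTAP packet over UDP; Wireshark captures it on the loopback interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (host, port))


if __name__ == "__main__":
    pkt = build_gsmtap(SI3_FRAME, arfcn=50, timeslot=0, frame_number=123456, channel="BCCH")
    frame = parse_gsmtap(pkt)
    print(f"{frame['channel']} TS{frame['timeslot']} FN={frame['frame_number']} "
          f"ARFCN={frame['arfcn']} ({arfcn_to_khz(frame['arfcn']) / 1000:.1f} MHz downlink), "
          f"L3 length {l2_pseudo_length(frame['payload'])} octets")
    send_to_wireshark(pkt)
```

Run the script while Wireshark is capturing on the loopback interface with the display filter gsmtap and the constructed frame appears exactly as the receiver's output does, which makes it a convenient way to confirm the Wireshark side of the setup before the radio is involved. The uplink flag in the ARFCN field is the bit that stays clear in every frame Airprobe produces, since it only decodes the downlink.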


7. Logical Architecture

Figure 2: Logical Architecture of Capture Station and Test Bed Architecture

The logical architecture used to capture GSM signals is composed of three components: the Capture Station, the Base Station Subsystem (BSS), and the Mobile Station (MS).

7.1 Base Station Subsystem (BSS)

The BSS is responsible for managing mobile subscribers over a radio interface to the network they are attempting to access [1]. Two components comprise the BSS: the Open Base Transceiver Station (OpenBTS) and the Base Station Controller (BSC). The OpenBTS used in this BSS setup is an open source product; its conventional equivalent is normally called simply a BTS. However, OpenBTS functions in the same manner as a normal BTS. OpenBTS allows for a call to be mai
