[srslte-users] Downlink sniffer
nauga+srsran at mailbox.org
Thu Jul 8 09:34:42 UTC 2021
Hi,
my goal is to use srsran as downlink sniffer.
Used HW & SW:
• srsran 21.04
• Ubuntu 18.04.5 LTS
• Laptop Intel i5 CPU 8th generation
• USRP B200mini
What is working already:
• Using example pdsch_ue
◦ with small changes and CellScan [1] with also some minor changes (e.g. renaming srslte to srsran) capturing packages with Wireshark
◦ sending packages to localhost with -u and -U in command line & capturing with Wireshark
◦ decoding Channel BCCH & capturing with Wireshark SIB1,2,3,5,6,7,8 (Using SI_RNTI to call function srsran_ue_dl_find_and_decode())
◦ decoding Channel PCCH & capturing with Wireshark Paging Channel with addressed TMSIs (Using P_RNTI)
→ this all works at the same time
• Using FalconEye [2] to capture C-RNTIs
→ this works fine on its own
Goal:
• Capture all at once & additionally to above RRC Connection setup (Downlink) to map C-RNTI to TMSI (I’m referring to this paper [3]), because currently only Falcon or pdsch_ue works
What I tried already:
• Using srsue instead of pdsch_ue for sniffing, but I struggle where to find, intercept and modify srsue
• Using FalconEye instead of pdsch_ue for sniffing, but I struggle where to find, intercept and modify
• using RA-RNTI in pdsch_ue to sniff RAR works ok
• using all C-RNTI in pdsch_ue is too much to call srsran_ue_dl_find_and_decode()
• using all C-RNTIs from FalconEye in pdsch_ue doesn’t work, I can decode Channel DL_CCCH, but I can only capture RRC Connection Reestablishment and some weirdly formatted other ones in Wireshark, but not RRC Connection Setup
• Found this master thesis [4] (chapter 4) which is using srsue, but as mentioned above I’m struggling where to intercept and modify
• Capturing RRC Connection Setup with srsue for my connection works, but I want to sniff all others too
Questions:
• Where to intercept or modify srsue?
• How to capture/sniff RRC Connection setup with pdsch_ue? Or with srsue of other UEs?
• If using FalconEye first and then pdsch_ue, then I’m missing too many C-RNTIs, right?
Many thanks in advance.
Regards,
Dom
[1] https://github.com/xu753x/cellScan
[2] https://github.com/falkenber9/falcon
[3] https://www.syssec.ruhr-uni-bochum.de/media/infsec/veroeffentlichungen/2018/06/28/breaking_lte_on_layer_two.pdf
[4] https://doi.org/10.3929/ethz-b-000462184