[srslte-users] Downlink sniffer

Patrick Mayer dashaus417 at yahoo.de
Wed Jul 21 19:43:14 UTC 2021


Hi,
to answer your questions.
1) You have to create a new thread in main.cc which takes over the task, 
this then executes the content of pdsch_ue.c. Then comment out the 
uplink functions in cc_worker.cc starting at line 576, since you don't 
need them and you only want to sniff.

2) As I understand it CellScan manually creates the header which 
Wireshark then interprets correctly and thus displays the SIB packets 
correctly. You have to adapt the header for C-RNTI. Replace the SI-RNTI 
value with a C-RNTI value and make sure that you use the decimal value 
of the C-RNTI and not the hex value. Then the incorrectly formatted 
packets will be displayed correctly.

3) Yes, if you first call FalconEye and then pdsch_ue then you miss all 
C-RNTIs in between.

I hope this helps.
Best,
Patrick

On Thursday, 08.07.2021 at 11:34, nauga+srsran at mailbox.org wrote:
> Hi,
>
> my goal is to use srsran as downlink sniffer.
>
> Used HW & SW:
>     • srsran 21.04
>     • Ubuntu 18.04.5 LTS
>     • Laptop Intel i5 CPU 8th generation
>     • USRP B200mini
>
> What is working already:
>     • Using example pdsch_ue
>         ◦ with small changes and CellScan [1] with also some minor 
> changes (e.g. renaming srslte to srsran) capturing packages with 
> Wireshark
>         ◦ sending packages to localhost with -u and -U in command line 
> & capturing with Wireshark
>         ◦ decoding Channel BCCH & capturing with Wireshark 
> SIB1,2,3,5,6,7,8 (Using SI_RNTI to call function 
> srsran_ue_dl_find_and_decode())
>         ◦ decoding Channel PCCH & capturing with Wireshark Paging 
> Channel with addressed TMSIs (Using P_RNTI)
>       → this all works at the same time
>     • Using FalconEye [2] to capture C-RNTIs
>       → this works fine on its own
>
> Goal:
>     • Capture all at once & additionally to above RRC Connection setup 
> (Downlink) to map C-RNTI to TMSI (I’m referring to this paper [3]), 
> because currently only Falcon or pdsch_ue works
>
> What I tried already:
>     • Using srsue instead of pdsch_ue for sniffing, but I struggle 
> where to find, intercept and modify srsue
>     • Using FalconEye instead of pdsch_ue for sniffing, but I struggle 
> where to find, intercept and modify
>     • using RA-RNTI in pdsch_ue to sniff RAR works ok
>     • using all C-RNTI in pdsch_ue is too much to call 
> srsran_ue_dl_find_and_decode()
>     • using all C-RNTIs from FalconEye in pdsch_ue doesn't work, I 
> can decode Channel DL_CCCH, but I can only capture RRC Connection 
> Reestablishment and some weird formatted other ones in Wireshark, but 
> not RRC Connection Setup
>     • Found this master thesis [4] (chapter 4) which is using srsue, 
> but as mentioned above I’m struggling where to intercept and modify
>     • Capturing RRC Connection Setup with srsue for my connection 
> works, but I want also to sniff all others too
>
> Questions:
>     • Where to intercept or modify srsue?
>     • How to capture/sniff RRC Connection setup with pdsch_ue? Or 
> with srsue of other UEs?
>     • If using FalconEye first and then pdsch_ue then I'm missing too 
> many C-RNTIs right?
>
> Many thanks in advance.
>
> Regards,
> Dom
>
> [1] https://github.com/xu753x/cellScan
> [2] https://github.com/falkenber9/falcon
> [3] 
> https://www.syssec.ruhr-uni-bochum.de/media/infsec/veroeffentlichungen/2018/06/28/breaking_lte_on_layer_two.pdf
> [4] https://doi.org/10.3929/ethz-b-000462184
> _______________________________________________
> srslte-users mailing list
> srslte-users at lists.softwareradiosystems.com
> https://lists.softwareradiosystems.com/mailman/listinfo/srslte-users
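As an added illustration of point 2 in the reply above (not CellScan's or srsRAN's own code): the header that Wireshark's mac-lte dissector reads from UDP is a fixed "mac-lte" signature, three fixed bytes (radio type, direction, RNTI type), optional tagged fields and then the payload, with the RNTI carried as a 16-bit big-endian integer. The constants are taken from Wireshark's public packet-mac-lte.h; the sample MAC PDU bytes are constructed, and the rejection of a bare hex string like "475f" is the check that catches the decimal/hex mix-up the reply warns about.

```python
import struct

# Constants of Wireshark's MAC-LTE UDP framing format (packet-mac-lte.h).
MAC_LTE_START_STRING = b"mac-lte"
FDD_RADIO, TDD_RADIO = 1, 2
DIRECTION_UPLINK, DIRECTION_DOWNLINK = 0, 1
NO_RNTI, P_RNTI, SI_RNTI, C_RNTI, RA_RNTI = 0, 1, 2, 3, 4
MAC_LTE_PAYLOAD_TAG, MAC_LTE_RNTI_TAG, MAC_LTE_SUBFRAME_TAG = 0x01, 0x02, 0x04
# Fixed RNTI values from 3GPP TS 36.321 Table 7.1-1.
SI_RNTI_VALUE, P_RNTI_VALUE = 0xFFFF, 0xFFFE


def parse_rnti(text: str) -> int:
    """Turn an RNTI string as printed by a tool into the integer the header needs.

    Only a '0x' prefix marks hex; everything else is read as decimal, so
    '0x475f' and '18271' both give 18271, while a bare '475f' is rejected
    rather than silently misread.
    """
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0x0001 <= value <= 0xFFF3:  # FFF4-FFFF are reserved or fixed RNTIs
        raise ValueError(f"not a UE-specific RNTI: {text}")
    return value


def build_mac_lte_frame(rnti_type: int, rnti: int, sfn: int, sf: int, mac_pdu: bytes) -> bytes:
    """Prefix a downlink MAC PDU with the framing the mac-lte dissector expects."""
    frame = MAC_LTE_START_STRING + bytes([FDD_RADIO, DIRECTION_DOWNLINK, rnti_type])
    if rnti_type != NO_RNTI:
        frame += bytes([MAC_LTE_RNTI_TAG]) + struct.pack(">H", rnti)  # 16-bit big-endian
    frame += bytes([MAC_LTE_SUBFRAME_TAG]) + struct.pack(">H", (sfn << 4) | sf)
    return frame + bytes([MAC_LTE_PAYLOAD_TAG]) + mac_pdu


def parse_mac_lte_frame(frame: bytes) -> dict:
    """Decode the framing back, field by field, the way the dissector reads it."""
    if not frame.startswith(MAC_LTE_START_STRING):
        raise ValueError("missing mac-lte signature")
    pos = len(MAC_LTE_START_STRING)
    info = {"radio": frame[pos], "direction": frame[pos + 1], "rnti_type": frame[pos + 2]}
    pos += 3
    while frame[pos] != MAC_LTE_PAYLOAD_TAG:
        tag = frame[pos]
        if tag == MAC_LTE_RNTI_TAG:
            info["rnti"] = struct.unpack(">H", frame[pos + 1:pos + 3])[0]
        elif tag == MAC_LTE_SUBFRAME_TAG:
            sfn_sf = struct.unpack(">H", frame[pos + 1:pos + 3])[0]
            info["sfn"], info["sf"] = sfn_sf >> 4, sfn_sf & 0xF
        else:
            raise ValueError(f"unhandled tag 0x{tag:02x}")
        pos += 3  # every tag handled here carries a 2-byte value
    info["mac_pdu"] = frame[pos + 1:]
    return info
```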
