SDR# TETRA IPv4 network decoding and capturing

Status
Not open for further replies.

polar1

Member
Joined
Mar 12, 2019
Messages
26
Greetings!

Today I am releasing an early version of TETRAMonitor SDR# plugin (property of TSSDR) with packet capturing support.

I've been testing it last night and it successfuly decoded over 200KB of IPv4 packets with 96.6% success rate (good IPv4/UDP length, good IPv4/UDP checksum). I can also confirm some of the UDP datagrams had readable text content in them. SDR# did crash after about 5 and a half hours of capturing, I have to investigate this.

I want anyone who has time and will to try it out and let me know here of any issues, high failure rates, bugs, crashes etc. TSSDR is still developing other functionalities of this plugin, I am currently focusing on getting networking support polished. Any feedback will be much appreciated.

Installation:

0. Get the latest version of SDR# if you don't have it.
1. Copy all provided DLLs into SDR# folder.
2. Add this line to plugins.xml:
XML:
<add key="Tetra1" value="SDRSharp.TetraNetMon.TetraNetMonPlugin,SDRSharp.TetraNetMon"/>
3. Install latest version of Wireshark

Usage:

1. Run SDR#
2. Adjust frequency to TETRA control channel
3. Adjust modulation to NFM
4. Adjust bandwidth to above 25kHz (Personally, I set it to 32kHz, it will probably work fine even with 25kHz)
5. If you are using RTL-SDR, I recommend lowering sample rate to 1.800-2.048 MSPS to avoid data corruption
6. Start capturing and tick "Enabled" checkbox on TETRA plugin

TETRA plugin is now capturing and sending IP packets to named pipe \\.\pipe\TETRAMonitor

Create a new Wireshark shortcut on desktop. It should have this as a target (path might be different, but notice the -ni flag and named pipe at the end):
Code:
"C:\Program Files\Wireshark\Wireshark.exe" -ni \\.\pipe\TETRAMonitor

Run Wireshark with this shortcut. You should now see \\.\pipe\TETRAMonitor in list of interfaces. Double click on it to start capturing.

Now just wait a couple of seconds and if there are any IPv4 packets going around on downlink, they should start appearing in Wireshark soon.

You can switch to other channels to see if there is any data over there (for now manually), but I recommend that you stay on control channels for now because event labels are assigned to mobile stations instead of SSI addresses over there. Plugin collects these allocations and changes them respectively. From my analysis, these allocations happen mostly, in not only on control channels. This is something that still needs to be refined. Event label to SSI relation is needed for more accurate packet reassembly.

NOTES:

- Signal must be of best possible quality for data to be captured without any errors
- this plugin works only on clear, unencrypted networks
- this plugin captures all IPv4 data it stumbles upon, it is upon end user to make sense of it, decode inner UDP datagram contents etc.
- this plugin probably won't capture any uplink (MS to BS) data
- some errors are expected in decoding, especially if signal is bad

DISCLAIMER:

Creators of this plugin are not in any way responsible for any consequences that might get you for capturing/decoding/viewing/sharing data of a private network.
Please use this plugin responsibly and with good intentions.


Download:

Download TETRAMonitor from MEGA.nz

---------------------------------------------

Have fun!
Polar
 
Last edited:

polar1

Member
Joined
Mar 12, 2019
Messages
26
New download link:

Please download plugin from here - TetraVoiceDec.dll has been replaced with newer version.
Download TETRAMonitor from MEGA.nz

IQ files:

If you can provide me with IQ recordings of various networks so I can do more tests, I would appreciate it.

Screenshot:

Some data is masked intentionally

TETRAMon_IPv4.png
 
Last edited:

molay

Member
Joined
Apr 5, 2009
Messages
46
Thanks for the relase, however I have problems to make it work.

Atempting to receiving on know TETRA network with SNDCP data error message resulted in wireshark error "The capture session on \\.\pipe\TETRAMonitor timed out during pipe open: semaphore timeout error 121"

Received is blinking in red in some freq and fixed red on others. number near "config" dont show 0.

BTW could you add a log feature both for errors and for log of network information, or at least a visual indicator of SNDCP capture operation?
 
Last edited:

polar1

Member
Joined
Mar 12, 2019
Messages
26
Thanks for the relase, however I have problems to make it work.

Atempting to receiving on know TETRA network with SNDCP data error message resulted in wireshark error "The capture session on \\.\pipe\TETRAMonitor timed out during pipe open: semaphore timeout error 121"

BTW could you add a log feature both for errors and for log of network information, or at least a visual indicator of SNDCP capture operation?

Hi,

I discussed this issue with @hamradionl today, however I couldn't reproduce it and there is very little info on it online. It seems to be quite random and related to no packets being captured for some time which causes the timeout on a named pipe. I will look into it. You could try setting up SDR# to correct TETRA channel, enabling the decoder and then running Wireshark and connecting to plugin.
Keep in mind there is also a possibility that NPDUs are compressed, in which case you probably won't get much out of it. I stil haven't implemented decompression algorithms.
Logging is 90% implemented, there will be an update, I just need to make it compatible with multiple instances of plugin running at the same time.
This log will contain only SNDCP data. I will also include CMTrace tool from Microsofts Configuration Manager Toolkit to open logs and easily follow them in real time.
 

polar1

Member
Joined
Mar 12, 2019
Messages
26
Update

- added SNDCP signal and data indicators (@molay)
- SIGNAL will blink when any SNDCP PDU is received
- DATA will blink when SN-UDATA or SN-DATA SNPDUs are received

- added logging for main plugin instance - plugin creates TETRA/LOG subdirectory structure in SDR# folder and writes logs here (@molay)
- only control SNDCP PDUs are logged to avoid having huge logfiles
- included CMTrace.exe in zip for opening logs and parsing in real time

- experimental: support multiple instances - add multiple magic lines to plugin.xml and have more than one decoder - useful for tracking of SNDCP traffic across several carriers (they should all have same main carrier) - details below

Download:

Download TETRAMonitor from MEGA.nz

Installation:

0. Get the latest version of SDR# if you don't have it.
1. Copy all provided DLLs into SDR# folder (including NLog.dll).
2. Add this line to plugins.xml:
Code:
<add key="Tetra1" value="SDRSharp.TetraNetMon.TetraNetMonPlugin,SDRSharp.TetraNetMon"/>
2.a For multiple instances, paste the line more than once and change key to Tetra2, Tetra3 etc.
3. Install latest version of Wireshark
4. Create a new Wireshark shortcut on desktop. It should have this as a target (path might be different, but notice the -ni flag and named pipe at the end):
Code:
"C:\Program Files\Wireshark\Wireshark.exe" -ni \\.\pipe\TETRAMonitor0
4.a For multiple instances, create multiple shortcuts and change "0" in pipe name to 1, 2, 3 etc. depending on how many instances of plugin you intend to run. Alternatively, you can run Wireshark from command line using same principles

Usage:

1. Run SDR#
2. Adjust frequency to TETRA control channel
3. Adjust modulation to NFM
4. Adjust bandwidth to above 25kHz (Personally, I set it to 32kHz, it will probably work fine even with 25kHz)
5. If you are using RTL-SDR, I recommend lowering sample rate to 1.800-2.048 MSPS to avoid data corruption
6. Start the capturing and tick "Enabled" checkbox on TETRA plugin (if you have more instances, enable first one)
7. Click on SET button when you change the frequency on SDR# to set the plugin to new carrier

For multiple instances:
8. Move to second carrier frequency, enable second instance of plugin and click SET. Check if all running instances have equal main carrier.
9. Repeat for every instance.
10. Run wireshark
10.a For each instance, open new wireshark and capture from correct named pipe (0 for first, 1 for second instance etc.)
10.b You can merge capture files later.

Known bugs:

- random appearance of Error 121 in Wireshark (not reproduced yet, still investigating) (@molay, @hamradionl)

NOTES:

- Multiple instances might need a lot of processing time, performance and number of possible parallel instances will probably depend on hardware. Don't overdo it, try one first, if it works add second, maybe third instance.
- Don't leave multiple instances on same frequency, this might cause crash.
- Don't run wireshark until you enable decoding.
- Signal must be of best possible quality for data to be captured without any errors
- this plugin works only on clear, unencrypted networks
- this plugin captures all IPv4 data it stumbles upon, it is upon end user to make sense of it, decode inner UDP datagram contents etc.
- this plugin probably won't capture any uplink (MS to BS) data
- some errors are expected in decoding, especially if signal is bad
- this plugin does not support reading data from compressed NPDUs yet

DISCLAIMER:

Creators of this plugin are not in any way responsible for any consequences that might get you for capturing/decoding/viewing/sharing data of a private network.
Please use this plugin responsibly and with good intentions.
 
Last edited:

digiman1

Member
Joined
Aug 9, 2018
Messages
123
Thanks for this! I love anything to do with Digital Modes, especially Tetra.

I have yet to run this and wondered what kind of data we should see? what does it capture exactly? Hopefully by the end of the day I should have this up and running anyway to find out :)
 

polar1

Member
Joined
Mar 12, 2019
Messages
26
Hi,

it captures regular old network traffic, IP packets (same ones you use every day to surf on internet :) )
Wireshark decodes these packets so you can see source and destination IP addresses, ports over which communication happens and what's most interesting, data content of packets. Now if you have luck, you will have some defined regular protocol and wireshark will decode it even further (if it is something known like, say, ping, http, smb etc..), but i would say that this is unlikely. It will probably be some custom data protocol of the software used on endpoints.
I am currently trying to reverse engineer a custom protocol my local public transportation company uses to send timetables to displays around city.
Maybe in a couple of days I won't need to come to station to see when next tram is coming :)

For everyone, please do report all bugs here, this part of decoder is only just written so I know there will be some bugs for sure. I want to make this stable. And have some patience from time to time since I code this only after 10PM when everything else goes silent :)
 
Last edited:

polar1

Member
Joined
Mar 12, 2019
Messages
26
There have been some crashes of sdr# reported. If it happens to someone, please, PM me with contents of crash.txt so I can more easily analyze what the issue could be. Thank you!
 

hamradionl

Member
Joined
Mar 23, 2014
Messages
730
Ok we wait for this wonderful new update, i got the feeling this be a trendy topic very soon :)
 
Last edited:

polar1

Member
Joined
Mar 12, 2019
Messages
26
This is related to using named pipes. Intention was to use them to send packets to wireshark in real time. There is an alternative which I can implement if error 121 keeps coming up and it is to save captured data to PCAP file with plugin and open PCAP file with wireshark. But then real time part of the story is lost, which I do not prefer. I like seeing decoded IP packets as they come in.
I will try to investigate this and fix it for next release. It still seems to be quite random.

It is a bit hard to investigate since I was unable to reproduce it for now.
 

polar1

Member
Joined
Mar 12, 2019
Messages
26
If you meant decyphering encryption, no. Encryption is proprietary and owned by TETRA organization/ETSI. I will not even try doing anything with it and whoever may do it, keep in mind how many troubles it could cause to you - all european national emergency and safety agencies use it...
 

FERRAINAELENA

Member
Joined
May 18, 2015
Messages
17
Location
ITALIA
THANK YOU, YOU'RE VERY PROFESSIONAL THANKS TO YOU. YOU HAVE PERFECTLY REASON, NO REASON FOR THIS. I WISH YOU GOOD WORK.

TO THE NEXT THANKS ,,
 

tsapers

Member
Joined
Aug 25, 2011
Messages
67
Getting this when I double click the "\\.\pipe\TETRAMonitor0" interface in Wireshark:

"The capture session on "\\.\pipe\TETRAMonitor" could not be started due to error on pipe open: The system cannot find the file specified. (error 2)."

What did I miss?
 

hamradionl

Member
Joined
Mar 23, 2014
Messages
730
Not working, polar1 is knowing he is working on a update.
When run WireShark as localhost, there is network data traffic but also notice all data like the internet connection etc etc.
(the program not use local port fwd)
Same as TTT, waiting for update show the binary data in his own window or in wireshark :)
 
Status
Not open for further replies.
Top