A LAYMAN'S GUIDE TO TRAFFIC ANALYSIS

By Nigel Ballard. 28 Maxwell Road, Winton, Bournemouth, Dorset BH9 1DL, England.
23 July 1990

The question you are now asking is 'what is Traffic Analysis?' And what possible use is it to me? READ ON:

Basically, if you monitor a single channel over a set period of, say, 24 hours and the squelch breaks for a grand total of 15 minutes, you now have two numeric figures to work with, and therefore the means to calculate the density of traffic on that specific channel, which is proportional to the number of users. What possible use is this? You may well ask. Well, if I offer up some of the mechanics suitable to achieve this analysis, then the answer may well be forthcoming.

WHAT INFO YOU HOPE TO EXTRACT

(1) TYPE OF TRAFFIC: who are they? What is being passed over the channel?
(2) CONTROL: which unit is obviously in charge of the net?
(3) CALLSIGNS: quantity, type, is there any apparent structure to them, has an unusual callsign appeared on the net, and if so, why?
(4) MODE: what is the preferred mode? AM/FM, DVP and/or clear.
(5) CODES: are they being used? If so, log them all and try to work out their meaning. The easy ones will usually be the most used.

HOW I CURRENTLY DO IT!

Take one AOR-2002 and link it to an EMP (Embedded Microprocessor Products) SCANMASTER. The Scanmaster, among many other things, will print out a hardcopy record of every time the squelch breaks: the exact time, the signal strength and the time the squelch makes. It will also print, if required, an explanation of the user on this channel (not required in this instance, as we are only sat on one specific frequency, and not scanning or searching a whole bunch). After 24 hours I tear off the printout and calculate the totals. In this example, we will say this channel was active for a total of 15 minutes in a given 24 hour period. Working out that 1,440 minutes make up a 24 hour period, I can now say that the density of the traffic on this frequency is 1.04%.

STILL DOUBLE-DUTCH?
Well, if I was inclined to break up the day into hourly blocks, I could further work out when the density of traffic was high and when it was low. If I monitored this allocation for a month, I could then calculate the mean activity over the period, and also the times of the day when activity is usually higher. BIG DEAL and ISN'T THIS HEAVY GOING, you mutter.

RIGHT YOU SCEPTICS

Suppose you worked for the FCC, or in the UK the DTI, and somebody applies for an extra customer on their community repeater. You say their licence shows they already have a large number of users. The client says that most of his users are only on between 9 till 5, whereas his prospective new client is a security company and will only be working after 5pm. Being a distrusting sort, you set up your SCANMASTER or similar and let technology do all the hard work for you.

ALRIGHT, THAT'S HUNKY DORY FOR THE FCC, BUT I DON'T WORK FOR THEM!

Suppose you consider yourself a fanatical knob twiddler (SCANNER FREAK), you live to achieve excellence in your field, and second best efforts just don't cut it.

HERE'S THE SCENARIO - INTERCEPTING THE NET

Somebody gives you a frequency so discrete that it appears on NO listing, official or otherwise, that you have ever seen. You may be further told that this discrete is in DVP or some other method of HOT encryption. Not daunted by this, you have several approaches to gaining valuable info:

[1] Regardless of whether you can make out what they are saying, if there is traffic on this secret spot frequency, what is the signal strength? If all carriers are of equal strength, are you listening to a single user (one way talk or two frequency simplex)? If so, then try to find the input by taking other users in this band and trying out popular frequency splits. Remember, the output from a repeater will NOT indicate how close they are to you; only the respective inputs will tell you this. Inputs, meaning the mobiles' transmit frequency INTO the repeater.

Remember that repeaters can be both fixed installations and covertly mounted in vans or cars, and then parked on high open ground. Most close range covert work is conducted via low power single frequency simplex radios, thus ensuring a low probability of intercept and an all informed net. LPI, or Low Probability of Intercept, simply means your RF carrier is localised, thus reducing the possibility of radio intercept by outside parties. AIN, All Informed Net, means that by using single frequency simplex, everybody on that particular net can hear everybody else. This is vital in important tactical situations.

[2] If the signal strengths are different, then it could be a base talking to a mobile, or even a near station talking to a distant one. Or in fact two mobiles talking to each other.

[3] And how strong is the strongest signal? Compare the readings with other known users in this band. The radiated output of a specific user will vary dependent on the RF output, antenna height and gain; however, it still remains a useful tool in determining the approximate distance to the target transmission.

DVP OR CLEAR, YOU ARE ALREADY GAINING VALUABLE INFORMATION

If the net is not in a secure mode, then you can start your SIGINT analysis. SIGINT, a much used military term standing for Signals Intelligence, is the gathering of information from what users pass over the net.

NOW TO WHERE EMITTER DENSITY COMES IN

Suppose traffic is normally 1% in every 24 hrs, and all of a sudden the traffic goes up to 50%. What can we assume from this? Well, tie this to the signal strength readings: if traffic goes up and so does the signal strength, then you might rightly assume that something interesting is happening, and it could be in your neighbourhood! Even if they are using DVP 100% of the time you are still not totally in the dark.
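The density sum from the 15 minute worked example, the hourly breakdown, and the "density up and signal strength up" condition just described, worked through as an added Python example that is not from the article. The log format and the sample lines are constructed for this example and are not the real Scanmaster printout format; the 5x-baseline factor is an assumption chosen here.

```python
from collections import defaultdict
from datetime import datetime

MINUTES_PER_DAY = 1440  # the 24 hour period the article works from

# Constructed sample log (not the EMP Scanmaster format):
# "squelch_break squelch_make signal_strength" for one channel over one day.
SAMPLE_LOG = """\
08:02:10 08:02:40 4
08:45:00 08:45:20 4
12:30:00 12:31:00 3
17:10:00 17:14:30 7
17:15:00 17:15:20 6
17:20:00 17:25:00 8
"""

def parse_log(text):
    """Return a list of (break_time, make_time, strength) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            brk, mk, s = line.split()
            entries.append((datetime.strptime(brk, "%H:%M:%S"),
                            datetime.strptime(mk, "%H:%M:%S"), int(s)))
    return entries

def density_percent(entries, period_minutes=MINUTES_PER_DAY):
    """Squelch-open time as a percentage of the period (15 min / 1440 = 1.04%)."""
    active_min = sum((mk - brk).total_seconds() for brk, mk, _ in entries) / 60.0
    return round(100.0 * active_min / period_minutes, 2)

def hourly_blocks(entries):
    """Density and mean signal strength per hourly block: {hour: (pct, mean_s)}.
    A burst is credited to the hour in which the squelch broke; one that
    straddles an hour boundary is not split (a simplification of this example)."""
    seconds, strengths = defaultdict(float), defaultdict(list)
    for brk, mk, s in entries:
        seconds[brk.hour] += (mk - brk).total_seconds()
        strengths[brk.hour].append(s)
    return {h: (round(100.0 * seconds[h] / 3600.0, 2),
                round(sum(strengths[h]) / len(strengths[h]), 2))
            for h in seconds}

def anomalous_hours(entries, baseline_pct, factor=5.0):
    """Hours where density is more than factor x the usual baseline AND the
    mean signal strength is above the day's mean: both density and strength
    up together, the article's 'something interesting, possibly nearby' case."""
    day_mean = sum(s for _, _, s in entries) / len(entries)
    return sorted(h for h, (pct, mean_s) in hourly_blocks(entries).items()
                  if pct > factor * baseline_pct and mean_s > day_mean)
```

Run over a month of daily logs, the per-hour figures give the mean activity by time of day that the next section talks about, and the baseline to feed back into anomalous_hours().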

Experience has shown me that DVP operators often screw things up by chatting on other clear mode systems, or even on the cellular phone, telling loved ones that they are downtown on a big operation, and to please put their dinner in the microwave.

HINT

Often a long burst followed by a shorter burst of less signal intensity indicates a base or control giving out instructions, followed by a 'roger' or 'received' from a mobile unit.

While on the subject of the superb Motorola DVP (expensive as it is), a particular case in point comes to mind. One such very little known discrete suddenly comes alive and, after many attempts, the correct input was located. Hours and hours of the familiar bursts of white noise with the tell-tale faint sync tone near the end were duly heard. Boredom and earache were setting in nicely, until one of the units on the net came up in the clear and gave sufficient info away in one over for yours truly to have their location. About an hour later the same unit came up in the clear again and filled in the rest of the picture for me. Very nice of him to inform me who they were, where they were, and who and obviously what they were after. Now I ask you, what's the damn point in having the best radio kit the budget can stretch to when some prat is hell bent on giving the game away?

UP TO NO GOOD?

Now then, if I was a bad lad, had some brains and some rudimentary equipment, I could run traffic analysis checks on all known interesting allocations, scan the inputs and the outputs to get signal readings, and add to this a Doppler D.F. to locate the rough directions (rough being the operative word); the information gained could be used to my great advantage.

ANALYSIS

Traffic analysis will give you an immense amount of information about a specific net, even before you start to analyse the information sent on that net, particularly if that net is encrypted.

SIGINT

Only of any use if the net is unencrypted or clear traffic is sent on an otherwise encrypted net.

DF

Direction finding. A much overrated science at the best of times; even with the best kit available, results can be spectacularly misleading, often giving a solid bearing of a target transmission that turns out to be a bearing of a reflected signal from a completely different direction, and not a line of sight bearing from the target. This is particularly the case in urban areas where high obstructions abound. The hobbyist with his little circle of red LEDs and a four aperture antenna set-up stands very little chance of getting an accurate bearing in a built up area.

Well, there you have it, more pearls (who's he kidding) of wisdom from the UK. This article was written at several locations when time permitted, and I apologise if it is disjointed, but in amongst the gravy you should find some meat. Any comments on this article should be left on this BBS, or sent to my home address. More to follow when time permits.

Best Regards,
Nigel.