Project

General

Profile

Actions

What is GSMTAP?

GSMTAP is a pseudo-header that is used to transport frames from the GSM air interface (Um interface) inside UDP/IP packets

A pseudo-header is an additional header in front of a protocol message, which is not part of the actual protocol.

GSMTAP was inspired by the radiotap header, which performs a similar function for 802.11 (WiFi) messages.

The GSMTAP pseudo-header

The GSMTAP header looks like this:

struct gsmtap_hdr {
        uint8_t version;        /* version, set to 0x01 currently */
        uint8_t hdr_len;        /* length in number of 32bit words */
        uint8_t type;           /* see GSMTAP_TYPE_* */
        uint8_t timeslot;       /* timeslot (0..7 on Um) */

        uint16_t arfcn;         /* ARFCN (frequency) */
        int8_t signal_dbm;      /* signal level in dBm */
        int8_t snr_db;          /* signal/noise ratio in dB */

        uint32_t frame_number;  /* GSM Frame Number (FN) */

        uint8_t sub_type;       /* Type of burst/channel, see above */
        uint8_t antenna_nr;     /* Antenna Number */
        uint8_t sub_slot;       /* sub-slot within timeslot */
        uint8_t res;            /* reserved for future use (RFU) */

} +attribute+((packed));

The full specification can be found as part of libosmocore, in the "include/osmocore/gsmtap.h" header file.

UDP Port number

The IANA has assigned the UDP port 4729 to the GSMTAP protocol.

Software Supporting GSMTAP

A program sending GSMTAP messages (like layer23, airprobe or OpenBTS) will typically have the following structure
  • Receive a GSM Um frame (23 bytes mac block) on the air interface
  • pre-pend it with the GSMTAP header
  • send it via UDP/IP to some IP address.

layer23

The layer23 program is part of OsmocomBB and can be used to grab the messages on the CCCH/BCCH of a GSM cell as they
are received by a OsmocomBB-supported GSM phone.

airprobe

airprobe provides multiple programs implementing a software-defined-radio (SDR) receiver for GSM.
You can capture raw samples of a GSM cell using gnuradio-supported hardware (typically a USRP or USRP2), demodulate+decode
them and send the resulting GSM layer2 frames via GSMTAP.

The gsm-tvoid and gsm-receiver programs of airprobe will both generate GSMTAP messages.

wireshark

Wireshark is a general-purpose protocol analyzer. We have added a so-called dissector for
the GSMTAP pseudo-header to it.

You can use the GSMTAP dissector like you would use wireshark on any other IP-based protocol. You start a capture on the
apropriate network device where the UDP packets containing GSMTAP headers are visible, and wireshark will decode them.

The dissector will attach to all packets that are sent to the IANA-assigned UDP port 4729.

OpenBTS

OpenBTS is a 100% Free Software implementation of the BTS-side Um interface.

It can also generate GSMTAP messages:

Set following variable in OpenBTS cli:

config Control.GSMTAP.TargetIP 224.0.0.1

this will direct all gsmtap traffic to multicast address which will allow you to easily filter it and there'll be no need to use some client (netcat) on receiving end using something like:

tshark -i any -f "port 4729" -w gsm.pcap

OsmoBTS

The OsmoBTS software, also developed by the Osmocom community, is capable of forwarding messages from the GSM air interface (uplink and downlink) via GSMTAP,
please see the gsmtap-sapi command at the trx level of the VTY.

xgoldmon

xgoldmon (https://github.com/2b-as/xgoldmon) is a small program that can be used in combination with a Samsung Galaxy S2/S3 (and possibly other Samsung) phone to trace all the messages exchanged
between the mobile carrier and your phone.

Files (1)
gsmtap.h gsmtap.h 2.11 KB current version of the GSMTAP header file laforge, 08/04/2010 05:51 PM

Updated by zecke over 7 years ago · 8 revisions

Add picture from clipboard (Maximum size: 48.8 MB)