Project

General

Profile

GSMTAP » History » Version 7

zecke, 09/02/2016 06:50 PM
Remove link

1 6 laforge
{{>toc}}
2 1 laforge
3
4 6 laforge
h1. What is GSMTAP?
5
6
7 1 laforge
GSMTAP is a pseudo-header that is used to transport frames from the GSM air interface (Um interface) inside UDP/IP packets
8
9
A pseudo-header is an additional header in front of a protocol message, which is not part of the actual protocol.
10
11 6 laforge
GSMTAP was inspired by the "radiotap":http://www.radiotap.org/ header, which performs a similar function for 802.11 (WiFi) messages.
12 1 laforge
13
14 6 laforge
h2. The GSMTAP pseudo-header
15
16
17 1 laforge
The GSMTAP header looks like this:
18 6 laforge
<pre>
19 1 laforge
struct gsmtap_hdr {
20
        uint8_t version;        /* version, set to 0x01 currently */
21
        uint8_t hdr_len;        /* length in number of 32bit words */
22
        uint8_t type;           /* see GSMTAP_TYPE_* */
23
        uint8_t timeslot;       /* timeslot (0..7 on Um) */
24
25
        uint16_t arfcn;         /* ARFCN (frequency) */
26
        int8_t signal_dbm;      /* signal level in dBm */
27
        int8_t snr_db;          /* signal/noise ratio in dB */
28
29
        uint32_t frame_number;  /* GSM Frame Number (FN) */
30
31
        uint8_t sub_type;       /* Type of burst/channel, see above */
32
        uint8_t antenna_nr;     /* Antenna Number */
33
        uint8_t sub_slot;       /* sub-slot within timeslot */
34
        uint8_t res;            /* reserved for future use (RFU) */
35
36 6 laforge
} +attribute+((packed));
37
</pre>
38 1 laforge
39 6 laforge
The full specification can be found as part of [[libosmocore]], in the "include/osmocore/gsmtap.h" header file.
40 1 laforge
41
42 6 laforge
h2. UDP Port number
43
44
45 1 laforge
The IANA has assigned the UDP port 4729 to the GSMTAP protocol.
46
47
48
49 6 laforge
h1. Software Supporting GSMTAP
50 1 laforge
51
52 6 laforge
A program sending GSMTAP messages (like [[layer23]], airprobe or [[OpenBTS]]) will typically have the following structure
53
* Receive a GSM Um frame (23 bytes mac block) on the air interface
54
* pre-pend it with the GSMTAP header
55
* send it via UDP/IP to some IP address.
56 1 laforge
57
58 6 laforge
h2. [[layer23]]
59
60
61
The [[layer23]] program is part of [[OsmocomBB]] and can be used to grab the messages on the CCCH/BCCH of a GSM cell as they
62
are received by a [[OsmocomBB]]-supported GSM phone.
63
64
65
h2. airprobe
66
67
68
"airprobe":http://airprobe.org/ provides multiple programs implementing a software-defined-radio (SDR) receiver for GSM.
69 1 laforge
You can capture raw samples of a GSM cell using gnuradio-supported hardware (typically a USRP or USRP2), demodulate+decode
70
them and send the resulting GSM layer2 frames via GSMTAP.
71
72
The gsm-tvoid and gsm-receiver programs of airprobe will both generate GSMTAP messages.
73
74
75 6 laforge
h2. wireshark
76
77
78
"Wireshark":http://www.wireshark.org/ is a general-purpose protocol analyzer.  We have added a so-called _dissector_ for
79 1 laforge
the GSMTAP pseudo-header to it.
80
81
You can use the GSMTAP dissector like you would use wireshark on any other IP-based protocol.  You start a capture on the
82
apropriate network device where the UDP packets containing GSMTAP headers are visible, and wireshark will decode them.
83
84
The dissector will attach to all packets that are sent to the IANA-assigned UDP port 4729.
85
86
87 6 laforge
h2. [[OpenBTS]]
88 1 laforge
89 6 laforge
90
[[OpenBTS]] is a 100% Free Software implementation of the BTS-side Um interface.
91
92 2 laforge
It can also generate GSMTAP messages:
93 3 laforge
94 6 laforge
Set following variable in [[OpenBTS]] cli:
95 3 laforge
96 2 laforge
config Control.GSMTAP.TargetIP 224.0.0.1
97 3 laforge
98 4 laforge
this will direct all gsmtap traffic to multicast address which will allow you to easily filter it and there'll be no need to use some client (netcat) on receiving end using something like:
99
100
tshark -i any -f "port 4729" -w gsm.pcap
101 5 laforge
102
103 7 zecke
h2. The OsmoBTS software, also developed by the Osmocom community, is capable of forwarding messages from the GSM air interface (uplink and downlink) via GSMTAP,
104 6 laforge
please see the _gsmtap-sapi_ command at the trx level of the VTY.
105 5 laforge
106 6 laforge
107
h2. xgoldmon
108
109 5 laforge
110
xgoldmon (https://github.com/2b-as/xgoldmon) is a small program that can be used in combination with a Samsung Galaxy S2/S3 (and possibly other Samsung) phone to trace all the messages exchanged
111 1 laforge
between the mobile carrier and your phone.
Add picture from clipboard (Maximum size: 48.8 MB)