GSMTAP » History » Version 3
Anonymous, 02/19/2016 10:48 PM
1 | 1 | laforge | [[PageOutline]] |
---|---|---|---|
2 | |||
3 | = What is GSMTAP? = |
||
4 | |||
5 | GSMTAP is a pseudo-header that is used to transport frames from the GSM air interface (Um interface) inside UDP/IP packets |
||
6 | |||
7 | A pseudo-header is an additional header in front of a protocol message, which is not part of the actual protocol. |
||
8 | |||
9 | GSMTAP was inspired by the [http://www.radiotap.org/ radiotap] header, which performs a similar function for 802.11 (WiFi) messages. |
||
10 | |||
11 | == The GSMTAP pseudo-header == |
||
12 | |||
13 | The GSMTAP header looks like this: |
||
14 | {{{ |
||
15 | struct gsmtap_hdr { |
||
16 | uint8_t version; /* version, set to 0x01 currently */ |
||
17 | uint8_t hdr_len; /* length in number of 32bit words */ |
||
18 | uint8_t type; /* see GSMTAP_TYPE_* */ |
||
19 | uint8_t timeslot; /* timeslot (0..7 on Um) */ |
||
20 | |||
21 | uint16_t arfcn; /* ARFCN (frequency) */ |
||
22 | int8_t signal_dbm; /* signal level in dBm */ |
||
23 | int8_t snr_db; /* signal/noise ratio in dB */ |
||
24 | |||
25 | uint32_t frame_number; /* GSM Frame Number (FN) */ |
||
26 | |||
27 | uint8_t sub_type; /* Type of burst/channel, see above */ |
||
28 | uint8_t antenna_nr; /* Antenna Number */ |
||
29 | uint8_t sub_slot; /* sub-slot within timeslot */ |
||
30 | uint8_t res; /* reserved for future use (RFU) */ |
||
31 | |||
32 | } __attribute__((packed)); |
||
33 | }}} |
||
34 | |||
35 | The full specification can be found as part of [wiki:libosmocore], in the "include/osmocore/gsmtap.h" header file. |
||
36 | |||
37 | == UDP Port number == |
||
38 | |||
39 | The IANA has assigned the UDP port 4729 to the GSMTAP protocol. |
||
40 | |||
41 | |||
42 | = Software Supporting GSMTAP = |
||
43 | |||
44 | A program sending GSMTAP messages (like [wiki:layer23], airprobe or OpenBTS) will typically have the following structure |
||
45 | * Receive a GSM Um frame (23 bytes mac block) on the air interface |
||
46 | * pre-pend it with the GSMTAP header |
||
47 | * send it via UDP/IP to some IP address. |
||
48 | |||
49 | == [wiki:layer23] == |
||
50 | |||
51 | The [wiki:layer23] program is part of OsmocomBB and can be used to grab the messages on the CCCH/BCCH of a GSM cell as they |
||
52 | are received by a OsmocomBB-supported GSM phone. |
||
53 | |||
54 | == airprobe == |
||
55 | |||
56 | [http://airprobe.org/ airprobe] provides multiple programs implementing a software-defined-radio (SDR) receiver for GSM. |
||
57 | You can capture raw samples of a GSM cell using gnuradio-supported hardware (typically a USRP or USRP2), demodulate+decode |
||
58 | them and send the resulting GSM layer2 frames via GSMTAP. |
||
59 | |||
60 | The gsm-tvoid and gsm-receiver programs of airprobe will both generate GSMTAP messages. |
||
61 | |||
62 | == wireshark == |
||
63 | |||
64 | [http://www.wireshark.org/ Wireshark] is a general-purpose protocol analyzer. We have added a so-called ''dissector'' for |
||
65 | the GSMTAP pseudo-header to it. |
||
66 | |||
67 | You can use the GSMTAP dissector like you would use wireshark on any other IP-based protocol. You start a capture on the |
||
68 | apropriate network device where the UDP packets containing GSMTAP headers are visible, and wireshark will decode them. |
||
69 | |||
70 | The dissector will attach to all packets that are sent to the IANA-assigned UDP port 4729. |
||
71 | |||
72 | == OpenBTS == |
||
73 | |||
74 | OpenBTS is a 100% Free Software implementation of the BTS-side Um interface. |
||
75 | |||
76 | 2 | laforge | It can also generate GSMTAP messages: |
77 | 3 | laforge | |
78 | 2 | laforge | Set following variable in OpenBTS cli: |
79 | 3 | laforge | |
80 | 2 | laforge | config Control.GSMTAP.TargetIP 224.0.0.1 |
81 | 3 | laforge | |
82 | 2 | laforge | this will direct all gsmtap traffic to multicast address which will allow you to easily filter it and there'll be no need to use some client (netcat) on receiving end. |