
    From LU9DCE@21:5/101 to BBSRT on Sun Jun 30 17:40:05 2019

    A LAYMAN'S GUIDE TO TRAFFIC ANALYSIS

    By Nigel Ballard. 28 Maxwell Road Winton Bournemouth Dorset
    BH9 1DL England. 23 July 1990


    The question you are now asking is 'what is Traffic Analysis'? And
    what possible use is it to me?

    READ ON:
    Basically, suppose you monitor a single channel over a set period of, say, 24
    hours and the squelch breaks for a grand total of 15 minutes. You now have
    two numeric figures to work with, and therefore the means to calculate the
    density of traffic on that specific channel, which is proportional to the number of users.

    What possible use is this? You may well ask. Well if I offer up some of the mechanics suitable to achieve this analysis, then the answer may well be forthcoming.

    WHAT INFO YOU HOPE TO EXTRACT
    (1) TYPE OF TRAFFIC: who are they? What is being passed over the channel?
    (2) CONTROL: which unit is obviously in charge of the net?
    (3) CALLSIGNS: quantity, type, is there any apparent structure to them,
    has an unusual callsign appeared on the net, and if so why?
    (4) MODE: what is the preferred mode? AM/FM, DVP and/or clear?
    (5) CODES: are they being used? If so, log them all and try to work out
    their meaning. The easy ones will usually be the most used.

    HOW I CURRENTLY DO IT!
    Take one AOR-2002 and link it to an EMP (Embedded Microprocessor Products) SCANMASTER. The Scanmaster, among many other things, will print out a
    hardcopy record of every time the squelch breaks, the exact time, the
    signal strength and the time the squelch makes, and also, if required, an explanation of the user on this channel (not required in this instance,
    as we are only sat on one specific frequency, and not scanning or searching a
    whole bunch). After 24 hours I tear off the printout and calculate the
    totals. In this example, we will say this channel was active for a total of
    15 minutes in a given 24 hour period. Working out that 1,440 minutes
    make up a 24 hour period, I can now say that the density of the traffic
    on this frequency is 1.04%.

    STILL DOUBLE-DUTCH?
    Well if I was inclined to break up the day into hourly blocks I could
    further work out when the density of traffic was high and when it was
    low. If I monitored this allocation for a month, I could then calculate
    the mean activity over the period, and also the times of the day when
    activity is usually higher. BIG DEAL and ISN'T THIS HEAVY GOING you mutter.

    RIGHT YOU SCEPTICS
    Suppose you worked for the FCC, or in the UK the DTI. Somebody
    applies for an extra customer on their community repeater; you say their licence shows they already have a large number of users. The client says
    that most of his users are only on between 9 and 5, whereas his
    prospective new client is a security company and will only be working
    after 5pm. Being a distrusting sort, you set up your SCANMASTER or
    similar and let technology do all the hard work for you.

    ALRIGHT, THAT'S HUNKY DORY FOR THE FCC, BUT I DON'T WORK FOR THEM!
    Suppose you consider yourself a fanatical knob twiddler (SCANNER FREAK),
    you live to achieve excellence in your field, and second best efforts
    just don't cut it.

    HERE'S THE SCENARIO-INTERCEPTING THE NET
    Somebody gives you a frequency, so discrete that it appears on NO
    listing, official or otherwise, that you have ever seen. You may be further
    told that this discrete is in DVP or some other method of HOT
    encryption. Not daunted by this, you have several approaches to gaining valuable info:
    [1] Regardless of whether you can make out what they are saying, if there
    is traffic on this secret spot frequency, what is the signal strength?
    If all carriers are of equal strength, are you listening to a single user
    (one-way talk or two-frequency simplex)? If so, then try to find the
    input by taking other users in this band and trying out popular
    frequency splits. Remember, the output from a repeater will NOT indicate
    how close they are to you; only the respective inputs will tell you this. Inputs, meaning the mobiles' transmit frequency INTO the repeater.
    Remember that repeaters can be both fixed installations and covertly
    mounted in vans or cars, and then parked on high open ground.
    Most close-range covert work is conducted via low-power single-frequency simplex radios, thus ensuring a low probability of intercept and an all-informed net.
    LPI, or Low Probability of Intercept, simply means your RF carrier is
    localised, thus reducing the possibility of radio intercept by outside
    parties.
    AIN, or All Informed Net, means that by using single-frequency simplex, everybody on that particular net can hear everybody else. This is vital
    in important tactical situations.
    [2] If the signal strengths are different, then it could be a base
    talking to a mobile, or even a near station talking to a distant one. Or
    in fact two mobiles talking to each other.
    [3] And how strong is the strongest signal? Compare the readings with
    other known users in this band. The radiated output of a specific user
    will vary depending on the RF output, antenna height and gain; however,
    it still remains a useful tool in determining the approximate distance
    to the target transmission.

    DVP OR CLEAR, YOU ARE ALREADY GAINING VALUABLE INFORMATION

    If the net is not in a secure mode, then you can start your SIGINT
    analysis. SIGINT, a much-used military term standing for Signals
    Intelligence, is the gathering of intelligence from the
    information passed by users over the net.

    NOW TO WHERE EMITTER DENSITY COMES IN
    Suppose traffic is normally 1% in every 24 hrs, and all of a sudden the
    traffic goes up to 50%. What can we assume from this? Well, tie this to
    the signal strength readings: if traffic goes up and so does the signal strength, then you might rightly assume that something interesting is
    happening, and it could be in your neighbourhood! Even if they are using
    DVP 100% of the time, you are still not totally in the dark.
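    The density figure from HOW I CURRENTLY DO IT, the hourly blocks from STILL DOUBLE-DUTCH and the "traffic up and signal strength up" rule above, worked through in code. This is an added example, not part of the article, and the squelch-log record format, the sample logs and the function names are all constructed assumptions rather than a real Scanmaster printout.

```python
# Constructed record format for this example (not a real Scanmaster printout):
#   "HH:MM:SS OPEN S=<0-9>" = squelch breaks, S-meter reading; "HH:MM:SS CLOSE" = squelch makes
MINUTES_PER_DAY = 1440  # the article's 24-hour denominator

# Constructed 24-hour log: 4 + 1 + 10 = 15 active minutes, the article's own figure.
QUIET_LOG = """
08:00:00 OPEN S=5
08:04:00 CLOSE
09:30:00 OPEN S=5
09:31:00 CLOSE
17:15:00 OPEN S=6
17:25:00 CLOSE
"""
BUSY_LOG = "00:00:00 OPEN S=9\n12:00:00 CLOSE\n"  # constructed: one 12-hour burst, 50% density

def parse_log(text):
    """Pair each OPEN with the next CLOSE -> list of (start_sec, duration_sec, strength)."""
    bursts, pending = [], None
    for line in text.strip().splitlines():
        parts = line.split()
        h, m, s = (int(x) for x in parts[0].split(":"))
        t = h * 3600 + m * 60 + s
        if parts[1] == "OPEN":
            pending = (t, int(parts[2].split("=")[1]))
        elif parts[1] == "CLOSE" and pending is not None:
            bursts.append((pending[0], t - pending[0], pending[1]))
            pending = None
    return bursts

def density_percent(bursts, period_minutes=MINUTES_PER_DAY):
    """Active minutes as a percentage of the period (15 / 1440 -> 1.04)."""
    return round(100 * sum(d for _, d, _ in bursts) / 60 / period_minutes, 2)

def hourly_density(bursts):
    """Density per clock hour, splitting any burst that crosses an hour boundary."""
    minutes = {}
    for start, dur, _ in bursts:
        t, end = start, start + dur
        while t < end:  # walk the burst one clock hour at a time
            chunk = min(end, (t // 3600 + 1) * 3600) - t
            minutes[t // 3600] = minutes.get(t // 3600, 0) + chunk / 60
            t += chunk
    return {h: round(100 * m / 60, 2) for h, m in sorted(minutes.items())}

def looks_interesting(bursts, baseline_pct, baseline_strength, factor=5):
    """Article's rule of thumb: density jumps *and* the signals get stronger together."""
    mean_strength = sum(s for _, _, s in bursts) / max(len(bursts), 1)
    return density_percent(bursts) >= factor * baseline_pct and mean_strength > baseline_strength
```

    Feeding a month of daily logs through density_percent gives the mean activity the article mentions, and the hourly map shows which blocks of the day are normally busy, which is the baseline a sudden jump is judged against.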

    Experience has shown me that DVP operators often screw things up by
    chatting on other clear mode systems, or even the cellular phone telling
    loved ones that they are downtown on a big operation, and to please put
    their dinner in the microwave.

    HINT
    Often a long burst followed by a shorter burst of less signal intensity indicates a base or control giving out instructions followed by a
    'roger' or 'received' from a mobile unit.

    While on the subject of the superb Motorola DVP (expensive as it is), a particular case in point comes to mind. One such very little known
    discrete suddenly comes alive; after many attempts, the correct input was located. Hours and hours of the familiar bursts of white noise with the tell-tale faint sync tone near the end were duly heard. Boredom and
    earache were setting in nicely, until one of the units on the net came
    up in the clear and gave sufficient info away in one over for yours truly
    to have their location. About an hour later the same unit came up in
    the clear again and filled in the rest of the picture for me. Very nice of him to inform me who they were, where they were and who, and obviously what,
    they were after. Now I ask you, what's the damn point in having the best
    radio kit the budget can stretch to when some prat is hell bent on giving
    the game away?

    UP TO NO GOOD?
    Now then, if I was a bad lad, had some brains and some rudimentary
    equipment, I could run traffic analysis checks on all known interesting allocations, scan the inputs and the outputs to get signal readings, and add
    to this a Doppler D.F. to locate the rough directions (rough being the operative word). The information gained could be used to my great
    advantage.

    ANALYSIS
    Traffic analysis will give you an immense amount of information about a specific net, even before you start to analyse the information sent
    on that net, particularly if that net is encrypted.

    SIGINT
    Only of any use if the net is unencrypted or clear traffic is sent on an otherwise encrypted net.

    DF
    Direction finding: a much overrated science at the best of times.
    Even with the best kit available, results can be spectacularly misleading,
    often giving a solid bearing of a target transmission, only for it to be a
    bearing of a reflected signal from a completely different direction,
    and not a line-of-sight bearing from the target. This is particularly
    the case in urban areas where high obstructions abound. The hobbyist with
    his little circle of red LEDs and a four-aperture antenna set-up stands
    very little chance of getting an accurate bearing in a built-up area.

    Well there you have it, more pearls (who's he kidding) of wisdom from
    the UK. This article was written at several locations when time
    permitted. I apologise if it is disjointed, but in amongst the gravy
    you should find some meat.

    Any comments on this article should be left on this BBS, or sent to my
    home address.

    More to follow when time permits.

    Best Regards Nigel.


    --- Mystic BBS v1.12 A43 (Linux/32)
    * Origin: HAMRADIO telnet lu9dce.dynu.com (21:5/101)