GUIDE TO TRAFFIC ANALYSIS By Nigel

```                   A LAYMAN'S GUIDE TO TRAFFIC ANALYSIS
```

```By Nigel Ballard.  28 Maxwell Road Winton Bournemouth Dorset
```
```                   BH9 1DL England.    23 July 1990
```

```The question you are now asking is 'what is Traffic Analysis'? And
```

```READ ON:
```
```Basically, if you monitor a single channel over a set period of say 24
```
```to calculate the density of traffic on that specific channel. Which is
```

```What possible use is this? You may well ask. Well if I offer up some of the
```
```mechanics suitable to achieve this analysis, then the answer may well be
```
```forthcoming.
```

```WHAT INFO YOU HOPE TO EXTRACT
```
```(1) TYPE OF TRAFFIC: who are they? what is being passed over the channel
```
```(2) CONTROL: which unit is obviously in charge of the net
```
```(3) CALLSIGNS: quantity,type, is there any apparent structure to them,
```
```(4) MODE: what is the preferred mode? AM/FM DVP and/or clear
```
```(5) CODES: are they being used? if so, log them all and try and work out
```
```their meaning. The easy ones will usually be the most used.
```

```HOW I CURRENTLY DO IT!
```
```Take one AOR-2002, link it to an EMP (Embedded Microprocessor Products)
```
```SCANMASTER. The Scanmaster among many other things will print out a
```
```explanation of the user on this channel (not required in this instance
```
```as we are only sat on one specific, and not scanning or searching a
```
```totals. In this example, we will say this channel was active for a total of
```
```make up a 24 hour period, I can now say that the density of the traffic
```
```on this frequency is 1.04%.
```

```STILL DOUBLE-DUTCH?
```
```Well if I was inclined to break up the day into hourly blocks I could
```
```further work out when the density of traffic was high and when it was
```
```low. If I monitored this allocation for a month, I could then calculate
```
```the mean activity over the period, and also the times of the day when
```
```activity is usually higher. BIG DEAL and ISN'T THIS HEAVY GOING you mutter.
```

```RIGHT YOU SCEPTICS
```
```Suppose you worked for the FCC, or in the UK the DTI, somebody
```
```applies for an extra customer on their community repeater, you say their
```
```license shows they already have a large amount of users. The client says
```
```that most of his users are only on between 9 till 5, whereas his
```
```after 5pm. Being a distrusting sort you set up your SCANMASTER or
```

```ALRIGHT, THAT'S HUNKY DORY FOR THE FCC, BUT I DON'T WORK FOR THEM!
```
```Suppose you consider yourself a fanatical knob twiddler (SCANNER FREAK),
```
```you live to achieve excellence in your field, and second best efforts
```

```HERE'S THE SCENARIO-INTERCEPTING THE NET
```
```Somebody gives you a frequency, so discrete that it appears on NO
```
```listing, official or otherwise that you have ever seen. You may be further
```
```told that this discrete is in DVP or some other method of HOT
```
```encryption. Not daunted by this, you have several approaches to gaining
```
```valuable info:
```
```[1] Regardless of wether you can make out what they are saying, if there
```
`s traffic on this secret spot frequency, what is the signal strength?`
`f all carriers are of equal strength, are you listening to a single user`
```(one way talk or two frequency simplex). If so, then try and find the
```
`nput by taking other users in this band and trying out popular`
```frequency splits. Remember, the output from a repeater will NOT indicate
```
```Remember that repeaters can be both fixed installations and covertly
```
```mounted in vans or cars, and then parked in high open ground.
```
```Most close range covert work is conducted via low power single frequency
```
`nformed net.`
```LPI or Low Probability of Intercept simply means your RF carrier is
```
```localised, thus reducing the possibility of radio intercept by outside
```
```AIN All Informed Net, this means that by using single frequency simplex,
```
```everybody on that particular net can hear everybody else. This is vital
```
`n important tactical situations.`
```[2] If the signal strengths are different, then it could be a base
```
```talking to a mobile, or even a near station talking to a distant one. Or
```
`n fact two mobiles talking to each other.`
```[3] And how strong is the strongest signal? compare the readings with
```
```other known users in this band. The radiated output of a specific user
```
`t still remains a useful tool in determining  the approximate distance`
```to the target transmission.
```

```DVP OR CLEAR, YOU ARE ALREADY GAINING VALUABLE INFORMATION
```

```analysis. SIGINT, a much used military term standing for Signals
```
`nformation passed by users over the net.`

```NOW TO WHERE EMITTER DENSITY COMES IN
```
```Suppose traffic is normally 1% in every 24 hrs, all of a sudden the
```
```traffic goes up to 50%, what can we assume from this. Well tie this to
```
```the signal strength readings, if traffic goes up and so does the signal
```
```DVP 100% you are still not totally in the dark.
```

```Experience has shown me that DVP operators often screw things up by
```
```chatting on other clear mode systems, or even the cellular phone telling
```
```loved ones that  they are downtown on a big operation, and to please put
```
```their dinner in the microwave.
```

```HINT
```
```Often a long burst followed by a shorter burst of less signal intensity
```
`ndicates a base or control giving out instructions followed by a`
```'roger' or 'received' from a mobile unit.
```

```While on the subject of the superb Motorola DVP (expensive as it is), A
```
```located. Hours and hours of the familiar bursts of white noise with the
```
```tell-tale feint synch tone near the end were duly heard. Boredom and
```
```earache was setting in nicely, until one of the units on the net comes
```
```up in the clear, gives sufficient info away in one over for yours truly
```
```to have their location. About an hour later the same unit comes up in
```
```the clear again and fills in the rest of the picture for me. Very nice of him
```
```to inform me who they were, where they were and who and obviously what
```
```they were after. Now I ask you, what's the damn point in having the best
```
```the game away.
```

```UP TO NO GOOD?
```
```Now then, if I was a bad lad, had some brains and some rudimentary
```
```equipment, I could run traffic analysis checks on all known interesting
```
```allocations. Scan the inputs and the outputs to get signal readings. Add
```
```to this a Doppler D.F. to locate the rough directions (rough being the
```
```operative word), the information gained could be used to my great
```
```advantage.
```

```ANALYSIS
```
```Traffic analysis will give you an immense amount of information about a
```
```on that net, particularly if that net is encrypted.
```

```SIGINT
```
```Only of any use if the net is unencrypted or clear traffic is sent on an
```
```otherwise encrypted net.
```

```DF
```
```Direction finding, A much overated science at the best of times,
```
```and with the best kit available, results can be spectacularly misleading
```
```often giving a solid bearing of a target transmission, only to be a
```
```bearing of a reflected signal from a completely different direction,
```
```and not a line of site bearing from the target. This is particularly
```
```the case in urban areas where high obstructions abound. The hobbyist with
```
```very little chance of getting an accurate bearing in a built up area.
```

```Well there you have it, more pearls (who's he kidding) of wisdom from
```
```the UK. This article was written at several locations when time
```
```you should find some meat.
```

```Any comments on this article should be left on this BBS, or sent to my
```

```More to follow when time permits.
```

```Best Regards Nigel.
```

``