GUIDE TO TRAFFIC ANALYSIS By Nigel

Found at: 0x1bi.net:70/textfiles/file?hamradio/nigelden.ham

                   A LAYMAN'S GUIDE TO TRAFFIC ANALYSIS

By Nigel Ballard.  28 Maxwell Road Winton Bournemouth Dorset
                   BH9 1DL England.    23 July 1990


The question you are now asking is 'what is Traffic Analysis'? And

READ ON:
Basically, if you monitor a single channel over a set period of say 24
to calculate the density of traffic on that specific channel. Which is

What possible use is this? You may well ask. Well if I offer up some of the
mechanics suitable to achieve this analysis, then the answer may well be
forthcoming.

WHAT INFO YOU HOPE TO EXTRACT
(1) TYPE OF TRAFFIC: who are they? what is being passed over the channel
(2) CONTROL: which unit is obviously in charge of the net
(3) CALLSIGNS: quantity, type, is there any apparent structure to them,
(4) MODE: what is the preferred mode? AM/FM, DVP and/or clear
(5) CODES: are they being used? if so, log them all and try and work out
their meaning. The easy ones will usually be the most used.

HOW I CURRENTLY DO IT!
Take one AOR-2002, link it to an EMP (Embedded Microprocessor Products)
SCANMASTER. The Scanmaster among many other things will print out a
explanation of the user on this channel (not required in this instance
as we are only sat on one specific, and not scanning or searching a
totals. In this example, we will say this channel was active for a total of
make up a 24 hour period, I can now say that the density of the traffic
on this frequency is 1.04%.

STILL DOUBLE-DUTCH?
Well if I was inclined to break up the day into hourly blocks I could
further work out when the density of traffic was high and when it was
low. If I monitored this allocation for a month, I could then calculate
the mean activity over the period, and also the times of the day when
activity is usually higher. BIG DEAL and ISN'T THIS HEAVY GOING you mutter.
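
Worked example, added here and not part of Nigel's article: the density arithmetic above, the hourly blocks and the multi-day mean, as a small Python script over a log of carrier (squelch-open) events for one frequency. The log format "YYYY-MM-DD HH:MM:SS,seconds" is an assumption, not the SCANMASTER's real printout, and the sample data is constructed. The last function also flags the "normally 1%, suddenly 50%" jump that the emitter density section further down relies on.

```python
"""Traffic-density analysis of a single channel from a carrier-activity log.

Added example, not part of Nigel's original article. It assumes a log of
carrier events for ONE frequency in the form "YYYY-MM-DD HH:MM:SS,seconds"
(the SCANMASTER printout is modelled as plain text here, which is an
assumption); the sample data below is constructed, not real intercepts.
"""
from datetime import datetime, timedelta
from statistics import median

DAY = 24 * 3600

# Constructed sample log. Three quiet days carry 900 s of traffic each,
# i.e. 1.04 % of 24 h, the figure the article uses; the fourth day is the
# "all of a sudden it goes to 50 %" case.
SAMPLE_LOG = """\
2025-03-03 08:30:00,300
2025-03-03 09:05:00,300
2025-03-03 17:40:00,300
2025-03-04 08:31:00,450
2025-03-04 17:45:00,450
2025-03-05 09:00:00,600
2025-03-05 18:00:00,300
2025-03-06 06:00:00,21600
2025-03-06 14:00:00,21600
"""


def parse_log(text):
    """Return sorted (start datetime, duration in seconds) carrier events."""
    events = []
    for line in text.strip().splitlines():
        stamp, secs = line.split(",")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), float(secs)))
    return sorted(events)


def density(events, start, seconds):
    """Fraction of the window [start, start + seconds) with a carrier present.
    Bursts that straddle a window edge are clipped to the window."""
    end = start + timedelta(seconds=seconds)
    busy = 0.0
    for t0, dur in events:
        t1 = t0 + timedelta(seconds=dur)
        overlap = (min(t1, end) - max(t0, start)).total_seconds()
        if overlap > 0:
            busy += overlap
    return busy / seconds


def _days(events):
    return sorted({t0.date() for t0, _ in events})


def daily_density(events):
    """Density per calendar day: {"YYYY-MM-DD": fraction of the 24 h}."""
    return {d.isoformat(): density(events, datetime.combine(d, datetime.min.time()), DAY)
            for d in _days(events)}


def hourly_profile(events):
    """Mean density for each hour of the day across every day in the log:
    when the net is usually busy and when it is usually quiet."""
    days = _days(events)
    profile = {}
    for hour in range(24):
        per_day = [density(events, datetime.combine(d, datetime.min.time()) + timedelta(hours=hour), 3600)
                   for d in days]
        profile[hour] = sum(per_day) / len(per_day)
    return profile


def flag_spikes(events, factor=5.0):
    """Days whose density exceeds `factor` times the median daily density:
    the 'normally 1 %, suddenly 50 %' sign that something is going on."""
    per_day = daily_density(events)
    baseline = median(per_day.values())
    return {d: v for d, v in per_day.items() if baseline > 0 and v > factor * baseline}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for day, frac in daily_density(ev).items():
        print(f"{day}: {100 * frac:5.2f} % of 24 h")
    busiest = max(hourly_profile(ev).items(), key=lambda kv: kv[1])
    print(f"busiest hour of day: {busiest[0]:02d}:00 (mean {100 * busiest[1]:.1f} %)")
    print("anomalous days:", flag_spikes(ev))
```

The density function clips bursts at the window edges, so a transmission running across midnight or across an hour boundary is counted in each window only for the part that falls inside it; the median baseline, rather than the mean, keeps one busy day from dragging the "normal" figure up.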

RIGHT YOU SCEPTICS
Suppose you worked for the FCC, or in the UK the DTI, somebody
applies for an extra customer on their community repeater, you say their
license shows they already have a large amount of users. The client says
that most of his users are only on between 9 till 5, whereas his
after 5pm. Being a distrusting sort you set up your SCANMASTER or

ALRIGHT, THAT'S HUNKY DORY FOR THE FCC, BUT I DON'T WORK FOR THEM!
Suppose you consider yourself a fanatical knob twiddler (SCANNER FREAK),
you live to achieve excellence in your field, and second best efforts

HERE'S THE SCENARIO-INTERCEPTING THE NET
Somebody gives you a frequency, so discrete that it appears on NO
listing, official or otherwise that you have ever seen. You may be further
told that this discrete is in DVP or some other method of HOT
encryption. Not daunted by this, you have several approaches to gaining
valuable info:
[1] Regardless of whether you can make out what they are saying, if there
is traffic on this secret spot frequency, what is the signal strength?
If all carriers are of equal strength, are you listening to a single user
(one way talk, or a repeater output on a two frequency simplex pair)? If so, then try and find the
input by taking other users in this band and trying out popular
frequency splits. Remember, the output from a repeater will NOT indicate
Remember that repeaters can be both fixed installations and covertly
mounted in vans or cars, and then parked in high open ground.
Most close range covert work is conducted via low power single frequency
informed net.
LPI or Low Probability of Intercept simply means your RF carrier is
localised, thus reducing the possibility of radio intercept by outside
AIN, All Informed Net, means that by using single frequency simplex
everybody on that particular net can hear everybody else. This is vital
in important tactical situations.
[2] If the signal strengths are different, then it could be a base
talking to a mobile, or even a near station talking to a distant one. Or
in fact two mobiles talking to each other.
[3] And how strong is the strongest signal? Compare the readings with
other known users in this band. The radiated output of a specific user
it still remains a useful tool in determining the approximate distance
to the target transmission.

DVP OR CLEAR, YOU ARE ALREADY GAINING VALUABLE INFORMATION

analysis. SIGINT, a much used military term standing for Signals
information passed by users over the net.

NOW TO WHERE EMITTER DENSITY COMES IN
Suppose traffic is normally 1% in every 24 hrs, and all of a sudden the
traffic goes up to 50%. What can we assume from this? Well, tie this to
the signal strength readings: if traffic goes up and so does the signal
DVP 100% you are still not totally in the dark.

Experience has shown me that DVP operators often screw things up by
chatting on other clear mode systems, or even the cellular phone telling
loved ones that they are downtown on a big operation, and to please put
their dinner in the microwave.

HINT
Often a long burst followed by a shorter burst of less signal intensity
indicates a base or control giving out instructions followed by a
'roger' or 'received' from a mobile unit.
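
Added example, not from the article: the signal-strength checks from the intercept scenario above ([1] to [3]) and this hint, turned into code over a constructed list of bursts. Received levels in dBm, the pairing thresholds and the sample bursts are all assumptions; the range estimate assumes equal radiated power and free-space propagation, which the DF caveats later in the article tell you not to trust in a built-up area.

```python
"""Signal-level and burst-pattern analysis of one channel's carrier log.

Added example, not part of Nigel's original article. It assumes each
logged burst carries (start seconds, duration seconds, received level in
dBm); the thresholds and the sample bursts are constructed. The range
estimate ASSUMES equal radiated power and free-space loss.
"""

# Constructed sample: one strong emitter giving long transmissions,
# answered by short, weaker bursts; then a mobile calling in (short, weak,
# followed by a longer strong reply) and a late, unpaired acknowledgement.
SAMPLE = [
    (0.0, 8.0, -60),    # long, strong
    (9.5, 1.5, -85),    # short, weaker, 1.5 s after the previous burst ended
    (40.0, 6.0, -61),
    (47.0, 1.0, -84),
    (120.0, 2.0, -85),  # mobile calling control
    (123.0, 5.0, -60),  # control answering at length
    (300.0, 7.0, -60),
    (315.0, 1.0, -86),  # 8 s of dead air before this one
]


def cluster_levels(bursts, tolerance_db=3.0):
    """Group bursts whose received levels lie within tolerance_db of each
    other. Returns [(low, high, count), ...]. One cluster on a busy channel
    suggests a single emitter (one-way traffic or a repeater output); several
    suggest distinct stations at distinct ranges."""
    clusters = []
    for level in sorted(b[2] for b in bursts):
        if clusters and level - clusters[-1][0] <= tolerance_db:
            clusters[-1].append(level)
        else:
            clusters.append([level])
    return [(c[0], c[-1], len(c)) for c in clusters]


def pair_exchanges(bursts, max_gap=5.0, min_ratio=2.0, min_drop_db=6.0):
    """The article's hint as a rule: a long burst followed within max_gap
    seconds by one at least min_ratio times shorter and min_drop_db weaker is
    read as control instructing, mobile acknowledging.
    Returns [(control_burst, mobile_burst), ...]."""
    ordered = sorted(bursts)
    pairs = []
    for a, b in zip(ordered, ordered[1:]):
        gap = b[0] - (a[0] + a[1])
        if 0 <= gap <= max_gap and a[1] >= min_ratio * b[1] and a[2] - b[2] >= min_drop_db:
            pairs.append((a, b))
    return pairs


def relative_range_km(level_dbm, ref_level_dbm, ref_range_km):
    """Rough range of a target from its received level, relative to a known
    user of this band heard at ref_level_dbm from ref_range_km away.
    ASSUMPTION: equal radiated power and free-space propagation (6 dB per
    doubling of distance, 20 dB per decade). Treat as order of magnitude."""
    return ref_range_km * 10 ** ((ref_level_dbm - level_dbm) / 20)


if __name__ == "__main__":
    print("level clusters:", cluster_levels(SAMPLE))
    for control, mobile in pair_exchanges(SAMPLE):
        print(f"control {control[1]:.1f}s @ {control[2]} dBm -> "
              f"mobile {mobile[1]:.1f}s @ {mobile[2]} dBm")
    # A known base 2 km away is heard at -60 dBm; the weak party is 25 dB down.
    print(f"weak party ~{relative_range_km(-85, -60, 2.0):.0f} km if the assumptions held")
```

Two clusters of levels with long/short, strong/weak pairs between them is the base-and-mobile picture; one cluster, however busy the channel, should send you looking for the repeater input instead, because every carrier you hear is the repeater's and tells you nothing about where the users are.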

While on the subject of the superb Motorola DVP (expensive as it is), A
located. Hours and hours of the familiar bursts of white noise with the
tell-tale faint sync tone near the end were duly heard. Boredom and
earache was setting in nicely, until one of the units on the net comes
up in the clear, gives sufficient info away in one over for yours truly
to have their location. About an hour later the same unit comes up in
the clear again and fills in the rest of the picture for me. Very nice of him
to inform me who they were, where they were and who and obviously what
they were after. Now I ask you, what's the damn point in having the best
the game away.

UP TO NO GOOD?
Now then, if I was a bad lad, had some brains and some rudimentary
equipment, I could run traffic analysis checks on all known interesting
allocations. Scan the inputs and the outputs to get signal readings. Add
to this a Doppler D.F. to locate the rough directions (rough being the
operative word), the information gained could be used to my great
advantage.

ANALYSIS
Traffic analysis will give you an immense amount of information about a
on that net, particularly if that net is encrypted.

SIGINT
Only of any use if the net is unencrypted or clear traffic is sent on an
otherwise encrypted net.

DF
Direction finding, a much overrated science at the best of times;
even with the best kit available, results can be spectacularly misleading,
often giving a solid bearing of a target transmission, only to be a
bearing of a reflected signal from a completely different direction,
and not a line of sight bearing from the target. This is particularly
the case in urban areas where high obstructions abound. The hobbyist with
very little chance of getting an accurate bearing in a built up area.

Well there you have it, more pearls (who's he kidding) of wisdom from
the UK. This article was written at several locations when time
you should find some meat.

Any comments on this article should be left on this BBS, or sent to my

More to follow when time permits.

Best Regards Nigel.