
SNIFFER TECHNOLOGY

CHAPTER 1
INTRODUCTION
One of the most interesting things about the cell phone is that it is really a radio: an
extremely sophisticated radio that uses a band of frequencies and whose basic working is
similar to that of an ordinary cordless phone. Mobile cellular communication has been
appreciated since its birth in the early 70’s, and advances in the field of VLSI have helped
in designing lower-power, smaller but efficient transceivers for the purpose of
communication.
However, the technology has not yet answered the problem of lost or misplaced mobile
phones, which is significantly increasing. In this paper we discuss the problem and a
probable solution. The IMEI number is a unique number embedded in the mobile phone. Its
main purpose is to block calls made by an unauthorized person once the mobile is reported
as stolen, but here we use it for the purpose of detection.
A sniffer, which can also be referred to as a network analyzer, is a piece of software that
analyzes network traffic, decodes it, and presents the packet information so that a network
administrator can use it to help diagnose problems on the network. But because these tools
can be so powerful, they can also give leverage to those of the black hat world by allowing
them to pull plain-text information off the network as well (usernames, passwords,
unencrypted emails, instant message chat, etc.).
Some of the more “legitimate” uses for a sniffer fall to network administrators. Sniffers
can be used to probe the network for bandwidth usage, helping pinpoint which individual
machines may be running malware or simply have wrong network settings. Sniffers are often
used as a practical defense, finding intrusion attempts by detecting inappropriate traffic.
If you were ever going to be in a role where you need to ensure your network is protected,
you would do well to learn how to use a sniffer. I recommend Wireshark (formerly known as
Ethereal); it’s free (as in beer) and well supported with great documentation. Other
alternatives are NAI Sniffer (commercial), tcpdump (*nix), WinDump (Win32), Cain & Abel,
dsniff, and Ettercap (the last three are most specialized for password extraction but can
still be used to test your applications or network protocols).

MRITS-Department of Science and Engineering 1



Sniffers can also be used to bypass security. Many application protocols pass
credentials in plain text or use weak encryption that is easy for a sniffer to decode.
Common examples of insecure protocols are FTP, TELNET, POP3, SMTP, and HTTP
Basic Authentication.
One of the most common hacks that sniffers can be used for, other than password
sniffing, is probably ARP spoofing (ARP poisoning). ARP (Address Resolution Protocol)
allows the network to translate IP addresses into MAC addresses. Essentially,
when one host using IP on the LAN is trying to contact another, it needs the MAC
address of the host it is trying to contact. It first looks in its ARP cache to see if it
already knows the MAC address. Otherwise, it sends out an ARP request (looking for the IP).
In common bus networks like a wired hub or 802.11b, all traffic can be seen by
all hosts whose NICs are in promiscuous mode, but this is not so on a switched network. A
switch looks at the data sent to it and only forwards packets to the intended recipient
based on the MAC address. This helps secure the network by only sending packets to where
they need to go. Programs like arpspoof (part of the dsniff package), Ettercap, or Cain and
Abel can allow you to fool the network by spoofing another machine, making the
network think you have the IP it is looking for, and then funnel its traffic through you.
So, even with a switched network, it’s not too difficult for an attacker to simply
boot up their BackTrack CD, do some ARP spoofing with dsniff or Ettercap, and redirect
traffic through them for the purpose of sniffing.
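
A defensive counterpart to the ARP spoofing described above, as an added example that is not part of the original report: it parses Ethernet/ARP frames and flags a sender IP that appears with a different MAC than the one first seen, or an ARP sender MAC that disagrees with the Ethernet source. The frames, addresses and function names are constructed for illustration.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806


def _mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def sample_frame(oper, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build one Ethernet + ARP frame as bytes (constructed sample data only)."""
    ethernet = _mac(target_mac) + _mac(eth_src or sender_mac)
    ethernet += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet, IPv4, 6, 4
    arp += _mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac(target_mac) + socket.inet_aton(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,  # 1 = request, 2 = reply
        "eth_src": _fmt_mac(frame[6:12]),
        "sender_mac": _fmt_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
    }


def find_binding_conflicts(frames):
    """Return (frame_no, kind, ip, mac_a, mac_b) alerts.

    binding-changed: mac_a is the MAC first seen for ip, mac_b the MAC claimed now.
    src-mismatch:    mac_a is the Ethernet source, mac_b the ARP sender MAC.
    The first-seen binding is kept, so every conflicting frame raises an alert.
    A legitimate change (replaced NIC, new DHCP lease) also alerts and needs review.
    """
    bindings = {}
    alerts = []
    for number, frame in enumerate(frames, 1):
        arp = parse_arp(frame)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append((number, "src-mismatch", ip, arp["eth_src"], mac))
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((number, "binding-changed", ip, known, mac))
    return alerts


# Constructed capture: a gateway, one host, and a third MAC claiming the gateway IP.
GATEWAY = ("00:11:22:33:44:55", "192.168.1.1")
HOST = ("aa:bb:cc:dd:ee:01", "192.168.1.10")
OTHER_MAC = "de:ad:be:ef:00:02"
SAMPLE_FRAMES = [
    sample_frame(2, *GATEWAY, *HOST),                      # 1: genuine reply
    sample_frame(1, *HOST, "ff:ff:ff:ff:ff:ff", GATEWAY[1]),  # 2: host request
    sample_frame(2, OTHER_MAC, GATEWAY[1], *HOST),         # 3: gateway IP, new MAC
    sample_frame(2, *GATEWAY, *HOST),                      # 4: genuine reply again
    sample_frame(2, OTHER_MAC, GATEWAY[1], *HOST),         # 5: conflicting claim again
    sample_frame(2, *HOST, *GATEWAY, eth_src=OTHER_MAC),   # 6: header/body disagree
]

if __name__ == "__main__":
    for alert in find_binding_conflicts(SAMPLE_FRAMES):
        print(alert)
```
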

FIG 1.1 : LOST MOBILE


CHAPTER 2
INTERNATIONAL MOBILE EQUIPMENT IDENTITY
BRIEF EXPLANATION ABOUT IMEI:

The International Mobile Equipment Identity or IMEI is a number, usually unique,
to identify 3GPP and iDEN mobile phones, as well as some satellite phones. It is usually
found printed inside the battery compartment of the phone, but can also be displayed
on-screen on most phones by entering *#06# on the dial pad, or alongside other system
information in the settings menu on smart phone operating systems.

FIG2.1 : SYMBOL OF IMEI

The IMEI number is used by a GSM network to identify valid devices and
therefore can be used for stopping a stolen phone from accessing that network. For
example, if a mobile phone is stolen, the owner can call their network provider and
instruct them to blacklist the phone using its IMEI number. This renders the phone
useless on that network and sometimes other networks too, whether or not the
phone's subscriber identity module (SIM) is changed.

The IMEI is only used for identifying the device and has no permanent or
semi-permanent relation to the subscriber. Instead, the subscriber is identified by
transmission of an International Mobile Subscriber Identity (IMSI) number, which is stored
on a SIM card that can in theory be transferred to any handset.


IMEI AND THE LAW:

Many countries have acknowledged the use of the IMEI in reducing the effect of
mobile phone thefts. For example, in the United Kingdom, under the Mobile Telephones
(Re-programming) Act, changing the IMEI of a phone, or possessing equipment that can
change it, is considered an offence under some circumstances.

IMEI blocking is not the only approach available for combating phone theft. For
example, mobile operators in Singapore are not required by the regulator to implement
phone blocking or tracing systems, IMEI-based or other. The regulator has expressed its
doubts on the real effectiveness of this kind of system in the context of the mobile market
in Singapore. Instead, mobile operators are encouraged to take measures such as the
immediate suspension of service and the replacement of SIM cards in case of loss or theft.

The existence of a formally allocated IMEI number range for a GSM terminal
does not mean that the terminal is approved or complies with regulatory requirements.
The linkage between regulatory approval and IMEI allocation was removed in April
2000, with the introduction of the European R&TTE Directive. Since that date, IMEIs
have been allocated by BABT (or one of several other regional administrators acting on
behalf of the GSM Association) to legitimate GSM terminal manufacturers without the
need to provide evidence of approval.

BLACKLISTS OF STOLEN DEVICES:

When mobile equipment is stolen or lost, the owner can contact their local
operator with a request that it should be blocked from the operator's network, and the
operator can be expected to do so if required by law in the operator's jurisdiction. If the
local operator possesses an Equipment Identity Register (EIR), it then may put the device
IMEI into it, and can optionally communicate this to shared registries, such as the Central
Equipment Identity Register (CEIR) which blacklists the device in switches of other
operators that use the CEIR. With this blacklisting in place the device becomes unusable
on any operator that uses the CEIR, making theft of mobile equipment a useless business
proposition, unless for parts.

The IMEI number is not supposed to be easy to change, making the CEIR
blacklisting effective. However, this is not always the case: a phone's IMEI may be easy
to change with special tools. In addition, IMEI is an un-authenticated mobile identifier (as
opposed to IMSI, which is routinely being authenticated by home and serving mobile
networks). A spoofed IMEI can thwart all efforts to track handsets, or target handsets for
lawful intercept.

Australia was first to implement IMEI blocking across all GSM networks, in
2003. In Australia the Electronic Information Exchange (EIE) Administration Node
provides a blocked IMEI lookup service for Australian customers.

In the UK, a voluntary charter operated by the mobile networks ensures that any
operator's blacklisting of a handset is communicated to the CEIR and subsequently to all
other networks. This ensures the handset will be unusable for calls quite quickly, at most
within 48 hours.

All UK Police forces, including the Metropolitan Police Service, actively check
IMEI numbers of phones found involved in crime against the National Mobile Property
Register (NMPR). The NMPR draws its information from many property databases. One
of the databases consulted is Immobilize, which allows optional (and free) registration of
devices by the public. Such registration ensures that a device coming into police
possession may be easily reunited with its registered owner.

In New Zealand the NZ Telecommunications Forum Inc provides a blocked IMEI
lookup service for New Zealand consumers. The service allows up to three lookups per
day and checks against a database that is updated daily by the three major mobile network
operators. A blocked IMEI cannot be connected to any of these three operators.

In some countries, such blacklisting is not customary. In 2012, major network
companies in the United States, under government pressure, committed to introducing a
blacklisting service, but it's not clear whether it will interoperate with the CEIR. GSM
carriers AT&T and T-Mobile began blocking newly reported IMEIs in November
2012. Thefts reported prior to November 2012 were not added to the database.

It is unclear whether local barring of IMEI has any positive effect, as it may result
in international smuggling of stolen phones.


LIMITATIONS:

IMEIs can sometimes be removed from a blacklist, depending on local
arrangements. This would typically include quoting a password that was chosen at the
time the blacklisting was applied.

STRUCTURE OF THE IMEI AND IMEISV (IMEI SOFTWARE VERSION):

The IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) includes
information on the origin, model, and serial number of the device. The structure of the
IMEI/SV is specified in 3GPP TS 23.003. The model and origin comprise the initial 8-
digit portion of the IMEI/SV, known as the Type Allocation Code (TAC). The remainder
of the IMEI is manufacturer-defined, with a Luhn check digit at the end. For the IMEI
format prior to 2003, the GSMA guideline was to have this Check Digit always
transmitted to the network as zero. This guideline seems to have disappeared for the
format valid from 2003 onwards.

As of 2004, the format of the IMEI is AA-BBBBBB-CCCCCC-D, although it may not
always be displayed this way. The IMEISV drops the Luhn check digit in favor of an
additional two digits for the Software Version Number (SVN), making the format
AA-BBBBBB-CCCCCC-EE.

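Format        AA-BB BB   BB     CC CC CC        D or EE
Old IMEI      TAC        FAC    Serial number   D: (Optional) Luhn checksum
New IMEI      TAC (8 digits)    Serial number   D: (Optional) Luhn checksum
Old IMEISV    TAC        FAC    Serial number   EE: Software Version Number (SVN)
New IMEISV    TAC (8 digits)    Serial number   EE: Software Version Number (SVN)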

TABLE NO 2.1: CHECKING OF IMEI


Prior to 2002, the TAC was six digits long and was followed by a two-digit Final
Assembly Code (FAC), which was a manufacturer-specific code indicating the location of
the device's construction. From January 1, 2003 until April 1, 2004, the FAC for all
phones was 00. After April 1, 2004, the Final Assembly Code ceased to exist and the
Type Allocation Code increased to eight digits in length.

In any of the above cases, the first two digits of the TAC are the Reporting Body
Identifier, which identifies the GSMA-approved group that allocated the TAC. The RBI
numbers are allocated by the Global Decimal Administrator. IMEI numbers being
decimal allows them to be distinguished from an MEID, which is hexadecimal and
always has 0xA0 or larger as its first two hexadecimal digits.

For example, the old style IMEI code 35-209900-176148-1 or IMEISV code
35-209900-176148-23 tells us the following:

TAC: 35-2099 - issued by the BABT (code 35) with the allocation number 2099
FAC: 00 - indicating the phone was made during the transition period when FACs were
being removed.
SNR: 176148 - uniquely identifying a unit of this model
CD: 1 so it is a GSM Phase 2 or higher
SVN: 23 - The "software version number" identifying the revision of the software
installed on the phone. 99 is reserved.

By contrast, the new style IMEI code 49-015420-323751 has an 8-digit TAC of
49-015420.

The new CDMA Mobile Equipment Identifier (MEID) uses the same basic format
as the IMEI.

CHECK DIGIT COMPUTATION:


The last number of the IMEI is a check digit calculated using the Luhn algorithm, as
defined in the IMEI Allocation and Approval Guidelines:

The Check Digit shall be calculated according to Luhn formula (ISO/IEC 7812). (See
GSM 02.16 / 3GPP 22.016). The Check Digit is a function of all other digits in the IMEI.
The Software Version Number (SVN) of a mobile is not included in the calculation.

The purpose of the Check Digit is to help guard against the possibility of incorrect entries
to the CEIR and EIR equipment.

The presentation of the Check Digit both electronically and in printed form on the label
and packaging is very important. Logistics (using bar-code reader) and EIR/CEIR
administration cannot use the Check Digit unless it is printed outside of the packaging,
and on the ME IMEI/Type Accreditation label.

The check digit is not transmitted over the radio interface, nor is it stored in the EIR
database at any point. Therefore, all references to the last three or six digits of an IMEI
refer to the actual IMEI number, to which the check digit does not belong.

The check digit is validated in three steps:

1. Starting from the right, double every other digit (e.g., 7 → 14).
2. Sum the digits (e.g., 14 → 1 + 4).
3. Check if the sum is divisible by 10.

Conversely, one can calculate the IMEI by choosing the check digit that would give a
sum divisible by 10. For the example IMEI 354530085441085.

IMEI                 4   9   0   1   5   4   2   0   3   2   3   7   5   1   x
Double every other   4  18   0   2   5   8   2   0   3   4   3  14   5   2   x
Sum digits           4 + (1 + 8) + 0 + 2 + 5 + 8 + 2 + 0 + 3 + 4 + 3 + (1 + 4) + 5 + 2 + x = 52 + x

TABLE NO 2.2: TO FIND THE IMEI NUMBER

To make the sum divisible by 10, we set x = 8, so the complete IMEI becomes
490154203237518.
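
The three validation steps and the check-digit calculation above, combined with the field layout from the structure section, as an added Python example that is not part of the original report; the function names are hypothetical. It also returns the 14-digit value an EIR would match on, since the text notes that the check digit is not stored in the EIR.

```python
import re


def luhn_check_digit(body14):
    """Return the Luhn check digit for a 14-digit IMEI body (TAC + serial number)."""
    if not re.fullmatch(r"\d{14}", body14):
        raise ValueError("IMEI body must be exactly 14 decimal digits")
    total = 0
    # Walk right to left. The check digit is not part of body14, so the
    # rightmost body digit is the first one to be doubled.
    for position, char in enumerate(reversed(body14)):
        digit = int(char)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9  # same as summing the two digits: 14 -> 1 + 4 = 5
        total += digit
    # Choose the digit that brings the overall sum to a multiple of 10.
    return (10 - total % 10) % 10


def parse_imei(text):
    """Split an IMEI (15 digits) or IMEISV (16 digits) into its fields.

    Hyphens and spaces are ignored. The 8-digit TAC layout is used throughout;
    for old-style numbers the last two TAC digits are the FAC.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{15,16}", digits):
        raise ValueError("expected 15 (IMEI) or 16 (IMEISV) decimal digits")
    body = digits[:14]
    fields = {
        "kind": "IMEI" if len(digits) == 15 else "IMEISV",
        "rbi": body[:2],          # Reporting Body Identifier
        "tac": body[:8],          # Type Allocation Code
        "snr": body[8:],          # serial number
        "eir_key": body,          # the check digit is not stored in the EIR
        "expected_cd": luhn_check_digit(body),
        "cd": None,
        "svn": None,
        "check_ok": None,         # stays None for IMEISV: it carries no check digit
    }
    if fields["kind"] == "IMEI":
        fields["cd"] = int(digits[14])
        fields["check_ok"] = fields["cd"] == fields["expected_cd"]
    else:
        fields["svn"] = digits[14:]
    return fields


if __name__ == "__main__":
    # All sample numbers below are the ones quoted in the text.
    print("check digit for 49015420323751:", luhn_check_digit("49015420323751"))
    for sample in ("490154203237518", "35-209900-176148-1",
                   "35-209900-176148-23", "354530085441085"):
        info = parse_imei(sample)
        print(sample, info["kind"], "TAC", info["tac"], "SNR", info["snr"],
              "CD ok:", info["check_ok"], "SVN:", info["svn"])
```
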

USAGE ON SATELLITE PHONE NETWORKS:

The Broadband Global Area Network (BGAN), Iridium and Thuraya satellite
phone networks all use IMEI numbers on their transceiver units as well as SIM cards in
much the same way as GSM phones do. The Iridium 9601 modem relies solely on its
IMEI number for identification and uses no SIM card; however, Iridium is a proprietary
network and the device is incompatible with terrestrial GSM networks.


WHY ONLY IMEI?

The GSM MoU’s IMEI (International Mobile Equipment Identity) numbering
system is a 15-digit unique code that is used to identify the GSM/DCS/PCS phone.
When a phone is switched on, this unique IMEI number is transmitted and
checked against a database of blacklisted or greylisted phones in the network’s EIR
(Equipment ID Register). This EIR determines whether the phone can log on to the
network to make and receive calls. To find the IMEI number, *#06# has to be
pressed; the number will be displayed on the LCD screen. It is unique to a mobile phone.
If the EIR and IMEI number match, the networks can do a number of things.
For example, grey list or blacklist a phone:
1. Grey listing will allow the phone to be used, but it can be tracked to see who has it (via
the SIM information).
2. Black listing will block the phone from being used on any network where there is an EIR
match.

FIG 2.2: FOR SEARCHING IMEI NUMBER


IMEI EXAMPLE:

Type Approval Code (TAC)

490154    The first two digits are the code for the country approval

TABLE NO 2.3: HOW IMEI IS DIVIDED

FINAL ASSEMBLY CODE (FAC):

01, 02        AEG
07, 40        MOTOROLA
10, 20        NOKIA
30            ERICSSON
40, 41, 44    SIEMENS
47            OPTION INTERNATIONAL
50            BOSCH
51            SONY
51            SIEMENS
51            ERICSSON
60            ALCATEL
70            SAGEM

TABLE NO 2.4: CODES FOR DIFFERENT MOBIL


CHAPTER 3

DESIGNING FOR THE SNIFFER


As stated, this proposal is about the detection of lost mobile phones, and for this
purpose we are designing a new device called the Sniffer. The sniffer device has to be
designed precisely, and its size should be reduced for easy mobility during detection.
The device can be described as a mobile base station that includes the following
important components:
1. Sniffer base station
2. Unidirectional antenna
3. Tracking software

3.1 SNIFFER BASE STATION:

The sniffer is a small base station that includes a transceiver section. It should operate
at a frequency that is much different from the frequency of the current cell in which the
detection is being carried out. One important point is that the frequency to be generated
by the transceiver section is around the 900MHz range, which is a VHF range, and it is
necessary to design the oscillator circuit for that frequency range. Another important
point is the cooling that has to be provided to the circuit when it is designed to operate
in the 900MHz frequency range. Hence proper design of the base station is an important
part of the design of the sniffer. The mobile phones as well as the base station have
low-power transmitters, and the transmitter of the sniffer also has to be a low-power
transmitter. This helps in reducing the interference of the device with the devices that
are in the other cells.


FIGURE 3.1.1: COMMUNICATION IN SNIFFER

3.2 DESIGN OF UNIDIRECTIONAL ANTENNA:

Though the transceiver in a sniffer plays an important role in the detection of the
mobile phone, it is the directional antenna that has the major role in the design
of the transmitter. The directional antenna acts as the eyes of the sniffer for the purpose
of detecting the lost mobile phones. Hence the proper design of the directional
antenna is required. An antenna is a device which works over a specified frequency range
for transmitting or receiving the data signal. In general, antennas transmit power depending
on the lobe pattern, which varies from one antenna to another. The lobe pattern is a
two-dimensional diagram that is used to show the radiation pattern. The radiation pattern
of a directional antenna is shown in the figure below.


FIGURE 3.2.1: UNIDIRECTIONAL ANTENNA RADIATION PATTERN

In addition to this, it is necessary that the transmitter should be a low-power
transmitter. Gain and directivity are intimately related in antennas. The directivity of
an antenna is a statement of how the RF energy is focused in one or two directions.
Because the amount of RF energy remains the same, but is distributed over less area, the
apparent signal strength is higher. This apparent increase in signal strength is the antenna
gain. The gain is measured in decibels over either a dipole (dBd) or a theoretical construct
called an isotropic radiator (dBi). The isotropic radiator is a spherical signal source that
radiates equally well in all directions. One way to view the omnidirectional pattern is
that it is a slice taken horizontally through the three-dimensional sphere. The graphical
representation of the radiation pattern of the unidirectional antenna is shown in the
figure. The spherical coordinate system has three main components for the pattern
representation and they are (R, _ , _ ). The shape of the radiation pattern is independent
of R, as long as R is chosen to be sufficiently large and much greater than the wavelength
as well as the largest dimension of the antenna. The magnitude of the field strength in any
direction varies inversely with R. A complete radiation pattern requires the
three-dimensional representation. The other factors that are to be taken into account
during the development of the antenna for the sniffer are the gain and the directivity, as
these features have a greater effect while designing the antenna. The gain of the antenna is
defined as the ability of the antenna to radiate the power in a particular direction. The
power radiated per unit area in any direction is given by the Poynting vector and is
equivalent to
E2/2 W/m2
The total power that is being radiated by the antenna is given as
W= d

The average power that gets radiated is given as (avg) =W/4 (watts per steradian)
The directivity of the antenna is the direction in which there is maximum gain for
the radiation that is being radiated; the gain of the antenna is given as a function of the
angles. The directivity value is constant for a particular direction. In addition to the
directivity and the gain of the antenna, the other important thing that has to be taken into
account is the power that is being radiated by the antenna. The total power is given as Wt
and is the summation of the radiated power Wr and the ohmic loss of the antenna. Here
Wl represents the ohmic losses of the antenna.
Wt=Wr+Wl
The power gain of the antenna is given as
gp =4/wt
The ratio of the power gain to the directivity is referred to as a measure of the efficiency
of the antenna
gp/gd =Wr/(Wr+Wl)
The power radiated by the antenna should be properly designed, as it causes
more penetration of the electromagnetic radiation and thus might have some effect in
the nearby cells. The effective area of the antenna is another important factor that is
mainly required in the receiving antenna. It may be referred to as the effective aperture
or capture area and is related to the directive gain of the antenna through the relation
A=gd_2/4
Since the sniffer device that is constructed has both the transmitting and the
receiving antenna, the effective gain has to be taken into account; this shows the
ability of the antenna to capture the signal that the lost mobile is
transmitting.

3.3 SOFTWARE FOR THE TRACKING:


The software part plays a major role in the tracking of the lost mobile phone. It is
the base for the antenna to track the lost mobile. The main feature of this software is that
it helps in the creation of the database, and this is mainly done using a
Random-Access Memory.
The mobile phone that is lost has a certain IMEI number that is embedded in the
chip. The RAM of the sniffer device stores the IMEI number of the lost mobile phone.
Thus, this acts as a database or directory of lost mobile phone numbers. The
software is to be designed in such a way that it takes as input the IMEI
number of the lost mobile phone from the RAM, and this is done using the SQL query
that fetches the IMEI number. After getting the lost mobile phone's IMEI number as input,
it checks the COM port to see whether it obtains any signaling
information from the lost device that might respond to the signal sent by the sniffer. The
programming is done in C or Java. However, C is most preferred as it is easily
embedded with the chips. The front end is designed with VB. Oracle SQL is the back
end, as it helps in retrieving the input data from the RAM using the query. However,
the sample program that we have designed does not use Oracle; it takes the input
directly from the keyboard. It is an example, a dummy program created to help in
understanding how the device would work.

FIGURE 3.3.1: OVERVIEW OF TRACKING SOFTWARE


CHAPTER 4

WORKING OF THE SNIFFER DEVICE

The sniffer is basically a transceiver that works at a frequency in the special unused
range operated by the service provider, or it can be designed to operate at a frequency
much different from the one being used by the nearby cells, as there may be a possibility
of interference by the device with the devices in the nearby cells. The working of the
device is as follows. The figures show the working of the sniffer. Fig 4.2 gives the normal
operation of the mobile with the base station: there is a BTS that acts as a middle man in
the process of communication between the mobile and the MTSO, which is popularly known as
the MSC or Mobile Switching Centre. There is always two-way communication between the
devices, and before the communication is established the SIM card, which holds the IMSI or
International Mobile Subscriber Identifier, is authenticated. This IMSI number
helps in the authorization of the user. The second authentication is the authentication of
the handset, which is done in the EIR or Equipment Identifier Register. This register is
located at the MSC and contains the IMEI numbers of lost handsets; if the signal
is obtained from a normal one, the two-way communication is established. Once the
IMEI of the lost mobile phone has been reported to the service provider, the provider
keeps track of the record of lost mobile phones. The MTSO or MSC, which
keeps track of all the mobile phones by IMEI number and IMSI number, has the
information on the lost mobile phone's location, meaning the cell where the lost device is:
because of the two-way communication with the device, the BTS of the
lost device is known to the MSC. Based on this information about the cell in which the
device is located, the sniffer device is introduced.
The figure below shows the sniffer at work detecting the lost device. The IMEI number of
the lost device is provided by the MTSO or MSC and is then fed into the sniffer's main
memory, and the sniffer located in the particular cell starts detecting the lost device.
The sniffer uses a frequency that is different from the one being used by the base
station and the nearby cells. The base station disconnects the connection with the
lost mobile phone, as there is a request for this action from the EIR part of the
MSC. This causes the lost device to search for a BTS to lock onto; since each base
station does not have authorization capability, the lost device sends an appropriate
connection request signal. Now, when the sniffer device is deployed, and since this device
has built-in authorization capability, the lost device finds the sniffer and locks itself to
the frequency of the sniffer. While the connection between the sniffer and the mobile phone
is being established, the IMEI of the lost mobile is validated against the stored IMEI, and
after successful authorization the communication between the sniffer and the lost device is
established. If other devices in the same cell try to communicate with the sniffer, access
is denied; this is done at the validation step, based on the IMEI. Once the communication
starts, the location can be tracked, mainly with the antenna and the signal strength of the
lost device. The process of searching can also be aided with the GPS system for more
accurate and faster detection. The main requirement is that the sniffer is operated at a
frequency that is different from the frequency adopted by the cell and the nearby ones, so
that interference from the nearby cells can be avoided. The directional antenna is used in
finding the location of the mobile phone.

FIGURE 4.1: BEFORE INCREASING THE FREQUENCY


BASE TRANSCEIVER SECTION:


This manages the interface between the network and the mobile station. Hence, it
performs the important function of acting as a hub for the whole of the network
infrastructure. Mobile terminals are linked to the BTS through the air-interface.
Transmission and reception at the BTS with the mobile is done via omnidirectional or
directional antennas (usually having 120-degrees sectors). The major functions of the
base station are transmission of signals in the desired format, coding and decoding of the
signals, countering the effects of multi-path transmission by using equalization
algorithms, encryption of the data streams, measurements of quality and received signal
power, and operation and management of the base station equipment itself.

FIGURE 4.2: GSM ARCHITECTURE


FIGURE 4.3: BLOCK DIAGRAM OF THE BTS

MOBILE TELEPHONE SWITCHING OFFICE (MTSO):


This is operated with respect to the GSM system. In the GSM system, the mobile
handsets used are referred to as mobile stations. The cellular switching center was known as
the MTSO in earlier analog telephone systems such as AMPS.
Currently the MTSO is referred to by the name “MSC”, or Mobile Services Switching
Center, in GSM. There are various types of handoffs or handovers. Most of them are
controlled by the MSC or MTSO. The figure depicts the interfaces of the MTSO or MSC in
a mobile cellular system such as GSM.
FUNCTIONS PERFORMED BY MTSO:
• It serves handoffs initiated by the mobile or the BTS based on channel conditions as well
as movement of the mobile.
• It provides mobile to PSTN subscriber connectivity.
• One MTSO can serve more than one base station (i.e. BTS/BSC). As a result,
handoff is very smooth for larger coverage.
• The MTSO is responsible for providing connections of all mobile phone users with the
telephone central office. This makes long distance communication possible.


FIGURE 4.4: MOBILE TELEPHONE SWITCHING OFFICE

AFTER SNIFFER INCREASES THE FREQUENCY:

FIGURE 4.5: THE CONNECTION OF THE SNIFFER DEVICE WITH LOST MOBILE PHONE

Here the signal strength of the received signal is obtained, and the antenna pattern is
plotted once the signal of the mobile is obtained. The number of antenna patterns for
different positions of the same mobile phone is used to find the exact location. However,
in this method the directional antenna used must be of a very small beam width; this helps
in a more accurate process of detection.

FIGURE 4.6: HOW SNIFFER TRIES TO COMMUNICATE WITH MOBILE
After getting connected with the mobile it creates a virtual cell pattern and thus
helps in the detection of lost mobile phones.

ADVANTAGES:
• This method is used for finding the lost mobile effectively
• Cost effective
• Low power consumption
• Easy to design

DISADVANTAGES:
• Frequency should be maintained correctly because there may be a slight effect of
the reflection of the signal from the ground.
• Even though the directivity of the antenna is less, the direction of propagation should
be restricted.


CHAPTER 5

CONCLUSION
Since the boom of the mobile phone for the purpose of communication, there have been
a large number of complaints regarding lost mobile phones, and no effective method has
been developed for detecting the lost device. The sniffer technology presented here,
“Sniffer for the detection of lost Mobile Phones”, paves a way by means of which lost
mobile phones can be recovered. The process of detection is yet to be developed through
the software; a demo has been developed and is with the authors. The demo has been written
in VB and gives an overview of how the lost mobile is detected, and the software has been
written in C. SQL has to be used for the purpose of querying, and the internal architecture
is of lesser complexity compared to the base station, as this mainly involves the control
signal and there is no need for voice processing. The design involved the following: design
of the sniffer base station, design of the unidirectional antenna, and development of the
tracking software. Though this method appears to be a little complex, involving the design
of the sniffer, for large-scale detection the overall effective cost of the design and
the detection scales down. There are certain boundary conditions or criteria that have to
be met for the identification of the lost mobile: for example, the power of the mobile
should be good enough and the mobile phone should not be in the shadow region. However,
this method can be improved by using modern technologies and devices.
