This is a static archive of our old Q&A Site. Please post any new questions and answers at

Sniffing 3G/4G packets ?


Can we use wireshark to sniff 3G/4G packets from nearby cellphones ?

asked 15 Oct '14, 02:44

Aru's gravatar image

accept rate: 0%

2 Answers:


No, you can't, Wireshark does not have the ability to tap into 3G/4G wireless networks.

answered 15 Oct '14, 02:46

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

See also the answer to this similar question.

(15 Oct '14, 17:30) Guy Harris ♦♦


If the question is meant in the paranoid sense, as "Is it possible for other people to see my traffic over the radio network?", it's likely not going to be possible for them because virtually all operators negotiate encryption with your phone for both your IP payload as well as most signaling exchanges, however a few things to keep in mind:

1) With specialized tools, it is possible to 'listen' to the radio interface on licensed frequency bands (like Wifi, these are broadcasted messages over the air so there's no stopping that).

2) While I've never seen it done outside of lab/test environments, it is possible to avoid encryption altogether for these radio types, including both signaling (RRC/NAS) and payload. Those are separately negotiated between the phone and the network, though again I would be surprised if too many networks allow unciphered connections.

3) It is always possible for other people to intercept IMSI numbers (unique ID of a SIM card, similar to a MAC address) over the radio network because that is used prior to encryption negotiation. That is minimized somewhat because networks will assign temporary identifiers ("GUTIs" for LTE networks, or just "TMSIs/P-TMSIs" for legacy networks), meaning subsequent connections can use these temporarily assigned numbers in plain-text rather than the SIM's IMSI number. Also note that while IMSIs are interceptable they are not enough to impersonate, since they are virtually always (and in a real-world network, literally always) challenged by the network when they connect.

4) The phone's IMEI wouldn't be authenticated (at least, not within the 3GPP standardized call flows), however they are not transmitted over the network until after signaling encryption is negotiated so they should not be vulnerable to over-the-air interception.

answered 15 Oct '14, 18:57

Quadratic's gravatar image

accept rate: 13%

edited 15 Oct '14, 19:01

In the context of point 3 " 3) It is always possible for other people to intercept IMSI numbers (unique ID of a SIM card, similar to a MAC address) over the radio network because that is used prior to encryption negotiation......" in the answer above

Is there any tool, code, app that is available to intercept the IMSI numbers? I have a requirement to capture just the unique identifier of the mobile phones / GPRS modules around me. In my use case, the mobile phones/gprs modules would be transmitting data over 2G or 3G. Please point me to any tool that can help me do capture a unique identifier or the phone/gprs module.

(03 Oct '15, 18:18) Murali

To be more specific, is there an android app or code that can be run on an android phone that can identify IMSI numbers or any other unique identifier of mobile phones/gprs modules that are transmitting data around me.

(03 Oct '15, 19:05) Murali

In short I don't think you're going to be able to accomplish what you want by passively scanning the radio. For one thing, the vast majority of signaling from the other phones will be with temporary identifiers rather than IMSIs, so even if you could set up a scan you would find a small minority of what's really there in terms of unique, permanent identifiers for a device or SIM.

Further, to even start a scan like this you'd need a level of control over the chipset in your device which is not normally available to apps running on the phone. You can get special tools for that, usually from the chipset manufacturers themselves, but at that point you're not talking about an app you can write and make available in an app store (you do not, as an IOS or Android developer, have access into the API of the chipset to do something like order a scan and save the RRC control channel data into something your program can work with). Even if you had such access, you'd have the problem of knowing what frequency to scan on since cellular networks can use a broad range of licensed frequency bands (they do not all contend with each other over just three 2.4 GHz bands like Wifi does).

So, for your goal I see two ways to approach it, depending who you are.

If you are the operator, SGSN(s) are likely the best place to look in "3G" UMTS networks since they own all P-TMSI/IMSI mappings and they know the mobility state of all subscribers registered on them, with different levels of precision depending on the device state. An API into the SGSNs that retrieves such data could be cross-referenced against cell locations to map out what devices are where. There are other places like the towers, the RNCs, etc., but that's one working concept.

If you're not the operator, and just a user, then the most practical way may be to write an app (or use use an existing one) that has your own device reports its own usage and location to a common database. That way your users 'volunteer' the information to you for use by the app.

(04 Oct '15, 15:52) Quadratic

Hi Quadratic, I am not an operator, I am only a user. Having own device report location is not an option. What I am trying to do is - get own device report the location of another device (which is mounted on an asset/vehicle) that I know has a certain IMSI or IMEI or any other such unique identifier. So, as the vehicle drives past my own device, I want to be able to report the location of that vehicle. I will know which mobile operator that the device is subscriped to - so I will know before hand the frequeny to scan.

With the above information, do you think there is some way of achieving what I am trying to do?

On top of above, if I assume that I have root access to the android device on which I install the app, then is there a way to do it?

(04 Oct '15, 23:23) Murali

So, as the vehicle drives past my own device, I want to be able to report the location of that vehicle.

I'm sorry, but can you please tell us what the use case is for such a "test"??

(05 Oct '15, 01:22) Kurt Knochner ♦

Hi, We have public transport buses with GPS-GPRS trackers. But the location data is not open. So I am trying to figure out a way to get the location data myself.

(05 Oct '15, 03:00) Murali

How would that help you? You would need several hundred or several thousand 'probing stations' to figure out where a bus is currently located !?! Can you please add more details?

(05 Oct '15, 03:09) Kurt Knochner ♦

Well, what you are looking for is an IMSI catcher ( ), which is something that is not supposed to be available for common users.

(05 Oct '15, 03:10) Pascal Quantin

Yes, I would need hundreds of "probing stations". I plan to crowd-source them ( in the form of smartphones with an app running on them).

(05 Oct '15, 03:28) Murali

First of all you will not be able to do it with a simple smartphone (without being able to completely change the 2G baseband modem SW), and moreover there are high chances this is not legal...

(05 Oct '15, 05:09) Pascal Quantin

I only need to detect the presence of a gps-gprs module. I won't be looking into the data that is exchanged. If I am open to taking a smartphone and completely changing the 2G baseband modem SW, then how do I go about doing it?

(05 Oct '15, 17:21) Murali

How would you crowd source such a thing? Murali, when I said that IOS/Android APIs do not exist for device developers to control the chipset of the phone at this level, that means you can't just write an app for it and source it on the playstore.

This idea is just sooooo prone to failure. You have no readily-available way to source a device or modify your own to perform this type of scan, if you did you would have no way to distribute it, if you did that would likely not be legal, and even if it was you still would have more misses than hits due to the use of temporary identifiers. And even THEN, with the few SIMs whose IMSIs you could retrieve, you couldn't reliably track them since they'd be flipping temporary P-TMSI all through the day, so it would be like ball and cups, where you wouldn't be looking most of the time.

The thing is, you're not supposed to have that kind of data which is why networks are designed to prevent you from getting it easily. Man-in-the-middle attacks which exploit GSM are exactly that - attacks - which aren't meant to be possible and which really should not be done. Think for a moment about what such an application, which tracks the location of other users SIM cards, could be used for. That's why it is actively prevented, why IMEIs are never transmitted without encryption and why permanent IMSI identifiers are transmitted only out of necessity in a minimal number of mobility procedures.

(05 Oct '15, 20:46) Quadratic

I plan to crowd-source them ( in the form of smartphones with an app running on them).

smartphone apps to track moving public buses? Besides the technical problems on the phone (see comments of @Quadratic) I see problems with 'logistics' as well. Let's assume you would be able to create such an app: Did you estimate/calculate how many smartphones/people (with your app) you would need to get meaningful statistical data? I mean you need a lot of running apps to track every bypassing bus often enough to know where it is currently located?

Can you please post a link to that public transport system?

(06 Oct '15, 11:23) Kurt Knochner ♦
showing 5 of 13 show 8 more comments