[Catchercatcher] Explanation of some parameters

Luca Melette luca at srlabs.de
Thu Jan 3 03:13:53 CET 2013

Hi Matej,

> what is the current development of the catcher catcher software?

I have to say that there is no news right now.
Everything is experimental as you can see it.

Thanks for spending your time in understanding our work,
and possibly contributing to improve its functionality.
I have to say that everything you asked below has a very
technical explanation and may not be so useful to a user.
This is why we included the green/yellow/red flag.

> Catcher status for MS '1'
>   link establishment
>     rach sent: 2
> That means how many requests for the beginning of the communication
> have been sent from the mobile phone to the network through Random
> Access Channel (uplink channel)?

>     paging:    0
> How many paging requests have been sent to the mobile phone from the
> network through Paging Channel (PCH)?

>     imm_ass:   1
> How many immediate assignment messages have been sent to the mobile
> phone from the network?

>     assign:    0
>     handover:  0
>     release:   1
>     tune:      1
>     failure:   0
>     current:   0
> Can you add some brief explanation of this?

All the counters under "link establishment" have to be considered
together to make some sense. You would expect that for every
paging you send one rach request, then you get an immediate assignment
and then, depending on the service, a release, assignment, handover
and so on. The sum/difference of these counters can indicate unusual
failures in network behaviour. There is no specific tune yet.

>     high pwr:  0.67
> This is antenna power on the scale [0..1]

No. This ratio indicates how many frames were transmitted by the phone
at (near) maximum power, as asked by the network, showing a possible
attempt to locate a user (e.g. silent call). This condition can however
happen in normal circumstances depending on network coverage.

>   cipher mode
>     request:   1
>     response:  1
>     no cipher: 0
>     no IMEISV: 1
> Can you add some brief explanation of this? IMEISV is probably
> International Mobile station Equipment Identity and Software Version
> Number, but what does number 1 mean?

This section is dedicated to describing cipher mode command usage.
As before, the sum/difference of the counters expresses abnormal
conditions. For each request you want to see only one response.
The network should ask you to include the IMEISV to protect your
uplink frames, and in your case it doesn't. No cipher is quite
clear: it records the very unusual case of the network asking you
to start ciphering with actually no cipher.

>     first alg: A5/1
>     last alg:  A5/1
> This is the initial ciphering algorithm (first used on the network)
> and the last one? Under what circumstances do these two differ?

They should not differ, but an IMSI catcher will clearly prefer to
talk to its victims using no cipher (A5/0).

>   cell monitoring
>     camped:    0
> Can you add some brief explanation of this?

Currently not implemented, because you can see this information
with another console command (see show ms).
It wanted to say "successfully connected to the network".

>     MCC:       293 (293, 0)
>     MNC:       41 (41, 0)
>     LAC:       11 (11, 0)
>     CID:       482 (172, 1)
> OK, I understand these are Mobile Country Code, Mobile Network Code,
> Local Area Code and Cell ID... The first number is current code, what
> about numbers in brackets?

Those are, respectively, the previous value for each field (MCC,
MNC, etc.) and the number of changes we detected for this field.
In your case, MCC/MNC/LAC was always constant, and CID changed once.

>   data exchange
>     IMSI req:  0
>     IMEI req:  0
>     SilentSMS: 0
> How many times mobile network requested IMSI and IMEI from mobile
> phone, how many silent SMS'es have been sent to the phone?

Correct. The count of identity requests should remain very low.
And the silent SMS... should never be received in normal conditions.

> BTW, show neighbour-cells command showed me that there is a cell
> with state "no sync" - what does it mean?

All this stuff is part of the normal Osmocom-BB mobile application,
and I didn't write it, nor do I normally use it.
It's just measurements/parameters described in the GSM standard.
They are used for cell selection/reselection.
Like RLA_C, average received level from a BTS, C1 & C2 are numbers
out of two formulas, indicating path loss and penalty for reselection.

> What are possible statuses of the following parameters:
> - prio (normal, what else?)
> - state (SYSINFO, no sync, RLA_C - what is the explanation of these?)

Not exactly my business, but still measurements of neighbour cells,
that occur continuously, trying to sync, receive system information
and monitoring reception quality to select the best cell.

Hope this was helpful.
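
Added example, not part of the original message or the Catchercatcher code: a small parser for a status dump laid out like the one quoted above, applying the cipher-mode and data-exchange checks the reply describes. The function names, the constructed sample and the finding texts are assumptions; the reply gives no numeric thresholds, so a finding here is a prompt to look closer, not a verdict.

```python
import re

# Constructed sample in the layout of the status dump quoted in the thread.
SAMPLE = """\
Catcher status for MS '1'
  cipher mode
    request:   1
    response:  1
    no cipher: 0
    no IMEISV: 1
    first alg: A5/1
    last alg:  A5/1
  cell monitoring
    LAC:       11 (11, 0)
    CID:       482 (172, 1)
  data exchange
    IMSI req:  0
    SilentSMS: 0
"""

def parse_status(text):
    """Map field name to int, str, or (current, previous, changes) tuple."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s+(.+?)\s*$", line)
        if not m:
            continue  # header and section titles carry no value
        key, val = m.groups()
        cell = re.fullmatch(r"(\d+) \((\d+), (\d+)\)", val)
        if cell:
            fields[key] = tuple(map(int, cell.groups()))
        else:
            fields[key] = int(val) if val.isdigit() else val
    return fields

def findings(f):
    """Checks taken from the reply above; the finding texts are assumptions."""
    checks = [
        (f.get("request", 0) != f.get("response", 0), "cipher requests and responses differ"),
        (f.get("no cipher", 0) > 0, "ciphering started with no cipher"),
        (f.get("no IMEISV", 0) > 0, "cipher mode command did not ask for IMEISV"),
        (f.get("first alg") != f.get("last alg"), "cipher algorithm changed"),
        (f.get("SilentSMS", 0) > 0, "silent SMS received"),
    ]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    print(findings(parse_status(SAMPLE)))
```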


