Differences between FalconEye and FalconCaptureProbe

[andrewferguson]

Firstly, many thanks for developing FALCON, it looks to be a really great way to analyse LTE networks.

I'm trying to use FALCON but have run into an issue: the output from using FalconEye directly differs from when I use FalconCaptureProbe and then analyse the captured file with FalconEye. Specifically, when I use FalconEye directly, several RNTIs are detected, but when I capture with FalconCaptureProbe then run FalconEye on the captured file, no RNTIs are detected.

A bit of background – my laptop is rather old so not particularly suitable for real-time decoding. So I decided to capture to a raw file and process the capture later. However, when I tried this FALCON didn't detect any RNTIs. I then tried FalconEye directly (reading from the USRP directly) and was surprised that several RNTIs were detected.

My setup is as follows: Dell Latitude E5420 laptop running Ubuntu 20.04 LTS, connected to a USRP B210 over USB 2 (I hope to get a USB 3 express card shortly).

To demonstrate the issue I ran two experiments. Both experiments used the same frequency and cell ID, and the second was run a few minutes after the first.

1. Run FalconEye directly. The log file of this is in experiment-1.log, and FALCON detected 20 RNTIs.
2. Run FalconCaptureProbe, then run FalconEye on the captured file. With this experiment, no RNTIs were detected. There are several files from this experiment:

• experiment-2_capture.log is the log from running FalconCaptureProbe
• experiment-2-unknownOperator-cell.csv / experiment-2-unknownOperator-iq.bin / experiment-2-unknownOperator-txpower.csv are the output files from running FalconCaptureProbe
• experiment-2_falconeye.log is the output from running FalconEye on the capture file.

Both experiments captured for 5 seconds, however since there is no way to limit FalconEye capture to 5000ms, I monitored it and manually cancelled it after 5 seconds had passed.

My guess would be that I'm mis-configuring something, or am mis-understanding how FalconEye / FalconCaptureProbe is supposed to work. I'd really appreciate help in understanding how to correctly use FalconCaptureProbe.

Many thanks!

[falkenber9]

Hi Andrew,

I also can't decode your -iq.bin file on my side.

In experiment-1.log the long sequence of

Entering main loop...
Finding PSS... Peak: 1.21791, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.1064, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.01325, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.19986, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.06954, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.116, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.63083, FrameCnt: 0 State: 0
Finding PSS... Peak: 1.06723, FrameCnt: 0 State: 0
Finding PSS... Peak: 5.1081, FrameCnt: 0 State: 1

looks suspicious. It may be a result of a weak signal or maybe the USRP / PC is losing samples. I didn't ever test via USB2.

Furthermore, the summary of gathered RNTIs also looks suspicious.
Is far as I have experienced, RNTI values typically concentrate in one or two narrow value ranges, while scattered RNTIs over the entire 16-bit value range often indicate that something is wrong -- either a bad/weak signal, or the DCI format is not supported, so FALCON tries hard to find something.

Could you check your radio conditions and/or maybe try another cell?
You could use gqrx to visualize how the signal you are trying to decode looks like. It should clearly stand out of the noise floor.

Finally, maybe the serving cell already uses dynamic spectrum sharing (DSS) for 4G/5G multiplexing, which may confuse FALCON a bit -- but this is only a hypothesis; It hasn't been tested yet, but I wouldn't be surprised if this leads to some issues with FALCON.

[andrewferguson]

Thanks for the very quick response. The USB 3 express card should arrive in the next few days, and once it does I will try again with different antenna positions / cells. I will also check the signal strength with gqrx. I will update this issue then.

[andrewferguson]

My apologies for the delay in replying - I have been trying a number of things over the past few weeks, unfortunately with little success.

What I've changed:

1. The USRP is now running over USB 3.
2. The USRP is running of an external power supply.
3. The antenna is a better one - "better" is definitely relative in this context, as I've switched to a cheap dipole one that seems to give much better dBm measurements with srsLTE's cell_search tool. I would appreciate knowing what antenna was used as a reference for Falcon measurements?

Unfortunately the results are still the same - FalconEye is able to find some RNTIs when running in real-time, but not when I capture using FalconCaptureProbe and then send the I/Q file to FalconEye.

I've attached the following logs for debugging, if they are of any help:

1. 798.5MHz.zip / 2119.9MHz.zip / 1846.7MHz.zip - I ran three experiments in an identical manner to the one I ran in my original post (except with the changes as noted above). The files contained within these zips (experiment-1.log / experiment-2_capture.log / experiment-2_falconeye.log, and the .bin / .csv files produced by FalconCaptureProbe) were created the same way as in my first post (ie: experiment-1 is running FalconEye in real-time, while experiment-2 is running FalconCaptureProbe then FalconEye on the captured files).
2. cell_search.zip - the output of the srsLTE cell_search tool for the three bands that correspond to the cells that I tried the above three experiments on. I'm not sure how helpful this output would be, but I thought I would include it just in case.

Given that the problem still persists despite better (although by no means perfect) cell reception, I suspect that the issues I am having are caused by software issues, rather than antenna / reception issues. I will try to dig out a spare hard drive and do a complete reinstall (OS + USRP drivers + Falcon). Do you think there are any benefits to installing the USRP drivers from source, rather than the PPA?

I'd greatly appreciate any help / suggestions you may have. I'd be particularly interested in knowing if the RTNIs I am getting with the FalconEye realtime (experiment-1) are looking better than they were before. But at the same time I understand that this is an open source project, and you will have much better things to be doing than helping me debug my setup!

[falkenber9]

Hi I just tried your examples.

Capture at 798.6 MHz:

On my machine, both, FalconEye and FalconGUI, produce a reasonable output:

Note that in file mode, Falcon not only expects the input file, but also needs information about the cell, i.e. nof PRBs and number of antenna ports (of the eNodeB).
Try to run it as follows:

FalconEye -i experiment-2-unknownOperator-iq.bin -c 489 -p 25 -P 2

Here is the summary output that is printed at the end:

----------------------Active RNTI Set----------------------
RNTI    Format  Freq    Last[ms]        Found by
-----------------------------------------------------------
60130     0        0       2035 shortcut
61234     2        0        492 shortcut
61100     0       50          7 shortcut
61218     6        0       1246 shortcut
60748     6        0        446 random access
13950     0        0       4854 shortcut
52108     2        0       2441 shortcut
33141     2        0       1931 shortcut
60580     6        0       3063 shortcut
60555     2        0       3239 shortcut
60601     6        1         51 shortcut
58628     3        0       2865 shortcut
60507     0        0       2578 shortcut
17396     0        0       3888 shortcut
60803     6        0       2505 shortcut
60718     6        0       1802 histogram
  911     0        0       3104 shortcut
60773     6        0        225 histogram
48271     0        0       2743 shortcut
60417     0       30          2 shortcut
60353     6        0       1852 shortcut
61810     0        0       2351 shortcut
 3579     2        0       2266 shortcut
10336     0        0       2142 shortcut
64830     2        0       1350 shortcut
60044     0        0       1867 shortcut
58906     6        0       1288 shortcut
61352     0        0        929 histogram
39728     3        0        943 shortcut
60424     0        0        760 shortcut
34101     0        1         21 shortcut
-----------------------------------------------------------
Total: 31
-----------------------------------------------------------
nof_decoded_locations, nof_cce, nof_missed_cce, nof_subframes, nof_subframe_collisions_dw, nof_subframe_collisions_up, time, nof_locations
967441, 83804, 71930, 4999, 1, 1, 0.000000, 154336
Skipped subframes: 0 (0%)
Destroyed Phy

If you adjust Cell ID, PRB and Ports in FalconGUI, it also decodes the file with comparable output.
Note: For convenience, if you drag&drop the <name>-iq.bin file into the file field, FalconGUI automatically loads these parameters from a file <name>-cell.csv in the same directory.

Capture at 1846.7MHz and 2119.9MHz:

The same thing here, but this time the cells both have 4 ports (as indicated by the cell search). There seems to be a bug in the capturing tool, as it incorrectly saves 2 instead of 4 ports in <name>-cell.csv, so you have to adjust it by hand.

Hope this helps.

[andrewferguson]

Thanks very much! It is indeed incredibly helpful, many thanks for your patience and assistance getting this to work.

Using the extra parameters to FalconEye, I can get it to work, although I am getting a different number of RNTIs than you got:

----------------------Active RNTI Set----------------------
RNTI	Format	Freq	Last[ms]	Found by
-----------------------------------------------------------
60130	  0	   0	   1090	shortcut
61100	  6	  51	      7	shortcut
61234	  2	   0	    492	shortcut
61218	  6	   0	   3426	shortcut
60748	  0	   0	   1769	random access
42262	  1	   0	   3487	shortcut
60555	  2	   0	   3239	shortcut
55020	  2	   0	    881	shortcut
60507	  0	   0	   3287	shortcut
24835	  6	   0	    923	shortcut
60718	  6	   0	    684	histogram
60773	  0	   0	    429	histogram
20089	  3	   0	   1574	shortcut
 1010	  3	   1	      2	shortcut
60417	  0	  28	      2	shortcut
61810	  0	   0	   2351	shortcut
60353	  6	   0	   1852	histogram
38622	  2	   0	    399	shortcut
60601	  6	   0	   1480	shortcut
64830	  2	   0	   2051	shortcut
44534	  0	   0	   1933	shortcut
61352	  0	   0	    929	histogram
11869	  3	   0	    827	shortcut
60424	  0	   0	    760	shortcut
 1126	  5	   0	    706	shortcut
34101	  0	   1	     21	shortcut
-----------------------------------------------------------
Total: 26
-----------------------------------------------------------
nof_decoded_locations, nof_cce, nof_missed_cce, nof_subframes, nof_subframe_collisions_dw, nof_subframe_collisions_up, time, nof_locations
976334, 83804, 72695, 4999, 2, 1, 0.000000, 154336
Skipped subframes: 0 (0%)
Destroyed Phy

I'm not entirely sure why this is - perhaps you are using a development / testing version of Falcon that is more recent than the version on GitHub? (I tried on several machines and got the same results).

Thanks again.