Signals Intelligence
A $30 USB dongle and a laptop now do what once required a van full of equipment. Software-defined radio has transformed signals intelligence from a government monopoly into a capability any motivated team can develop. This section covers the tools, techniques, and tradecraft.
SIGINT Fundamentals
Signals intelligence is the craft of learning about someone from the signals they give off — what they are saying, where they are, what gear they run — without them ever knowing you are there.1 In this guide it serves two honest purposes: understanding the threat so you can defend against it, and the authorized monitoring of your own networks. It is not a license to eavesdrop, and the line between the two is sharp enough that the law comes first.
In the United States you may freely receive almost any signal that lands on your antenna — scanning public-safety, aviation, marine, and amateur traffic is legal. What is illegal is intercepting private communications, decoding what is meant to be private (cellular and encrypted traffic above all), and divulging or acting on anything you happen to overhear. The Wiretap Act carries up to five years in prison for intercepting or disclosing protected communications, and the Communications Act separately forbids divulging what you receive.3 Listen to learn the spectrum; never decode or share private traffic.
For most of its history signals intelligence meant a van full of equipment and a government budget. The RTL-SDR changed that — a thirty-dollar USB TV tuner that hobbyists found could receive almost any radio signal — and a laptop now does what a signals van once did.2 Purpose-built kits like SIGpi pack a full collection setup onto a Raspberry Pi smaller than a paperback, and cheap machine learning now does the listening too, pulling signals out of the noise better than hand-written code. The gap between an agency and a motivated team narrows every year.2
SIGINT Categories
SIGINT splits by what it listens to. Communications intelligence (COMINT) is the traffic between people — voice, text, and data. Electronic intelligence (ELINT) is everything that emits but does not communicate: radar, navigation beacons, telemetry.1 Two narrower categories round it out, one for instrumentation signals like missile telemetry and one for the faint, unintended emanations a device leaks.
| Category | Focus | Examples |
|---|---|---|
| COMINT | Communications between people | Voice radio, digital messaging, data links |
| ELINT | Non-communication emissions | Radar, navigation beacons, telemetry |
| FISINT | Foreign instrumentation signals | Missile telemetry, weapons test data |
| MASINT | Measurement and signature | Unintentional emanations, radar fingerprinting |
The Intelligence Cycle
Collection is not the first step; thinking is. The intelligence cycle runs from planning and direction, through collection, processing, and analysis, to dissemination, and it begins by deciding what you need to know.1 Before you place a single receiver, you answer three questions: what do you need to learn, which signals would tell you, and where and on what frequencies do those signals live?
Listening costs you nothing on the air. You take in energy that others transmit without transmitting yourself, so there is no emission to detect, nothing to direction-find, and no sign you are even there — the exact mirror image of the operator hunted in the chapter on direction finding.1 The only requirement is to put your antenna where the target's signal can reach it.
Sources
- MCRP 2-10A.1 Signals Intelligence (Light Fighter Library) — the SIGINT categories (COMINT, ELINT, FISINT), the intelligence cycle, and the passive nature of collection.
- SIGINT for Anyone: The Growing Availability of Signals Intelligence in the Public Domain (RAND, Light Fighter Library) — the democratization of SIGINT by cheap software-defined radio.
- FCC: Interception and Divulgence of Radio Communications & 18 U.S.C. §2511 (Wiretap Act) — receiving is broadly legal; intercepting private communications, and divulging or using what you hear, is not.
Software Defined Radio
A software-defined radio throws out the fixed circuits of an ordinary radio and does the work in software instead. One small box of hardware feeds raw radio into a computer, and the program decides what it is — an FM station, an aircraft transponder, a pager, or a signal nobody has identified yet — so changing what you can hear becomes a matter of changing software, not soldering.1
You do not need an expensive rig, or even Linux, to start. A thirty-dollar RTL-SDR dongle and a free program on the Windows or Mac laptop you already own will pull in most of the spectrum below 1.7 GHz, and that is plenty to learn on.1, 2 A wideband, transmit-capable radio like the HackRF, covered later, opens the rest of the band and the ability to replay signals, but it is a step up, not a starting point.2
SDR Architecture
Inside, an SDR is three stages. A radio front end filters and amplifies what the antenna brings in, an analog-to-digital converter turns that into numbers, and software does everything else.1 Three figures describe what a given SDR can do: how wide a frequency range it tunes, how much spectrum it can grab at once (its bandwidth), and how finely it measures the signal (its bit depth).
Those figures trade against price. More bandwidth lets you watch more of the spectrum at once; more bits let you pick a weak signal out from beside a strong one; a wider tuning range reaches more bands. You pay for each, so you buy the radio that fits the job.1
SDR Software Ecosystem
The hardware is only half of it; the software is what turned SDR from a lab instrument into something anyone can run.2
| Software | Platform | Primary Use |
|---|---|---|
| SDR# | Windows | General purpose receiver, beginner friendly |
| GQRX | Linux/Mac | General purpose receiver, GNU Radio based |
| GNU Radio | Linux/Mac/Windows | Advanced signal processing, custom decoders |
| SDR++ | Cross-platform | Modern interface, plugin architecture |
| SIGpi | Raspberry Pi | Complete portable SIGINT platform |
| SigintOS | Linux | Dedicated SIGINT distribution with integrated tools |
Some SDR programs phone home — beaconing your location or sending identifying data over the internet. For any sensitive collection, run the setup air-gapped, with every network connection switched off, and confirm how a piece of software behaves before you trust it. Listening is supposed to be silent; do not let your own laptop break that.1
Sources
- Introduction to Software-Defined Radio (LF-Course) (Light Fighter Library) — what an SDR is, its front-end / ADC / software architecture, the key specifications, and starting on a cheap RTL-SDR with free cross-platform tools.
- RTL-SDR.com — the RTL-SDR Blog V4 (500 kHz–1766 MHz, native HF), the HackRF and HackRF Pro, and the SDR++ / SDR# / GQRX software.
RTL-SDR Dongle
The RTL-SDR is the dongle that started it all — a USB stick built to receive digital television that hobbyists discovered could be retuned to listen across the radio spectrum.1 For about thirty dollars it covers roughly 500 kHz to 1.8 GHz, enough to hear aircraft, ships, weather satellites, pagers, and most of what a beginner wants to find, which is why it is where nearly everyone starts.2
Specifications
The current model, the RTL-SDR Blog V4, adds native HF reception to the original VHF and UHF coverage.2
| Parameter | Value | Notes |
|---|---|---|
| Frequency Range | 500 kHz to 1.766 GHz | RTL-SDR Blog V4 with native HF support |
| Bandwidth | Up to 2.4 MHz | 3.2 MHz possible with some host controllers |
| ADC Resolution | 8-bit | Limits dynamic range compared to higher-end SDRs |
| Sample Rate | Up to 3.2 MSPS | 2.4 MSPS recommended for stability |
| Sensitivity | -130 dBm typical | Varies by frequency |
| Cost | ~$30 | V4 model with improved performance |
Common Applications
What a thirty-dollar receiver can actually do is more than its price suggests.2
- FM broadcast and amateur radio monitoring
- Aviation communications (118-137 MHz) and ADS-B tracking (1090 MHz)
- Weather satellite imagery (137 MHz NOAA, 1.7 GHz GOES)
- Marine AIS vessel tracking (161-162 MHz)
- Trunked radio monitoring (P25, DMR, NXDN)
- ISM band device analysis (433 MHz, 915 MHz)
- Amateur radio digital modes (APRS, FT8, JS8Call)
- General spectrum survey and signal identification
Limitations
The price shows up in two places. The 8-bit converter gives it a narrow dynamic range, so a strong nearby transmitter can swamp the front end and bury the weak signal you were after, and the 2.4 MHz of bandwidth lets you watch only a thin slice of spectrum at a time.2 It also cannot transmit. None of that makes it a toy — it stays the right tool for learning and for a surprising amount of real work — but it is why serious collection moves up to a better radio.1
Match the signal chain to the job. A band-pass filter keeps strong out-of-band signals from overloading the dongle's limited range, and a low-noise amplifier lifts weak signals — but that same amplifier can make overload worse next to a strong transmitter, so add each only when the task calls for it.2
Sources
- Introduction to Software-Defined Radio (LF-Course) (Light Fighter Library) — the RTL-SDR as the cheap entry point for learning SDR and SIGINT.
- RTL-SDR.com — the RTL-SDR Blog V4 specifications (500 kHz–1766 MHz, 8-bit, 2.4 MHz bandwidth), common applications, and front-end filtering and LNA guidance.
HackRF One
The HackRF One is the radio you graduate to when an RTL-SDR is not enough. Where the dongle only listens over a narrow slice, the HackRF tunes from 1 MHz to 6 GHz, watches 20 MHz of spectrum at once, and — the real difference — can transmit as well as receive.1 Created by Great Scott Gadgets with fully open hardware and firmware, it has become the standard tool of the security-research world.2
Specifications
| Parameter | Value | Notes |
|---|---|---|
| Frequency Range | 1 MHz to 6 GHz | Covers HF through SHF bands |
| Bandwidth | Up to 20 MHz | Wide instantaneous bandwidth |
| ADC/DAC Resolution | 8-bit | Same as RTL-SDR |
| Sample Rate | Up to 20 MSPS | Matched to bandwidth |
| TX Power | Up to +15 dBm | Band dependent, ~30 mW |
| Operation | Half-duplex | TX or RX, not simultaneous |
| Cost | ~$350 | Open source hardware |
SIGINT Applications
Its 20 MHz window makes it a fast surveyor: you can sweep a wide band, spot the signals that are active, and characterize them far quicker than a 2 MHz dongle.1
Because it transmits, it also opens RF protocol work — capturing and decoding the proprietary links in key fobs, IoT devices, sensors, and other wireless gadgets to learn how they are built and where they are weak.2
That transmit ability is powerful and legally loaded. Replaying a captured signal to test a system is a real technique, but transmitting is regulated and can be a crime against systems you do not own, so keep it to your own gear, on a bench, with authorization — the law from the start of this section still applies.2
Accessories and Enhancements
A few add-ons turn it from a bench instrument into a field one, the most important being the PortaPack, which runs the HackRF as a standalone handheld with no computer at all.1
| Accessory | Purpose |
|---|---|
| ANT500 | Telescopic antenna for basic receiving, 75-1000 MHz |
| Opera Cake | Antenna switching for automated multi-band monitoring |
| PortaPack H2 | Standalone operation without computer |
| External Clock | Improved frequency accuracy and stability |
| Filtered Preamps | Enhanced sensitivity for specific bands |
Great Scott Gadgets' HackRF Pro, shipping at the end of 2025, widens the range to 100 kHz–6 GHz and improves the receiver while keeping the same software and accessories as the original.2 If you are buying new, it is the one to get; the original HackRF One stays fully supported.
Sources
- HackRF with PortaPack Operation Guide (Light Fighter Library) — running the HackRF, and the PortaPack with Mayhem firmware for standalone, computer-free operation.
- Great Scott Gadgets — the HackRF One (1 MHz–6 GHz, 20 MHz bandwidth, half-duplex transmit) and the HackRF Pro (100 kHz–6 GHz), open hardware and firmware.
KrakenSDR Direction Finding
Direction finding used to be a government capability; the KrakenSDR put it on a hobbyist's budget.2 It is five RTL-SDR receivers locked to a single clock so they stay perfectly in step, wired to a calibrated five-antenna array, and from the tiny phase differences between those antennas the software computes the bearing to a transmitter — roughly 100 MHz to 1 GHz with the antennas it ships with.1, 2 It is the mirror of the threat from the chapter on direction finding: here the radio hunting an emitter is yours.
System Components
| Component | Description |
|---|---|
| KrakenSDR Unit | 5 coherent RTL-SDR receivers with noise source for calibration |
| Antenna Array | 5 magnetic mount antennas with calibrated spacing |
| Computing | Raspberry Pi 4/5 with pre-built software image |
| Mobile Device | Android phone/tablet for direction display |
| Power | USB-C power, ~15W draw |
Direction Finding Technique
KrakenSDR finds direction the same way modern tactical sets do, by correlative interferometry.1 All five antennas, set in a known pattern, hear the same signal at slightly different instants. A built-in noise source first calibrates the exact phase relationship between the five receivers, and then the software reads the phase differences across the array and solves for the angle the signal arrived from. One bearing points a line; bearings from two or three positions cross on the transmitter.
- Antenna array receives signal simultaneously on all five elements
- Noise source calibrates phase relationships between receivers
- Software compares phase differences across antenna pairs
- Correlative interferometry algorithm computes bearing
- Bearing displayed on map overlay in mobile app
- Multiple bearings from different locations triangulate transmitter position
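The calibrate-then-compare steps listed above, as an added example (not KrakenSDR's own code): a pure-Python simulation of a five-element circular array that measures channel offsets from a shared noise source, then picks the bearing whose expected phase pattern best matches the measured one. The 433 MHz frequency, 0.20 m array radius, receiver offsets, noise level and all function names are constructed assumptions; bearings are measured from element 0.

```python
import cmath
import math
import random

C = 299_792_458.0   # speed of light, m/s
N = 5               # five coherent channels / antennas, as described above


def steering_phases(bearing_deg, freq_hz, radius_m):
    """Expected phase (rad) at each element of a uniform circular array for a
    plane wave arriving from bearing_deg (measured from element 0)."""
    k = 2 * math.pi * freq_hz / C
    b = math.radians(bearing_deg)
    return [k * radius_m * math.cos(b - 2 * math.pi * i / N) for i in range(N)]


def relative_phases(samples):
    """Phase of every channel relative to channel 0, averaged over all samples."""
    ref = samples[0]
    return [cmath.phase(sum(x * r.conjugate() for x, r in zip(ch, ref)))
            for ch in samples]


def estimate_bearing(samples, freq_hz, radius_m, cal_offsets=None):
    """Correlate measured phase differences against the expected pattern for
    every whole-degree bearing; return (best_bearing_deg, correlation 0..1)."""
    cal = cal_offsets or [0.0] * N
    measured = [m - c for m, c in zip(relative_phases(samples), cal)]
    best_bearing, best_score = 0, -1.0
    for cand in range(360):
        exp = steering_phases(cand, freq_hz, radius_m)
        score = abs(sum(cmath.exp(1j * (m - (e - exp[0])))
                        for m, e in zip(measured, exp))) / N
        if score > best_score:
            best_bearing, best_score = cand, score
    return best_bearing, best_score


def simulate(bearing_deg, freq_hz, radius_m, hw_offsets, n=256, noise=0.1, seed=1):
    """Constructed test signal. bearing_deg=None models the internal noise
    source: the same signal reaches every channel with no array phase."""
    rng = random.Random(seed)
    geo = ([0.0] * N if bearing_deg is None
           else steering_phases(bearing_deg, freq_hz, radius_m))
    chans = [[] for _ in range(N)]
    for _ in range(n):
        s = cmath.exp(1j * rng.uniform(0, 2 * math.pi))   # common source sample
        for i in range(N):
            w = complex(rng.gauss(0, noise), rng.gauss(0, noise))
            chans[i].append(s * cmath.exp(1j * (geo[i] + hw_offsets[i])) + w)
    return chans


def demo():
    freq, radius = 433.0e6, 0.20                 # assumed frequency and array radius
    hw = [0.0, 0.9, -1.3, 2.1, -0.4]             # unknown per-receiver offsets (rad)
    # Step 1: noise source on, measure each channel's offset against channel 0
    cal = relative_phases(simulate(None, freq, radius, hw, seed=7))
    # Step 2: receive the target (true bearing 137 degrees in this simulation)
    rx = simulate(137, freq, radius, hw, seed=8)
    return {"calibrated": estimate_bearing(rx, freq, radius, cal),
            "uncalibrated": estimate_bearing(rx, freq, radius)}


if __name__ == "__main__":
    print(demo())
```

The uncalibrated run uses the same samples and differs only in skipping the offset correction, which is why its correlation peak is lower and its bearing cannot be trusted.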
Setup and Operation
- Burn the KrakenSDR DF image to an SD card (8 GB minimum for Pi 4, 16 GB for Pi 5)
- Mount antenna array on vehicle roof with proper spacing using paper templates
- Connect antennas to KrakenSDR in correct order (numbering matters)
- Power KrakenSDR and Raspberry Pi
- Create WiFi hotspot on Android device (SSID: KrakenAndroid, Password: KrakenAndroid)
- Access web interface to configure frequency and parameters
- Enable noise source calibration before taking bearings
- Drive to different positions to collect multiple bearings for triangulation
Practical Applications
- Locating interference sources affecting communications
- Amateur radio fox hunting and transmitter hunts
- Finding unauthorized transmitters or repeaters
- Tracking wildlife with radio collars
- Educational demonstration of RF direction finding
- Locating cellular towers and analyzing coverage
Direction finding lives and dies on calibration and a clean line of sight. Buildings throw reflections that produce false bearings, so a city is the hardest place to work and open ground the easiest, and the fix is the same one the threat side uses against you: take bearings from several positions and let them cross.1
Sources
- Direction Finding & Electronic Warfare Fundamentals (Light Fighter Library) — correlative-interferometry direction finding, bearings and triangulation, and the effect of multipath on accuracy.
- KrakenRF — the KrakenSDR: five coherent RTL-SDR channels on one clock (24 MHz–1766 MHz), calibration hardware, and the five-element direction-finding antenna set.
Signal Identification
Every signal looks and sounds like itself. An FM station is a fat symmetric blob on the waterfall, a pager fires short bursts, a frequency-hopping radio scatters across the band. Signal identification is the skill of reading those tells — bandwidth, modulation, timing, and how the frequency behaves — to name a transmission you have never seen before.1
Signal Characteristics
| Characteristic | What It Reveals |
|---|---|
| Bandwidth | Signal type, data rate, modulation complexity |
| Modulation | AM, FM, SSB, digital mode, spread spectrum |
| Timing | Continuous, periodic, bursty, time-slotted |
| Frequency Behavior | Fixed, hopping, chirped, drifting |
| Center Frequency | Frequency allocation, likely user type |
| Signal Shape | Waterfall appearance, distinctive patterns |
Signal Identification Wiki (sigidwiki.com)
When the waterfall shows something you cannot place, the Signal Identification Wiki is the reference. It is a community catalog of more than five hundred signals, each with a waterfall picture, an audio clip, and its technical parameters, searchable by band and characteristic.2 Capture a screenshot and a short recording of the mystery signal, note its frequency, bandwidth, and timing, and match it against the entries — the wiki even keeps Unknown categories for signals no one has identified yet.
When encountering an unknown signal, capture a waterfall screenshot and audio recording. Compare visual patterns and sound to database entries. Note the frequency, bandwidth, and any timing patterns. The wiki's Unknown Digital and Unknown Analog categories can help identify submissions or find similar unidentified signals.
Artemis Offline Database
Artemis carries that whole database offline, for the field where there is no internet. The current version, Artemis 4, is a full rewrite with the waterfalls and audio samples built in, and it lays the groundwork for automatic, machine-learning signal recognition.2
Common Signal Types
| Signal Type | Visual Appearance | Frequency Range |
|---|---|---|
| FM Broadcast | Wide (~200 kHz), symmetric | 88-108 MHz |
| P25 Digital Voice | Narrow (12.5 kHz), choppy bursts | VHF/UHF public safety |
| DMR | Narrow (12.5 kHz), two time slots visible | VHF/UHF |
| ADS-B | Short bursts at 1090 MHz | 1090 MHz |
| Weather Satellite | Wide FM with sync pulses | 137 MHz (NOAA) |
| Pager (POCSAG/FLEX) | Narrow bursts, periodic | VHF/UHF |
| Radar | Swept or pulsed, often wideband | Various |
Reading the waterfall is a trained eye, not a lookup. Spend time watching signals you already know until their shapes and sounds are familiar, and then, when something strange appears, work through its properties before you reach for the database. After a while you will name the common ones at a glance.1
Sources
- Electronic Warfare Fundamentals (Radio & Radar) (Light Fighter Library) — the signal characteristics that identify a transmission: bandwidth, modulation, timing, and frequency behavior.
- Signal Identification Wiki & Artemis — the 500-plus-signal reference database with waterfalls and audio, and Artemis 4, its offline, machine-learning-ready companion.
SDR Collection Operations
Listening to the spectrum and collecting intelligence from it are not the same thing. Listening is turning the dial and hearing what is there. Collection is a plan: you decide what you need to know, sweep to find it, record it the same way every time, and protect the fact that you were ever there. The hardware barely matters; the discipline does.1
Spectrum Survey
Start wide. Before you can target anything you have to know what the air around you normally holds, so scan whole bands and watch which frequencies stay busy, which sit quiet, and how that shifts through the day. That picture is your baseline — once you know what normal looks like, a new signal or a sudden silence stands out.1
- Define frequency ranges of interest based on intelligence requirements
- Configure SDR for maximum bandwidth to scan quickly
- Record waterfall displays to capture time-varying patterns
- Note signal frequencies, bandwidths, and timing characteristics
- Identify signals for detailed analysis or continued monitoring
- Document the RF environment as a baseline for detecting changes
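One way to turn the survey into a baseline and flag departures from it, as an added example rather than code from the original guide: it reads power-per-bin rows in the CSV layout that rtl_power writes (an assumed input format), treats the median bin level as the noise floor on the assumption that most bins are empty, and reports bins that are newly active or newly silent. The sample rows, the 10 dB margin and the function names are constructed for illustration.

```python
import statistics

# Constructed survey rows (not a real capture). Layout assumed to match
# rtl_power CSV: date, time, Hz low, Hz high, Hz step, samples, dB per bin...
BASELINE_CSV = """\
2026-01-10, 08:00:00, 462500000, 462700000, 25000.00, 64, -71.2, -70.8, -42.1, -70.9, -71.5, -38.4, -70.6, -71.0
2026-01-10, 12:00:00, 462500000, 462700000, 25000.00, 64, -70.9, -71.1, -41.7, -71.3, -70.7, -38.9, -71.2, -70.8
2026-01-10, 16:00:00, 462500000, 462700000, 25000.00, 64, -71.4, -70.6, -70.9, -71.0, -71.1, -38.1, -70.9, -71.3
2026-01-10, 20:00:00, 462500000, 462700000, 25000.00, 64, -70.7, -71.0, -42.6, -70.8, -71.2, -39.0, -71.1, -70.9
"""
NEW_SWEEP_CSV = """\
2026-01-11, 08:00:00, 462500000, 462700000, 25000.00, 64, -71.0, -70.9, -42.3, -71.1, -70.8, -70.9, -45.2, -71.2
"""


def parse_sweeps(csv_text):
    """Return {bin_start_hz: [dB, ...]} with one reading per sweep row.
    Bins are keyed by frequency, so rows covering different hops also merge."""
    bins = {}
    for line in csv_text.strip().splitlines():
        f = [x.strip() for x in line.split(",")]
        low, step = float(f[2]), float(f[4])
        for i, db in enumerate(f[6:]):
            bins.setdefault(int(round(low + i * step)), []).append(float(db))
    return bins


def build_baseline(bins, margin_db=10.0):
    """Median per bin rides through an intermittent user being off the air in
    one sweep; the median of those medians estimates the noise floor."""
    medians = {hz: statistics.median(v) for hz, v in bins.items()}
    floor = statistics.median(medians.values())
    threshold = floor + margin_db
    occupied = {hz for hz, m in medians.items() if m > threshold}
    return {"floor_db": floor, "threshold_db": threshold, "occupied": occupied}


def compare(baseline, sweep_bins):
    """Bins active now but quiet in the baseline, and the reverse."""
    now = {hz for hz, v in sweep_bins.items()
           if statistics.median(v) > baseline["threshold_db"]}
    surveyed = set(sweep_bins)
    return {"new": sorted(now - baseline["occupied"]),
            "silent": sorted((baseline["occupied"] & surveyed) - now)}


if __name__ == "__main__":
    base = build_baseline(parse_sweeps(BASELINE_CSV))
    print(base)
    print(compare(base, parse_sweeps(NEW_SWEEP_CSV)))
```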
Targeted Collection
Once a signal is worth a closer look, narrow down onto it. Set the frequency range tight around the target, adjust the gain until the signal comes in clean without overloading the receiver, and record the raw IQ stream so you can process it later — or demodulate it live if you already know what it is.1
Traffic Analysis
You do not have to break the message to learn from it. When a transmission happens, how long it runs, and whether traffic rises or falls all carry meaning on their own. Line that activity up against events you already know about, and the adversary's schedule, operating rhythm, and chain of command start to show through the pattern.1
| Observation | Potential Intelligence |
|---|---|
| Transmission timing | Activity schedules, shift changes, check-in times |
| Traffic volume changes | Increased activity before operations |
| New frequencies appearing | Network expansion, new units deployed |
| Frequencies going silent | Unit movement, equipment failure, EMCON |
| Duration patterns | Procedural vs. substantive communications |
Geolocation
A single receiver tells you a signal exists; several receivers tell you where it is. The KrakenSDR — a five-channel coherent receiver running on a Raspberry Pi — does this automatically, using direction-finding math to point at a transmitter and even navigate you to it, accurate to within tens of meters under good conditions.2 Without that gear, take a directional bearing from two or three separate positions and plot where the lines cross.1
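Crossing the bearings, as described here and in the KrakenSDR section's note on multipath, worked as an added example (not code from the guide or from KrakenRF): a least-squares fix from compass bearings on a local flat grid, with a leave-one-out pass that rejects a single reflected bearing when at least four were taken. The site coordinates, the 35 degree multipath error, the 25 m residual limit and the function names are constructed assumptions.

```python
import math
from collections import namedtuple

Fix = namedtuple("Fix", "east north rms_m rejected")


def bearing_to(obs, target):
    """Compass bearing (deg, clockwise from north) from obs to target;
    both are (east_m, north_m) on a local flat grid."""
    return math.degrees(math.atan2(target[0] - obs[0], target[1] - obs[1])) % 360


def solve(lines):
    """Least-squares crossing point of [((east, north), bearing_deg), ...].
    Returns (east, north, rms miss distance of the fix from the lines)."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    normals = []
    for (e, n), brg in lines:
        t = math.radians(brg)
        nx, ny = math.cos(t), -math.sin(t)      # unit normal to the bearing line
        c = nx * e + ny * n
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
        normals.append((nx, ny, c))
    det = a11 * a22 - a12 * a12
    if det < 1e-3:
        raise ValueError("bearings are nearly parallel; take one from a new position")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    rms = math.sqrt(sum((nx * x + ny * y - c) ** 2 for nx, ny, c in normals)
                    / len(lines))
    return x, y, rms


def locate(lines, max_rms_m=25.0):
    """Fix from all bearings; if they disagree and there are at least four,
    drop the one bearing whose removal makes the rest agree best."""
    x, y, rms = solve(lines)
    best = Fix(x, y, rms, None)
    if rms <= max_rms_m or len(lines) < 4:
        # With three or fewer lines a bad bearing cannot be singled out.
        return best
    for i in range(len(lines)):
        cx, cy, crms = solve(lines[:i] + lines[i + 1:])
        if crms < best.rms_m:
            best = Fix(cx, cy, crms, i)
    return best


def sample_bearings():
    """Constructed data: the 'true' transmitter is used only to build bearings."""
    tx = (1200.0, 800.0)
    sites = [(0.0, 0.0), (2000.0, 0.0), (1000.0, 2500.0), (3000.0, 2000.0)]
    clean = [(s, bearing_to(s, tx)) for s in sites]
    # Site 3 reads a reflection off a building, 35 degrees away from the truth
    multipath = clean[:3] + [(sites[3], (clean[3][1] + 35.0) % 360)]
    return clean, multipath


if __name__ == "__main__":
    clean, multipath = sample_bearings()
    print(locate(clean))
    print(locate(multipath))
```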
Protect the collection itself. Run it on an air-gapped machine with no network connection during sensitive work, turn off GPS and location services on the device, and remember that the moment you transmit you can be found the same way you find others. The discipline covers not just what you collect but what you do with it afterward.
Sources
- Introduction to Software-Defined Radio (Light Fighter Library) — the collection workflow: spectrum survey, targeted collection, traffic analysis, and collection OPSEC.
- KrakenSDR (KrakenRF) — the five-channel coherent receiver for automatic radio direction finding and passive geolocation, runs on a Raspberry Pi 4 or 5.
RF Emitter Analysis
Every radio you turn on cuts both ways. The same signal that reaches your own people also reaches anyone listening for it, so the analysis that protects you and the analysis that targets the enemy are the same questions asked from two seats. Work the framework below against your own emissions to shrink what you give away, and against the adversary's to read what they are giving away.1
Propagation Analysis
Local RF Environment
Communications Architecture
Threat Assessment
Signature Management
Every transmission leaves a signature — a detectable fingerprint of when, where, and how you key up. You manage it the way you manage any other exposure: key up for as little time as possible, run the lowest power that still does the job, put terrain between you and the listener, vary your patterns so they cannot be predicted, and time your emissions so they do not line up with the activity you are trying to hide.1
Work each category methodically, before and during the operation. Together the questions are a repeatable way to read the electromagnetic environment, and the answers feed straight into your PACE plan, your operating procedures, and the steps you take to lower risk.
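A self-audit of your own key-up log against the signature-management points above and the timing rows of the traffic-analysis table, as an added example that is not part of the original guide: it totals air time, counts long transmissions, and uses circular statistics to measure how tightly key-ups cluster at the same point in each hour. The two logs, the 10-second limit and the function names are constructed assumptions.

```python
import math

# Constructed transmit logs (start time, seconds on air); not real traffic.
SCHEDULED = [("06:00:12", 14), ("07:59:50", 22), ("09:00:05", 9),
             ("10:00:20", 41), ("11:59:58", 12), ("13:00:09", 18)]
VARIED = [("06:07:00", 6), ("07:41:00", 8), ("09:23:00", 5),
          ("10:55:00", 7), ("12:14:00", 6), ("13:33:00", 4)]


def to_seconds(hms):
    h, m, s = (int(p) for p in hms.split(":"))
    return h * 3600 + m * 60 + s


def audit(log, period_s=3600, max_tx_s=10):
    """Summarise what a listener could learn from key-up timing alone.

    period_s is the cycle to test for (3600 = 'same time every hour');
    max_tx_s is an assumed limit for one transmission, not a figure from
    the guide."""
    starts = [to_seconds(t) for t, _ in log]
    durations = [d for _, d in log]
    # Place each start time on a circle of length period_s. The mean
    # resultant length is near 0 when key-ups are spread around the cycle
    # and near 1 when they always fall at the same point in it.
    angles = [2 * math.pi * (s % period_s) / period_s for s in starts]
    cx = sum(math.cos(a) for a in angles) / len(angles)
    cy = sum(math.sin(a) for a in angles) / len(angles)
    strength = math.hypot(cx, cy)
    centre_s = (math.atan2(cy, cx) % (2 * math.pi)) / (2 * math.pi) * period_s
    return {
        "airtime_s": sum(durations),
        "longest_s": max(durations),
        "over_limit": sum(1 for d in durations if d > max_tx_s),
        "schedule_strength": strength,
        "cluster_offset_s": centre_s,   # only meaningful when strength is high
    }


if __name__ == "__main__":
    for name, log in (("scheduled", SCHEDULED), ("varied", VARIED)):
        print(name, audit(log))
```

A schedule strength near 1 means the check-in time is recoverable from the log alone; passing `period_s=86400` tests for a daily rhythm instead of an hourly one.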
Sources
- Electronic Warfare Fundamentals (Radio & Radar) (Light Fighter Library) — emission control (EMCON), signature management, and the threat-assessment framework for friendly and adversary emissions.
COMINT Techniques
Communications intelligence, COMINT, is the work of listening in on traffic between people. The content is the obvious prize, but even a message you cannot read still tells you who is talking, when, and how often — and that metadata is intelligence on its own. The skill is knowing how the common systems work and where they leak.1
Voice Communications
Old-fashioned analog voice — AM, FM, single sideband — comes straight out of an SDR with the right demodulation; what is said is right there in the clear. Digital voice modes like P25, DMR, NXDN, and D-STAR need decoding software first, but a great deal of that traffic still runs unencrypted, so once you decode it you can follow it. Traffic encrypted with AES-256 stays closed without the key.1
| Mode | Encryption | Decoder Software |
|---|---|---|
| Analog FM | None | Any SDR software |
| P25 Phase 1 | Optional | DSD+, OP25, SDRTrunk |
| DMR | Optional | DSD+, SDRTrunk |
| NXDN | Optional | DSD+ |
| D-STAR | None | DSD+ |
| Encrypted | AES-256 | Not decodable without keys |
Data Communications
A surprising amount of data goes out in the clear. Aircraft positions (ADS-B), ship positions (AIS), amateur position beacons (APRS), and pager messages (POCSAG and FLEX) all decode with off-the-shelf software, and cheap Internet-of-Things gadgets often use sloppy protocols that quietly broadcast facts about the people who own them.1
Trunked Radio Systems
A trunked system does not park each group on a fixed channel; it hands out whatever channel is free and announces the assignment on a separate control channel. To follow a conversation you have to follow those announcements, which is exactly what SDRTrunk automates — it watches the control channel and the voice channels at once and stitches the talk group back together.2
Network Identification
Radio networks give away their own shape. DMR systems stamp every transmission with a radio ID and a talk-group ID; P25 carries a Network Access Code and talk-group information. Log those identifiers over time and the organization's structure — who reports to whom, which units talk to which — starts to assemble itself.2
The law on intercepting communications changes with the jurisdiction. In many countries listening to an unencrypted over-the-air transmission is legal, but recording it or passing the content on may not be, and intercepting cellular traffic almost always requires authorization. Know the rules where you operate and stay inside them.
Sources
- Introduction to Software-Defined Radio (Light Fighter Library) — analog versus digital voice, and the data protocols that transmit in the clear.
- SDRTrunk & RTL-SDR digital-voice decoding guide — following trunked systems by control channel and reading network identifiers; the DSD+, OP25, and SDRTrunk decoders.
ELINT Fundamentals
Not every emission is a conversation. Radars, jammers, and beacons pour out signals that carry no message yet say a great deal about the machine behind them. Electronic intelligence, ELINT, reads those non-communication emissions — mostly radar — to work out what a system is, what it is for (searching, tracking, or guiding a missile), and where it sits. Done right it is early warning: it tells you a threat is looking before it shoots.1
Radar Signal Parameters
| Parameter | What It Indicates |
|---|---|
| Frequency | Radar type, band (S, C, X, Ku, etc.) |
| Pulse Width | Range resolution, system type |
| Pulse Repetition Frequency (PRF) | Unambiguous range, velocity measurement |
| Scan Pattern | Surveillance vs tracking, coverage |
| Power | Range capability, system size |
| Modulation | Pulse compression, FMCW, etc. |
Common Radar Types
Radars come in families by job. Surveillance radars sweep a wide area at lower frequencies — the L, S, and C bands — trading resolution for range so they can see far. Fire-control radars narrow to a tight beam at higher frequencies, the X and Ku bands, for the precision needed to track one target. Missile-guidance radars go a step further, lighting up a target so a missile can ride the reflection home.1
Radar Warning Receiver Concepts
A radar warning receiver does for a cockpit what your ears do in the dark: it catches an emission, classifies it, and tells the crew a threat is out there. SDR-based ELINT works on the same principle — match a captured signal against a library of known emitter parameters to name the radar, and watch for changes in that signal as a sign the threat picture is shifting.1
- Surveillance radar scanning past your position: periodic illumination
- Track radar locked onto your position: continuous illumination
- Missile guidance radar active: imminent threat
- New emitters appearing: changing tactical situation
- Emitters going silent: possible EMCON, repositioning
SDR Limitations for ELINT
A consumer SDR can only reach so far. Many radars work above 6 GHz, past the top of a HackRF, and a wideband radar pulse can be wider than the slice of spectrum the SDR can see at once. Professional ELINT runs on specialized wideband receivers backed by deep signal libraries. SDR ELINT is real and worth learning, but treat it as a teaching tool and a limited capability, not dependable threat warning.1
Passive radar listens instead of shouting. It borrows signals already in the air — FM broadcast, cellular, digital TV — as its illuminator and watches how they bounce off a target, so it can detect without emitting a thing. A KrakenSDR with the right software runs basic passive-radar experiments, giving you a look at the technique without lighting up your own position.2
Sources
- Electronic Warfare Fundamentals (Radio & Radar) (Light Fighter Library) — radar signal parameters, radar families, the radar-warning-receiver concept, and the limits of SDR-based ELINT.
- KrakenSDR (KrakenRF) — using existing broadcasts as illuminators for basic passive-radar detection without emitting.
SIGINT Tools Reference
These are the tools that keep coming up across SIGINT work. None is the single right answer; each earns its place at a particular job, so the tables below lay out what every receiver, program, and reference is actually good for. Prices are approximate street prices and drift with stock and chip costs.1
Hardware Platforms
| Platform | Frequency | Bandwidth | TX | Cost | Best For |
|---|---|---|---|---|---|
| RTL-SDR V4 | 24 MHz - 1.7 GHz | 2.4 MHz | No | $35 | Entry-level, VHF/UHF monitoring |
| Airspy Mini | 24 MHz - 1.7 GHz | 6 MHz | No | $100 | Better dynamic range than RTL |
| Airspy HF+ Discovery | 9 kHz - 31 MHz | 660 kHz | No | $170 | HF reception, shortwave |
| HackRF One | 1 MHz - 6 GHz | 20 MHz | Yes | $350 | Wideband, research, replay |
| KrakenSDR | 24 MHz - 1.7 GHz | 2.4 MHz × 5 | No | $500 | Direction finding |
| SDRplay RSPdx | 1 kHz - 2 GHz | 10 MHz | No | $250 | Wideband, HF-UHF |
| USRP B200 | 70 MHz - 6 GHz | 56 MHz | Yes | $1200 | Research grade, GNU Radio |
Software Tools
| Tool | Platform | Function |
|---|---|---|
| SDR# | Windows | General receiver, plugins for many modes |
| SDR++ | Win/Lin/Mac | Modern receiver, modular design |
| GQRX | Linux/Mac | GNU Radio based receiver |
| GNU Radio | All | Signal processing framework |
| SDRTrunk | All (Java) | Trunked radio decoding (P25, DMR) |
| DSD+ | Windows | Digital voice decoder |
| Artemis | All | Offline signal ID database |
| Inspectrum | Linux | IQ file analysis and visualization |
| Universal Radio Hacker | All | Protocol analysis and reverse engineering |
| SigintOS | Linux | Dedicated SIGINT distribution |
Online Resources
| Resource | URL | Purpose |
|---|---|---|
| Signal ID Wiki | sigidwiki.com | Signal identification database |
| RTL-SDR Blog | rtl-sdr.com | News, tutorials, project guides |
| RadioReference | radioreference.com | Frequency databases (US focus) |
| WebSDR | websdr.org | Online SDR receivers worldwide |
| KiwiSDR | kiwisdr.com | HF online receivers network |

| Band | Frequencies | Content |
|---|---|---|
| Aviation Voice | 118-137 MHz AM | ATC, air-to-ground |
| ADS-B | 1090 MHz | Aircraft position broadcasts |
| Marine VHF | 156-162 MHz FM | Ship-to-shore, ship-to-ship |
| AIS | 161.975, 162.025 MHz | Ship position broadcasts |
| 2m Amateur | 144-148 MHz | Ham radio, repeaters, digital |
| 70cm Amateur | 420-450 MHz | Ham radio, digital modes |
| FRS/GMRS | 462-467 MHz | Consumer radios |
| Public Safety | Various VHF/UHF | Police, fire, EMS (check local) |
| NOAA Weather | 162.4-162.55 MHz FM | Weather broadcasts |
| Pagers | 929-932 MHz | POCSAG/FLEX paging |
Start small and cheap. An RTL-SDR with SDR# or SDR++ is enough to learn on, so point it at signals you can verify — FM broadcast, NOAA weather, an amateur repeater — until the equipment feels familiar. From there, work on naming unknown signals with the help of sigidwiki, and build toward planned collection as your skills catch up.1
Sources
- Introduction to Software-Defined Radio (Light Fighter Library) — the SDR hardware tiers, the receiver and analysis software, and the learn-on-known-signals starting path.
- RTL-SDR Blog & Signal Identification Wiki — current hardware availability and street pricing, and the signal-identification reference; prices reconfirmed 2026-06-19.