SIGNAL INTELLIGENCE

The radio spectrum is full of information. Most people never hear it.

Software Defined Radio: Listening to the Invisible

The air around you is saturated with radio signals. Aircraft positions, emergency services, weather satellites, cellular traffic, pager networks. With a software defined radio and the right software, all of it becomes visible. This is how you start listening.

Signal Intelligence · Spectrum Monitoring · SDR Research


// RTL-SDR dongle and HackRF One: entry point and research-grade SDR hardware

The radio spectrum is one of the most information-dense environments on earth. Every second, billions of signals pass through the air around you carrying aircraft positions, emergency service communications, satellite data, pager messages, weather telemetry, and cellular traffic. For most of human history, accessing any of it required expensive, dedicated hardware built to receive a specific type of signal on a specific set of frequencies. Software defined radio changed that. A device that costs less than a meal can now receive signals across a vast slice of the spectrum, and the software on your laptop does the rest.

// SECTION 01

What Software Defined Radio Actually Is

A traditional radio receiver is built around hardware. Physical filters, mixers, and demodulators are designed and fixed at the point of manufacture to handle a specific set of frequencies and signal types. Changing what it receives means changing the hardware.

A software defined radio moves most of that processing into software. The hardware captures raw radio frequency data and converts it into a digital stream. Everything else, the filtering, the demodulation, the decoding, happens on a computer. The practical consequence is that a single piece of hardware can receive many types of signals within its supported frequency range, and the capabilities of the device expand every time the software is updated.
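
The split described above, as an added example that is not part of the original article: one constructed IQ capture holds an FM signal and an AM signal, and the same samples are tuned, filtered and demodulated two different ways purely in software. The sample rate, offsets, tone frequencies and all function names are assumptions chosen for illustration.

```python
import cmath
import math

FS = 240_000          # sample rate of the constructed capture (Hz)
DECIM = 10            # channel rate after decimation = FS / DECIM = 24 kHz
FM_OFFSET = 48_000    # constructed FM signal, +48 kHz from the capture centre
AM_OFFSET = -48_000   # constructed AM signal, -48 kHz from the capture centre

def make_capture(n=4800):
    """Constructed IQ stream: FM carrier (1 kHz tone) plus AM carrier (2 kHz tone)."""
    iq, fm_phase = [], 0.0
    for k in range(n):
        t = k / FS
        # FM: the 1 kHz tone moves the carrier frequency by up to +/- 5 kHz
        fm_phase += 2 * math.pi * (FM_OFFSET + 5_000 * math.sin(2 * math.pi * 1_000 * t)) / FS
        # AM: the 2 kHz tone scales the carrier amplitude by +/- 50 %
        am_env = 1 + 0.5 * math.sin(2 * math.pi * 2_000 * t)
        iq.append(cmath.exp(1j * fm_phase) + am_env * cmath.exp(2j * math.pi * AM_OFFSET * t))
    return iq

def tune(iq, offset_hz):
    """Software VFO: mix the wanted signal to 0 Hz, then boxcar low-pass and decimate."""
    mixed = [s * cmath.exp(-2j * math.pi * offset_hz * k / FS) for k, s in enumerate(iq)]
    return [sum(mixed[i:i + DECIM]) / DECIM for i in range(0, len(mixed) - DECIM + 1, DECIM)]

def demod_fm(chan):
    """Phase discriminator: instantaneous frequency deviation in Hz."""
    rate = FS / DECIM
    return [cmath.phase(b * a.conjugate()) * rate / (2 * math.pi) for a, b in zip(chan, chan[1:])]

def demod_am(chan):
    """Envelope detector with the carrier (DC) level removed."""
    env = [abs(s) for s in chan]
    mean = sum(env) / len(env)
    return [e - mean for e in env]

def dominant_tone(audio, candidates=range(250, 4001, 250)):
    """Return the candidate audio frequency (Hz) carrying the most energy."""
    rate = FS / DECIM
    def energy(f):
        return abs(sum(a * cmath.exp(-2j * math.pi * f * i / rate) for i, a in enumerate(audio)))
    return max(candidates, key=energy)

def demo():
    """Recover both tones from the one capture: (FM tone Hz, AM tone Hz)."""
    iq = make_capture()
    return (dominant_tone(demod_fm(tune(iq, FM_OFFSET))),
            dominant_tone(demod_am(tune(iq, AM_OFFSET))))

if __name__ == "__main__":
    print(demo())
```

Nothing about the capture changes between the two calls; only the offset and the demodulator function do, which is also what running several VFOs in one session amounts to.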

A cheap RTL-SDR dongle combined with the right software can outperform dedicated hardware that cost thousands of pounds a decade ago. The capability is now entirely in the software.

// SECTION 02

The Software: SDR++ and GQRX

Two applications dominate general-purpose SDR use for research and monitoring work. They approach the same problem from different directions, and understanding the difference matters when deciding which to reach for.

SDR++ is a cross-platform application written in C++ by a Belgian engineering student who began it as a learning project. It has since become the most widely recommended starting point for SDR work across Windows, macOS, and Linux. It is lightweight, fast, and does not depend on GNU Radio, which means it installs cleanly and runs without the configuration overhead that GNU Radio-based tools can require. It supports multiple VFOs simultaneously, meaning you can monitor several frequencies at once in a single session, and it handles a wide range of hardware including RTL-SDR, HackRF, Airspy, SDRplay, and others. For anyone starting out, or for professionals who want a clean, responsive interface without complexity, SDR++ is the practical default.

GQRX is an open-source SDR receiver built on GNU Radio and the Qt graphical toolkit, developed by Alexandru Csete OZ9AEC. It has been a standard tool in the Linux and macOS SDR community for years. Where SDR++ prioritises speed and simplicity, GQRX leans into its GNU Radio foundation, which makes it more flexible for users who want to pipe audio or data into other tools or build more complex signal processing chains. It supports AM, FM, SSB, CW, and other modes, has a clean FFT spectrum and waterfall display, and integrates well with the broader GNU Radio ecosystem. It does not have a plugin system in the way SDR++ does, but for straightforward monitoring and receiving work it remains a solid and well-documented option.

// Other notable SDR software

  • GNU Radio — The foundational toolkit. Extremely powerful for building custom signal processing pipelines but has a steep learning curve. Many other tools use it as a backend.
  • SDRAngel — Feature-rich cross-platform application supporting both receive and transmit. Good hardware support and a comprehensive built-in decoder suite.
  • SDR# (SDRSharp) — Windows-only but extremely polished with a strong plugin ecosystem. Popular entry point for Windows users.
  • CubicSDR — Cross-platform, straightforward, based on liquid-dsp rather than GNU Radio. Good for users who want something between SDR++ and GQRX in terms of complexity.
  • SigDigger — Qt-based digital signal analyser. Useful for inspecting unknown or unusual signals in more detail than a general receiver allows.
  • SDRTrunk — Dedicated to trunked radio systems including P25 and DMR. Specifically designed for following conversations across trunked networks.

// SECTION 03

What You Can Monitor: Frequencies and Signal Types

The range of signals accessible with consumer SDR hardware is extensive. The table below covers the major frequency bands and signal categories that fall within reach of a standard RTL-SDR dongle (roughly 500 kHz to 1.75 GHz) and extends to what becomes available with more capable hardware like HackRF or Airspy.

| Frequency | Category | What you can receive |
|---|---|---|
| 100 kHz - 500 kHz | LF / Navigation | Legacy LORAN-C navigation signals (largely decommissioned globally, with limited eLORAN deployments remaining in parts of Asia), maritime beacons, NDB (non-directional beacons) used in aviation. Requires direct sampling mode or upconverter. |
| 500 kHz - 1.7 MHz | Medium Wave / AM | Broadcast AM radio. Maritime distress frequencies. Requires direct sampling or upconverter on most RTL-SDR hardware. |
| 1.7 MHz - 30 MHz | HF / Shortwave | International shortwave broadcasts, amateur (ham) radio, HF maritime communications, military HF links, numbers stations, STANAG waveforms. Requires upconverter for most RTL-SDR dongles or dedicated HF-capable hardware such as Airspy HF+. |
| 30 MHz - 300 MHz | VHF | FM broadcast radio (88-108 MHz), aircraft communications (108-137 MHz VOR/ILS navigation, 118-137 MHz voice ATC), amateur radio (144-146 MHz), maritime VHF (156-174 MHz), emergency services analogue, NOAA weather radio, pager networks (POCSAG/FLEX). |
| 108 - 137 MHz | Aviation Navigation | VOR navigation beacons, ILS (Instrument Landing System) glide paths and localisers. Receivable with standard RTL-SDR and appropriate antenna. |
| 118 - 137 MHz | Aviation Voice (AM) | Air traffic control communications between pilots and ATC. Ground, approach, tower, and en-route frequencies. AM mode. One of the most accessible and interesting monitoring targets for new SDR users. |
| 156 - 174 MHz | Maritime VHF | Ship-to-ship and ship-to-shore voice communications. Channel 16 is the international distress and calling frequency. AIS (Automatic Identification System) ship tracking data transmits on channels 87B and 88B. |
| 137 - 138 MHz | Weather Satellites | NOAA weather satellite APT (Automatic Picture Transmission) images. With a simple V-dipole antenna and RTL-SDR, real-time cloud imagery from polar-orbiting satellites is receivable. One of the most popular beginner SDR projects. |
| 300 MHz - 3 GHz | UHF / Cellular | The broadest and most densely occupied band for modern communications. See cellular breakdown below. |
| 380 - 400 MHz | Emergency Services Digital | TETRA digital trunked radio, used by police, fire, and ambulance services in the UK and much of Europe. Voice content on operational public safety networks is encrypted, but metadata including cell IDs and signal presence remains visible. |
| 406 - 406.1 MHz | Emergency Beacons | EPIRB (Emergency Position Indicating Radio Beacons) and PLB (Personal Locator Beacons) transmit on this frequency when activated. Signals are relayed via the Cospas-Sarsat satellite system to rescue coordination centres. |
| 433 - 435 MHz | ISM / IoT | Unlicensed ISM band. Car key fobs, weather station sensors, remote controls, LoRa IoT devices, temperature and humidity sensors, garage door openers, and many other short-range wireless devices. Extremely active and interesting for signal identification work. |
| 450 - 470 MHz | UHF Land Mobile | Commercial and business radio. Analogue and digital PMR (Private Mobile Radio), including DMR (Digital Mobile Radio) and MPT1327 trunked systems. Taxi dispatch, security, logistics, and business communications. |
| 868 MHz | LoRa / IoT (Europe) | LoRaWAN IoT network uplinks and downlinks. Smart meters, environmental sensors, asset trackers, and Meshtastic nodes in Europe operate in this band. Decodable with gr-lora or SDRAngel. |
| 915 MHz | LoRa / IoT (US) | US equivalent of the 868 MHz LoRa band. Same use cases: Meshtastic, smart meters, asset tracking, and other low-power wide-area IoT applications. |
| 960 - 1215 MHz | Aviation DME / TACAN | Distance Measuring Equipment used by aircraft to determine range from ground stations. Alongside ADS-B, one of the core systems in modern aviation navigation. |
| 1090 MHz | ADS-B Aviation | Automatic Dependent Surveillance-Broadcast. Most commercial aircraft with a Mode S transponder transmit their position, altitude, speed, and identity on this frequency. Decodable with dump1090 or ADS-B capable SDR software. One of the most immediately rewarding SDR applications. |
| 1227 / 1575 MHz | GPS / GNSS | GPS L1 (1575.42 MHz) and L2 (1227.60 MHz) satellite signals. Receivable and experimentally decodable with GNSS-SDR, though reliable decoding requires good signal-to-noise ratio and a stable clock. Typically benefits from a low-noise amplifier. |
| 1.4 - 1.7 GHz | L-Band Satellite | Inmarsat and Iridium satellite communications. ACARS over satellite (AERO). Weather satellite HRPT (High Resolution Picture Transmission) on some satellites. Requires directional antenna and typically HackRF or better hardware. |

// SECTION 04

Cellular Networks: 2G Through 5G

Cellular traffic represents some of the most complex signal environments in the spectrum. Understanding what each generation looks like, where it sits, and what is and is not accessible matters both for spectrum monitoring and for security research work.

| Generation | Frequencies (UK/EU typical) | Technology | Notes |
|---|---|---|---|
| 2G (GSM) | 900 MHz, 1800 MHz | GSM / GPRS / EDGE | Voice calls and basic data. GSM control channels and bursts are visible in the spectrum and partially decodable using gr-gsm. Voice content on operational networks is encrypted (A5/1 or A5/3). Still active for IoT M2M devices and legacy mobile in some regions. |
| 3G (UMTS) | 900 MHz, 2100 MHz | WCDMA / HSPA / HSPA+ | Wideband CDMA. Provides voice and broadband data. 3G networks have now been decommissioned across most of Europe, including by the major UK operators. Signal presence may still be visible in limited areas but infrastructure retirement is largely complete. |
| 4G (LTE) | 700, 800, 1800, 2100, 2600 MHz | LTE / LTE-A / VoLTE | The dominant current standard. High-speed data and VoLTE voice calls. LTE signals have a distinctive flat, wideband spectral appearance. Signal presence, cell IDs, and network metadata are visible. All content is encrypted. srsRAN and OsmocomBB are used in research contexts for LTE analysis. |
| 5G (Sub-6 GHz) | 700 MHz, 3.4-3.8 GHz, 26 GHz mmWave | NR (New Radio) / SA / NSA | 5G New Radio. Sub-6 GHz deployments are within reach of capable SDR hardware like HackRF and LimeSDR. The 3.4-3.8 GHz band is the primary mid-band 5G allocation in the UK. mmWave (26 GHz) requires specialist hardware well beyond consumer SDR ranges. 5G signals use OFDM and are identifiable by their spectral characteristics. Content is fully encrypted. |
| 5G (mmWave) | 26 GHz, 28 GHz, 39 GHz | NR mmWave | Millimetre wave 5G for very high throughput in dense urban environments. Extremely high frequency, short range, and not accessible with any current consumer SDR hardware. Included here for completeness. |
| NB-IoT / LTE-M | Within LTE bands | 3GPP IoT standards | Narrowband IoT and LTE-M operate within existing LTE spectrum allocations. Used for smart meters, asset tracking, and low-power devices that do not need high data rates. Signals appear within the LTE band. |

// SECTION 05

DragonOS: The Dedicated Operating System

Installing SDR software on a general-purpose Linux system involves tracking down dependencies, resolving library conflicts, and compiling tools from source. For someone who wants to focus on signals rather than build systems, that overhead is a significant barrier. DragonOS was built to remove it entirely.

DragonOS is a Lubuntu-based Linux distribution built specifically for software defined radio and signals intelligence work. Created by a developer known as Cema Xecuter during the COVID-19 lockdowns, it follows the same philosophy as Kali Linux applied to SDR: take a solid Linux base, pre-install every major tool with all its dependencies correctly configured, and ship it as a ready-to-use system. The project has continued receiving updates through 2024 and 2025, with the current major releases being DragonOS Noble (based on Ubuntu 24.04) and DragonOS FocalX (22.04).

// What comes pre-installed in DragonOS

  • SDR++, GQRX, SDRAngel, CubicSDR — General-purpose receiving and spectrum monitoring
  • GNU Radio — Full signal processing toolkit with flowgraph editor
  • gr-gsm — GSM signal analysis and decoding tooling
  • gr-iridium — Iridium satellite signal capture and processing
  • gr-fosphor — GPU-accelerated spectrum visualisation
  • DSD / DSDPlus — Digital voice decoding for P25, DMR, NXDN, and other digital modes
  • GNSS-SDR — GPS and GNSS signal reception and processing
  • SigDigger — Digital signal analyser for unknown or unusual signals
  • Kismet — Wireless network detection and monitoring
  • SatDump — Satellite data decoding including NOAA weather imagery
  • DF Aggregator — Radio direction finding tools
  • dump1090 — ADS-B aircraft tracking decoder
  • Full driver support for RTL-SDR, HackRF One, LimeSDR, BladeRF, Airspy, and USRP hardware pre-configured

DragonOS also runs on Raspberry Pi in a separate release, making it viable as a portable, low-power signals collection platform. The WarDragon project, built by the same developer, takes this further by packaging DragonOS with an Airspy R2 and an x86 mini PC inside a carry case as a complete portable SDR kit.

// SECTION 06

The Hardware: SDR Devices Compared

The software is only part of the picture. The hardware determines how much of the spectrum you can access, how clean the signal is, and whether you can transmit as well as receive. The SDR market ranges from sub-20 pound USB dongles to professional instruments costing thousands. For research and monitoring work, the options below cover the realistic range.

// RTL-SDR (RTL2832U-based dongles)

  • Price: £20-40
  • Frequency range: ~500 kHz to 1.75 GHz (with direct sampling for LF/MF)
  • Bandwidth: ~2.8 MHz stable usable bandwidth (3.2 MHz theoretical)
  • Transmit: No
  • Originally designed as DVB-T television tuner dongles, repurposed for SDR after researchers discovered the raw IQ data could be accessed directly. The RTL-SDR Blog V3 and V4 are the current recommended versions with improved performance and direct HF sampling. The entry point for almost every SDR user. Enormous community, extensive documentation, and compatible with every major software package.

// Airspy

  • Price: £80-200 depending on model
  • Frequency range: Airspy R2: 24 MHz to 1.8 GHz. Airspy HF+: 9 kHz to 31 MHz and 60-260 MHz
  • Bandwidth: Up to 10 MHz (R2)
  • Transmit: No
  • A significant step up from RTL-SDR in dynamic range and noise performance. The HF+ is particularly strong for shortwave and medium wave reception. Used in the DragonOS WarDragon kit as the primary hardware. Good balance of capability and cost for serious monitoring work.

// HackRF One

  • Price: £200-350
  • Frequency range: 1 MHz to 6 GHz
  • Bandwidth: Up to 20 MHz
  • Transmit: Yes (half-duplex)
  • Developed by Great Scott Gadgets as an open-source hardware project. The HackRF One is the most widely used transmit-capable SDR in the security research community. Its 1 MHz to 6 GHz range covers a substantial portion of the spectrum including 5G sub-6 GHz bands. Half-duplex means it cannot receive and transmit simultaneously. Used extensively for replay attacks, signal analysis, and protocol research. All transmit use requires appropriate authorisation.

// SDRplay RSP series

  • Price: £100-300
  • Frequency range: 1 kHz to 2 GHz
  • Bandwidth: Up to 10 MHz
  • Transmit: No
  • British-designed SDR hardware with strong HF performance and wide frequency coverage from near DC. The RSP1B and RSPdx are the current models. SDRplay's own SDRuno software is Windows-only but the hardware works with GQRX, SDRAngel, and SDR++ on other platforms. Strong choice for shortwave and general monitoring work.

// LimeSDR

  • Price: £200-400
  • Frequency range: 100 kHz to 3.8 GHz
  • Bandwidth: Up to 61.44 MHz
  • Transmit: Yes (full-duplex)
  • Full-duplex operation distinguishes the LimeSDR from HackRF, allowing simultaneous transmit and receive. Wider bandwidth than most competing hardware at this price point. Used in cellular research, including with srsRAN for building software-defined LTE/5G base stations in lab environments. Higher complexity than HackRF and requires more setup, but significantly more capable for advanced work.

// BladeRF

  • Price: £350-700
  • Frequency range: 300 MHz to 3.8 GHz
  • Bandwidth: Up to 56 MHz
  • Transmit: Yes (full-duplex)
  • Nuand's BladeRF 2.0 Micro is a professional-grade full-duplex SDR used in cellular research and protocol testing. Strong support from GNU Radio and compatible with most major SDR software. A step above LimeSDR in build quality and support documentation. Used in research contexts including the Libre Space SatNOGS ground station evaluation.

// USRP (Ettus Research)

  • Price: £700 to several thousand
  • Frequency range: Varies by model and daughterboard; DC to 6 GHz typical
  • Bandwidth: Up to hundreds of MHz depending on model
  • Transmit: Yes (full-duplex)
  • The professional standard. Ettus Research USRP hardware is used in university research, government laboratories, and telecoms R&D. Modular architecture with swappable daughterboards for different frequency ranges. Native GNU Radio integration. The price reflects the performance, and for most research work the LimeSDR or BladeRF covers the same ground at a fraction of the cost. Where USRP hardware appears, serious research follows.

// SECTION 07

Where Things Stand

Software defined radio has moved from a niche hobbyist tool to a standard component of signals intelligence work, security research, and radio monitoring at every level. An RTL-SDR dongle costing twenty pounds connected to a laptop running SDR++ can receive aircraft positions, decode weather satellite imagery, monitor maritime AIS traffic, and listen to air traffic control communications. HackRF and LimeSDR extend that into transmit-capable research territory. DragonOS removes the friction of setting up the software environment entirely.

The spectrum is not going silent. As IoT devices proliferate, cellular networks expand, and satellite communications grow, the density of signals in the air increases. The tools to observe and understand all of it are more accessible than they have ever been. The barrier now is not the hardware or the cost. It is knowing what to look for.

The radio spectrum is regulated public infrastructure. Understanding what is transmitted through it, and how, is the first step to understanding who controls the environment around you.

© ESPionic Technologies  ·  espionic.co.uk  ·  The Intelligence Hub  ·  Signal Intelligence Research
