DEV Community

Cover image for SDR Is the New Wireshark: Sniffing the Sub-GHz Spectrum from Your Desk
v. Splicer
v. Splicer

Posted on • Originally published at blog.stackademic.com

SDR Is the New Wireshark: Sniffing the Sub-GHz Spectrum from Your Desk

The modern security engineer is effectively blind. We spend our lives staring into the comforting, structured matrix of the OSI model. We audit TLS 1.3 handshakes, we fine-tune eBPF probes, and we obsess over Kubernetes network policies. We treat the Ethernet cable and the 802.11 Wi-Fi frame as the absolute edge of the digital universe.

But right outside your window, floating through the literal air of your office park or suburban neighborhood, a completely parallel, chaotic, and utterly unencrypted digital wild west is playing out in real-time.

Smart meters are broadcasting household power consumption. Drive-thru headsets are leaking audio. Municipal traffic sensors are blabbing about congestion. Fire alarms, medical pagers, logistics trackers, and gate garage clickers are all screaming raw, unauthenticated data into the ether. They do not use Wi-Fi. They do not care about IP addresses. They live in the sub-gigahertz (Sub-GHz) spectrum, and they are completely naked.

If Wireshark taught us how to spy on the nervous system of the internet, Software Defined Radio (SDR) is how we spy on the nervous system of the physical world. And the best part? You can capture all of it without ever touching a standard network interface, using a USB dongle that costs less than a decent bottle of scotch.

The Blind Spot at 433 MHz

Why is this happening? Because of a fundamental design flaw in how the tech industry views security: if a human cannot easily interact with a medium, engineers assume hackers won’t either.

For decades, RF (Radio Frequency) engineering was a dark art. If you wanted to sniff, intercept, or manipulate signals outside of standard consumer Wi-Fi and Bluetooth, you needed thousands of dollars of specialized hardware. You needed hardware spectrum analyzers, proprietary oscilloscopes, and discrete, application-specific integrated circuits. The barrier to entry was a massive financial moat.

Because of this moat, embedded systems designers building infrastructure got lazy. They needed to transmit data over long distances with minimal power consumption, so they looked toward the license-free Industrial, Scientific, and Medical (ISM) radio bands. Specifically, the sub-gigahertz bands: 315 MHz, 433 MHz, 868 MHz, and 915 MHz.

They didn’t implement encryption because cryptography requires clock cycles, clock cycles drain batteries, and besides, who is going to build a custom radio receiver just to decode a weather station or a water meter?

Then came the SDR revolution.

Software Defined Radio completely flipped the script. It took all the complex, heavy lifting traditionally done by dedicated analog hardware (mixers, filters, amplifiers, demodulators) and dumped it onto the CPU of your laptop. A cheap piece of hardware simply converts the raw, analog electromagnetic waves from an antenna into digital I/Q data data streams. The software does the rest.

Suddenly, the financial moat evaporated. The RTL-SDR, a tiny USB stick originally designed for watching terrestrial television on a computer, was discovered to be an incredibly flexible wideband receiver. For $30, anyone could suddenly view, record, and demodulate signals from 500 kHz up to 1.7 GHz.

If you are a hacker who has only ever operated on standard IP networks, walking into the RF space feels like discovering a secret backdoor into reality.

Setting Up Your Digital Periscope

To begin sniffing the invisible world from your desk, you do not need an academic background in electromagnetic theory. You just need the right glass to look through.

The Hardware Choice

If you are just getting started, grab an RTL-SDR Blog V4. It is cheap, incredibly well-shielded against USB noise, and functions as the perfect gateway drug. If you want something more self-contained, elegant, and dangerously portable, devices like the HackRF One or the Flipper Zero allow you not just to listen, but to transmit (though we will be focusing strictly on passive listening today to stay on the correct side of federal communication laws).

The Software Stack

Think of your SDR software as the Wireshark GUI. The most popular cross-platform tools for visual spectrum exploration are:

GQRX (Linux/macOS)

SDR++ (Multi-platform, lightweight, and incredibly fast)

SDR# (Windows)

When you boot up these programs and hit play, you are presented with a FFT Plot (a real-time graph of signal strength across various frequencies) and a Waterfall Display. The waterfall is a historic record of the spectrum: time moves down the vertical axis, frequency spans the horizontal axis, and color intensity dictates signal strength.

Seeing a waterfall for the first time is a revelatory moment for a network engineer. It is the literal visualization of data slicing through physical space. You will see brief, sharp bursts of light against a dark blue background. Every one of those bursts is a packet. Your job is to catch them.

The “Hello World” of Radio Sniffing: Pagers and Telemetry

Let’s move past theory and look at a practical, real-world target that is almost certainly floating through your room right now: FLEX and POCSAG pager networks.

You might think pagers died in the late 1990s. You would be dead wrong. Pagers are still heavily relied upon by hospitals for medical staff, by emergency services for volunteer fire departments, and by industrial facilities for automated system alerts. Why? Because a single, high-powered sub-GHz transmitter can penetrate deep into concrete basements where cellular signals die.

They also transmit completely in the clear, and they do it constantly.

Step 1: Locating the Frequency

Depending on where you live in the world, pager networks usually live around 138–174 MHz or 450–470 MHz. Open your SDR software, set the modulation to NFM (Narrowband FM), and scroll through these bands. You are looking for a distinct, rhythmic, almost musical screeching sound that occurs in rapid bursts. On the waterfall, it looks like a thick, solid block of data.

Step 2: Demodulating the Stream

In the old days, you had to route the audio output of your SDR software via a virtual audio cable into a legacy decoding program. Today, tools like multimon-ng make this trivial.

If you prefer a streamlined, automated experience, you can use a command-line tool called rtl_fm (which comes with the standard RTL-SDR utilities) to tune to the frequency and pipe the raw audio straight into multimon-ng.

rtl_fm -f 466.05M -s 22050 | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -
Enter fullscreen mode Exit fullscreen mode

Run that command, and your terminal will begin printing out cleartext pages. You will see internal hospital alerts, patient transport coordinates, automated infrastructure status reports, and system diagnostics. It feels deeply invasive because it is. You are pulling raw, sensitive data straight out of thin air without interacting with a single server, authenticated API, or firewalled gateway.

Decoding the Neighborhood with rtl_433

If hacking legacy pager systems sounds a bit too industrial, let’s look at something much closer to home. Literally.

The 433.92 MHz and 915 MHz frequencies are the absolute wild west of consumer and commercial telemetry. Almost every cheap wireless sensor manufactured in the last twenty years uses these bands to talk to its base station.

There is an open-source masterpiece of software called rtl_433. Despite the name, it doesn’t just listen to 433 MHz; it is an incredibly powerful decoder for hundreds of distinct sub-GHz protocols. It is essentially the tcpdump of the radio world.

Plug in your SDR dongle, open your terminal, and simply run:

rtl_433 -f 433.92M
Enter fullscreen mode Exit fullscreen mode

Within a few minutes, your terminal screen will likely populate with JSON-like blocks of data:

json
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time. : 2026–07–06 17:42:12
model. : Nexus-TH. id. : 142
Channel. : 1. Battery. : OK. Temperature: 22.4 C. Humidity. : 48 %
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time. : 2026–07–06 17:43:01
model. : Schrader-EG53MA4. id. : 0A3F21B
Type. : TPMS. Pressure. : 32.5 PSI. Temperature: 28.0 C. Flags. : 00

Enter fullscreen mode Exit fullscreen mode

Look at what you are seeing.

The first block is a neighbor’s backyard weather station, telling you their precise indoor or outdoor climate metrics.

The second block is a TPMS (Tire Pressure Monitoring System) sensor from a car driving past your house. Every modern vehicle has wireless sensors embedded inside the tire valves. They broadcast their unique sensor ID, their current tire pressure, and their temperature every few seconds to the car’s internal computer.

Think about the security implications of this for a moment. A car’s TPMS ID is static. If you place a cheap SDR receiver at an intersection, you can track the exact physical movement and patterns of specific vehicles based entirely on the unencrypted radio beacons their tires emit. No license plate readers required. No complex surveillance infrastructure. Just raw, unencrypted telemetry floating through public space.

Deconstructing the Protocol: The Reverse Engineering Mindset

What happens when you find a signal on your waterfall that rtl_433 doesn’t recognize? This is where true hacking begins. This is where we move from being consumers of security tools to creators.

When an SDR captures a signal, it records it in I/Q format. I/Q data represents the changes in amplitude and phase of a radio wave over time. It is the ultimate raw format.

To reverse engineer a mystery signal, we use an open-source tool called Universal Radio Hacker (URH).

The Anatomy of an RF Packet

When you load a raw signal recording into URH, you are looking at a waveform. By applying a digital demodulator (usually Amplitude Shift Keying, ASK, or Frequency Shift Keying, FSK), URH converts that wavy analog line into a clean, digital train of 1s and 0s.

Just like an Ethernet frame, a sub-GHz radio packet has a distinct structure:

The Preamble: A predictable, alternating pattern of bits (e.g., 10101010) that tells the receiving radio, “Hey, wake up, a packet is coming, sync your internal clock to my speed.”

The Sync Word: A specific, fixed sequence of bits (e.g., 0xD391) that signifies the exact boundary where the actual data payload begins.

The Payload: The actual message, containing sensor readings, command IDs, or device statuses.

The Checksum (CRC): A mathematical verification string to ensure the packet wasn’t corrupted in transit.

By aligning different packets recorded from the same device in URH, you can start to spot patterns. If you press the “Unlock” button on a garage door remote control five times, you will notice that 95% of the binary string remains identical, while a tiny section changes or increments. If it doesn’t change, you have just discovered a device vulnerable to a simple replay attack…where replaying the exact audio recording of the transmission back into the air will trigger the physical action again.

The Ultimate Paradigm Shift

The point of exploring the sub-GHz spectrum isn’t just about reading your neighbor’s thermometer or spying on hospital pagers. It is about shattering the illusion of security boundaries.

We have spent billions of dollars securing the internet, reinforcing the application layer, and enforcing strict access controls on the networks we can see. Yet, we have built a physical world that relies entirely on a massive, invisible foundation of unauthenticated radio communications.

Smart grids, automated manufacturing lines, municipal infrastructure, and physical access controls are constantly leaking state information, configuration telemetry, and operational commands into the atmosphere. The only thing that kept this infrastructure secure for decades was the obscurity of the medium.

That obscurity is completely dead.

The next time you open Wireshark to look at a packet capture, look up from your screen and look out the window. There is a whole universe of data passing straight through your body right now. All you have to do is listen.

Deepen Your Digital Reconnaissance

If you are ready to stop scratching the surface of standard consumer networks and want to dive deeper into the gritty, unfiltered realities of modern hardware, infrastructure exploitation, and terminal dominance, explore these essential handbooks:

Expand Your Operational Horizon: Uncover the hidden vulnerabilities in unconventional targets with Notes from the Wrong Side of the Network Volume 1.

Master the Command Line:Turn your local terminal into a highly optimized weapon for system auditing and environmental control with The Black Terminal Compendium: 2026 Edition.

Weaponize the Physical Layer: Learn how to script, weaponize, and deploy automated keystroke injection hardware while evading endpoint defense with BadUSB Studio: 20 Rubber Ducky Scripts That Bypass Modern AV (2026 Edition).

Top comments (0)