
WIR-101 Lab 1 — RF Fundamentals: Spectrum Survey


Prerequisites: SETUP.md smoke test complete; RTL-SDR driver installed and verified with rtl_test -t
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Lab environment: authorized lab machines only
  • No transmissions in this lab (receive only)
  • Survey only the frequency ranges listed below; do not attempt to decode or capture communications protocols

Objective

Operate the RTL-SDR as a passive spectrum sensor. Observe and document signal activity across three frequency ranges. Build a baseline understanding of what "the spectrum looks like" before the attack-focused labs begin.


Part A — FM Broadcast Band Survey (20 min)

Setup

Open GQRX. In the configuration dialog:

  • I/O Device: your RTL-SDR device
  • Input rate: 250000 (250 kSps)
  • Center frequency: 100.0 MHz

Steps

  1. Open GQRX and configure as above. Click the power button to start the SDR.
  2. In the "Receiver Options" panel, set Mode to WFM (stereo) or NFM.
  3. Observe the FFT spectrum. You should see peaks corresponding to FM broadcast stations.
  4. Tune across 88-108 MHz and identify at least three distinct station peaks.
  5. For each station: record the center frequency, estimated signal strength (dBm from the GQRX readout), and whether audio is audible.
  6. Take a screenshot of the GQRX waterfall showing all three stations visible simultaneously.

Deliverable A

Table with three FM stations (frequency, approximate dBm, audio quality good/fair/poor) + 1 screenshot of the spectrum.


Part B — 2.4 GHz ISM Band Survey (20 min)

The RTL-SDR can tune to 2.4 GHz. It cannot capture a full 802.11 channel (would need 20+ MHz sample rate), but it can observe spectral occupancy across the band.

Steps

  1. In GQRX, switch to:
    • I/O Device: RTL-SDR
    • Input rate: 2400000 (2.4 Msps -- maximum reliable RTL-SDR rate)
    • Center frequency: 2437 MHz (802.11 channel 6 center)
  2. Observe spectral activity. Busy office/home environments will show dense occupancy from nearby APs.
  3. Retune to 2412, 2437, and 2462 MHz (channels 1, 6, 11) in sequence. Observe any differences in occupancy density.
  4. Take a screenshot at each center frequency (3 screenshots total).
  5. Write a 2-3 sentence observation: does the band look congested? Do you see any recognizable patterns?

Note: you are observing spectral occupancy only. At 2.4 Msps the RTL-SDR cannot capture a complete 802.11 frame. That comes in Week 2 with the Alfa NIC.

Deliverable B

3 screenshots (channels 1, 6, 11) + 2-3 sentence observation log.


Part C — Sub-GHz Survey with rtl_power (30 min)

rtl_power sweeps a wide frequency range by hopping the center frequency and recording power at each step. We will survey the 300-450 MHz sub-GHz ISM range.

Steps

  1. Run a power sweep:

     rtl_power -f 300000000:450000000:50000 -g 40 -1 sub_ghz_survey.csv

     This sweeps 300-450 MHz in 50 kHz steps at a tuner gain of 40 dB (-g 40), collects one sweep (-1), and saves it to CSV. Runtime: ~30 seconds.

  2. Visualize the results:

     import pandas as pd
     import matplotlib.pyplot as plt

     # rtl_power CSV format: date, time, start_hz, stop_hz, step_hz, samples, power...
     # Fields are separated by ", ", so strip the space after each comma.
     df = pd.read_csv('sub_ghz_survey.csv', header=None, skipinitialspace=True)
     freqs = []
     powers = []
     for _, row in df.iterrows():
         start = float(row[2])  # low edge of this hop (Hz)
         step = float(row[4])   # bin width (Hz)
         for i, x in enumerate(row.iloc[6:]):
             # Skip padding/NaN bins, but keep the bin index so the
             # remaining bins still map to the correct frequency.
             if pd.notna(x):
                 freqs.append(start + i * step)
                 powers.append(float(x))

     plt.figure(figsize=(14, 5))
     plt.plot([f / 1e6 for f in freqs], powers, linewidth=0.5)
     plt.xlabel('Frequency (MHz)')
     plt.ylabel('Power (dB)')
     plt.title('Sub-GHz Survey 300-450 MHz')
     plt.grid(True)
     plt.savefig('sub_ghz_survey.png', dpi=150)

  3. Examine the output plot. Mark any peaks that stand out above the noise floor.
  4. Common signals in this range: 315 MHz (US garage/key fobs), 433.92 MHz (EU sensors/remotes). Your environment will vary.
  5. Screenshot the plot and annotate any peaks with a label (even if you don't know the source yet).
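
As an added example (not part of the original lab handout), the "mark any peaks above the noise floor" step can be done programmatically: estimate the noise floor as the median bin power and report the strongest bin of each contiguous run above it. The function names, the 10 dB margin, and the inline CSV rows are assumptions constructed for illustration; the median is only a fair floor estimate when most bins are empty.

```python
import csv
import io
import math
from statistics import median

# Constructed sample in rtl_power's CSV layout (not real survey data):
# date, time, start_hz, stop_hz, step_hz, samples, then one dB value per bin.
SAMPLE_CSV = """\
2024-01-01, 12:00:00, 314800000, 315200000, 50000, 10, -50.1, -49.8, -50.3, -30.2, -28.7, -49.9, -50.2, -50.0
2024-01-01, 12:00:01, 433700000, 434100000, 50000, 10, -50.4, -49.7, -50.1, -50.0, -35.5, -49.6, nan, -50.2
"""


def load_bins(text):
    """Return sorted (freq_hz, power_db, step_hz) tuples, dropping empty/NaN bins."""
    bins = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        start, step = float(row[2]), float(row[4])
        for i, cell in enumerate(row[6:]):
            if not cell.strip():
                continue
            power = float(cell)
            if math.isfinite(power):
                bins.append((start + i * step, power, step))
    return sorted(bins)


def find_peaks(bins, margin_db=10.0):
    """Return (noise_floor_db, peaks); a peak is the strongest bin of each
    contiguous run sitting more than margin_db above the median power."""
    floor = median(power for _, power, _ in bins)
    runs = []
    for freq, power, step in bins:
        if power <= floor + margin_db:
            continue
        if runs and freq - runs[-1][-1][0] <= 1.5 * step:
            runs[-1].append((freq, power))  # neighbour of the previous hot bin
        else:
            runs.append([(freq, power)])
    return floor, [max(run, key=lambda b: b[1]) for run in runs]


if __name__ == "__main__":
    floor, peaks = find_peaks(load_bins(SAMPLE_CSV))
    print(f"noise floor ~ {floor:.1f} dB")
    for freq, power in peaks:
        print(f"{freq / 1e6:8.3f} MHz  {power:6.1f} dB  (+{power - floor:.1f} dB)")
```

To run it on a real survey, pass the contents of sub_ghz_survey.csv to load_bins() instead of SAMPLE_CSV.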

Virtual Path

The virtual path for Part C provides a pre-recorded sub_ghz_survey.csv file from a suburban environment. Use it in place of the live rtl_power run.

Deliverable C

The annotated frequency plot (sub_ghz_survey_annotated.png) + a 3-5 sentence description of at least two peaks you observed.


Write-up Questions (20 min)

Answer in 2-4 sentences each:

  1. At 2.4 Msps, what is the maximum signal bandwidth the RTL-SDR can capture without aliasing?
  2. Why does the FM broadcast survey at 250 kSps show stations clearly, while the 2.4 GHz survey at the same rate would miss most Wi-Fi traffic?
  3. You observed a peak at 433.92 MHz in your sub-GHz survey. What type of device is most likely transmitting at that frequency? What is the legal transmit power limit for a device operating there under FCC Part 15?
  4. Describe one security implication of the fact that sub-GHz ISM transmissions are unencrypted and unauthenticated by default.

Submission

Zip the following into lab1_YOURNAME.zip:

  • deliverable_A.md (table + screenshot path reference)
  • Screenshots: fm_station_1.png, fm_station_2.png, fm_station_3.png (or a single composite), gqrx_ch1.png, gqrx_ch6.png, gqrx_ch11.png
  • sub_ghz_survey_annotated.png
  • writeup.md (answers to the 4 write-up questions)