RF Scope — protocol-agnostic RF network analysis
rfscope is Wireshark for the RF physical layer. Point it at any band — a
recorded IQ capture or a live SDR — with no prior knowledge of the technology,
modulation, framing, or encryption, and it produces a structured analysis of
what is on the air and how it behaves: an RF protocol hierarchy, per-channel
activity over time, burst timing and periodicity, an emitter/conversation graph,
an entropy/encryption triage, and an expert-info anomaly list.
Where hunt discovers and maps known trunked systems and siglab decodes the
13 named protocols, rfscope is the layer below: it says something structural
about a signal even when it is not one of those — an unknown IoT mesh, a
telemetry link, a paging variant, an encrypted data burst, a frequency hopper.
It optimizes for non-WiFi RF (slow, channelized, bursty LMR/IoT/paging traffic)
but the same primitives work for WiFi-style bursty traffic too.
It adds no DSP of its own: it orchestrates the primitives the rest of GopherTrunk
already ships (the survey blind classifier, carriers peak detection,
spectrum occupancy metrics, siglab protocol identification, the cryptolab
randomness/keystream engines) and accumulates their output into one
JSON-exportable Scene.
The analyzers
A Scene is built by a registry of pluggable analyzers (rfscope list prints
them). Each is the RF analog of a Wireshark feature:
| Analyzer | Wireshark analog | What it produces |
|---|---|---|
| hierarchy | Protocol Hierarchy | bursts grouped by modulation class → occupied-bandwidth bucket → identified protocol, with counts, airtime, spectrum/time share |
| timeline | I/O Graphs | per-channel occupancy/power over time, duty cycle, burst rate |
| timing | (timing stats) | burst-length & inter-arrival histograms, and the TDMA/frame period recovered by autocorrelating channel occupancy |
| topology | Conversations / Endpoints | bursts clustered into emitters by RF fingerprint (frequency hoppers collapse into one), then linked into conversations (co-active / request-response / hop-sequence); defers to hunt’s authoritative map when a trunking control channel is present |
| entropy | entropy-based encryption detection | for unidentified digital emitters, a byte-level triage (plaintext / substitution / repeating-xor / periodic-scrambler / lfsr-or-keyless-scrambler / strong-encrypted) built on the cryptolab randomness battery |
| expert | Expert Information | anomaly flags: frequency hoppers, intermittent emitters, abnormally wide/narrow carriers, noise-like (high spectral-flatness) carriers, and the encrypted/obfuscated/unknown findings from the entropy triage |
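
The period recovery listed for the timing analyzer, autocorrelating channel occupancy, can be sketched as follows. This is an added example, not GopherTrunk's code: `framePeriod`, `sampleOccupancy`, the 0.3 threshold and the occupancy series are all assumptions constructed for illustration.

```go
package main

import "fmt"

// framePeriod (hypothetical helper) takes one occupancy sample per time bin
// (1 = busy) and returns the lag in bins with the highest mean-removed
// autocorrelation plus its score, or (0, 0) if no lag in [minLag, maxLag] beats threshold.
func framePeriod(occ []float64, minLag, maxLag int, threshold float64) (int, float64) {
	n := len(occ)
	var mean, energy float64
	for _, v := range occ {
		mean += v / float64(n)
	}
	for _, v := range occ {
		energy += (v - mean) * (v - mean)
	}
	if energy == 0 { // empty, idle or continuously keyed channel: nothing to time
		return 0, 0
	}
	bestLag, best := 0, 0.0
	for lag := minLag; lag <= maxLag && lag < n; lag++ {
		var acc float64
		for i := 0; i+lag < n; i++ {
			acc += (occ[i] - mean) * (occ[i+lag] - mean)
		}
		// Dividing by total energy (biased estimate) ranks the fundamental above its multiples.
		if score := acc / energy; score > threshold && score > best {
			bestLag, best = lag, score
		}
	}
	return bestLag, best
}

// sampleOccupancy returns constructed data: 200 bins, a 3-bin burst every
// 20 bins, with the fifth burst missing to mimic an intermittent emitter.
func sampleOccupancy() []float64 {
	occ := make([]float64, 200)
	for k := 0; k < 10; k++ {
		for j := 0; j < 3 && k != 4; j++ {
			occ[20*k+j] = 1
		}
	}
	return occ
}

func main() {
	lag, score := framePeriod(sampleOccupancy(), 4, 100, 0.3)
	fmt.Printf("period=%d bins score=%.3f\n", lag, score)
}
```

Setting `minLag` above the longest expected burst keeps within-burst correlation from being reported as a period.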
Command-line
```
gophertrunk rfscope analyze -in <capture> [flags]                  analyze a recorded IQ capture
gophertrunk rfscope live -serial <sdr> -freq Hz [flags]            analyze a live SDR span
gophertrunk rfscope cockpit [-in <cap> | -serial <sdr> -freq Hz]   live scene TUI
gophertrunk rfscope serve [-addr host:port] [-open]                web console (browser)
gophertrunk rfscope list                                           list registered analyzers
```
Common flags (shared by analyze and live): -format u8|f32, -sample-rate,
-freq (capture centre), -fft, -peak-threshold-db, -min-spacing,
-channel-rate, -analyzers hierarchy,timing,… (default: all),
-out-format summary|json|jsonl|yaml|csv, -out <path>, and `-frames-out