This tutorial covers lawful, practical approaches to doing signals intelligence on unmanned aircraft systems. The goal is defensive research, situational awareness, and spectrum troubleshooting. I assume you are operating with authorization or in compliance with local law and airspace rules. If you do not have authorization, stop here.

Why do drone SIGINT

Drone SIGINT provides three operational benefits: discovery, characterization, and attribution. Discovery means detecting a transmitter or telemetry stream on a band where you did not expect traffic. Characterization means identifying waveform type, bandwidth, hopping behavior, and protocol. Attribution means tying a radio link to a platform, remote controller, or service such as a commercial video downlink. Those three steps let you prioritize resources and, where appropriate, hand off actionable information to authorities. The MAVLink protocol is a ubiquitous telemetry/control format for many open autopilot systems and is a useful starting point when analyzing unmanned platforms.

Legal and ethical boundaries

Radio reception is not a free pass. In the United States, the legal landscape is layered. The FAA requires Remote ID for many drones, which affects what identifiers should be available and who may lawfully collect them. Separately, federal statutes and FCC guidance restrict interception and unlawful use or publication of intercepted communications. Always consult applicable law and, when in doubt, obtain written authorization from property owners, operators, or regulators before collecting or retaining telemetry or other nonpublic traffic. If you plan to publish captures or analysis, strip personally identifying details or get consent.

High-level workflow

1) Define the objective - detection, protocol analysis, jam/deter testing in a controlled lab, or evidence collection for a protected facility. Only proceed if you are authorized.
2) Choose hardware that matches your bands of interest and the operational environment.
3) Stage antennas and front end filtering. Gain and selectivity matter more than raw sample rate for weak telemetry.
4) Capture wide and then zoom - record wideband IQ when possible, then extract narrow channels for decoding and replay analysis.
5) Classify the modulation and try established decoders or protocol libraries before building custom demod chains.
6) Document the processing chain, time stamps, and chain of custody if data may be shared with authorities.

Equipment overview: SDRs, antennas, preselectors

Start with software-defined radio hardware to keep the toolchain flexible. For VHF/UHF/ISM work a modest set of devices covers most needs: low-cost RTL-SDR dongles for initial sweeps, mid-tier Airspy/SDRplay devices for better dynamic range, and wideband transceivers such as HackRF or USRP when you need transmit capability or coverage into GHz ranges. HackRF One is a proven open platform that spans roughly 1 MHz to 6 GHz and integrates with common SDR ecosystems. Choose the device that matches the sample rate, instantaneous bandwidth, and dynamic range you need.

Antennas and front end

Use antennas sized for the band. A discone or broadband log periodic is useful for discovery sweeps. For targeted captures, use tuned whip, quarter wave, or directional Yagi/patch antennas. Add a band-pass filter or notch if strong local signals cause ADC overload. In urban environments, moderate gain directional antennas help isolate a single link and reduce multipath. Short coax runs and low loss connectors preserve SNR.

Recording strategy

Always record IQ where possible. IQ files are the forensic baseline you can reprocess later as decoders evolve. If storage is limited, capture chunked wideband files and metadata that record center frequency, sample rate, timestamp, gain settings, and antenna used. If you must capture only audio or a narrow demod output, note that you have lost the ability to try alternate demod chains later.

Common signals and practical pointers

  • MAVLink and autopilot telemetry: MAVLink is widely used in open autopilot stacks and appears over serial, UDP, and radio modems. When you see periodic, short telemetry packets with position and attitude fields, MAVLink is a likely candidate. Many implementations send unencrypted telemetry by default, so they are straightforward to decode once you extract a clean stream. Use existing libraries like pymavlink to parse message streams after you have demodulated and converted to raw bytes.

  • RC control links: Consumer RC systems use FM, FSK, or spread-spectrum schemes across 433 MHz, 868/915 MHz, and 2.4 GHz bands. Modern 2.4 GHz radio control often employs frequency hopping or direct sequence techniques which complicate passive decoding. Older fixed-frequency or narrowband FSK links are simpler to capture and decode.

  • Video downlinks: Analog 5.8 GHz video is still common on hobby rigs and is trivial to demodulate with an analog FM chain. HD digital video downlinks from commercial vendors are usually proprietary and encrypted. Capturing raw RF can help analysts fingerprint vendor signatures without revealing decrypted content.

  • Cellular and LTE-based C2: Some drones use 4G/5G links. Those links are regulated and encrypted end to end. Passive interception and decoding of cellular user data is unlawful for civilians in most jurisdictions and technically nontrivial. Do not attempt to intercept cellular traffic unless you are in a lawful, authorized lab environment.

Software tools and libraries

For discovery and demodulation use general-purpose SDR receivers and signal analyzers that support baseband IQ capture. Gqrx and GNU Radio provide solid receiver front ends and visual inspection. SigDigger and Inspectrum are excellent for offline signal analysis, burst detection, and visual symbol inspection when you need to reverse engineer an unknown waveform. After you extract raw bytes, use protocol-specific libraries such as pymavlink to parse telemetry streams. These tools let you iterate quickly between wideband capture and narrowband decoding.

Practical signal analysis steps

1) Sweep and annotate

  • Use a wideband sweep across expected bands (e.g. 400 to 6,000 MHz depending on the environment). Log spectral occupancy and persistent carriers.

2) Isolate bursts and narrow channels

  • Use waterfall displays and burst detectors in SigDigger or Gqrx to find time-synchronous transmissions. Mark start and stop times and save IQ segments.

3) Measure basic parameters

  • Determine occupied bandwidth, symbol rate estimates, and modulation family (ASK, FSK, PSK, OFDM). Simple autocorrelation and spectral analysis often reveal symbol rates and chirp behavior.

4) Attempt existing decoders

  • Try off-the-shelf decoders for common formats. For MAVLink, pipe a demodulated serial stream to pymavlink and inspect message fields. For analog audio channels, try FM/AM demodulation first.

5) Iterate and document

  • If built-in decoders fail, use GNU Radio or a custom DSP chain to implement matched filters, symbol timing recovery, and error correction. Keep documentation of parameter choices so other analysts can reproduce results.

Safety, countermeasures, and limitations

This tutorial focuses on passive SIGINT. Active measures such as jamming, spoofing, or replay are frequently illegal and can endanger aircraft and people. Do not attempt active countermeasures unless you are operating under a validated test plan in a controlled range with proper approvals. Passive SIGINT is limited by range, line of sight, and the platform’s use of spread spectrum or encryption. Some commercial drone links are encrypted or vendor proprietary and cannot be meaningfully decoded without keys or vendor cooperation.

Example: lawful MAVLink capture and analysis (conceptual)

Conceptually, a lawful test could follow these steps: place a directional antenna near a test range, record wideband IQ during a flight of an open-platform vehicle that you own, isolate the telemetry bursts in SigDigger or Gqrx, demodulate the narrow channel to raw bytes, and feed the stream into pymavlink to convert messages to human readable telemetry for performance tuning or anomaly analysis. Use the result to validate autopilot behavior or to improve frequency planning. Do not publish raw telemetry without redaction.
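As an added illustration of the final step above (not code from this page or from pymavlink, which does this for you in practice), here is a minimal MAVLink v1 framer: it scans a noisy demodulated byte stream, resynchronizes on the 0xFE start byte, keeps only frames whose X.25 checksum (seeded with the message's CRC_EXTRA) validates, and decodes HEARTBEAT fields. The byte stream, system/component IDs, and the bit-flipped frame are constructed here as sample input; only HEARTBEAT's CRC_EXTRA is tabled, other message IDs would be added from the MAVLink XML definitions.

```python
import struct

STX_V1 = 0xFE
CRC_EXTRA = {0: 50}  # per-message seed from the MAVLink XML definitions; HEARTBEAT uses 50

def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:  # CRC-16/MCRF4XX as used by MAVLink
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc

def encode_frame(seq, sysid, compid, msgid, payload):  # only used to build sample input
    header = bytes([len(payload), seq, sysid, compid, msgid])
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), x25_crc(header + payload))
    return bytes([STX_V1]) + header + payload + struct.pack("<H", crc)

def parse_stream(buf: bytes) -> list:
    """Scan a noisy byte stream: resync on STX and keep only CRC-valid frames."""
    frames, i = [], 0
    while i + 8 <= len(buf):                 # 6 header bytes + 2 CRC bytes minimum
        if buf[i] != STX_V1:
            i += 1
            continue
        plen, msgid, end = buf[i + 1], buf[i + 5], i + 8 + buf[i + 1]
        extra = CRC_EXTRA.get(msgid)
        if end > len(buf) or extra is None:  # truncated frame or unknown message id
            i += 1
            continue
        rx_crc = struct.unpack_from("<H", buf, end - 2)[0]
        if x25_crc(bytes([extra]), x25_crc(buf[i + 1:end - 2])) != rx_crc:
            i += 1                           # bit error or false sync: slide one byte
            continue
        frames.append({"seq": buf[i + 2], "sysid": buf[i + 3], "compid": buf[i + 4],
                       "msgid": msgid, "payload": bytes(buf[i + 6:end - 2])})
        i = end
    return frames

def decode_heartbeat(payload: bytes) -> dict:
    fields = ("custom_mode", "type", "autopilot", "base_mode", "system_status", "mavlink_version")
    return dict(zip(fields, struct.unpack("<IBBBBB", payload)))

# Constructed sample: noise bytes, a good HEARTBEAT, a bit-flipped copy, another good one.
HB = struct.pack("<IBBBBB", 0, 2, 3, 81, 4, 3)   # quadrotor, ArduPilot, active
bad = bytearray(encode_frame(2, 1, 1, 0, HB)); bad[9] ^= 0x01
SAMPLE = b"\x00\xfe\x13\x37" + encode_frame(1, 1, 1, 0, HB) + bytes(bad) + encode_frame(3, 1, 1, 0, HB)
if __name__ == "__main__":
    for f in parse_stream(SAMPLE):           # seq 1 and 3 survive; seq 2 fails the CRC
        print(f["seq"], decode_heartbeat(f["payload"]))
```

With a real demodulated stream the CRC rejection rate is a quick quality metric for the demod chain: a high rejection rate usually means symbol timing or filtering needs work before any protocol analysis.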

Closing recommendations and reading

  • Start small and legal. Begin with receive-only dongles, an appropriate antenna, and open source visual tools to learn spectrum signatures.
  • Keep IQ archives and annotate them rigorously. You will inevitably reprocess captures as new decoders appear.
  • Learn the law and publish responsibly. FCC and federal guidance on interception and divulging of radio communications sets expectations on lawful receipt and use. For drone-specific regulatory context, review Remote ID and the FAA guidance on compliance.

If you want a follow-up, tell me the bands and platforms you can legally work on and I will sketch a capture-to-decode chain for that exact scenario.