Warflying (Wi-Fi scanning) in an airplane up to 450 km

Recently I was traveling by plane over Europe. Of course, I could not resist to check what could be received on 5 GHz there, at an altitude of over ten kilometers…

I took the following equipment for Wi-Fi scanning onboard:

  • Mikrotik Routerboard SXT 5HPnD (AR9280),
  • Raspberry PI 3B with GNSS receiver, RTC and 10 V PoE output – see more: Wardriving @ 5 GHz,
  • USB power bank (5V/2.1A),
  • Nexus 7 tablet.

I was scanning using MikroTik SXT antenna with a built-in radio module. This device is as small as 14×14 cm. The dual-polarization antenna rated at 16 dBi is even smaller, at just 11×11 cm. It was connected to Raspberry PI single board computer.

The software used for scanning is called MTscan and it has a passive mode which relies on sniffer tool in MikroTik RouterOS that streams packets via TZSP protocol. All beacons and probe response packets are being parsed on the Raspberry PI computer that runs Arch Linux ARM.

The primary residence of this Raspberry PI setup is inside my car, together with 3× MikroTik OmniTik antennas for 5 GHz Wi-Fi scanning, also known as wardriving. Actually such activity in an airplane has its own name too and it is called warflying. The installed loudspeaker indicates new network detection or some problems like GPS fix loss or antenna connection failure. Of course, I decided to keep the device quiet during flight.

I don’t have any passive GPS antenna with SMA connector, so I used a random LTE rubber antenna. It is not really suitable for GNSS bands, as the measured SWR for GPS/GLONASS frequencies is between 2.5 and 3.5, but the receiver sensitivity is good anyway.

During the flight I was also able to follow the results in real-time via VNC client on a tablet, connected to Raspberry PI via Wi-Fi (2.4 GHz). The RTC module in Raspberry PI was synchronized beforehand, so the ADS-B flight path points can be interpolated and used for determining the latitude, longitude and altitude of each received network signal. After the trip I downloaded all JSON files with flight information from FlightRadar24 website. 

Poland → Denmark (Airbus A320)

During my first flight I was not using any GNSS at all. I was sitting next to a window with a view to north-east Poland, Lithuania and Latvia. I was checking the possibility of scanning and trying different antenna tilt angles down to Earth. I received some Wi-Fi networks that I’m getting at my QTH near Płock during enhanced tropospheric conditions. Later, when the airplane was at a higher altitude above ground I logged networks from Lithuania and presumably Latvia.

BSSID SSID / Radio name S↑ N Approx. location (ADS-B)
0027222A8950 VYT206141 Vyt103_Aido25_ -88 2 LTU ŠiauliaiW 417 km
802AA8A4639E sia-link18 RRL_RadviliskisVB_PolekelesVB_AP -87 3 LTU RadviliskisT ~412 km
44D9E7AEAF19 siuncia lieplaukei mazeikiu kamin -89 2 LTU TelšiaiW 391 km
D4CA6DBD725D ST-M8 D4CA6DBD725D -86 4 LVA LiepajaW 366 km
E48D8CF878EE Liepaja USA -86 7 LVA LiepajaT ~365 km
DC9FDB0641A2 erdves_jrb_sudargas BSUU_jurbarkas -89 2 LTU SudargasW
316 km
4C5E0C8F84CD kvt-kmb-4 KTBS3189S4 -88 1 LTU (unid) ?

N – number of received beacons or probe responses,
W – Wigle.net geolocation, T – tentative location based on SSID or radio name. 

Almost all networks listed above were logged at an altitude of 10 – 11 km, except the unidentified one (kvt-kmb-4), which was logged at a height of around 7 km. The listed distances are just rough information due to nature of Wi-Fi geolocation. They do not correspond to the exact location of a network. Furthermore, the location of each logged signal is based on interpolation of ADS–B data from Flightradar24.

Lithuanian and Latvian signals (red) and the corresponding geolocation (blue).

Between Poland and Denmark, i.e. over Baltic Sea, nothing was logged at all. Later, over Bornholm, I logged several networks from there, with the antenna tilted down: WL03-ST02-S03, WL43-S03, WL36-S02, HS-link1-AP, WL34-ST01-S03, WL41-S03, WL51-S03.

Bornholm, as seen from the window inside Airbus

Norway → Poland (Airbus A321)

On the way home to Warsaw I logged at least three German Wi-Fi networks. Surprisingly, I managed to identify them with Wigle.net geolocation. This time I was using GNSS, but the fix with the antenna on my lap was sometimes unreliable, so I also performed the linear interpolation from the ADS-B flight path. The following table contains the furthest signals only, i.e. over ~330 km. 

BSSID SSID / Radio name S↑ N Approx. location (GNSS / ADS-B) [km]
002722EC638B thors-nees Link (thors-ne -89 1 DNK ThorsmindeW 410.7 410.3
0418D648D2C8 Sector5 -88 1 DNK LemW 403.6 403.5
24A43CD6055A TGBridge1 AP1 -88 2 DNK Odense NW 327.5 327.6
4C5E0C61AE15 201 -88 3 DNK FynshavW 361.5 361.0
64D154958823 203 Wlan1 -89 1 DNK Fynshav?W,T 339.1 339.0
6C3B6B4A8709 SCLink BottPutt6CB6B4A -80 52 D PuttgardenW 347.0 347.0
64D15467243E AP-Kaltenhausen01 AP-Kaltenhausen0 -91 1 D BrandenburgW
450.1 450.4
6C3B6BA83ED1 OL30.wdsl-ol.de OL21.1 -KMD Schu -87 5 D LöbauW
445.0 445.1
44D9E72AB386 zeto_kier_phu Z_elew_kier_PH -88 1 POL ŻagańW (no fix) 333.0
E48D8CF7F875   -88 2 POL Biała PrudnickaW 354.8 355.0
E48D8C152145 wlanwodna11.MK E48D8C152145 -89 1 POL GłubczyceT 337.9 338.0
E48D8C3FFF09 websoftsmermik1 Chlum-Kolniovice -82 9 CZE Zlatý ChlumW,T 352.8 352.9
E48D8CF2D707 websoftsmermik Chlum smer Sirok -84 4 CZE Zlatý ChlumW,T 351.5 351.6
4C5E0C8584AF PtP_ChlumMik Chlum-BSU-MIMO-Brod -84 5 CZE Zlatý ChlumW,T 351.5 351.6

Apparently, simple linear interpolation of ADS-B data produces satisfying results. Errors up to 0.5 km in the distances listed above are negligible, taking into account low resolution (1 Hz update rate of GNSS) and airplane speed (about 900 km/h, i.e. 250 m/s).

The furthest signals (red) and the corresponding geolocation (blue), up to 450 km.

The first German network SCLink was actually the strongest signal received at an altitude over 10 km, counting over 50 beacon/probe response frames and moderate signal up to -80 dBm at a distance of almost 350 km. Looking at the map, it seems to be an international link between Germany and Denmark. If this is true, then it may be possible that antenna is somewhat tilted upwards to avoid multipath interference from the sea. At least it would explain such strong signal level.

The furthest network AP-Kaltenhausen01 from Germany was logged… near Swedish coast at an approximate distance of 450 km (!). Unfortunately, there is no Google Street View in Germany due to privacy issues, so it is not possible to find the antenna. Anyway, the network’s name is perfectly consistent with the geolocation (Kaltenhausen, Brandenburg). Only a single packet was received though.

According to RadioMobile software, the antenna installation height of almost 100 meters is required to maintain LOS… or tropospheric propagation enhancement.

Tentative terrain profile to AP-Kaltenhausen01 network

Geolocation of the furthest signal received (450 km), source: Wigle.net

Another German Wi-Fi network OL30.wdsl-ol.de from Löbau or its neighborhood was found near Polish coast, but at a bit shorter distance of around 444 km. All signals from Germany were logged at an altitude of 10.7 kilometers. 

A bit further into Poland several networks from Czechia (websoftsmermik1, websoftsmermik, PtP_ChlumMik) were logged at a distance of 350 km. It should be noted that the plane was already decreasing its flight altitude. The reception was possible at a height between 7.5 and 5.5 km.

I am able to receive these Czech Wi-Fi signals sometimes at my QTH, near Płock in Poland during tropospheric ducting propagation. In last year, 2018, I logged them over 10 times at a distance of over 300 km, once up to -72 dBm. The tentative source of these signals is Zlatý Chlum, with a well elevated stone lookout tower.

MTscan screenshot during reception of Wi-Fi networks from Czechia over Poland

I also logged a CCTV monitoring link on 5 GHz from my city – Płock. The distance is actually quite short (just 49 km), but there is a very interesting clue about this reception. The antenna is installed at a height of few meters above ground… and it is heading a totally opposite direction, but it is titled towards sky. You can check it on your own, as the antenna is clearly visible on Google Street View. Well… it means that signal was reflected from a nearby high-rise building before reaching my antenna at the plane. The network’s SSID PK_34/PK_26 is also visible in the screenshot above.

Poland → Italy (Boeing 737) – 2018

Actually, I was not the first one who was scanning the 5 GHz Wi-Fi band in an airplane with a directional antenna in Poland. My friend Maciek SQ7OBJ did the first 5 GHz scan during a flight from Warsaw to Italy in 2018. He also used my MTscan software, but the hardware was a bit different. He was equipped with Mikrotik Groove 5Hn device with a 19 dBi panel antenna. Although the antenna gain was higher (+3 dB means 2× better signal), it was just a single polarization design.

I used my script for ADS-B data interpolation and I merged the coordinates with his reception log. It turned out that he also reached the 400+ km range with two networks: F5G-Poliklinika-Strma (~431 km) from Czechia above Poland and BS201AP83 from Italy over Croatia (~412 km). 

Conclusions

Wi-Fi devices transmit lots of individual packets. This is not a continuous signal like a FM broadcast, so usually there is no problem with detecting many networks on a single channel (i.e. receiving some beacon frames), as the channel utilization is not high all the time. I was trying to keep the antenna pointed at the horizon or even a little higher in order to minimize interference from closer signals though.

As the antenna is directional, with quite wide beam-width (25°), it should be slowly rotated within the window boundaries to obtain the best results (i.e. as many networks as possible). Note that paths of the furthest signals from Germany are not perpendicular to the direction of flight.

GPS works very well near window in an airplane. When it is placed a bit more away from window, it will lose fix at some point. I was worried about windows in planes, but it seems that they are not metallized. I know that windows in my house have more attenuation on microwave bands than a wall.

The best obtained distance of 450 km is not my best Wi-Fi signal reception record though. Last year, in October 2018, I received Ukrainian 5 GHz Wi-Fi networks in central Poland at a distance of over 460 km via tropospheric ducting propagation with antenna at a height of only 18 meters, instead of almost 11 kilometers

4 thoughts on “Warflying (Wi-Fi scanning) in an airplane up to 450 km

    1. W moim przypadku nie było problemów. Jedynie na kontroli w Warszawie zapytano mnie co to jest, wskazując na SXT. Odpowiedziałem zgodnie z rzeczywistością – antenka Wi-Fi.

      Powerbanki to już obecnie standard. Jeżeli chodzi o urządzenia radiowe w samolocie, to na wielu liniach lotniczych jest Wi-Fi pokładowe z dostępem do internetu i lokalnej sieci w której można śledzić na żywo położenie lotu i szacowany czas lądowania.

  1. E48D8C3FFF09 websoftsmermik1 Chlum-Kolniovice -82 9 CZE Zlatý ChlumW,N 352.8 352.9

    odbieramy sygnał w Kluczborku, woj. Opolskie z sygnałem -88 :)

    4C5E0C8584AF PtP_ChlumMik Chlum-BSU-MIMO-Brod -84 5 CZE Zlatý ChlumW,N 351.5 351.6

    oraz to z sygnałem -90

  2. o ku…a! :-) Moje zerkanie na anteny podczas jazdy samochodem to pikuś przy tym co Ty tu pokazujesz !

Leave a Reply

Your email address will not be published. Required fields are marked *