S1-SEE
S1 Signal Event Engine - Real-time S1AP protocol analysis and event processing for LTE networks.
S1-SEE (S1 Signal Event Engine) is a production-oriented software system designed for Mobile Network Operators (MNOs) and telecom researchers to ingest, process, and analyse LTE S1AP Protocol Data Units (PDUs), generating structured events for analytical processing by separate applications. The system transforms raw signalling data from the LTE S1 interface into actionable events through a modular, replayable real-time pipeline that maintains data integrity and provides full traceability.
The architecture implements a multi-stage processing pipeline that begins with an ingress spooler capable of receiving messages via multiple transport protocols including gRPC, Kafka, AMQP, and NATS. All incoming messages are durably spooled to a Write-Ahead Log (WAL) before acknowledging receipt upstream, ensuring no data loss even during system upgrades or failures. This spool serves as the system of record, providing an append-only log with partitioning, offset tracking, and full replay capability.
Once messages are safely stored, the pipeline proceeds through decoding and normalisation stages. The S1AP decoder extracts Protocol Data Units from SCTP packets and performs full PER (Packed Encoding Rules) decoding according to 3GPP TS 36.413 specifications. The decoder extracts all relevant UE identifiers including IMSI, TMSI, IMEISV, MME-UE-S1AP-ID, and eNB-UE-S1AP-ID, as well as TEIDs from E-RAB setup messages. Embedded NAS PDUs are also parsed to extract additional subscriber identifiers, with parsing based on 3GPP TS 24.301 (EPS NAS) specifications. All decoded information is normalised into a canonical message format that provides a consistent interface for downstream processing.
The correlator stage maintains comprehensive UE contexts by tracking all subscriber identifiers and their relationships. The system maintains multiple indexing strategies to correlate messages to subscribers, including stable identifiers like IMSI and IMEISV, temporary identifiers like TMSI, location-scoped identifiers combining TMSI with ECGI, and composite network identifiers combining MME or eNB IDs with their respective UE S1AP IDs. This multi-dimensional correlation ensures that messages can be correctly associated with subscribers even as identifiers change during handovers or network procedures. The correlator automatically handles context merging during handovers and cleans up expired contexts to maintain system efficiency.
The event engine applies declarative YAML-based rules to emit structured events from the correlated message stream. Rules can be defined for single-message triggers, such as detecting when a HandoverRequest is received, or for two-step sequences within specified time windows, such as detecting a completed handover when both HandoverRequest and HandoverNotify messages are observed within a 15-second window. Every event includes an evidence chain that maintains pointers to the spool offsets of the underlying source messages, enabling full traceability, deterministic replay, and the ability to retrieve raw message bytes for auditing or debugging purposes.
Events are published through multiple output sinks, including JSONL file output, stdout for real-time monitoring, and extensible interfaces for Kafka, gRPC, and other downstream systems. The transport-agnostic design ensures that all message sources feed into a unified SignalMessage model, while the modular architecture allows for easy customisation of decoders, correlators, and sinks to meet specific operational requirements.
The system's design emphasises deterministic replay, where processing the same spool data with the same rule configuration will produce identical events. This capability is essential for testing, debugging, and ensuring consistent analytical results. The evidence chain mechanism ensures that every event can be traced back to its source messages, providing a complete audit trail for compliance and analysis purposes.
S1-SEE is particularly valuable for applications requiring precise tracking of mobile device mobility patterns, such as analysing handover events to estimate device position, track, and speed. By processing handover events and their timing information, the system enables analytical applications to calculate spatial overlap between cell coverage areas and derive mobility trajectories. This capability has applications in network optimisation, security monitoring, and specialised use cases such as tracking UAVs equipped with cellular modems using their mobile network footprint.
Available from GitHub repository:
Updated 9 days ago