How much can I learn about a nearby mobile phone with RX only and no decryption?

I live in a remote area with few visitors and it would be very interesting to detect a mobile phone in my vicinity that isn’t my own.

It would be very easy to just use a frequency counter and look for activity on those bands, but that might be my own mobile phone and might also be chatter from a base station, etc.

So I would like to actually inspect the traffic with gnuradio. I am aware that I can’t determine a phones number (need SS7 access). Also, I do not want to involve myself in illegal transmissions. But there must be some amount of data that is sent outwards from a mobile phone that I can receive and decode without decrypting or cracking and with an RX only SDR.

What can I find out in this RX only manner ? Can I differentiate between different phones ? Can I determine what their physical address is and correlate to manufacturer (sort of like a MAC address in ethernet) … can I see what base station they are associated with ?

I’d like to scan the local airwaves and see a list of operating mobile handsets, the same way you might do a site survey for wifi clients. The question is simply: How much can I see with RX only and without doing difficult (and possibly illegal) decryption ?