Packet captures (PCAPs) are just that: captures of the raw data packets traveling across a network.
Imagine Willy Wonka and the Chocolate Factory, when the TV boy gets zapped into a million pieces.
The data is transferred in packets that read like a pile of Lego parts plus a script telling you how to reassemble them (the packet headers: addresses, ports and sequence numbers). The final file is bulky and hard to ship in one piece, so you break it into parts, ship them, and include the instructions.
Doing this also lets you move large files in bursts, so network links aren't bogged down serving a single request at a time.
Anyone with a tap on the path can put up a "net" and collect the packets, if they can pick out the ones they want (by address and port) from the millions of other packets other people are also sending.
That's what they have.
Next comes figuring out the instructions. If you know what you're doing, you captured those in the datastream too (they are the packet headers); otherwise you're mixing and matching the pieces until you get lucky and find a pattern, which could LITERALLY take millennia.
Reassemble it and you can reconstruct the file as it was in TRANSIT. If it is encrypted, you have a few more steps to decrypt it -- that is, unless the packets were already decrypted with the intent to modify them anyway.
Now comes the crux of the matter:
If you capture the packets both when they LEAVE the sender and when they ARRIVE at the receiver, you can compare the two captures and see whether they were tampered with in transit. How that works is, a middle-man box on the path receives the real packets and runs pre-programmed code that rewrites the packet payloads before forwarding them on. That's not small beans, that's top-tier espionage.
Keep in mind, the fact the packets were collected unencrypted is proof Dominion let it leak on purpose.
This is what the VAST majority of experts are waiting for here. If they get the Packet Captures, they can tell if Lindell actually has packets either going TO China or FROM China. If he has both, then they can prove 100% that China tweaked the packets.
If he has anything other than ACTUAL packets that were intercepted from China (which would require putting together a team ahead of time to set up the "net"), this whole thing is a wash.
With the vast quantity of information required to not be dismissed as inauthentic packets outright, there are really only three options:
A. He has the receipts and they are legit.
B. Someone who DOES HAVE ACCESS to the real information feed fed him a line of packets data that was modified to intentionally sabotage Lindell's efforts.
C. He doesn't even have ANY data packets at all and this is all coming out of literally thin air (very unlikely).
PCAPs can be intercepted and changed, but it requires a large amount of coordination on both sides of the exchange, sender and receiver alike.
Because the transfer gets delayed while the packets are doctored, it will stand out like a sore thumb if the data stream to the receiver is getting throttled. Unless someone is listening in and timestamping at both ends, though, you could miss it.
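To make the LEAVE/ARRIVE comparison above concrete, here is an added example (my code, not from the original post or anyone it mentions). It builds two small classic-pcap files inline, a sender-side capture and a receiver-side capture in which a box in the middle rewrote one segment's payload and delivered everything about two seconds late, then reassembles the TCP stream in each by sequence number and reports whether the bytes changed in transit and how much delay the receiver saw. Every byte of the captures, the addresses, ports, sequence numbers and payloads are constructed for illustration; the parser handles only Ethernet/IPv4/TCP and is not a stand-in for tcpdump or Wireshark.

```python
"""Compare a sender-side (LEAVE) and receiver-side (ARRIVE) capture of one TCP stream.

Everything here is a constructed example: the pcap bytes are generated inline,
and the parser is a minimal classic-pcap / Ethernet / IPv4 / TCP reader.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(segments):
    """Build a classic pcap blob (Ethernet/IPv4/TCP) from (ts_us, tcp_seq, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_us, seq, payload in segments:
        # TCP header: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", 40000, 443, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        total = 20 + len(tcp) + len(payload)
        # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto=TCP, csum, src, dst
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # dst MAC, src MAC, EtherType IPv4
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(frame), len(frame)) + frame
    return out


def parse_pcap(blob):
    """Yield (timestamp_us, tcp_seq, payload) for every TCP segment in a classic pcap blob."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off < len(blob):
        ts_sec, ts_us, caplen, _ = struct.unpack_from("<IIII", blob, off)
        frame = blob[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":           # skip anything that is not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                            # skip anything that is not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        seq = struct.unpack_from("!I", tcp, 4)[0]
        doff = (tcp[12] >> 4) * 4
        yield ts_sec * 1_000_000 + ts_us, seq, tcp[doff:]


def reassemble(blob):
    """Order the segments by TCP sequence number; return (stream bytes, per-segment timestamps)."""
    segs = sorted(parse_pcap(blob), key=lambda s: s[1])
    return b"".join(p for _, _, p in segs), [t for t, _, _ in segs]


def compare_captures(leave_blob, arrive_blob):
    """Diff the stream seen leaving the sender against the stream seen arriving at the receiver."""
    leave, t_leave = reassemble(leave_blob)
    arrive, t_arrive = reassemble(arrive_blob)
    changed = [i for i, (a, b) in enumerate(zip(leave, arrive)) if a != b]
    return {
        "leave_sha256": hashlib.sha256(leave).hexdigest(),
        "arrive_sha256": hashlib.sha256(arrive).hexdigest(),
        "tampered": leave != arrive,
        "first_changed_offset": changed[0] if changed else None,
        # per-segment delivery delay: the "throttling" that a doctoring middlebox adds
        "max_delay_us": max(b - a for a, b in zip(t_leave, t_arrive)),
    }


# Constructed sample: three segments of a small results file. In the ARRIVE copy the
# middle segment's tallies were swapped and every segment shows up ~2 s late; the
# receiver-side capture is also recorded out of order to exercise the reassembly.
LEAVE = build_pcap([(1_000_000, 1000, b"precinct=12;"),
                    (1_000_500, 1012, b"yes=1510;no=1490;"),
                    (1_001_000, 1029, b"end\n")])
ARRIVE = build_pcap([(3_001_000, 1029, b"end\n"),
                     (3_000_000, 1000, b"precinct=12;"),
                     (3_000_500, 1012, b"yes=1490;no=1510;")])

if __name__ == "__main__":
    for key, value in compare_captures(LEAVE, ARRIVE).items():
        print(f"{key}: {value}")
```

The point of the two digests is that the comparison only works if you hold both sides of the exchange: a single capture from one end tells you what crossed that wire, not whether it matched what left the other end. Real captures would be read from disk (the same `parse_pcap` works on a file written by tcpdump with the classic format), and the two clocks would need to be synchronised before the delay figure means anything.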
You gotta keep in mind this one thing, though. These ballot machines should NEVER have been connected to the internet. That you can get some packet captures on them is damning in and of itself.
The possible sequence of events:
A machine has run a number of ballots and is ready to report.
As it is finalizing the report, it pings the data off to China or whomever.
It is modified and returned to the ballot machine as it is transferring the data to either the local network or a flash drive.
The final machine is none the wiser about the file it receives: the FILE as a whole was never touched on disk, only its components were changed in transit, which gets past file-level security checks. There will be no trace of tampering on the file itself, because it happened in transit.
Delete the file/database on the machine and only the final file is available for review.