efforg/rayhunter#239

#239 QMDL vs. PCAP

Hello,

Looking for clarification regarding exporting QMDL and PCAPs - are the PCAPs just converted from the QMDL format or would using a tool like scat to convert QMDL to PCAP yield different and/or additional data?

Love this project, thank you for all the work on this!!

Comments (5)

I used a pcap diff tool to compare the exported PCAP and the resulting PCAP by using scat to read the QMDL file. The file sizes are different, and the pcap diff tool noted some packet differences in one instance:

Reading file ..\rayhunter_captures\exported.pcap:
Found 627 packets

Reading file ..\rayhunter_captures\qmdl_scat.pcap:
Found 627 packets

Diffing packets: not seq ack, no ip id, no checksum, 

Found 38 different packets

Writing ..\rayhunter_captures\diff_e3.pcap

I tested using these tools:

File size differences:

Bytes  File
61896  exported.pcap
59708  qmdl_scat.pcap

@wgreenberg Sorry for the tag - wanted your thoughts on this. I was thinking of opening an issue but not sure if it warrants one as this might just be a knowledge gap on my end

Just seeing this now – the pcap can be considered a strict superset of the information contained in the qmdl.

ack, i missed the notification from your tag, sorry @m0xsec! my guess as to why scat’s PCAPs are different is that they’re possibly storing different data in the GSMTAP headers, though it’s a little surprising that theirs is smaller than ours. does the diff file clarify what the difference is?
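
One way to check the GSMTAP-header hypothesis raised in the last comment, as an added example that is not part of the thread and is not rayhunter or scat code: split each packet into GSMTAP header fields and payload, then count where the pairs differ. It assumes the GSMTAP datagrams (UDP payloads) have already been extracted from both PCAPs in the same order and that they use the 16-byte GSMTAP v2 header layout from libosmocore's gsmtap.h; the helper names and the sample datagrams are constructed for illustration.

```python
import struct
from collections import Counter

# Fixed 16-byte GSMTAP v2 header (network byte order), per libosmocore's gsmtap.h.
FIELDS = ("version", "hdr_len", "type", "timeslot", "arfcn", "signal_dbm",
          "snr_db", "frame_number", "sub_type", "antenna_nr", "sub_slot", "res")
HDR = struct.Struct("!BBBBHbbIBBBB")

def split_gsmtap(datagram):
    """Return (header_fields, payload) for one GSMTAP datagram (a UDP payload)."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than the fixed GSMTAP header")
    fields = dict(zip(FIELDS, HDR.unpack_from(datagram)))
    hdr_bytes = fields["hdr_len"] * 4  # hdr_len counts 32-bit words
    if not HDR.size <= hdr_bytes <= len(datagram):
        raise ValueError("implausible hdr_len %d" % fields["hdr_len"])
    return fields, datagram[hdr_bytes:]

def classify(a, b):
    """Label one packet pair: 'same', 'payload', 'header:<fields>' or 'both'."""
    (ha, pa), (hb, pb) = split_gsmtap(a), split_gsmtap(b)
    changed = [f for f in FIELDS if ha[f] != hb[f]]
    if not changed:
        return "same" if pa == pb else "payload"
    return "both" if pa != pb else "header:" + ",".join(changed)

def summarize(capture_a, capture_b):
    """Count difference classes over two equally ordered lists of datagrams."""
    if len(capture_a) != len(capture_b):
        raise ValueError("captures hold different packet counts")
    return Counter(classify(a, b) for a, b in zip(capture_a, capture_b))

def sample(payload, **overrides):
    """Build a constructed GSMTAP datagram; every value here is made up."""
    hdr = dict.fromkeys(FIELDS, 0)
    hdr.update(version=2, hdr_len=4, type=0x0d, arfcn=1234, **overrides)
    return HDR.pack(*(hdr[f] for f in FIELDS)) + payload

# Constructed stand-ins for the two exports of the same three packets.
EXPORTED = [sample(b"\x01\x02"), sample(b"\x03\x04", signal_dbm=-90, frame_number=77),
            sample(b"\x05\x06")]
CONVERTED = [sample(b"\x01\x02"), sample(b"\x03\x04"), sample(b"\x05\x07")]

if __name__ == "__main__":
    for label, count in sorted(summarize(EXPORTED, CONVERTED).items()):
        print(f"{count:4d}  {label}")
```

A result dominated by `header:` classes would point to metadata differences between the two exports, while `payload` or `both` would mean the signalling messages themselves differ.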