Which Packet Capture Format is better?

I am writing an application to save the captured IP packets to file. Which of the following packet capture format is better suited for use as the file format? Click on the link for more information on each.

• Snoop (rfc1761)

• PCAP

In additio开发者_如何转开发n, is there a C# library for any of the above format?

I'd go for PCAP, as most tools I usually work with support it (Wireshark, tcpdump, etc.)

WinPCAP wrapper for .NET

I use pcap (because it is supported by a lot of tools and libraries for every language) but do note there is another format, ncap.

I would also recommend pcap.

I recommend a great WinPcap wrapper to use in C# or VB.NET (.NET wrapper) called Pcap.Net: http://pcapdotnet.codeplex.com

All programs that use libpcap/WinPcap to read capture files - and some that use their own code, such as Wireshark - can read a pcap file.

snoop itself, and Wireshark, can read snoop files, but I don't know what other tools can read it.

If you need to have your files directly readable by snoop (note that Wireshark includes tools that can convert snoop files to pcap files and pcap files to snoop files), and don't need to have them readable by anything other than Wireshark without conversion, use snoop. Otherwise, use pcap, as they'll be directly readable by many more programs.

In addition, I know of no C# code, or C# wrapper for other code, to handle snoop files, so if you will be writing your code in C#, pcap format would be better.