Question

I am writing an application to save the captured IP packets to file. Which of the following packet capture formats is better suited for use as the file format? Click on the link for more information on each.

In addition, is there a C# library for any of the above formats?

Solution

I'd go for PCAP, as most tools I usually work with support it (Wireshark, tcpdump, etc.)

WinPCAP wrapper for .NET

OTHER TIPS

I use pcap (because it is supported by a lot of tools and libraries for every language) but do note there is another format, ncap.

I would also recommend pcap.

I recommend a great WinPcap wrapper to use in C# or VB.NET (.NET wrapper) called Pcap.Net: http://pcapdotnet.codeplex.com

All programs that use libpcap/WinPcap to read capture files - and some that use their own code, such as Wireshark - can read a pcap file.

snoop itself, and Wireshark, can read snoop files, but I don't know what other tools can read it.

If you need to have your files directly readable by snoop (note that Wireshark includes tools that can convert snoop files to pcap files and pcap files to snoop files), and don't need to have them readable by anything other than Wireshark without conversion, use snoop. Otherwise, use pcap, as they'll be directly readable by many more programs.

In addition, I know of no C# code, or C# wrapper for other code, to handle snoop files, so if you will be writing your code in C#, pcap format would be better.
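
For the case in the question (saving captured IP packets from C#), the classic pcap layout can be written directly with `BinaryWriter`. This is an added example, not code from any of the answers or from Pcap.Net; the `PcapWriter` class name, the `capture.pcap` path and the sample packet are assumptions made for illustration, and it assumes the records are raw IP packets with no link-layer header (link type 101, LINKTYPE_RAW).

```csharp
using System;
using System.IO;

// Added example: writer for the classic pcap format (24-byte file header,
// then a 16-byte record header in front of every packet).
public sealed class PcapWriter : IDisposable
{
    private const uint Magic = 0xA1B2C3D4;  // microsecond timestamps; readers infer byte order from this
    private const uint LinkTypeRaw = 101;   // LINKTYPE_RAW: record data starts at the IPv4/IPv6 header
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly BinaryWriter _out;     // BinaryWriter always emits little-endian
    private readonly uint _snapLen;

    public PcapWriter(Stream stream, uint snapLen = 65535)
    {
        _out = new BinaryWriter(stream);
        _snapLen = snapLen;
        _out.Write(Magic);
        _out.Write((ushort)2);   // version major
        _out.Write((ushort)4);   // version minor
        _out.Write(0);           // thiszone: timestamps are UTC
        _out.Write(0u);          // sigfigs: unused, always 0
        _out.Write(snapLen);     // upper bound on stored bytes per packet
        _out.Write(LinkTypeRaw);
    }

    public void WritePacket(DateTime utc, byte[] ipPacket)
    {
        long ticks = (utc - Epoch).Ticks;   // 1 tick = 100 ns
        // Never store more than snaplen bytes, but record the original length.
        uint captured = (uint)Math.Min((long)ipPacket.Length, _snapLen);
        _out.Write((uint)(ticks / TimeSpan.TicksPerSecond));        // ts_sec
        _out.Write((uint)(ticks % TimeSpan.TicksPerSecond / 10));   // ts_usec
        _out.Write(captured);                                       // incl_len
        _out.Write((uint)ipPacket.Length);                          // orig_len
        _out.Write(ipPacket, 0, (int)captured);
    }

    public void Dispose() => _out.Dispose();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: bare 20-byte IPv4 header, protocol 253 (experimental),
        // 192.0.2.1 -> 192.0.2.2, header checksum left as zero.
        byte[] pkt = { 0x45, 0, 0, 20, 0, 1, 0, 0, 64, 253, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2 };
        using (var w = new PcapWriter(File.Create("capture.pcap")))
            w.WritePacket(DateTime.UtcNow, pkt);
    }
}
```

If the application captures full Ethernet frames instead of bare IP packets, the link type in the file header must be 1 (LINKTYPE_ETHERNET), otherwise readers will misparse every record.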

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow