> To be clearer, when Ethereal opens a capture file (i.e.
> v6.pcap), Ethereal loads all the data of the file in a structure, just
> before Ethereal prints the data on the screen.
No, it doesn't.
It builds an in-memory data structure that's a list of information about
each frame from the capture file - the members of the list are
"frame_data" structures, as defined in "epan/frame_data.h" - but it does
*NOT* read all of the packet data into memory.
Instead, on the first pass through the capture file, for each frame:
the frame data is read into memory;
a "frame_data" structure is allocated for the frame;
the frame is passed to the link-layer dissector which passes it
on, in turn, to other dissectors;
*some* information about the frame is stored in the "frame_data"
structure, including an offset in the file where the frame's
data can be read.
All the frame data is read into the *same* buffer, rather than each
frame having a separate buffer.
When a frame is accessed on subsequent passes through the file (such as
when you're applying a display filter, or printing the file's contents),
or accessed when you click on a frame, Ethereal re-reads the frame's
data from the file into a buffer in memory.
