Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Reduce memory consumption by re-reading data from file for r

From: Jakub Zawadzki <darkjames@xxxxxxxxxxxxxxxx>
Date: Wed, 3 Nov 2010 21:28:22 +0100
On Wed, Nov 03, 2010 at 03:00:10PM -0400, Jeff Morriss wrote:
> Memory mapped files count as part of the process' address space so 
> mapping the capture file means that, for reassembly, we'd be trading 
> malloc'd memory for mmap()'d memory *and* it would mean we're holding 
> the whole file--including the bits not used in reassembly--in memory. 
> (We don't currently do this.)

Well I'm not expert in mmap()'ed files, but afair they won't be read until page fault, 
and madvise(..., MADV_DONTNEED) should free memory.

Still it's lot easier to work with than fread() + fseek()

> Memory-mapped files also are problematic when doing live captures: as 
> the file grows we'd have to remap the memory (yikes!)

Ok, I agree this is problem. But why yikes?