In
computing
Computing is any goal-oriented activity requiring, benefiting from, or creating computing machinery. It includes the study and experimentation of algorithmic processes, and development of both hardware and software. Computing has scientific, e ...
, a hex dump is a
hexadecimal
In mathematics and computing, the hexadecimal (also base-16 or simply hex) numeral system is a positional numeral system that represents numbers using a radix (base) of 16. Unlike the decimal system representing numbers using 10 symbols, hexa ...
view (on screen or paper) of computer data, from
memory
Memory is the faculty of the mind by which data or information is encoded, stored, and retrieved when needed. It is the retention of information over time for the purpose of influencing future action. If past events could not be remembered, ...
or from a
computer file
A computer file is a computer resource for recording data in a computer storage device, primarily identified by its file name. Just as words can be written to paper, so can data be written to a computer file. Files can be shared with and transfe ...
or
storage device. Looking at a hex dump of data is usually done in the context of either
debugging
In computer programming and software development, debugging is the process of finding and resolving '' bugs'' (defects or problems that prevent correct operation) within computer programs, software, or systems.
Debugging tactics can involve in ...
,
reverse engineering
Reverse engineering (also known as backwards engineering or back engineering) is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accompli ...
or
digital forensics
Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination and analysis of material found in digital devices, often in relation to mobile devices and co ...
.
In a hex dump, each
byte
The byte is a unit of digital information that most commonly consists of eight bits. Historically, the byte was the number of bits used to encode a single character of text in a computer and for this reason it is the smallest addressable unit ...
(8
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s) is represented as a two-digit
hexadecimal
In mathematics and computing, the hexadecimal (also base-16 or simply hex) numeral system is a positional numeral system that represents numbers using a radix (base) of 16. Unlike the decimal system representing numbers using 10 symbols, hexa ...
number. Hex dumps are commonly organized into rows of 8 or 16 bytes, sometimes separated by whitespaces. Some hex dumps have the hexadecimal
memory address
In computing, a memory address is a reference to a specific memory location used at various levels by software and hardware. Memory addresses are fixed-length sequences of digits conventionally displayed and manipulated as unsigned integers. Su ...
at the beginning.
Some common names for this program function are
hexdump
,
hd
,
od
,
xxd
and simply
dump
or even
D
.
Samples
A sample text file:
0123456789ABCDEF
/* ********************************************** */
Table with TABs (09)
1 2 3
3.14 6.28 9.42
as displayed by
Unix
Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
hexdump
:
0000000 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46
0000010 0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
0000020 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
*
0000040 2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 74
0000050 68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 09
0000060 32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 09
0000070 39 2e 34 32 0a
0000075
The leftmost column is the hexadecimal displacement (or address) for the values of the following columns. Each row displays 16 bytes, with the exception of the row containing a single *. The * is used to indicate multiple occurrences of the same display were omitted.
The last line displays the number of bytes taken from the input.
An additional column shows the corresponding
ASCII
ASCII ( ), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Because of ...
character translation with or :
00000000 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 , 0123456789ABCDEF,
00000010 0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a , ./* ************,
00000020 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a , ****************,
*
00000040 2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 74 , ** */..Table wit,
00000050 68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 09 , h TABs (09)..1..,
00000060 32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 09 , 2..3..3.14.6.28.,
00000070 39 2e 34 32 0a , 9.42.,
00000075
This is helpful when trying to locate TAB characters in a file which is expected to use multiple spaces.
The option causes hexdump to display all data verbosely:
00000000 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 , 0123456789ABCDEF,
00000010 0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a , ./* ************,
00000020 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a , ****************,
00000030 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a , ****************,
00000040 2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 74 , ** */..Table wit,
00000050 68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 09 , h TABs (09)..1..,
00000060 32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 09 , 2..3..3.14.6.28.,
00000070 39 2e 34 32 0a , 9.42.,
00000075
od
POSI
command can be used to display a hex dump with the -t x option.
# od -tx1 tableOfTabs.txt
0000000 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46
0000020 0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
0000040 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
*
0000100 2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 74
0000120 68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 09
0000140 32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 09
0000160 39 2e 34 32 0a
0000165
Character evaluations can be added with the -c option:
0000000 0 1 2 3 4 5 6 7 8 9 A B C D E F
30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46
0000020 \n / * * * * * * * * * * * * *
0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
0000040 * * * * * * * * * * * * * * * *
2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
0000100 * * * / \n \t T a b l e w i t
2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 74
0000120 h T A B s ( 0 9 ) \n \t 1 \t \t
68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 09
0000140 2 \t \t 3 \n \t 3 . 1 4 \t 6 . 2 8 \t
32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 09
0000160 9 . 4 2 \n
39 2e 34 32 0a
0000165
In this output the TAB characters are displayed as \t and NEWLINE characters as \n.
DUMP, DDT and DEBUG
In the
CP/M
CP/M, originally standing for Control Program/Monitor and later Control Program for Microcomputers, is a mass-market operating system created in 1974 for Intel 8080/ 85-based microcomputers by Gary Kildall of Digital Research, Inc. Initial ...
8-bit operating system used on early personal computers, the standard DUMP program would list a file 16 bytes per line with the hex offset at the start of the line and the ASCII equivalent of each byte at the end. Bytes outside the standard range of printable ASCII characters (20 to 7E) would be displayed as a single period for visual alignment. This same format was used to display memory when invoking the D command in the standard CP/M debugger DDT.
CP/M 2.2 Manual
page 4-5 Later incarnations of the format (e.g. in the DOS debugger DEBUG) changed the space between the 8th and 9th byte to a dash, without changing the overall width.
This notation has been retained in operating systems that were directly or indirectly derived from CP/M, including DR-DOS
DR-DOS (written as DR DOS, without a hyphen, in versions up to and including 6.0) is a disk operating system for IBM PC compatibles. Upon its introduction in 1988, it was the first DOS attempting to be compatible with IBM PC DOS and MS-D ...
, MS-DOS
MS-DOS ( ; acronym for Microsoft Disk Operating System, also known as Microsoft DOS) is an operating system for x86-based personal computers mostly developed by Microsoft. Collectively, MS-DOS, its rebranding as IBM PC DOS, and a few ope ...
, OS/2
OS/2 (Operating System/2) is a series of computer operating systems, initially created by Microsoft and IBM under the leadership of IBM software designer Ed Iacobucci. As a result of a feud between the two companies over how to position OS/2 ...
and Windows
Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
. On Linux systems, the command hexcat produces this classic output format too. The main reason for the design of this format is that it fits the maximum amount of data on a standard 80-character-wide screen or printer, while still being very easy to read and skim visually.
1234:0000: 57 69 6B 69 70 65 64 69 61 2C 20 74 68 65 20 66 Wikipedia, the f
1234:0010: 72 65 65 20 65 6E 63 79 63 6C 6F 70 65 64 69 61 ree encyclopedia
1234:0020: 20 74 68 61 74 20 61 6E 79 6F 6E 65 20 63 61 6E that anyone can
1234:0030: 20 65 64 69 74 00 00 00 00 00 00 00 00 00 00 00 edit...........
Here the leftmost column represents the address at which the bytes represented by the following columns are located. CP/M and various DOS systems ran in real mode
Real mode, also called real address mode, is an operating mode of all x86-compatible CPUs. The mode gets its name from the fact that addresses in real mode always correspond to real locations in memory. Real mode is characterized by a 20-bit seg ...
on the x86
x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introd ...
CPUs, where addresses are composed of two parts (base and offset).
In the above examples the final 00s are non-existent bytes beyond the end of the file. Some dump tools display other characters so that it is clear they are beyond the end of the file, typically using spaces or asterisks, e.g.:
1234:0000: 57 69 6B 69 70 65 64 69 61 2C 20 74 68 65 20 66 Wikipedia, the f
1234:0010: 72 65 65 20 65 6E 63 79 63 6C 6F 70 65 64 69 61 ree encyclopedia
1234:0020: 20 74 68 61 74 20 61 6E 79 6F 6E 65 20 63 61 6E that anyone can
1234:0030: 20 65 64 69 74 edit
or
1234:0000: 57 69 6B 69 70 65 64 69 61 2C 20 74 68 65 20 66 Wikipedia, the f
1234:0010: 72 65 65 20 65 6E 63 79 63 6C 6F 70 65 64 69 61 ree encyclopedia
1234:0020: 20 74 68 61 74 20 61 6E 79 6F 6E 65 20 63 61 6E that anyone can
1234:0030: 20 65 64 69 74 ** ** ** ** ** ** ** ** ** ** ** edit
See also
*Core dump
In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminat ...
References
{{Reflist
External links
How to Use the Hexdump Unix Utility
Extensive examples.
hdr
Hexdump with colored ranges to ease visualization. Options to skip data, displaying bitfields, complex range definition, ... follow the link to 'hdr_examples.pod'.
Hex cheatsheet
for looking up byte-nibbles and nibble-bits.
Debugging
Hexadecimal numeral system
de:Dump#Hexdump