Incomputing, ahex dump is atextualhexadecimal view (on screen or paper) of (often, but not necessarilybinary) computer data, frommemory or from acomputer file orstorage device. Looking at a hex dump of data is usually done in the context of eitherdebugging,reverse engineering ordigital forensics.[1] Interactive editors that provide a similar view but also manipulating the data in question are calledhex editors.
In a hex dump, eachbyte (8bits) is represented as a two-digithexadecimal number. Hex dumps are commonly organized into rows of 8 or 16 bytes, sometimes separated by whitespaces. Some hex dumps have the hexadecimalmemory address at the beginning.
Some common names for this program function arehexdump,hd,od,xxd and simplydump or evenD.
A sample text file:
0123456789ABCDEF/* ********************************************** */Table with TABs (09)1 2 33.146.289.42
as displayed byUnixhexdump:
00000003031323334353637383941424344454600000100a2f2a202a2a2a2a2a2a2a2a2a2a2a2a00000202a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a*00000402a2a202a2f0a095461626c6520776974000005068205441427320283039290a093109090000060320909330a09332e313409362e3238090000070392e34320a0000075
The leftmost column is the hexadecimal displacement (or address) for the values of the following columns. Each row displays 16 bytes, with the exception of the row containing a single *. The * is used to indicate multiple occurrences of the same display were omitted.The last line displays the number of bytes taken from the input.
An additional column shows the correspondingASCII character translation withhexdump -C orhd:
0000000030313233343536373839414243444546|0123456789ABCDEF|000000100a2f2a202a2a2a2a2a2a2a2a2a2a2a2a|./* ************|000000202a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a|****************|*000000402a2a202a2f0a095461626c6520776974|** */..Table wit|0000005068205441427320283039290a09310909|h TABs (09)..1..|00000060320909330a09332e313409362e323809|2..3..3.14.6.28.|00000070392e34320a|9.42.|00000075
This is helpful when trying to locate TAB characters in a file which is expected to use multiple spaces.
The-v option causeshexdump to display all data verbosely:
0000000030313233343536373839414243444546|0123456789ABCDEF|000000100a2f2a202a2a2a2a2a2a2a2a2a2a2a2a|./* ************|000000202a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a|****************|000000302a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a|****************|000000402a2a202a2f0a095461626c6520776974|** */..Table wit|0000005068205441427320283039290a09310909|h TABs (09)..1..|00000060320909330a09332e313409362e323809|2..3..3.14.6.28.|00000070392e34320a|9.42.|00000075
The POSIX[2] commandod can be used to display a hex dump with the-t x2 option.
#od-tx2tableOfTabs.txt00000000: 1f8b 0808 d2e9 9766 0203 6461 7461 322e00000010: 6269 6e00 0141 02be fd42 5a68 3931 415900000020: 2653 59ea 2468 ae00 0017 7fff dadb b7fb00000030: dbff 5ffb f3fb d776 3d6f fffb dbea fdbd00000040: 85db edfc ffa9 7def faaf efdf b001 386c00000050: 1001 a0d0 6d40 01a0 1a00 0006 8006 800000000060: 0000 d034 01a1 a34d 0034 3d43 40d0 0d3400000070: d034 34da 9ea1 b49e a7a8 f29e 5106 432600000080: 9a19 1934 d1a0 341a 6234 d018 d468 683400000090: 00c9 a308 6434 0000 0308 d068 0680 1900000000a0: 0034 d068 1a34 d068 c3a7 a41a 0c9a 0d34000000b0: 641a 0646 8346 4003 4d34 1a68 6806 9a06000000c0: 9a64 d064 001a 0681 a343 10d0 d00d 1840000000d0: 01a3 21a0 68c9 a050 008a 0009 619a 9541000000e0: 25d5 8bc0 0ff3 e679 7fd0 31b2 c784 e7f7000000f0: 8fcb 33b8 28a5 bf86 4ac4 274f ce21 eeea00000100: 2c19 2633 60e9 ddd1 8d60 18e9 b189 4a9400000110: 3a14 ee61 ac8d d369 f545 a964 2617 f1fd00000120: 72dc 51d1 e601 1071 745d 846c 4677 4ba200000130: 0562 5d79 894a 9150 dfe1 8083 e4c0 896f00000140: b75c d58b 4264 021c 625c c4f2 816a 890700000150: 8b80 2b3e 4d2a f1b3 4fb4 6cee a869 131600000160: c318 cdb5 b1cd 21c4 a23a 0297 65ae 8a2a00000170: 0cd2 0864 8a47 ed68 48f3 a65f 5803 dc9f00000180: b2e5 bbe0 daac 3d56 8c8b 4181 510f 017f00000190: 1328 9a47 6027 62c1 e4b4 db74 bb3a 9455000001a0: 07dd fd5b 19b5 e522 32e0 9b3e a3cf 0189000001b0: 4d9a 5edb 27be 1855 880f 7517 0ec0 a878000001c0: 2ee0 92a3 e339 4138 5cb7 517a a8b7 4dab000001d0: 8645 a681 214b 7f27 0cee 8ee5 3f4b 3a60000001e0: 530a 74b2 8acf 9044 e73c ca09 0d28 e5b4000001f0: 1471 0963 4a9c 3b75 73c0 4057 0c9c d0f2 .00000200: 132a bb2c cc84 29cf 3568 9101 0a77 f03300000210: 41a4 8cfa f520 3ed5 8a4a 9528 1314 7b3200000220: 87c6 4825 698a 921e e1da 8f2d 4237 2da100000230: 3f68 051d fe05 08cb 096d 4a17 ed35 213000000240: 9d75 6c2f a414 8003 e650 ea14 4eb1 5fe200000250: ee48 a70a 121d 448d 15c0 8914 1b20 4102 .00000260: 0000
Character evaluations can be added with the-c option:
0000000 0 1 2 3 4 5 6 7 8 9 A B C D E F 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 460000020 \n / * * * * * * * * * * * * * 0a 2f 2a 20 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a0000040 * * * * * * * * * * * * * * * * 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a0000100 * * * / \n \t T a b l e w i t 2a 2a 20 2a 2f 0a 09 54 61 62 6c 65 20 77 69 740000120 h T A B s ( 0 9 ) \n \t 1 \t \t 68 20 54 41 42 73 20 28 30 39 29 0a 09 31 09 090000140 2 \t \t 3 \n \t 3 . 1 4 \t 6 . 2 8 \t 32 09 09 33 0a 09 33 2e 31 34 09 36 2e 32 38 090000160 9 . 4 2 \n 39 2e 34 32 0a 0000165
In this output the TAB characters are displayed as\t and NEWLINE characters as\n.
In theCP/M 8-bit operating system used on early personal computers, the standardDUMP program would list a file 16 bytes per line with the hex offset at the start of the line and the ASCII equivalent of each byte at the end.[3]: 1-41, 5-40–5-46 Bytes outside the standard range of printable ASCII characters (20 to 7E) would be displayed as a single period for visual alignment. This same format was used to display memory when invoking the D command in the standard CP/MdebuggerDDT.[3]: 4-5 Later incarnations of the format (e.g. in the DOS debuggerDEBUG) changed the space between the 8th and 9th byte to a dash, without changing the overall width.
This notation has been retained in operating systems that were directly or indirectly derived from CP/M, includingDR-DOS,MS-DOS/PC DOS,OS/2 andWindows. On Linux systems, the command hexcat produces this classic output format, too. The main reason for the design of this format is that it fits the maximum amount of data on a standard 80-character-wide screen or printer, while still being very easy to read and skim visually.
1234:0000:57696B6970656469612C207468652066Wikipedia, the f1234:0010:72656520656E6379636C6F7065646961ree encyclopedia1234:0020:207468617420616E796F6E652063616Ethat anyone can1234:0030:20656469740000000000000000000000edit...........
Here the leftmost column represents the address at which the bytes represented by the following columns are located. CP/M and variousDOS systems ran inreal mode on thex86CPUs, where addresses are composed of two parts (base and offset).
In the above examples the final 00s are non-existent bytes beyond the end of the file. Some dump tools display other characters so that it is clear they are beyond the end of the file, typically using spaces or asterisks, e.g.:
1234:0000:57696B6970656469612C207468652066Wikipedia, the f1234:0010:72656520656E6379636C6F7065646961ree encyclopedia1234:0020:207468617420616E796F6E652063616Ethat anyone can1234:0030:2065646974edit
or
1234:0000:57696B6970656469612C207468652066Wikipedia, the f1234:0010:72656520656E6379636C6F7065646961ree encyclopedia1234:0020:207468617420616E796F6E652063616Ethat anyone can1234:0030:2065646974**********************edit