Mastering the Linux hexdump Utility for Binary Analysis

The hexdump command is a versatile Linux utility used to inspect, filter, and display binary file data. By converting raw bytes into human-readable formats like hexadecimal, decimal, octal, or ASCII, it allows developers and system administrators to analyze file structures, debug data streams, and understand low-level data organization.

Basic Syntax and Preparation

Before diving into specific flags, let's create a sample binary file to analyze. The following command uses printf to generate a file containing specific byte values, including printable characters and null bytes.

# Create a binary file named 'demo.bin'
printf "\x48\x65\x6c\x6c\x6f\x00\x57\x6f\x72\x6c\x64\xFF" > demo.bin

# Verify file creation
ls -l demo.bin

Canonical Hexadecimal and ASCII Display (-C)

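The most frequently used format is the canonical (hex+ASCII) display, invoked with the -C flag. This output is divided into four columns: the file offset in hexadecimal, the byte values in hex (16 per line, in two groups of eight), the ASCII representation between | characters (periods for non-printable bytes), and, where consecutive lines are identical, a single * line in place of the repeats. The final line shows the total number of bytes read as a hexadecimal offset.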

$ hexdump -C demo.bin
00000000  48 65 6c 6c 6f 00 57 6f  72 6c 64 ff              |Hello.World.|
0000000c

One-Byte Octal Display (-b)

To view the data as one-byte octal values, use the -b option. This is useful when dealing with systems or protocols that rely on octal numbering, such as certain file permissions or legacy character encodings.

$ hexdump -b demo.bin
0000000 110 145 154 154 157 000 127 157 162 154 144 377
000000c

One-Byte Character Display (-c)

The -c flag interprets bytes as characters. It displays standard ASCII characters directly and represents special or non-printable characters using backslash escapes (e.g., \0 for null, \n for newline); any other non-printable byte, such as 0xFF here, appears as a three-digit octal value.

$ hexdump -c demo.bin
0000000   H   e   l   l   o  \0   W   o   r   l   d 377
000000c

Controlling Output Length and Offset

When working with large files, you often want to limit the output scope. The -n (length) option restricts the number of bytes processed, while -s (skip) ignores a specific number of bytes from the start of the file.

# Read only the first 5 bytes
$ hexdump -C -n 5 demo.bin
00000000  48 65 6c 6c 6f                                    |Hello|
00000005

# Skip the first 6 bytes (skipping "Hello" and the null byte) and read the rest
$ hexdump -C -s 6 demo.bin
00000006  57 6f 72 6c 64 ff                                 |World.|
0000000c

Multi-Byte Formats

For analyzing integers or wider data types, hexdump offers several two-byte display modes.

  • Two-byte hexadecimal (-x): Displays pairs of bytes in hex.
  • Two-byte decimal (-d): Displays pairs as unsigned decimal integers.
  • Two-byte octal (-o): Displays pairs as octal integers.

# Two-byte hexadecimal display; each pair is read in host byte order
# (little-endian here, so the bytes 48 65 print as 6548)
$ hexdump -x demo.bin
0000000    6548    6c6c    006f    6f57    6c72    ff64
000000c

Advanced Formatting

For precise control over the output layout, the -e (format string) option allows users to define custom iteration formats. This includes specifying byte grouping, line breaks, and specific conversions (e.g., "%08_ax" for offset). Format strings can also be loaded from a file using -f.

To suppress the merging of identical output lines, use the -v (no-squeezing) flag. This ensures every line of input is printed, which is crucial when tracking repetitive patterns in memory dumps.
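
The -e and -v options described above, combined in an added example that is not part of the original post: it builds a padded sample file, dumps it one 16-byte block per line with a custom format, and locates a marker by offset. The CFG1/END! layout, the function names and the script name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. The CFG1/END! layout and all names are constructed.

# Build an 80-byte sample: "CFG1" + 12 NULs, 48 NULs of padding,
# then "END!" + 12 NULs. Every region is aligned to a 16-byte block.
make_sample() {
    {
        printf 'CFG1'; head -c 12 /dev/zero
        head -c 48 /dev/zero
        printf 'END!'; head -c 12 /dev/zero
    } > "$1"
}

# Custom -e layout, one line per 16-byte block:
#   "%08_ax  "      offset of the block, 8 hex digits
#   16/1 "%02x "    16 iterations, 1 byte each, as two hex digits
#   16/1 "%_p"      the same 16 bytes as printable characters ('.' otherwise)
# -v prints every block, so line N always describes offset N*16.
dump_blocks() {
    hexdump -v -e '"%08_ax  " 16/1 "%02x "' -e '"  |" 16/1 "%_p" "|\n"' "$1"
}

# Count the "*" placeholder lines that the default (squeezed) -C output emits.
squeezed_markers() {
    hexdump -C "$1" | grep -c '^\*$'
}

# Print the offset of the first block whose printable column starts with $2.
marker_offset() {
    dump_blocks "$1" | awk -v m="|$2" 'index($0, m) { print $1; exit }'
}

# Optional demo: bash hexdump_blocks.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && make_sample "$f"
    hexdump -C "$f"            # the zero padding collapses into one "*" line
    dump_blocks "$f"           # all five blocks, one per line
    marker_offset "$f" 'END!'  # offset of the trailer block
    rm -f "$f"
fi
```

Because the squeezed output replaces a run of identical blocks with a single *, any script that counts lines or matches on offsets should read the -v form.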

Posted on Thu, 14 May 2026 22:48:41 +0000 by xentia