wireshark: hexadecimal dump

What is a hexadecimal dump

  • On a computer, a hexadecimal dump is a hexadecimal view of the computer's data (on screen or paper), taken from RAM, a file, or a storage device.
  • Hexadecimal dumps are usually viewed as part of debugging or reverse engineering.
  • In a hexadecimal dump, each byte (8 bits) is represented as a two-digit hexadecimal number.
  • Hexadecimal dumps are usually organized into rows of eight or sixteen bytes, sometimes separated by spaces.
  • Some hexadecimal dumps have hexadecimal memory addresses at the beginning of each line or checksum bytes at the end.
  • Some common names for this program function are hexdump, od, xxd, simply dump, and even D.

hexdump

The hexdump command is generally used to view the hexadecimal encoding of binary files, but it is good for more than that. The manual page describes it as "ascii, decimal, hexadecimal, octal dump", which is why "hexadecimal" in the title of this article should be read loosely, and it can view any file, not just binary files. xxd and od can do similar things, but I've never used them. When a program outputs a file in binary format, hexdump is often used to check whether the output is correct. Of course, you can also use tools like UltraEdit32 on Windows to view a file's hexadecimal encoding, but there are ready-made tools on Linux, so why not use them?

Example: Confirm the format of a text file

Text files on different operating systems use different end-of-line markers, which often causes problems. For example, many commands on Linux do not handle DOS-formatted text files very well. Lines in text files under Windows/DOS end with \r\n, while lines in text files under Linux/Unix end with \n.

Example 1

[root@localhost oceanstar]# cat test.bc 
123*321
123/321
scale=4;123/321
[root@localhost oceanstar]# hexdump -C test.bc
00000000  31 32 33 2a 33 32 31 0a  31 32 33 2f 33 32 31 0a  |123*321.123/321.|
00000010  73 63 61 6c 65 3d 34 3b  31 32 33 2f 33 32 31 0a  |scale=4;123/321.|
00000020

Note: Hexadecimal representation of common ASCII characters

  • \r 0D
  • \n 0A
  • \t 09
  • The DOS/Windows line break \r\n has the hexadecimal representation 0D 0A
  • The Linux/Unix line break \n has the hexadecimal representation 0A (00000000  31 32 33 2a 33 32 31 0a  31 32 33 2f 33 32 31 0a  |123*321.123/321.|)
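The 0D 0A versus 0A check described above can be scripted instead of read by eye. The following is an added example, not part of the original article: the function name classify_eol is hypothetical, and it uses od (POSIX, and one of the similar tools named earlier) so that it also runs where hexdump is not installed.

```shell
#!/bin/sh
# classify_eol FILE
# Prints one word describing the line endings found in FILE:
#   crlf  - every 0a is preceded by 0d (DOS/Windows)
#   lf    - no 0a is preceded by 0d (Linux/Unix)
#   mixed - both styles occur in the same file
#   none  - the file contains no 0a byte at all
classify_eol() {
    # od -An: no offset column, -v: never collapse repeated lines,
    # -tx1: one two-digit hex value per byte
    od -An -v -tx1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "0a") {
                    if (prev == "0d") crlf++; else lf++
                }
                prev = $i          # carried across od output lines
            }
        }
        END {
            if (crlf && lf) print "mixed"
            else if (crlf)  print "crlf"
            else if (lf)    print "lf"
            else            print "none"
        }'
}

# Usage when run directly, for example: sh classify_eol.sh test.bc
if [ -n "$1" ] && [ -f "$1" ]; then
    classify_eol "$1"
fi
```

A result of mixed usually means the file was edited on both platforms.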

Example 2

cat >test.txt
ABCDEFGHIJKLMNODF12*DFDF

Parameter: -C, displays each byte of the file in hexadecimal together with the corresponding ASCII characters

[root@DB-Server ~]# hexdump -C test.txt 
00000000  41 42 43 44 45 46 47 48  49 4a 4b 4c 4d 4e 4f 44  |ABCDEFGHIJKLMNOD|
00000010  46 31 32 2a 44 46 44 46  0a                       |F12*DFDF.|
00000019
//-n limits the output to the first n bytes (here only ABCDE)
[root@DB-Server ~]# hexdump -C -n 5 test.txt 
00000000  41 42 43 44 45                                    |ABCDE|
00000005
//-s skips the first n bytes and starts the output after them (the leading ABCDE is not shown)
[root@DB-Server ~]# hexdump -C -s 5 test.txt 
00000005  46 47 48 49 4a 4b 4c 4d  4e 4f 44 46 31 32 2a 44  |FGHIJKLMNODF12*D|
00000015  46 44 46 0a                                       |FDF.|
00000019

Parameter: -c, displays the bytes of the file as ASCII characters

//Line breaks are shown, so this can be used to check whether a file uses Linux or Windows line breaks.
[root@DB-Server ~]# hexdump -c test.txt 
0000000   A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   D
0000010   F   1   2   *   D   F   D   F  \n                            
0000019

Parameter: -b, displays the bytes of the file in octal

//Each line shows 16 bytes; anything past 16 bytes in test.txt continues on a new line, and the last line may hold fewer than 16 bytes
[root@DB-Server ~]# hexdump -b test.txt 
0000000 101 102 103 104 105 106 107 110 111 112 113 114 115 116 117 104
0000010 106 061 062 052 104 106 104 106 012                            
0000019

Example: View binaries

Get ready

#include <stdio.h>
#include <stdlib.h>

int main() {
        FILE *fp_in;
        fp_in = fopen("test", "wb");
        if (fp_in == NULL) {
                printf("open test failed\n");
                return -1;
        }
        else {
                for (unsigned char i = 0; i < 100; i++) {
                        fwrite(&i ,sizeof(unsigned char), 1, fp_in);
                }
                fclose(fp_in);
        }
        return 0;
}

Operation

Compile:

[root@localhost oceanstar]# g++ main.cpp -o main  # Build the executable main; running ./main then writes the binary file test

View the generated executable with cat (the terminal shows unreadable binary)

[root@localhost oceanstar]# cat main

Formatted output of the file

$ hexdump main
0000000 457f 464c 0102 0001 0000 0000 0000 0000
0000010 0002 003e 0001 0000 0530 0040 0000 0000
0000020 0040 0000 0000 0000 1a00 0000 0000 0000
0000030 0000 0000 0040 0038 0009 0040 001f 001e
0000040 0006 0000 0005 0000 0040 0000 0000 0000
0000050 0040 0040 0000 0000 0040 0040 0000 0000
0000060 01f8 0000 0000 0000 01f8 0000 0000 0000
0000070 0008 0000 0000 0000 0003 0000 0004 0000
0000080 0238 0000 0000 0000 0238 0040 0000 0000
0000090 0238 0040 0000 0000 001c 0000 0000 0000
00000a0 001c 0000 0000 0000 0001 0000 0000 0000
00000b0 0001 0000 0005 0000 0000 0000 0000 0000
00000c0 0000 0040 0000 0000 0000 0040 0000 0000
00000d0 0874 0000 0000 0000 0874 0000 0000 0000
00000e0 0000 0020 0000 0000 0001 0000 0006 0000
00000f0 0de0 0000 0000 0000 0de0 0060 0000 0000
0000100 0de0 0060 0000 0000 0264 0000 0000 0000
0000110 0268 0000 0000 0000 0000 0020 0000 0000

... 

Formatted output of the first 10 bytes of the file test

$ hexdump -n 10 test
0000000 0100 0302 0504 0706 0908               
000000a

Formatted output of the first 80 bytes of the file, displayed in hexadecimal

$ hexdump -n 80 -C test
00000000  00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f  |................|
00000010  10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f  |................|
00000020  20 21 22 23 24 25 26 27  28 29 2a 2b 2c 2d 2e 2f  | !"#$%&'()*+,-./|
00000030  30 31 32 33 34 35 36 37  38 39 3a 3b 3c 3d 3e 3f  |0123456789:;<=>?|
00000040  40 41 42 43 44 45 46 47  48 49 4a 4b 4c 4d 4e 4f  |@ABCDEFGHIJKLMNO|
00000050
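Plain hexdump (without -C) prints 16-bit words in host byte order, so on a little-endian machine each pair of bytes appears swapped: 0100 0302 above is the byte sequence 00 01 02 03 that -C shows, and 457f 464c at the start of main is 7f 45 4c 46. The following is an added example, not part of the original article, that converts default-format output back to file byte order; the function name words_to_bytes is hypothetical, and it assumes a little-endian host and a dump without "*" lines (run hexdump -v).

```shell
#!/bin/sh
# words_to_bytes: read default-format `hexdump` output on stdin and print
# the bytes, space separated, in the order they appear in the file.
words_to_bytes() {
    awk '
    # Parse a lowercase hex string (POSIX awk has no strtonum).
    function hexval(s,    i, n) {
        n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return n
    }
    NF > 1 {                                   # data line: offset + words
        if (!seen) { start = hexval($1); seen = 1 }
        for (i = 2; i <= NF; i++) {
            bytes[count++] = substr($i, 3, 2)  # low byte comes first in the file
            bytes[count++] = substr($i, 1, 2)  # high byte comes second
        }
    }
    NF == 1 && $1 != "*" {                     # last line: end offset only
        total = hexval($1) - start
    }
    END {
        # An odd-length dump pads the last word with 00; the end offset
        # tells us how many bytes are real.
        if (total <= 0 || total > count) total = count
        out = ""
        for (i = 0; i < total; i++) out = out (i ? " " : "") bytes[i]
        print out
    }'
}

# Usage when run directly, for example: hexdump -v -n 10 test | sh words_to_bytes.sh
if [ ! -t 0 ]; then
    words_to_bytes
fi
```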

Formatted output of up to 200 bytes starting at offset 30, displayed in hexadecimal

$ hexdump -n 200 -C test -s 30
0000001e  1e 1f 20 21 22 23 24 25  26 27 28 29 2a 2b 2c 2d  |.. !"#$%&'()*+,-|
0000002e  2e 2f 30 31 32 33 34 35  36 37 38 39 3a 3b 3c 3d  |./0123456789:;<=|
0000003e  3e 3f 40 41 42 43 44 45  46 47 48 49 4a 4b 4c 4d  |>?@ABCDEFGHIJKLM|
0000004e  4e 4f 50 51 52 53 54 55  56 57 58 59 5a 5b 5c 5d  |NOPQRSTUVWXYZ[\]|
0000005e  5e 5f 60 61 62 63                                 |^_`abc|
00000064

Keywords: wireshark

Added by the DtTvB on Fri, 26 Nov 2021 20:05:27 +0200