Hexdump Commands
hexdump is a utility for displaying file contents in various formats including hexadecimal, octal, decimal, and ASCII. It’s complementary to od (octal dump) and provides flexible formatting for binary file inspection, forensic analysis, and data verification.
Installation
Linux/Ubuntu
sudo apt update
sudo apt install bsdmainutils
# or usually pre-installed
hexdump /usr/bin/lsmacOS
# Pre-installed
hexdump /usr/bin/lsBasic Hex Dumping
Simple Hex Display
# Display file in hex
hexdump file.bin
# Hex dump with addresses
hexdump -C file.bin
# Canonical format (standard)
hexdump -C file.bin
# Show first 256 bytes
hexdump -C -n 256 file.bin
# Display entire file
hexdump -C file.bin | tailOutput Formats
# One-byte octal display
hexdump -o file.bin
# One-byte hexadecimal
hexdump -x file.bin
# Two-byte hexadecimal (default)
hexdump file.bin
# One-byte decimal
hexdump -d file.bin
# ASCII display
hexdump -C file.bin | awk '{print $NF}'
# Canonical hex and ASCII
hexdump -C file.binFormatting Options
Column Layout
# 16 bytes per line (default with -C)
hexdump -C file.bin
# Custom column format
hexdump -e '16/1 "%02x " "\n"' file.bin
# 32 bytes per line
hexdump -e '32/1 "%02x " "\n"' file.bin
# 8 bytes per line
hexdump -e '8/1 "%02x " "\n"' file.bin
# Packed format (no spaces)
hexdump -e '16/1 "%02x"' -e '"\n"' file.bin
# With ASCII (equivalent to -C)
hexdump -C file.binAddress Display
# Hexadecimal address (default)
hexdump -C file.bin
# Decimal address
hexdump -A d file.bin 2>/dev/null || hexdump file.bin
# Octal address
hexdump file.bin
# No address offset
hexdump -v file.bin | cut -d' ' -f2-
# Show address prefix
hexdump file.bin | head -5Data Filtering and Limiting
Size Control
# Display only first 256 bytes
hexdump -C -n 256 file.bin
# Display first 1KB
hexdump -C -n 1024 file.bin
# Display from specific offset
hexdump -C -s 512 file.bin
# From offset with limit
hexdump -C -s 256 -n 512 file.bin
# Skip to byte offset 0x100
hexdump -C -s 0x100 file.bin
# Display from offset in decimal
hexdump -C -s 1024 file.bin
# Show last 256 bytes
tail -c 256 file.bin | hexdump -CAdvanced Formatting
Custom Format Strings
# Hex bytes in compact format
hexdump -e '16/1 "%02x " "\n"' file.bin
# Hex with ASCII annotation
hexdump -C file.bin
# Word-aligned hex (2 bytes)
hexdump -e '8/2 "%04x " "\n"' file.bin
# Double word (4 bytes)
hexdump -e '4/4 "%08x " "\n"' file.bin
# Mixed format
hexdump -e '8/1 "%02x " " | "' -e '8/1 "%_p" "\n"' file.bin
# Decimal and hex combined
hexdump -e '16/1 "%3d "' -e '"\n"' file.binSpecial Characters
# Verbose output (duplicate lines)
hexdump -C -v file.bin
# No duplicate suppression
hexdump -C -v file.bin
# Show repeating patterns
hexdump -C file.bin | head -20
# ASCII representation only
hexdump -C file.bin | awk '{print $NF}' | tr -d '\n'
# Printable characters only
hexdump -C file.bin | grep -oE '[[:print:]]'Comparison with od
Using od (octal dump)
# od equivalent to hexdump
od -A x -t x1z file.bin
# od with ASCII
od -A x -t x1z -N 256 file.bin
# od two-byte hex
od -A x -t x2 file.bin
# od decimal
od -A x -t d1 file.bin
# od octal
od -A o -t o1 file.bin
# Combined od and hexdump
echo "=== hexdump ===" && hexdump -C file.bin | head
echo "=== od ===" && od -A x -t x1z file.bin | headReal-World Applications
File Format Analysis
# Check PNG magic bytes
hexdump -C -n 16 image.png
# Verify PNG header
hexdump -C -n 8 image.png
# Should show: 89 50 4e 47 0d 0a 1a 0a
# Check ZIP signature
hexdump -C -n 4 archive.zip
# Should show: 50 4b 03 04
# Inspect PDF header
hexdump -C -n 10 document.pdf
# Should show: 25 50 44 46
# Check ELF magic
hexdump -C -n 4 /bin/ls
# Should show: 7f 45 4c 46
# View file signatures
hexdump -C -n 32 unknown.fileData Inspection
# Check for null bytes
hexdump -C file.bin | grep '00'
# Find string patterns
hexdump -C file.bin | grep 'hello'
# Verify data integrity
hexdump -C file1.bin > hex1.txt
hexdump -C file2.bin > hex2.txt
diff hex1.txt hex2.txt
# Extract readable strings with offset
hexdump -C file.bin | grep -oE '[a-zA-Z]{4,}'
# Monitor binary changes
watch -n 1 'hexdump -C -n 256 /tmp/file.bin'Forensic Analysis
# Analyze disk image
hexdump -C disk.img | head
# Search for patterns in disk
hexdump -C disk.img | grep 'content'
# Find file signatures
hexdump -C -s 0 -n 512 partition.img
# Analyze unallocated space
hexdump -C deleted_file.bin
# Extract metadata
hexdump -C document | strings | head
# Find compression headers
hexdump -C archive.bin | grep -E '1f 8b|42 5a|50 4b'Batch Processing
Processing Multiple Files
# Hex dump all files
for f in *.bin; do
echo "=== $f ==="
hexdump -C -n 64 "$f"
done
# Compare multiple files
for f in file*.bin; do
echo "$f:"
hexdump -C -n 16 "$f" | md5sum
done
# Create hex dump archive
find . -name "*.bin" -exec sh -c '
echo "=== {} ===" > {}.hex
hexdump -C "{}" >> {}.hex
' \;
# Find specific pattern across files
for f in *; do
[ -f "$f" ] && hexdump -C "$f" 2>/dev/null | grep -q 'deadbeef' && echo "Found in $f"
doneText Processing
# Extract just hex values
hexdump -e '16/1 "%02x " "\n"' file.bin
# Get addresses only
hexdump -C file.bin | awk '{print $1}'
# Extract ASCII portion
hexdump -C file.bin | awk '{print $NF}' | grep -v '^|'
# Create compact representation
hexdump -e '16/1 "%02x"' -e '"\n"' file.bin
# Count bytes
hexdump -e '1/1 "x"' file.bin | wc -cPerformance Considerations
Large File Handling
# Process first chunk only
head -c 4096 largefile | hexdump -C
# Process in parts
split -b 1M largefile chunk_
for f in chunk_*; do
echo "=== $f ==="
hexdump -C "$f" | head
done
# Efficient offset viewing
dd if=largefile bs=1 skip=0 count=256 2>/dev/null | hexdump -C
# Parallel processing
find . -name "*.bin" -print0 | xargs -0 -P4 -I {} sh -c '
echo "=== {} ===" > {}.hex
hexdump -C -n 512 {} >> {}.hex
'
# Memory-efficient with pipe
dd if=largefile bs=4K | hexdump -CAnalysis Techniques
Pattern Detection
# Find repeated patterns
hexdump -C file.bin | awk '{for(i=2;i<=NF;i++) print $i}' | sort | uniq -c | sort -rn
# Identify null sections
hexdump -C file.bin | grep -E '00 00 00 00'
# Find printable strings
hexdump -C file.bin | awk -F'|' '{print $NF}' | grep -oE '[[:print:]]{4,}'
# Entropy calculation (detection of encryption)
hexdump -C file.bin | awk '{for(i=2;i<=NF-1;i++) print $i}' | sort | uniq -c
# Check for compression
hexdump -C -n 4 file.bin | grep -E '1f 8b|42 5a'Statistical Analysis
# Byte frequency
hexdump -e '1/1 "%02x\n"' file.bin | sort | uniq -c | sort -rn | head
# Distribution analysis
hexdump -e '1/1 "%x\n"' file.bin | sort | uniq -c
# High entropy detection
hexdump -e '1/1 "%x"' file.bin | fold -w1 | sort | uniq -c | wc -l
# Zero byte count
hexdump -C file.bin | grep -o ' 00 ' | wc -l
# Non-zero count
hexdump -e '1/1 "%02x\n"' file.bin | grep -v '^00$' | wc -lTroubleshooting
# Verify file accessibility
hexdump -C file.bin > /dev/null && echo "Readable"
# Check file size and offset
ls -l file.bin
hexdump -C -s $(stat -f%z file.bin 2>/dev/null || stat -c%s file.bin) file.bin
# Validate format string
hexdump -C file.bin | head # verify output
# Compare with od output
hexdump -C file.bin | head
od -A x -t x1z file.bin | head
# Memory usage check
hexdump -C largefile | head | wc -lBest Practices
- Use -C (canonical format) for standard hex/ASCII display
- Use -n to limit output for large files
- Use -s to skip to relevant file sections
- Combine with grep and awk for data extraction
- Document hex patterns found during analysis
- Verify file signatures before processing
- Use od for alternative format when needed
- Maintain forensic integrity (copy before analysis)
- Document offsets of findings for reference
- Use appropriate byte-ordering for multi-byte values
Last updated: 2026-03-30