
MEMDUMP(8) System Manager's Manual MEMDUMP(8)

NAME

memdump - memory dumper

SYNOPSIS


memdump [-kv] [-b buffer_size] [-d dump_size] [-m map_file] [-p page_size]

DESCRIPTION


This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory (/dev/mem).

Output is in the form of a raw dump; if necessary, use the -m option to capture memory layout information.

Output should be sent off-host over the network, to avoid changing all the memory in the file system cache. Use netcat, stunnel, or openssl, depending on your requirements.

The size arguments below understand the k (kilo), m (mega), and g (giga) suffixes. Suffixes are case insensitive.

Options

-k
Attempt to dump kernel memory (/dev/kmem) rather than physical memory.

Warning: this can lock up the system to the point that you have to use the power switch (for example, Solaris 8 on 64-bit SPARC).

Warning: this produces bogus results on Linux 2.2 kernels.

Warning: this is very slow on 64-bit machines because the entire memory address range has to be searched.

Warning: kernel virtual memory mappings change frequently. Depending on the operating system, mappings smaller than page_size or buffer_size may be missed or may be reported incorrectly.

-b buffer_size
Number of bytes per memory read operation. By default, the program uses the page_size value.

Warning: a too large read buffer size causes memory to be missed on FreeBSD or Solaris.

-d dump_size
Number of memory bytes to dump. By default, the program runs until the memory device reports an end-of-file (Linux), or until it has dumped from /dev/mem as much memory as reported present by the kernel (FreeBSD, Solaris), or until pointer wrap-around happens.

Warning: a too large value causes the program to spend a lot of time skipping over non-existent memory on Solaris systems.

Warning: a too large value causes the program to copy non-existent data on FreeBSD systems.

-m map_file
Write the memory map to map_file, one entry per line. Specify -m- to write to the standard error stream. Each map entry consists of a region start address and the first address beyond that region. Addresses are separated by space, and are printed as hexadecimal numbers (0xhhhh).

-p page_size
Use page_size as the memory page size. By default the program uses the system page size.

Warning: a too large page size causes memory to be missed while skipping over holes in memory.

-v
Enable verbose logging for debugging purposes. Multiple -v options make the program more verbose.
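
Because the raw dump skips holes, an offset in the dump file is not a physical address; the -m map is what relates the two. The following Python is an added example, not part of memdump: it parses the map format described above and translates in both directions, assuming the dump is the mapped regions concatenated in map order. The sample map and all function names are constructed for illustration.

```python
import bisect

# Constructed sample of a -m map file: one region per line, "start end" in
# hexadecimal, where end is the first address beyond the region.
# Assumption: the raw dump is these regions concatenated in map order.
SAMPLE_MAP = """\
0x0 0x9f000
0x100000 0x7fee0000
0x100000000 0x180000000
"""

def parse_map(text):
    """Return a list of (start, end, dump_offset) tuples, one per region."""
    regions, offset = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        start, end = (int(f, 16) for f in fields)
        if end <= start:
            raise ValueError(f"line {lineno}: empty or inverted region")
        if regions and start < regions[-1][1]:
            raise ValueError(f"line {lineno}: region overlaps or is out of order")
        regions.append((start, end, offset))
        offset += end - start
    return regions

def dump_size(regions):
    """Number of bytes a complete dump of these regions should contain."""
    return sum(end - start for start, end, _ in regions)

def phys_to_offset(regions, addr):
    """Dump-file offset of a physical address, or None if it lies in a hole."""
    i = bisect.bisect_right([r[0] for r in regions], addr) - 1
    if i < 0:
        return None
    start, end, off = regions[i]
    return off + (addr - start) if addr < end else None

def offset_to_phys(regions, offset):
    """Physical address of a dump-file offset, or None if outside the dump."""
    i = bisect.bisect_right([r[2] for r in regions], offset) - 1
    if i < 0:
        return None
    start, end, off = regions[i]
    addr = start + (offset - off)
    return addr if addr < end else None
```

Comparing dump_size() against the number of bytes received off-host is a quick check for a truncated transfer.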

BUGS


On many hardware platforms the firmware (boot PROM, BIOS, etc.) takes away some memory. This memory is not accessible through /dev/mem.

This program should produce output in a format that supports structure information such as ELF.

LICENSE

This software is distributed under the IBM Public License.

AUTHOR

Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
USA