-
Notifications
You must be signed in to change notification settings - Fork 2
/
memdump.1
100 lines (95 loc) · 3.21 KB
/
memdump.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
.TH MEMDUMP 1
.ad
.fi
.SH NAME
memdump
\-
memory dumper
.SH SYNOPSIS
.na
.nf
.ad
.fi
\fBmemdump\fR [\fB-kv\fR] [\fB-b \fIbuffer_size\fR]
[\fB-d \fIdump_size\fR] [\fB-m \fImap_file\fR] [\fB-p \fIpage_size\fR]
.SH DESCRIPTION
.ad
.fi
This program dumps system memory to the standard output stream,
skipping over holes in memory maps.
By default, the program dumps the contents of physical memory
(\fB/dev/mem\fR).
Output is in the form of a raw dump; if necessary, use the \fB-m\fR
option to capture memory layout information.
Output should be sent off-host over the network, to avoid changing
all the memory in the file system cache. Use netcat, stunnel, or
openssl, depending on your requirements.
The size arguments below understand the \fBk\fR (kilo) \fBm\fR (mega)
and \fBg\fR (giga) suffixes. Suffixes are case insensitive.
Options
.IP \fB-k\fR
Attempt to dump kernel memory (\fB/dev/kmem\fR) rather than physical
memory.
.sp
Warning: this can lock up the system to the point that you have
to use the power switch (for example, Solaris 8 on 64-bit SPARC).
.sp
Warning: this produces bogus results on Linux 2.2 kernels.
.sp
Warning: this is very slow on 64-bit machines because the entire
memory address range has to be searched.
.sp
Warning: kernel virtual memory mappings change frequently. Depending
on the operating system, mappings smaller than \fIpage_size\fR or
\fIbuffer_size\fR may be missed or may be reported incorrectly.
.IP "\fB-b \fIbuffer_size\fR (default: 0)"
Number of bytes per memory read operation. By default, the program
uses the \fIpage_size\fR value.
.sp
Warning: a too large read buffer size causes memory to be missed on
FreeBSD or Solaris.
.IP "\fB-d \fIdump-size\fR (default: 0)"
Number of memory bytes to dump. By default, the program runs
until the memory device reports an end-of-file (Linux), or until
it has dumped from \fB/dev/mem\fR as much memory as reported present
by the kernel (FreeBSD, Solaris), or until pointer wrap-around happens.
.sp
Warning: a too large value causes the program to spend a lot of time
skipping over non-existent memory on Solaris systems.
.sp
Warning: a too large value causes the program to copy non-existent
data on FreeBSD systems.
.IP "\fB-m\fR \fImap_file\fR"
Write the memory map to \fImap_file\fR, one entry per line.
Specify \fB-m-\fR to write to the standard error stream.
Each map entry consists of a region start address and the first
address beyond that region. Addresses are separated by space,
and are printed as hexadecimal numbers (0xhhhh).
.IP "\fB-p \fIpage_size\fR (default: 0)"
Use \fIpage_size\fR as the memory page size. By default the program
uses the system page size.
.sp
Warning: a too large page size causes memory to be missed
while skipping over holes in memory.
.IP \fB-v\fR
Enable verbose logging for debugging purposes. Multiple \fB-v\fR
options make the program more verbose.
.SH BUGS
.ad
.fi
On many hardware platforms the firmware (boot PROM, BIOS, etc.)
takes away some memory. This memory is not accessible through
\fB/dev/mem\fR.
This program should produce output in a format that supports
structure information such as ELF.
.SH LICENSE
.na
.nf
This software is distributed under the IBM Public License.
.SH AUTHOR
.na
.nf
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
USA