memdump - memory dumper
memdump [-kv] [-b buffer_size] [-d dump_size] [-m map_file] [-p
This program dumps system memory to the standard output stream,
skipping over holes in memory maps. By default, the program dumps the
contents of physical memory (/dev/mem).
Output is in the form of a raw dump; if necessary, use the -m option to
capture memory layout information.
Output should be sent off-host over the network, to avoid changing all
the memory in the file system cache. Use netcat, stunnel, or openssl,
depending on your requirements.
The size arguments below understand the k (kilo) m (mega) and g (giga)
suffixes. Suffixes are case insensitive.
-k Attempt to dump kernel memory (/dev/kmem) rather than physical
Warning: this can lock up the system to the point that you have
to use the power switch (for example, Solaris 8 on 64-bit
Warning: this produces bogus results on Linux 2.2 kernels.
Warning: this is very slow on 64-bit machines because the entire
memory address range has to be searched.
Warning: kernel virtual memory mappings change frequently.
Depending on the operating system, mappings smaller than
page_size or buffer_size may be missed or may be reported
-b buffer_size (default: 0)
Number of bytes per memory read operation. By default, the
program uses the page_size value.
Warning: a too large read buffer size causes memory to be missed
on FreeBSD or Solaris.
-d dump-size (default: 0)
Number of memory bytes to dump. By default, the program runs
until the memory device reports an end-of-file (Linux), or until
it has dumped from /dev/mem as much memory as reported present
by the kernel (FreeBSD, Solaris), or until pointer wrap-around
Warning: a too large value causes the program to spend a lot of
time skipping over non-existent memory on Solaris systems.
Warning: a too large value causes the program to copy non-
existent data on FreeBSD systems.
Write the memory map to map_file, one entry per line. Specify
-m- to write to the standard error stream. Each map entry
consists of a region start address and the first address beyond
that region. Addresses are separated by space, and are printed
as hexadecimal numbers (0xhhhh).
-p page_size (default: 0)
Use page_size as the memory page size. By default the program
uses the system page size.
Warning: a too large page size causes memory to be missed while
skipping over holes in memory.
-v Enable verbose logging for debugging purposes. Multiple -v
options make the program more verbose.
On many hardware platforms the firmware (boot PROM, BIOS, etc.) takes
away some memory. This memory is not accessible through /dev/mem.
This program should produce output in a format that supports structure
information such as ELF.
This software is distributed under the IBM Public License.
IBM T.J. Watson Research
P.O. Box 704