kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp

kexec-tools-1.102pre-164.el5 之前的有问题

kexec-tools-1.102pre-154.el5 会直接进入 dump.img,于是便看到单CPU在跑,内存只有crashkernel中大小的情况。但是指定了ext /dev/sd* 后就能正常。其他问题就是它通过网络时只会走eth0,不然就失败。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
e2fsck 1.38 (30-Jun-2005)
fsck.ext3: while determining whether /dev/sda2 is mounted.
/: recovering journal
/: clean, 100877/4653056 files, 1236284/4648809 blocks
Mounting root filesystem.
Trying mount -t ext4 /dev/sda2 /sysroot
Trying mount -t ext3 /dev/sda2 /sysroot
Using ext3 on root filesystem
Switching to new root and running init.
^MINIT: version 2.86 booting^M
	        Welcome to  CentOS release 5.8 (Final)
	        Press 'I' to enter interactive startup.
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
Setting clock  (utc): Tue Aug  5 19:18:49 PDT 2014 [  OK  ]^M
Starting udev: [  OK  ]^M

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kexec-tools-1.102pre-154.el5.src.rpm

vim mkdumprd


https://bugzilla.redhat.com/show_bug.cgi?id=788678

Hmm, after a second thought, did you put the block device mounted on /var into your /etc/kdump.conf? Something like:

ext3 /dev/sdbX #the device mounted on /var path crash #relative path inside /var

? Please share your kdump.conf if possible.

Thanks!

The point is to not touch the default kdump.conf, and mkdumprd should just work, like it does in RHEL6.

If I do put the ext3 and path directives into kdump.conf, then of course things work fine, but it shouldn’t be needed for the stock case where you just want to dump to /var/crash on your local filesystem.

Yeah… I saw how RHEL6 handles this, will try to backport it to RHEL5. Thanks!

Created attachment 594144 detailsProposed Patch v3

Ok, let’s just remove the UUID converting code.

Yep - it works now!

… almost. I’m pretty sure that the RHEL6 default mkdumprd uses makedumpfile by default so it isn’t just using “cp” to create the vmcore file.

The currently-patched version appears to just use “cp” instead.

Yeah, this is expected, because we don’t have a chance to change the default core_collector to makedumpfile on RHEL5, so “cp” is still the default one. :)

Thanks for testing!

log_buf(ring buffer)(syslog)(printk)

printk 的输出都是保存在log_buf里的

How to read it the ring buffer? Here is a beautiful illustration from IBM Developerworks dmesg would be your first resort! How does dmesg accomplish its task? By a call to syslog()! How does syslog do its job? Through the system call interface which in turn call do_syslog(). do_syslog() does the finishing act like this

alt

// 模仿kernel/printk.c中do_syslog,在module 中读printk输出的最后4k

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
char **log_buf;
int *log_buf_len, *log_start, *log_end;

int MASK;
int end, len;
unsigned i, j, limit, count;
char c;
int ret;


log_buf = (char**) 0xffffffff803270e0;
log_buf_len = (int*)0xffffffff803270d8;
log_start = (int*) 0xffffffff804eabd0;
log_end = (int*) 0xffffffff804eabe0;

i = 0;
end = *log_end;
len = *log_buf_len;
MASK = len - 1;

count = L;
if (count > len) count = len;
limit = end;

for (i=0;i<count;i++) {
        j = limit-1-i;
        c = *(*log_buf + (j&MASK));
        if (c == '\0') c = '\n';
        buf[count-1-i] = c;
}

// 输出

file = filp_open(file_path, O_RDWR|O_CREAT|O_APPEND, 0777);
if(IS_ERR(file)) {
        printk("Open file %s failed..\n", file_path);
        return 0;
}
old_fs = get_fs();
set_fs(get_ds());
ret = file->f_op->write(file, buf, i, &file->f_pos);
file->f_op->fsync(file, file->f_dentry, 0);
set_fs(old_fs);
filp_close(file, NULL);

kdump conf

cat /etc/kdump.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# Configures where to put the kdump /proc/vmcore files
#
# This file contains a series of commands to perform (in order) when a
# kernel crash has happened and the kdump kernel has been loaded.  Directives in
# this file are only applicable to the kdump initramfs, and have no effect if
# the root filesystem is mounted and the normal init scripts are processed
#
# Currently only one dump target and path may be configured at a time. If dump
# to configured dump target fails, the default action will be preformed.
# Default action may be configured with the "default" directive below.
#
# Basics commands supported are:
# path <path>           - Append path to the filesystem device which you are
#                         dumping to.  Ignored for raw device dumps.
#                         If unset, will default to /var/crash.
#
# core_collector <command> <options>
#                       - This allows you to specify the command to copy the
#                         vmcore.  You could use the dump filtering program
#                         makedumpfile, the default one, to retrieve your core,
#                         which on some arches can drastically reduce core file
#                         size. See /usr/sbin/makedumpfile --help for a list of
#                         options. Note that the -i and -g options are not
#                         needed here, as the initrd will automatically be
#                         populated with a config file appropriate for the
#                         running kernel.
#                         For ssh dump, scp should be used instead of cp.
#
# raw <partition>       - Will write /proc/vmcore into raw <partition>.
#
# nfs <nfs mount>       - Will mount fs and copy /proc/vmcore to
#                         <mnt>/<path>/%HOST-%DATE/, supports DNS.
#
# nfs4 <nfs mount>      - Will use NFSv4 instead of NFSv3
#
# net <nfs mount>       - This is a deprecated option to transfer vmcore over
#                         nfs.  Use "nfs" option instead.
#
# ssh <user@server>     - Will copy /proc/vmcore to
#                         <user@server>:<path>/%HOST-%DATE/ via SSH,
#                         supports DNS. If makedumpfile is the core_collector,
#                         it is piped to an "ssh" shell, otherwise use the
#                         specified core_collector like scp.
#                         NOTE: make sure user has necessary write
#                         permissions on server
#
# net <user@server>     - This is a deprecated option to transfer vmcore over
#                         ssh.  Use "ssh" option instead.
#
# <fs type> <partition> - Will mount -t <fs type> <partition> /mnt and copy
#                         /proc/vmcore to /mnt/<path>/127.0.0.1-%DATE/.
#                         NOTE: <partition> can be a device node, label or uuid.
#
# disk_timeout <seconds>
#                       - Number of seconds to wait for disks to appear prior
#                         to continue to save dump. By default kdump waits
#                         180 seconds for the disks to show up it needs. This
#                         can be useful in some cases if disk never shows up
#                         (Either because disk was removed or because kdump is
#                         waiting on wrong disk).
#
# link_delay <seconds>
#                       - Some network cards take a long time to initialize, and
#                         some spanning tree enabled networks do not transmit
#                         user traffic for long periods after a link state
#                         changes.  This optional parameter defines a wait
#                         period after a link is activated in which the
#                         initramfs will wait before attempting to transmit
#                         user data.
#
# kdump_post <binary | script>
#                       - This directive allows you to run a specified
#                         executable just after the memory dump process
#                         terminates. The exit status from the dump process
#                         is fed to the kdump_post executable, which can be
#                         used to trigger different actions for success or
#                         failure.
#
# kdump_pre <binary | script>
#                       - works just like the kdump_post directive, but instead
#                         of running after the dump process, runs immediately
#                         before.  Exit status of this binary is interpreted
#                         as follows:
#                         0 - continue with dump process as usual
#                         non 0 - reboot/halt the system
#
# extra_bins <binaries | shell scripts>
#                       - This directive allows you to specify additional
#                         binaries or shell scripts you'd like to include in
#                         your kdump initrd. Generally only useful in
#                         conjunction with a kdump_post binary or script that
#                         relies on other binaries or scripts.
#
# extra_modules <module(s)>
#                       - This directive allows you to specify extra kernel
#                         modules that you want to be loaded in the kdump
#                         initrd, typically used to set up access to
#                         non-boot-path dump targets that might otherwise
#                         not be accessible in the kdump environment. Multiple
#                         modules can be listed, separated by a space, and any
#                         dependent modules will automatically be included.
#                         Module name should be specified without ".ko" suffix.
#
# options <module> <option list>
#                       - This directive allows you to specify options to apply
#                         to modules in the initramfs.  This directive overrides
#                         options specified in /etc/modprobe.conf. Module name
#                         should be specified without ".ko" suffix.
#
# blacklist <module|directory>
#                       - Prevents modules from being loaded in the initframfs,
#                         either directly during auto-created insmod calls or as
#                         a dependency of another module load. A specific module
#                         or a directory can be specified. In the latter case,
#                         all modules found below the specified directory will
#                         be excluded. This directive can be specified multiple
#                         times or as a space separated list. Module name should
#                         be specified without ".ko" suffix.
#
# sshkey <path>
#                       - Specifies the path of the ssh identity file you want
#                         to use when doing ssh dump. It must be a private key,
#                         the default value is /root/.ssh/kdump_id_rsa. When
#                         progagating public key, the key is assumed to be
#                         identity_file.pub which by default is
#                         /root/.ssh/kdump_id_rsa.pub.
#
# default <reboot | halt | poweroff | shell | mount_root_run_init>
#                       - Action to preform in case dumping to intended target
#                         fails. If no default action is specified, "reboot"
#                         is assumed default.
#
#                         reboot: If the default action is reboot simply reboot
#                                 the system and loose the core that you are
#                                 trying to retrieve.
#                         halt:   If the default action is halt, then simply
#                                 halt the system after attempting to capture
#                                 a vmcore, regardless of success or failure.
#                         poweroff: The system will be powered down
#                         shell:  If the default action is shell, then drop to
#                                 an hush session inside the initramfs from
#                                 where you can try to record the core manually.
#                                 Exiting this shell reboots the system.
#            mount_root_run_init: Mount root filesystem and run init. Kdump
#                                   initscript will try to save dump to root
#                                   filesystem in /var/crash dir. This will
#                                   likely require a lot more memory to
#                                   be reserved for kdump kernel.
#
# debug_mem_level <0-3>
#                       - Turns on debug/verbose output of kdump scripts
#                         regarding free/used memory at various points of
#                         execution. Higher level means more debugging output.
#                         0 - no output
#                         1 - partial /proc/meminfo
#                         2 - /proc/meminfo
#                         3 - /proc/meminfo + /proc/slabinfo
#
# force_rebuild <0 | 1>
#                       - By default, kdump initrd only will be rebuilt when
#                         necessary. Specify 1 here to force rebuilding kdump
#                         initrd every time when kdump service starts.

暴力密码破解工具--关键在于字典

http://www.ha97.com/5186.html

  • PS:这款暴力密码破解工具相当强大,支持几乎所有协议的在线密码破解,其密码能否被破解关键在于字典是否足够强大。对于社会工程型渗透来说,有时能够得到事半功倍的效果。

一、简介

hydra是著名黑客组织thc的一款开源的暴力密码破解工具,可以在线破解多种密码。官 网:http://www.thc.org/thc-hydra ,可支持AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP等类型密码。

二、安装

如果是Debian和Ubuntu发行版,源里自带hydra,直接用apt-get在线安装:

1
sudo apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev hydra

Redhat/Fedora发行版的下载源码包编译安装,先安装相关依赖包:

1
yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel

hydra下载地址: http://www.thc.org/releases/hydra-7.3.tar.gz

1
2
3
4
5
# tar zxvf hydra-7.0-src.tar.gz
# cd hydra-7.0-src
# ./configure
# make
# make install

hydra支持GUI图形界面。

三、参数说明

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
-R 继续从上一次进度接着破解。
-S 采用SSL链接。
-s PORT 可通过这个参数指定非默认端口。
-l LOGIN 指定破解的用户,对特定用户破解。
-L FILE 指定用户名字典。
-p PASS 小写,指定密码破解,少用,一般是采用密码字典。
-P FILE 大写,指定密码字典。
-e ns 可选选项,n:空密码试探,s:使用指定用户和密码试探。
-C FILE 使用冒号分割格式,例如“登录名:密码”来代替-L/-P参数。
-M FILE 指定目标列表文件一行一条。
-o FILE 指定结果输出文件。
-f 在使用-M参数以后,找到第一对登录名或者密码的时候中止破解。
-t TASKS 同时运行的线程数,默认为16。
-w TIME 设置最大超时的时间,单位秒,默认是30s。
-v / -V 显示详细过程。

server 目标ip service 指定服务名,支持的服务和协议:telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp等等。 OPT 可选项

四、各种用法实例

简单演示:

破解成功,直接显示结果,上图画红线的地方就是破解出来的密码,也可以通过参数-o输出到文件里。如果字典够强大,结合社工,密码不用很久就出来。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
1、破解ssh:
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip ssh
hydra -l 用户名 -p 密码字典 -t 线程 -o save.log -vV ip ssh

2、破解ftp:
hydra ip ftp -l 用户名 -P 密码字典 -t 线程(默认16) -vV
hydra ip ftp -l 用户名 -P 密码字典 -e ns -vV

3、get方式提交,破解web登录:
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip http-get /admin/
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns -f ip http-get /admin/index.php

4、post方式提交,破解web登录:
hydra -l 用户名 -P 密码字典 -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"


hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"

(参数说明:-t同时线程数3,-l用户名是admin,字典pass.txt,保存为out.txt,
-f 当破解了一个密码就停止, 10.36.16.18目标ip,
http-post-form表示破解是采用http的post方式提交的表单密码破解,
<title>中 的内容是表示错误猜解的返回信息提示。)

5、破解https:
hydra -m /index.php -l muts -P pass.txt 10.36.16.18 https

6、破解teamspeak:
hydra -l 用户名 -P 密码字典 -s 端口号 -vV ip teamspeak

7、破解cisco:
hydra -P pass.txt 10.36.16.18 cisco
hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable

8、破解smb:
hydra -l administrator -P pass.txt 10.36.16.18 smb

9、破解pop3:
hydra -l muts -P pass.txt my.pop3.mail pop3

10、破解rdp:
hydra ip rdp -l administrator -P pass.txt -V

11、破解http-proxy:
hydra -l admin -P pass.txt http-proxy://10.36.16.18

12、破解imap:
hydra -L user.txt -p secret 10.36.16.18 imap PLAIN
hydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac11]:143/PLAIN

makedumpfile.8

makedumpfile.8

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
NAME

       makedumpfile - make a small dumpfile of kdump

SYNOPSIS

       makedumpfile    [OPTION] [-x VMLINUX|-i VMCOREINFO] VMCORE DUMPFILE
       makedumpfile -F [OPTION] [-x VMLINUX|-i VMCOREINFO] VMCORE
       makedumpfile -R DUMPFILE
       makedumpfile   --split   [OPTION]  [-x  VMLINUX|-i  VMCOREINFO]  VMCORE
       DUMPFILE1 DUMPFILE2 [DUMPFILE3 ..]
       makedumpfile --reassemble DUMPFILE1 DUMPFILE2 [DUMPFILE3 ..] DUMPFILE
       makedumpfile -g VMCOREINFO -x VMLINUX
       makedumpfile  -E  [--xen-syms   XEN-SYMS|--xen-vmcoreinfo   VMCOREINFO]
       VMCORE DUMPFILE
       makedumpfile --dump-dmesg [-x VMLINUX|-i VMCOREINFO] VMCORE LOGFILE
       makedumpfile -h
       makedumpfile -v

DESCRIPTION

       With  kdump,  the  memory  image  of the first kernel (called "panicked
       kernel") can be taken as /proc/vmcore while the second  kernel  (called
       "kdump   kernel"   or  "capture  kernel")  is  running.  This  document
       represents /proc/vmcore as VMCORE. makedumpfile makes a small  DUMPFILE
       by  compressing  dump  data  or  by  excluding  unnecessary  pages  for
       analysis,  or  both.  makedumpfile  needs  the  first  kernel's   debug
       information,  so that it can distinguish unnecessary pages by analyzing
       how the first kernel uses the memory.  The  information  can  be  taken
       from VMLINUX or VMCOREINFO.

       makedumpfile  can  exclude  the  following types of pages while copying
       VMCORE to DUMPFILE, and a user can choose which type of pages  will  be
       excluded.
       - Pages filled with zero
       - Cache pages
       - User process data pages
       - Free pages

       makedumpfile  provides  two  DUMPFILE  formats  (the ELF format and the
       kdump-compressed format). By default, makedumpfile makes a DUMPFILE  in
       the  kdump-compressed  format.  The kdump-compressed format is readable
       only with the crash utility, and it can be smaller than the ELF  format
       because of the compression support. The ELF format is readable with GDB
       and the crash utility.  If a user wants to use GDB, DUMPFILE format has
       to be explicitly specified to be the ELF format.

       To  analyze  the first kernel's memory usage, makedumpfile can refer to
       VMCOREINFO instead of VMLINUX. VMCOREINFO contains the  first  kernel's
       information  (structure  size,  field  offset, etc.), and VMCOREINFO is
       small enough to be included into the second kernel's initrd.
       If the second kernel is running on its initrd without mounting  a  root
       file  system,  makedumpfile  cannot refer to VMLINUX because the second
       kernel's initrd cannot include a large file like VMLINUX. To solve  the
       problem,  makedumpfile  makes  VMCOREINFO  beforehand, and it refers to
       VMCOREINFO instead of VMLINUX while the second kernel is running.
       VMCORE has contained VMCOREINFO since linux-2.6.24, and a user does not
       need to specify neither -x nor -i option.

       If the second kernel is running on its initrd without mounting any file
       system, a user needs to transport the dump data to a  remote  host.  To
       transport  the  dump data by SSH, makedumpfile outputs the dump data in
       the intermediate format (the flattened format) to the standard  output.
       By piping the output data to SSH, a user can transport the dump data to
       a remote host. Note that  analysis  tools  cannot  read  the  flattened
       format directly, so on a remote host the received data in the flattened
       format needs  to  be  rearranged  to  a  readable  DUMPFILE  format  by
       makedumpfile (or makedumpfile-R.pl).

       makedumpfile can read a DUMPFILE in the kdump-compressed format instead
       of VMCORE and re-filter it. This feature is useful  in  situation  that
       users need to reduce the file size of DUMPFILE for sending it somewhere
       by ftp/scp/etc. (If all of the page types, which are specified by a new
       dump_level,  are  excluded  from  an  original  DUMPFILE already, a new
       DUMPFILE is the same as an original DUMPFILE.)
       For example, makedumpfile can create a DUMPFILE of dump_level  31  from
       the one of dump_level 3 like the following:
       Example:
       # makedumpfile -c -d 3 /proc/vmcore dumpfile.1
       # makedumpfile -c -d 31 dumpfile.1 dumpfile.2

OPTIONS

       -c     Compress dump data by each page.
              A  user  cannot  specify this option with -E option, because the
              ELF format does not support compressed data.
              Example:
              # makedumpfile -c -d 31 -x vmlinux /proc/vmcore dumpfile

       -d dump_level
              Specify the type of unnecessary page for analysis.
              Pages of the specified type are not copied to DUMPFILE. The page
              type  marked  in  the  following  table  is excluded. A user can
              specify multiple page types by setting the sum of each page type
              for  dump_level.  The  maximum  of dump_level is 31. Note that a
              dump_level for Xen dump filtering is 0 or 1 on a  machine  other
              than  x86_64  (On an x86_64 machine, it is possible to specify 2
              or bigger as a dump_level).
              If specifying  multiple  dump_levels  with  the  delimiter  ',',
              makedumpfile  retries  to  create a DUMPFILE by other dump_level
              when "No  space  on  device"  error  happens.  For  example,  if
              dump_level  is  "11,31" and makedumpfile fails by dump_level 11,
              makedumpfile retries it by dump_level 31.
              Example:
              # makedumpfile -d 11 -x vmlinux /proc/vmcore dumpfile
              # makedumpfile -d 11,31 -x vmlinux /proc/vmcore dumpfile

                dump | zero | cache|cache  | user | free
               level | page | page |private| data | page
              -------+------+------+-------+------+------
                   0 |      |      |       |      |
                   1 |  X   |      |       |      |
                   2 |      |  X   |       |      |
                   3 |  X   |  X   |       |      |
                   4 |      |  X   |  X    |      |
                   5 |  X   |  X   |  X    |      |
                   6 |      |  X   |  X    |      |
                   7 |  X   |  X   |  X    |      |
                   8 |      |      |       |  X   |
                   9 |  X   |      |       |  X   |
                  10 |      |  X   |       |  X   |
                  11 |  X   |  X   |       |  X   |
                  12 |      |  X   |  X    |  X   |
                  13 |  X   |  X   |  X    |  X   |
                  14 |      |  X   |  X    |  X   |
                  15 |  X   |  X   |  X    |  X   |
                  16 |      |      |       |      |  X
                  17 |  X   |      |       |      |  X
                  18 |      |  X   |       |      |  X
                  19 |  X   |  X   |       |      |  X
                  20 |      |  X   |  X    |      |  X
                  21 |  X   |  X   |  X    |      |  X
                  22 |      |  X   |  X    |      |  X
                  23 |  X   |  X   |  X    |      |  X
                  24 |      |      |       |  X   |  X
                  25 |  X   |      |       |  X   |  X
                  26 |      |  X   |       |  X   |  X
                  27 |  X   |  X   |       |  X   |  X
                  28 |      |  X   |  X    |  X   |  X
                  29 |  X   |  X   |  X    |  X   |  X
                  30 |      |  X   |  X    |  X   |  X
                  31 |  X   |  X   |  X    |  X   |  X

       -E     Create DUMPFILE in the ELF format.
              This option cannot be specified with -c option, because the  ELF
              format does not support compressed data.
              Example:
              # makedumpfile -E -d 31 -x vmlinux /proc/vmcore dumpfile

       -f     Force existing DUMPFILE to be overwritten.
              Example:
              # makedumpfile -f -d 31 -x vmlinux /proc/vmcore dumpfile
              This command overwrites DUMPFILE even if it already exists.

       -x VMLINUX
              Specify  the  first  kernel's  VMLINUX with debug information to
              analyze the first kernel's memory usage.
              This option is necessary if VMCORE does not contain  VMCOREINFO,
              [-i VMCOREINFO] is not specified, and dump_level is 2 or more.
              The  page  size of the first kernel and the second kernel should
              match.
              Example:
              # makedumpfile -d 31 -x vmlinux /proc/vmcore dumpfile

       -i VMCOREINFO
              Specify VMCOREINFO instead of VMLINUX for  analyzing  the  first
              kernel's memory usage.
              VMCOREINFO  should  be  made  beforehand by makedumpfile with -g
              option, and it contains the first kernel's information.
              This option is necessary if VMCORE does not contain  VMCOREINFO,
              [-x VMLINUX] is not specified, and dump_level is 2 or more.
              Example:
              # makedumpfile -d 31 -i vmcoreinfo /proc/vmcore dumpfile

       -g VMCOREINFO
              Generate  VMCOREINFO  from the first kernel's VMLINUX with debug
              information.
              VMCOREINFO must be generated on the system that is  running  the
              first  kernel.  With  -i  option,  a user can specify VMCOREINFO
              generated on the other system that is  running  the  same  first
              kernel. [-x VMLINUX] must be specified.
              Example:
              # makedumpfile -g vmcoreinfo -x vmlinux

       -F     Output  the  dump  data  in the flattened format to the standard
              output for transporting the dump data by SSH.
              Analysis tools cannot read the flattened  format  directly.  For
              analysis,  the  dump  data  in  the  flattened  format should be
              rearranged to a normal DUMPFILE (readable with  analysis  tools)
              by  -R  option. By which option is specified with -F option, the
              format of the rearranged DUMPFILE is fixed.  In other words,  it
              is  impossible to specify the DUMPFILE format when the dump data
              is rearranged with -R option. If specifying -E  option  with  -F
              option, the format of the rearranged DUMPFILE is the ELF format.
              Otherwise, it is the kdump-compressed format. All  the  messages
              are  output  to  standard  error  output  by  -F  option because
              standard output is used for the dump data.
              Example:
              # makedumpfile -F -c -d 31 -x vmlinux /proc/vmcore \
              | ssh user@host "cat > dumpfile.tmp"
              # makedumpfile -F -c -d 31 -x vmlinux /proc/vmcore \
              | ssh user@host "makedumpfile -R dumpfile"
              # makedumpfile -F -E -d 31 -i vmcoreinfo  /proc/vmcore \
              | ssh user@host "makedumpfile -R dumpfile"
              # makedumpfile -F -E --xen-vmcoreinfo VMCOREINFO /proc/vmcore \
              | ssh user@host "makedumpfile -R dumpfile"

       -R     Rearrange the  dump  data  in  the  flattened  format  from  the
              standard  input  to  a  normal  DUMPFILE (readable with analysis
              tools).
              Example:
              # makedumpfile -R dumpfile < dumpfile.tmp
              # makedumpfile -F -d 31 -x vmlinux /proc/vmcore \
              | ssh user@host "makedumpfile -R dumpfile"

              Instead of using -R option, a  perl  script  "makedumpfile-R.pl"
              rearranges  the  dump  data  in the flattened format to a normal
              DUMPFILE, too. The perl script does not depend on  architecture,
              and  most systems have perl command.  Even if a remote host does
              not have makedumpfile, it is possible to rearrange the dump data
              in  the flattened format to a readable DUMPFILE on a remote host
              by running this script.
              Example:
              # makedumpfile -F -d 31 -x vmlinux /proc/vmcore \
              | ssh user@host "makedumpfile-R.pl dumpfile"

       --split
              Split the dump  data  to  multiple  DUMPFILEs  in  parallel.  If
              specifying  DUMPFILEs on different storage devices, a device can
              share I/O load with other devices and it reduces time for saving
              the  dump  data.  The file size of each DUMPFILE is smaller than
              the system memory  size  which  is  divided  by  the  number  of
              DUMPFILEs.  This  feature  supports  only  the  kdump-compressed
              format.
              Example:
              # makedumpfile --split -d 31 -x vmlinux  /proc/vmcore  dumpfile1
              dumpfile2

       --reassemble
              Reassemble  multiple  DUMPFILEs,  which  are  created by --split
              option,  into  one  DUMPFILE.  dumpfile1   and   dumpfile2   are
              reassembled into dumpfile on the following example.
              Example:
              # makedumpfile --reassemble dumpfile1 dumpfile2 dumpfile

       --xen-syms XEN-SYMS
              Specify the XEN-SYMS with debug information to analyze the xen's
              memory  usage.   This  option  extracts  the  part  of  xen  and
              domain-0.  -E option must be specified with this option.
              Example:
              # makedumpfile -E --xen-syms xen-syms /proc/vmcore dumpfile

       --xen-vmcoreinfo VMCOREINFO
              Specify  VMCOREINFO  instead of XEN-SYMS for analyzing the xen's
              memory usage.
              VMCOREINFO should be made beforehand  by  makedumpfile  with  -g
              option,  and  it contains the xen's information.  -E option must
              be specified with this option.
              Example:
              #  makedumpfile  -E  --xen-vmcoreinfo  VMCOREINFO   /proc/vmcore
              dumpfile

       -X     Exclude  all  the user domain pages from Xen kdump's VMCORE, and
              extracts the part  of  xen  and  domain-0.  If  VMCORE  contains
              VMCOREINFO  for  Xen,  it is not necessary to specify --xen-syms
              and --xen-vmcoreinfo.  -E option must  be  specified  with  this
              option.
              Example:
              # makedumpfile -E -X /proc/vmcore dumpfile

       --xen_phys_start xen_phys_start_address
              This    option    is    only    for    x86_64.     Specify   the
              xen_phys_start_address, if the xen code/data is relocatable  and
              VMCORE does not contain xen_phys_start_address in the CRASHINFO.
              xen_phys_start_address can be taken from the line of "Hypervisor
              code  and  data" in /proc/iomem. For example, specify 0xcee00000
              as xen_phys_start_address if /proc/iomem is the following:
                -------------------------------------------------------
                # cat /proc/iomem
                ...
                  cee00000-cfd99999 : Hypervisor code and data
                ...
                -------------------------------------------------------

              Example:
              # makedumpfile -E -X  --xen_phys_start  0xcee00000  /proc/vmcore
              dumpfile

       --message-level message_level
              Specify the message types.
              Users  can  restrict outputs printed by specifying message_level
              with this option. The message type  marked  with  an  X  in  the
              following table is printed. For example, according to the table,
              specifying 7 as message_level means progress  indicator,  common
              message,  and  error  message are printed, and this is a default
              value. Note that the maximum value of message_level is 31.

               message | progress | common  | error   | debug   | report
               level   | indicator| message | message | message | message
              ---------+----------+---------+---------+---------+---------
                     0 |          |         |         |         |
                     1 |    X     |         |         |         |
                     2 |          |    X    |         |         |
                     3 |    X     |    X    |         |         |
                     4 |          |         |    X    |         |
                     5 |    X     |         |    X    |         |
                     6 |          |    X    |    X    |         |
                   * 7 |    X     |    X    |    X    |         |
                     8 |          |         |         |    X    |
                     9 |    X     |         |         |    X    |
                    10 |          |    X    |         |    X    |
                    11 |    X     |    X    |         |    X    |
                    12 |          |         |    X    |    X    |
                    13 |    X     |         |    X    |    X    |
                    14 |          |    X    |    X    |    X    |
                    15 |    X     |    X    |    X    |    X    |
                    16 |          |         |         |         |    X
                    17 |    X     |         |         |         |    X
                    18 |          |    X    |         |         |    X
                    19 |    X     |    X    |         |         |    X
                    20 |          |         |    X    |         |    X
                    21 |    X     |         |    X    |         |    X
                    22 |          |    X    |    X    |         |    X
                    23 |    X     |    X    |    X    |         |    X
                    24 |          |         |         |    X    |    X
                    25 |    X     |         |         |    X    |    X
                    26 |          |    X    |         |    X    |    X
                    27 |    X     |    X    |         |    X    |    X
                    28 |          |         |    X    |    X    |    X
                    29 |    X     |         |    X    |    X    |    X
                    30 |          |    X    |    X    |    X    |    X
                    31 |    X     |    X    |    X    |    X    |    X

       --vtop virtual_address
              This option is useful, when user debugs the translation  problem
              of  virtual  address. If specifing virtual_address, its physical
              address is printed. It makes debugging  easy  by  comparing  the
              output  of  this option with the one of "vtop" subcommand of the
              crash utility.  "--vtop"  option  only  prints  the  translation
              output, and it does not affect the dumpfile creation.

       --dump-dmesg
              This  option  overrides  the  normal  behavior  of makedumpfile.
              Instead of  compressing  and  filtering  a  VMCORE  to  make  it
              smaller,  it  simply  extracts  the  dmesg log from a VMCORE and
              writes it to the specified LOGFILE. If a VMCORE does not contain
              VMCOREINFO for dmesg, it is necessary to specfiy [-x VMLINUX] or
              [-i VMCOREINFO].

              Example:
              # makedumpfile --dump-dmesg /proc/vmcore dmesgfile
              # makedumpfile --dump-dmesg -x vmlinux /proc/vmcore dmesgfile

       -D     Print debugging message.

       -h     Show help message.

       -v     Show the version of makedumpfile.

ENVIRONMENT VARIABLES

       TMPDIR  This environment variable is  for  a  temporary  memory  bitmap
               file.   If  your machine has a lots of memory and you use tmpfs
               on /tmp, makedumpfile can fail for a little memory in  the  2nd
               kernel because makedumpfile makes a very large temporary memory
               bitmap file in this case. To avoid this failure, you can set  a
               TMPDIR  environment  variable.  If  you  do  not  set  a TMPDIR
               environment variable, makedumpfile uses /tmp  directory  for  a
               temporary bitmap file as a default.

DIAGNOSTICS

       makedumpfile exits with the following value.

       0 : makedumpfile succeeded.

       1 : makedumpfile failed without the following reasons.

       2  :  makedumpfile failed due to the different version between  VMLINUX
       and VMCORE.

       3 : makedumpfile failed due to the analysis error of the memory.

AUTHORS

       Written by Masaki Tachibana, and Ken'ichi Ohmichi.

precise (8) makedumpfile.8.gz

Provided by: makedumpfile_1.3.7-2_i386