Hex Dump Explained
How to read hex dump output: the three-column layout, common tools, and practical applications for debugging and forensics.
What Is a Hex Dump?
A hex dump is a representation of binary data that shows each byte as a two-digit hexadecimal number, organized in rows with three columns: the byte offset, the hex values, and the ASCII interpretation. It is the standard way to inspect raw data in computing, used by debuggers, forensic tools, protocol analyzers, and hex editors.
The concept dates back to the earliest days of computing, when operators needed to examine memory contents. The format has remained virtually unchanged because it is optimized for the way humans process binary data: the hex column gives exact byte values, and the ASCII column provides contextual hints about the data's meaning.
Anatomy of a Hex Dump Line
Here is a single line from a hex dump of the text "Hello, World!":
00000000 48 65 6C 6C 6F 2C 20 57 6F 72 6C 64 21 |Hello, World!|This line contains three distinct sections:
1. Offset Column (00000000)
The leftmost value is the byte offset of the first byte on this line, expressed in hexadecimal. On the first line of a dump, this is always 00000000. The second line (if 16 bytes per line) shows 00000010 (16 in hex), the third shows 00000020 (32), and so on. This column lets you navigate to specific positions in the data.
In a file hex dump, the offset tells you the exact byte position from the start of the file. If you see an interesting pattern at offset 00000A40, you can jump directly to byte 2,624 (0xA40) using your hex editor or the dd command.
2. Hex Column (48 65 6C ...)
The center section shows each byte as two hex digits, separated by spaces. A standard hex dump shows 16 bytes per line, often split into two groups of 8 with an extra space between them. This grouping makes it easier to count positions and aligns with the 8-byte boundaries common in 64-bit systems.
If the last line of the file has fewer than 16 bytes, the remaining positions are filled with spaces to keep the ASCII column aligned. This padding is visible in our example, where "Hello, World!" is only 13 bytes: the last three positions are empty.
3. ASCII Column (|Hello, World!|)
The rightmost section shows the ASCII interpretation of each byte, enclosed in pipe characters. Printable ASCII characters (bytes 0x20 through 0x7E) are shown as-is. Non-printable bytes (control characters, high-byte values) are replaced with a dot (.). This column gives instant visual context: you can often identify text strings, embedded filenames, URLs, and other human-readable content at a glance.
Common Hex Dump Tools
xxd
The most widely used hex dump tool on Unix-like systems. Bundled with Vim, it produces the standard three-column format shown above. It can also reverse a hex dump back into binary data with the -r flag.
# Basic hex dump
xxd file.bin
# Dump first 64 bytes
xxd -l 64 file.bin
# Reverse: hex dump back to binary
xxd -r dump.txt > output.bin
# Plain hex output (no offset/ASCII)
xxd -p file.binhexdump / hd
Another standard Unix tool, often aliased as hd. It offers more formatting flexibility through format strings but is less commonly used than xxd.
# Canonical hex dump (same layout as xxd)
hexdump -C file.bin
# First 32 bytes
hexdump -C -n 32 file.binod (Octal Dump)
The oldest of the three, od defaults to octal output but can produce hex with the -A x -t x1z flags. Rarely used directly now, but it exists on every Unix system.
Reading Hex Dumps in Practice
Identifying Text Strings
Look at the ASCII column for recognizable words. In binary files, embedded strings (error messages, configuration keys, format identifiers) stand out clearly against the dots of non-printable bytes. The strings command extracts these automatically, but a hex dump shows their exact byte positions.
Spotting Patterns and Repetition
Repeated byte sequences are immediately visible in the hex column. A run of 00 00 00 00 indicates zero-filled padding. A run of FF FF FF FF often indicates uninitialized flash memory or erased data. Repeating patterns like AB AB AB AB are common debug fill patterns used by memory allocators.
Finding File Boundaries
In concatenated files or disk images, magic bytes mark the start of each embedded file. Scanning for 89 50 4E 47 (PNG) or FF D8 FF (JPEG) reveals embedded images. The offset column tells you exactly where each file begins, which you need for extraction with dd or a carving tool.
Debugging Network Protocols
When a protocol behaves unexpectedly, a hex dump of the raw bytes is the definitive source of truth. It shows exactly what was sent or received, without any interpretation by a parser. This is essential for debugging custom protocols, verifying TLS handshakes, and analyzing malformed packets.
Hex Dump and Security
Hex dumps are a core tool in security work:
- Malware analysis: Examining suspicious binaries at the byte level reveals embedded C2 addresses, encoded strings, anti-analysis tricks, and payload injection points.
- Forensics: Recovering deleted files, analyzing disk images, and examining memory dumps all rely on hex dump analysis. File carving tools use magic bytes found in hex dumps to reconstruct files from raw disk sectors.
- Exploit development: Understanding buffer overflow payloads, shellcode, and ROP chains requires reading and writing hex at the byte level.
- CTF challenges: Many Capture the Flag challenges include hex-encoded flags, embedded data in image files, or protocol analysis puzzles that require hex dump proficiency.
Tips for Reading Hex Dumps Efficiently
- Memorize the ASCII values for common characters: space is
20, 0-9 are30-39, A-Z are41-5A, a-z are61-7A - Look at the ASCII column first for orientation, then zoom into the hex column for exact values
- Use the search function to find specific byte patterns rather than scanning visually
- Keep a magic bytes reference handy for identifying file formats
- Remember that the offset column is in hex, not decimal.
0x100is byte 256, not byte 100
Try It Yourself
Our Hex Dump tab generates interactive xxd-style output where you can click any byte to highlight it across both the hex and ASCII columns. Use the File Viewer to drop any file and inspect its bytes with automatic magic byte detection and hex pattern search.
Further Reading
- xxd Manual — Linux Man Pages
Official documentation for the xxd hex dump utility.
- Hex editor — Wikipedia
Overview of hex editing tools and their applications.
- File Carving — SANS Digital Forensics
How forensic analysts use hex dumps and magic bytes to recover files.
- Gary Kessler File Signatures Table
Authoritative reference of magic bytes and file signatures used alongside hex dump analysis.
- The Absolute Minimum Every Developer Must Know About Unicode — Joel Spolsky
Essential context for understanding the ASCII column in hex dumps and multi-byte character encodings.