1

I use a swap file (/mnt/swap). The swap works right. I need to get an access to the data stored in. When it's full of data in some part (which I can see typing "free" in terminal), I copy the file to another location and then open it in hex editor. The swap is full of "00" like it were empty (or it actually is?). I'm not advanced user of Linux and probably I'm doing something wrong, but all works when I do the same with /proc/kcore - I can see the data in the copy which was stored in ram during copying.

Moreover, can I try to open my swap file in hex editor when the swap is working (only for read)? Isn't it dangerous?

Gilles 'SO- stop being evil'
  • 829,060
user49847
  • 33
  • Why do you need to access data in the swap file? Since you don't really know which blocks were paged out, maybe all zero-filled blocks were paged out (though I'm surprised you don't see any non-zero data at all, like block pointers or other data structures). Accessing the swap file read-only should not be a problem. – Johnny Oct 24 '13 at 15:22
  • Thanks for your answer! The web browser which I'm currently using stores the history of browsing not in file but in RAM memory, I'm looking for it, so I think I should also search in swap file, which is almost full of data. Some more you can read here-this is what exactly I want to access swap for: http://unix.stackexchange.com/questions/97421/how-to-get-data-shown-out-of-workspace-or-directly-from-application – user49847 Oct 24 '13 at 15:28
  • Normally, only the least recently used memory blocks are paged out to the swap file -- unless your computer is very memory constrained, this probably won't include your browser history (which is accessed fairly often by the browser) -- your swap file probably contains blocks allocated by long running daemons that haven't been read in a long time. – Johnny Oct 24 '13 at 15:33
  • Ok, but is there any way to exoplore the swap like I do with RAM? I need to check swap also to be sure. – user49847 Oct 24 '13 at 15:38
  • Sure, the swap file is just a normal file, so you can copy it or open it and read it just as you described. Try running "strings" on it to quickly scan the entire file to printable strings: sudo strings /mnt/swap -- you just can't be certain where the blocks in the swap file came from. – Johnny Oct 24 '13 at 15:41
  • It was very helpful - I just opened the swap file without any copying and check using method suggested by you. No expected results, but now I can assume that swap is checked. Thanks a lot! – user49847 Oct 24 '13 at 16:54
  • How are you copying the swap file? What's the output of swapon -s? This is a very strange way of accessing the memory of a process: it won't work unless the part of memory you're interested is swapped out, and you'll have no indication of which parts of the swap belong to which process. Why not access the process's memory directly? – Gilles 'SO- stop being evil' Oct 24 '13 at 23:24
  • @Gilles Thanks for your hints. Now I know that looking for a specific data in swap has no sens, but generally I was suprised that the file is empty although during copying swap was full of data. Making a copy just with: sudo cp /mnt/swap /another/place. The output of swapon -s is: Filename Type Size Used Priority /mnt/swap file 2097148 1031568 -1. – user49847 Oct 25 '13 at 10:22
  • @Gilles Moreover, when I just open the swap file without copying it's exactly the same - no data inside (but in /proc/kcore I can see everything stored in ram). – user49847 Oct 25 '13 at 10:48

1 Answers1

0
swapoff -a
cp /proc/kcore backup

Do not depend on the data being in swap or not. Or even in this swap in particular (you may have a swap partition with higher priority elsewhere.) The way system decides what is in swap and what is in RAM is quite non-deterministic from user's point of view.

Simply make sure it's NOT in swap (by disabling swap) and then search RAM.

SF.
  • 2,941