I. Overview

In this lab you will do two activities:

1. Decode a dump of an EXT2 disk (included in this handout) to find various values.
2. Dump an EXT2 system in the lab or your own and compare the output of the tune2fs command and your analysis of the dump.

Before getting to the lab problem, first you need to know how to use several LINUX commands.

II. LINUX Comamnds in this Lab

A. mount to find a device name

Use mount with no parameters to find a device name. For example, mount might produce:

B. dd to dump a disk

You can dump part of a disk to a file using the LINUX "dd" command.

WARNING: Be sure you understand the "dd" command. Improper use can erase your entire drive and it cannot be recovered!!

The general format of dd is:

dd if=device1 of=device2

For our lab, we want to copy the first blocks of a filesystem into a file so that we can examine them as a hex dump. Therefore we will use a command like:

sudo dd if=device-of-partition of=/tmp/dump count=10

Notice that the dd command is unlike all other UNIX/LINUX commands in that it does not preceed parameters with a "-" sign but rather uses the format keyword=value.

C. xxd to display hex dumps

The xxd command displays a file in hex dump format. To display a file in hex dump format:

xxd filename

xxd writes to standard out. Therefore, we usually run xxd either redirected or piped to another location like:

xxd /tmp/dump | less

D. dumpe2fs to display superblock information

This command can display the superblock and block group information. For our lab, we will use it to display superblock information with the command:

E. tune2fs to alter the filesystem (not used in lab)

We will not use this command in the lab. It allows the system administrator to actually change tunable items in the filesystem such as number of reserved blocks. Some parameters, such as block size, cannot be changed since changing them would require completely rebuilding the file system!

III. Reading Intel little Endian Numbers

Recall that Intel machines use little endian format. Numbers in the superblock are stored in little endian format. For example, if we have a four byte value in a hex dump:

0020 4501

We first must flip the two words (2 bytes) to get:

4501 0020

Then we must flip the bytes within the words to get:

0145 2000

0 * 167 = 0
1 * 166 = 16,777,216
4 * 165 = 4,194,304
5 * 164 = 327,680
2 * 163 = 8192
0 * 162 = 0
0 * 161 = 0
0 * 160 = 0
-------------------
         21,307,392

Using bc to convert to decimal

LINUX has a calculator called bc you can use to convert hexadecimal (base 16) to decimal. To use bc you type bc, press ENTER and then enter math commands. So to do the above example, we will tell bc to take input data in hex, output data as decimal and then put in the number. So I would type:

bc
ibase=16
014A201C
   (program will display 341450780
quit

Note: Hex digits A-F in "bc" must uppercase.

I could have used the command "obase=10", but this is the default so is not required.

IV. Lab Activity I

In this activity, you will decode a hex dump of a superblock.

NOTE: In the documentation of the superblock, the displacements are given in decimal, not hex. The addresses on the left side of an xxd dump are in hex! So when the documenation says the displacement of the "s_state" field is "58", that is 58 decimal. 58 is X'3A' (3 * 16 + 10). So the s_state field is at X'400' (start of superblock) + X'38' = X'0438' in the dump.

Questions

Use the dump displayed below to answer these questions:

1. Circle the "magic number" in the dump.

2. Underline the total block count in the dump.

3. Decode the value of the total block cound.

   Value in Hex (after flipping bytes): _________________________________

   Value in decimal: ______________________________

4. Circle the value for the number of times the file system has been mounted since it was fully verified (s_mount_count).

   Value in Hex (after flipping bytes): _________________________________

   Value in decimal: ______________________________

5. Find what the file system should do when errors occur (s_errors):

   Value in Hex (after flipping bytes): _________________________________

   Value in decimal: ______________________________

Dump from these commands

sudo dd if=/dev/sda3 of=/tmp/d1 count=5
xxd /tmp/d1 | less

The portion below displays only the relevant lines. The first 1K (1024 bytes) of the partition are reserved for a boot sector so the superblock starts at 1024 (hex 400).

V. Lab Activity II

On a live LINUX system:

1. Use the mount command to find the device name of an EXT2 or EXT3 file system.

   Device name found: ______________________________

3. Use the dumpe2fs command to dump just the superblock. Print the output of the command (you will need to either redirect the command output to a file and print that with a2ps or pipe the output of the command to lpr.)

4. Use dd to dump some of the disk:

   sudo dd if=/dev/???? of=/tmp/junk count=4
   

5. Now use xxd to look at the dump.

   xxd /tmp/junk | less
   

6. Find the start of the superblock. Confirm that you have the right place by finding the magic number field at displacement decimal 56 (hex 38).

7. What are the first four bytes?

   _____________________________________

8. This number is the number of i_nodes in the file system. Convert this number to decimal:

   Value in Hex (after flipping bytes): _________________________________

   Value in decimal: ______________________________

9. Compare this value to the output of the dumpe2fs command.

   Are they the same? ______________________ Are they close? _______________

10. Find the total number of free blocks in the file system.

    Value in Hex (after flipping bytes): _________________________________

11. Compare the value to the value from dumpe2fs.

    Value in decimal: ______________________________

    Are they the same? _____________________ Are they close? ________________

VI. To turn in

1. This handout with answers written in
2. Printed output of dumpe2fs command.