1SSDEEP(1) SSDEEP COMMAND SSDEEP(1)
2
6 ssdeep - Computes context triggered piecewise hashes (fuzzy hashes)
7
10 ssdeep [-m <file>] [-k <file>] [-vdprgsblcxa] [-t val] [FILES]
11 ssdeep [-V|h]
12
15 Computes a signature based on context triggered piecewise hashes for
16 each input file, also called a fuzzy hash. If requested, the program
17 matches those signatures against a file of known signatures and reports
18 any possible matches. It can also examine one or more files of signa‐
19 tures and find any matches in those files. Output is written to stan‐
20 dard out and errors to standard error.
21 -m <file>
24 Loads the specified file of known hashes to be used for match‐
25 ing. This file must be a previous output of the program. The
26 program then hashes each entry in FILES and compares these sig‐
27 natures to the known signatures. Any matches which score above
28 the threshold are displayed. This flag may be used multiple
29 times to load more known signatures. This flag may not be used
30 with the -k or -x flags.
31 -k <file>
34 Load the specified file of known hashes to be used for matching.
35 This file must be a previous output of the program. The program
36 then treats each entry in FILES as a set of known hashes as
37 well. The hashes in these FILES are compared to the known hashes
38 from this file. Matches which score above the threshold are dis‐
39 played. Both the file specified here and the input FILES should
40 contain fuzzy hashes. This flag may be used multiple times to
41 load more known signatures. This flag may not be used with the
42 -m, -d, or -p flags.
43 -v Verbose mode. The name of each file is printed to standard error
46 as it is being hashed.
47 -d Computes a signature for each entry in the FILES and compares it
50 to the set of known signatures. Matches which score above the
51 threshold are displayed. The computed signature is then added to
52 the set of known signatures. This flag may not be used with the
53 -k or -x flags.
54 -p Works like the -d flag, but displays all matches for each file.
57 That is, for two files A and B which match score above the
58 threshold, displays "A matches B" and "B matches A". This flag
59 may not be used with the -k or -x flags.
60 -r Enables recursive mode. All subdirectories are traversed.
63 Please note that recursive mode cannot be used to examine all
64 files of a given file extension. For example, invoking the pro‐
65 gram with -r *.txt will examine all files in directories that
66 end in .txt. If you want to process all files in a directory
67 tree with the .txt suffix, try using the find(1) command.
68 -g Similar files are grouped together into clusters. This can be
71 handy for finding more similar files. That is, if you are
72 searching for file A, which matches B, anything which matches B
73 will also be included in the cluster.
74 -s Silent mode. All error messages are suppressed.
77 -b Enables bare mode. Strips any leading directory information from
80 displayed filenames. This flag may not be used in conjunction
81 with the -l flag.
82 -l Enables relative file paths. Instead of printing the absolute
85 path for each file, displays the relative file path as indicated
86 on the command line. This flag may not be used in conjunction
87 with the -b flag.
88 -c Enables comma separated output mode. In any of the matching
91 modes -d, -p, or -m, displays the results as input file, known
92 file, matching score.
93 -x Signature file matching. Each entry in FILES must contain sig‐
96 natures generated by a previous output of the program. Each sig‐
97 nature is loaded and compared against the set of known hashes.
98 Match scores above the threshold are displayed. Each signature
99 is then added to the set of knowns. This flag may not be used
100 with the -m, -d, or -p flags.
101 -a Displays all matches in any of the matching mode, regardless of
104 score. Using the -a flag displays all results, even if the
105 match score is zero.
106 -t <val>
109 In any of the matching modes, only display matches when match
110 score is greater than the given value. The default threshold
111 value is zero.
112 -h Show a help screen and exit.
115 -V Show the version number and exit.
118
122 Returns 0 on success, 1 if there is a problem. Read errors, permission
123 denied, and encountering directories while not in recursive mode are
124 still considered successes. Problems are things like being unable to
125 load the matching file, specifying both bare and relative paths, etc.
126
129 ssdeep was written by Jesse Kornblum of Facebook,
130 research@jessekornblum.com
131
134 Copyright (C) 2002 Andrew Tridgell
135 Copyright (C) 2006, 2008, 2010 ManTech International Corporation
136 Copyright (C) 2012 Kyrus
137 Copyright (C) 2013 Helmut Grohne
138 Copyright (C) 2013, 2014 Facebook
139 Copyright (C) 2014 kikairoya
140 Copyright (C) 2014 Jesse Kornblum
141 Copyright (C) 2017 Tsukasa OI
142 This program is licensed under the terms of the General Public License.
144 See the file COPYING for details.
145
148 This program is based on SpamSum by Dr. Andrews Tridgell.
149 http://www.samba.org/ftp/unpacked/junkcode/spamsum/
150ssdeep Project Version 2.14.1 - 7 Nov 2017 SSDEEP(1)