----- Original Message ----- > I tried to use crash without entering the system.map or the vmlinux > since the live system use the same kernel but I got this output: > > root@o:/home/amer# crash > > crash 4.1.0 > Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Red Hat, > Inc. > Copyright (C) 2004, 2005, 2006 IBM Corporation > Copyright (C) 1999-2006 Hewlett-Packard Co > Copyright (C) 2005, 2006 Fujitsu Limited > Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. > Copyright (C) 2005 NEC Corporation > Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. > Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. > This program is free software, covered by the GNU General Public > License, > and you are welcome to change it and/or distribute copies of it under > certain conditions. Enter "help copying" to see the conditions. > This program has absolutely no warranty. Enter "help warranty" for > details. > > crash: cannot find booted kernel -- please enter namelist argument > > > Usage: > crash [-h [opt]][-v][-s][-i file][-d num] [-S] [mapfile] [namelist] > [dumpfile] Ok, so your Ubuntu system does not put the vmlinux, or you have not put the vmlinux file in one of the several "known" locations. > > > when I enter the system.map and the vmlinux , it works perfectly and > it reads from the /dev/crash. but if I specify the /dev/crash in the > argument like this: > > root@o:/home/amer/Desktop# crash /boot/System.map-2.6.32-25-generic > vmlinux /dev/crash (or dd /dev/crash > image.dd) > > I got this output: > crash: /dev/crash: not a supported file format First, you're using a version of the crash utility (4.1.0) that is well over two years old. Using "/dev/crash" on the command line has never been supported until crash-5.1.1, which was only released 12/23/10. >From http://people.redhat.com/anderson/crash.changelog.html#5_1_1 : 5.1.1 - Fix for the potential to miss tasks when walking the pid_hash table ... [ cut ] ... - Fix to allow "/dev/crash" to be entered on the command line for live sessions. Because it is used automatically if it exists, it is never necessary to enter it on the command line. However, if it is used, without the patch, the session fails during initializaion with the error message "crash: /dev/crash: No such file or directory" if the crash.ko driver is a module (RHEL4/RHEL5), or "crash: /dev/crash: not a supported file format" if the driver is built into the kernel (RHEL6). (anderson@xxxxxxxxxx) > > I don't know If I'm missing something ,but the link below shows that > dd /dev/crash > image.dd can work in crash > > http://gleeda.blogspot.com/2009/08/devcrash-driver.html Well, that refers to a patched derivative of the crash utility. I can assure you that using the output of a bunch of bytes with no header has *never* been supported as a dumpfile type from the versions posted upstream at http://people.redhat.com/anderson. Note that in that blog, there is this: Now let's test the newly obtained memory dump to see if it works. I'm going to use the RH Crash Utility with the volatile patch which you can find here: # ./crash -f /boot/System.map-2.6.27-14-generic /usr/src/linux-source-2.6.27/vmlinux crash.dd --volatile crash 4.0-8.9 Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Red Hat, Inc. ... I can also assure you that the upstream crash utility has never had a "--volatile" command line argument, so perhaps that "volatile patch" has something to do with it? Dave > Thanks for help Dave, and looking forward to your feedback, > > Amer -- Crash-utility mailing list Crash-utility@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/crash-utility