explainshell.com - hashdeep(1) - Compute, compare, or audit multiple message digests

-c <alg1>[,<alg2>...]
       Computation mode. Compute hashes of FILES using the algorithms specified. Legal  values  are  md5,
       sha1, sha256, tiger, and whirlpool.

-k     Load  a file of known hashes.  This flag is required when using any of the matching or audit modes
       (i.e. -m, -x, -M, -X, or -a) This flag may be used more than once to add multiple  sets  of  known
       hashes.

       Loading  sets with different hash algorithms can sometimes generate spurrious hash collisions. For
       example, let's say we have two hash sets, A and B, which have some overlapping files. For example,
       the  file  /usr/bin/bad  is  in  both  sets.  In A we've recorded the MD5 and SHA-256.  In B we've
       recorded the MD5, SHA-1, and SHA-256. Because these two records are different, they will  both  be
       loaded. When the program computes all three hashes and compares them to the set of knowns, we will
       get an exact match from the record in B and a collision from the record in A.

-a     Audit mode. Each input file is compared against the set of knowns.  An audit is said  to  pass  if
       each  input  file is matched against exactly one file in set of knowns. Any collisions, new files,
       or missing files will make the audit fail. Using this flag alone produces a message, either "Audit
       passed" or "Audit Failed". Use the verbose modes, -v, for more details. Using -v prints the number
       of files in each category. Using -v a second time prints any discrepancies. Using -v a third  time
       prints the results for every file examined and every known file.
       Due to limitations in the program, any filenames with Unicode characters will appear to have moved
       during an audit. See the section "UNICODE SUPPORT" below.

-m     Positive matching, requires at least one use of the -k flag.  The input files are examined one  at
       a  time,  and only those files that match the list of known hashes are output. The only acceptable
       format for known hashes is the output of previous hashdeep runs.
        If standard input is used with the -m flag, displays "stdin" if the  input  matches  one  of  the
       hashes in the list of known hashes. If the hash does not match, the program displays no output.
         This flag may not be used in conjunction with the -x, -X, or -a flags.  See the section "UNICODE
       SUPPORT" below.

-x     Negative matching.  Same as the -m flag above, but does negative matching.  That  is,  only  those
       files NOT in the list of known hashes are displayed.
         This flag may not be used in conjunction with the -m, -M, or -a flags.  See the section "UNICODE
       SUPPORT" below.

-w     When used with positive matching modes (-m,-M) displays  the  filename  of  the  known  hash  that
       matched the input file.  See the section "UNICODE SUPPORT" below.

-M and -X
       Same  as  -m  and  -x above, but displays the hash for each file that does (or does not) match the
       list of known hashes.

-r     Enables recursive mode. All subdirectories are traversed. Please note that recursive  mode  cannot
       be  used  to  examine  all files of a given file extension. For example, calling hashdeep -r *.txt
       will examine all files in directories that end in .txt.

-e     Displays a progress indicator and estimate of time remaining for each file being  processed.  Time
       estimates  for  files larger than 4GB are not available on Windows. This mode may not be used with
       th -p mode.

-i <size>
       Size threshold mode. Only hash files smaller than the given the threshold. Sizes may be  specified
       using IEC multipliers b,k,m,g,t,p, and e.

-o <bcpflsd>
       Enables  expert mode. Allows the user specify which (and only which) types of files are processed.
       Directory processing is still controlled with the -r flag. The expert mode options allowed are:
       f - Regular files
       b - Block Devices
       c - Character Devices
       p - Named Pipes
       l - Symbolic Links
       s - Sockets
       d - Solaris Doors

-s     Enables silent mode. All error messages are supressed.

-p     Piecewise mode. Breaks files into chunks  before  hashing.  Chunks  may  be  specified  using  IEC
       multipliers b,k,m,g,t,p, and e. (Never let it be said that the author didn’t plan ahead.)

-b     Enables  bare  mode. Strips any leading directory information from displayed filenames.  This flag
       may not be used in conjunction with the -l flag.

-l     Enables relative file paths. Instead of printing the absolute path for  each  file,  displays  the
       relative file path as indicated on the command line. This flag may not be used in conjunction with
       the -b flag.

-v     Enables verbose mode. Use again to make  the  program  more  verbose.   This  mostly  changes  the
       behvaior of the audit mode, -a.

-h     Show a help screen and exit.

-V     Show the version number and exit.