ssdeep

Compute fuzzy hash of files

$ ssdeep [file1] [file2]

$ ssdeep -r [directory/]

$ ssdeep -p [file1] [file2] [file3]

$ ssdeep -m [known_hashes.txt] [files_to_check]

$ ssdeep -k [known.txt] [computed.txt]

$ ssdeep -p -t [50] [files]

$ ssdeep -c [files]

ssdeep [-m file] [-k file] [-vprdsblcxa] [-t val] [files]

ssdeep computes context-triggered piecewise hashes (CTPH), also called fuzzy hashes. Unlike cryptographic hashes that produce completely different outputs for slightly different inputs, fuzzy hashes can identify files that are similar but not identical.
The tool is useful for malware analysis, identifying modified documents, finding near-duplicate files, and digital forensics. Two files with a match score above zero share some common sequences of bytes. Scores range from 0 (no match) to 100 (very similar or identical).
Output format includes the block size, two hash components, and the filename. This output can be saved and used later for matching with the -m or -k options.

-m file

Load known hashes from file and match against computed hashes from input files.

Compare known signatures in file against pre-computed signatures in input files.

Pretty matching mode. Compare all input files against each other.

Match each file against known set, then add its hash to the known set.

Recursive mode. Traverse all subdirectories.

Match threshold (0-100). Only display matches above this score. Default: 0.

Display all matches regardless of score.

Verbose mode. Print filename to stderr while hashing.

Use bare filenames (no path) in output.

Use relative paths in output.

Output in CSV format.

Silent mode. Suppress warnings.

Display signature with filename (compact output).

Fuzzy hashing is not a replacement for cryptographic hashes when verifying exact file integrity. Small files may not produce meaningful fuzzy hashes. Match scores are approximate; manual verification may be needed for forensic use. The tool cannot detect similarity if files have been significantly restructured.

ssdeep was created by Jesse Kornblum based on the spamsum algorithm developed by Dr. Andrew Tridgell for spam detection. The project provides both a command-line tool and the libfuzzy library for programmatic access. It's widely used in digital forensics, malware analysis, and security research. The tool is distributed under the GNU General Public License.

md5sum(1), sha256sum(1), hashdeep(1), tlsh(1)