Thanks a lot for the detailed explanation. Currently I am taking a dump of the memory with the virsh dump ‘live’ flag and taking the snapshot with the memory file pointed to /dev/null, without even pausing the guest. I don’t have a use case to restore from the snapshot snapshot so hopefully this approach will not cause any issue.
On Mon, 26 Nov 2018 at 5:23 PM, Peter Krempa <pkrempa@redhat.com> wrote:
On Fri, Nov 23, 2018 at 20:08:13 +0530, Tanmoy Sinha wrote:
> Hi,
>
> I would like to get a clear picture on external snapshots memory dump (
> i.e. system-checkpoint) vs dumping the memory of the guest. I have created
> external snapshots which produces a disk file and a memory file. I am not
> able to use this memory file in any memory analysis tools, for instance
> volatility. However, the memory dump taken through "virsh dump" works just
> fine with such tools.

virsh dump allows to produce an elf-formatted memory image, while
snapshot uses the image in the qemu migration stream format so that it
can be restored.

> What am I missing here? The memory dump generated through external snapshot
> seems to be compressed, compared to the one generated by virsh dump. Can I
> specify the memory dump format in the snapshot XML?

The image is a 'libvirt-save-image' basically some headers followed by
the VM XML at the point when the image was taken and then followed by
the raw qemu migration stream (possibly compressed, depending on your
config in /etc/libvirt/qemu.conf). I presume the header is confusing
your memory analysis tool (if your tool is able to read qemu migration
stream image.)

No, the format of the memory image when doing snapshot is technically
internal implementation and can't be configured. For snapshots we need
it to be in a format that can be used to restore the VM again rather
than provide way for simple memory analysis.

Note that you can pause the VM and then take a snapshot (without memory,
just to freeze the disk contents) and then use virsh dump to use the
dump which is usable in your memory analyzer.