Operating System - HP-UX

Re: decode contents of wtmp file

SOLVED
NDO
Super Advisor

decode contents of wtmp file

Hi

I am trying to use the commands last and lastb to check on successful and unsuccessful logins, and I got the following result:

#last -R 10
Invalid record size. Unable to continue ...

and

lastb -R 10

BTMPS_FILE  begins at Fri Dec 31 07:45:40

So I searched on these forums and I found the following post:

http://h30499.www3.hp.com/t5/System-Administration/last-command-amp-wtmps/td-p/4615210

In this post Robert Jan came up with a solution, but I would like to understand the contents of the files, like the output of:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

I edited the file /tmp/wtmp.tmp and found this:

esmd     esmd               2877  5 0000 0000 1254490132 Oct  2 15:28:52 2009
cimserve cim1               2878  5 0000 0000 1254490132 Oct  2 15:28:52 2009
sh       ems3               2879  5 0000 0000 1254490132 Oct  2 15:28:52 2009
sh       ems3               2879  8 0000 0000 1254490132 Oct  2 15:28:52 2009
p_client ems4               2882  5 0000 0000 1254490132 Oct  2 15:28:52 2009
icapd    icap               2883  5 0000 0000 1254490132 Oct  2 15:28:52 2009
utild    util               2884  5 0000 0000 1254490132 Oct  2 15:28:52 2009
krsd     krsd               2874  8 0011 0000 1254495221 Oct  2 16:53:41 2009
krsd     krsd               8950  5 0011 0000 1254495221 Oct  2 16:53:41 2009
utild    util               2884  8 0011 0000 1254495221 Oct  2 16:53:41 2009

Can someone explain what this means?

Regards

14 REPLIES
Dennis Handly
Acclaimed Contributor

Re: decode contents of wtmp file

>/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/wtmp.tmp

You should be looking at wtmps, not wtmp.  And you may need to use -X.

>I edit the file /tmp/wtmp.tmp and I found this:

All the way through or just after a while?

NDO
Super Advisor

Re: decode contents of wtmp file

Hi

I did use -X, and I got successful output when using lastb -X, but I had the same error when using last -X, which was:

last -X
Invalid record size. Unable to continue ...

Now when using:

/usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp

the contents of wtmps.tmp are:

 13135  0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5
                           2004842672  0 0000 0000 7 Jan  1 02:00:07 1970
                            808463924 11825 32000 0000 0 Jan  1 02:00:00 1970 0.0.0.1
                               0  0 0000 0000 0 Jan  1 02:00:00 1970 119.120.204.224
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                           -1065708960  0 0000 0000 0 Jan  1 02:00:00 1970 114.111.111.116
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                           1718906980 12595 31465 34000 0 Jan  1 02:00:00 1970 127.255.214.228

                           -1073741824  0 1611 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970 119.120.204.224
                               0  0 0000 0016 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                               0  0 0000 0000 0 Jan  1 02:00:00 1970
                            939589631  0 0000 0000 0 Jan  1 02:00:00 1970

It's a big file.

regards

Fernando

NDO
Super Advisor

Re: decode contents of wtmp file

Hi

Will it be possible to also list the IPs of the PCs/laptops that connected to the system successfully and those that did not manage to log in?

regards

Fernando

Matti_Kurkela
Honored Contributor

Re: decode contents of wtmp file

You can find a description of the contents of the wtmp and wtmps files in the system man pages: please run "man 4 wtmp" and "man 4 wtmps", respectively.

The output of the fwtmp/fwtmps commands should normally be similar to the actual wtmp/wtmps file structure, but with all the binary fields translated into human-readable ASCII.

However, the error message "invalid record size" from the "last" command and the confused-looking contents of your wtmps.tmp file (dates for year 1970?? loopback IP addresses like 127.255.214.224???) suggest that your wtmps file was corrupted at some point. The corruption would cause the fwtmps tool to go out of sync with the entries and misinterpret them.

If you want to extract meaningful information from the file, you may have to find the corrupted entry/entries in your original binary wtmps file and remove them (probably with some hex editor) and then re-run the file through the fwtmps command.

If the wtmps file is large, finding and recognizing the corrupted entries may be a difficult and tedious job.

MK
NDO
Super Advisor

Re: decode contents of wtmp file

Hi

Thank you for the explanation. The file is huge; I really need to find who logged in during the last 20 days (their IP addresses).

regards

Dennis Handly
Acclaimed Contributor

Re: decode contents of wtmp file

>I had the same error when using last -X, which was: Invalid record size. Unable to continue

The error won't go away since the file has been corrupted.  You could use tusc to see how much of the file is bad.

>Now when using: /usr/sbin/acct/fwtmps < /var/adm/wtmps > /tmp/wtmps.tmp
>the contents of wtmps.tmp are:
13135  0 0000 63164 825438515 Feb 27 18:28:35 1996 127.255.214.224 5

Here you may have to use -X?  The output seems bad at the start.

>The file is huge, I really need to find who logged in the last 20 days (their IP addresses)

You might want to look at some other topics with problems with wtmps and using dd(1) to fix them:

http://h30499.www3.hp.com/t5/System-Administration/who-r-not-working/m-p/5165196/
http://h30499.www3.hp.com/t5/System-Administration/last-returns-no-login-info/m-p/5269768/

What does "ll /var/adm/wtmps" show?  You might be able to get the data at the end of the file.

NDO
Super Advisor

Re: decode contents of wtmp file

Hi

I did try to use -X, but I had to cancel with ctrl + c because I had no response after quite a while.

>What does "ll /var/adm/wtmps" show? You might be able to get the data at the end of the file

it shows:

-rw-rw-r--   1 adm        adm        5770232 Mar  5 08:57 /var/adm/wtmps

It looks like the file has been written to. I will try to use the last 1000 lines of the wtmps file to read from it!!

regards

Dennis Handly
Acclaimed Contributor
Solution

Re: decode contents of wtmp file

>I did try to use -X, but I had to cancel with control + c because I had no response after quite a while.

I have to use -X for 11.23 and 11.31 when using fwtmp(1m):

/usr/sbin/acct/fwtmp -X < /var/adm/wtmps

If you use tusc on last(1), you'll see this pattern before it aborts:

[11273] open("/var/adm/wtmps", O_RDONLY, 0) .............. = 4

...

[11273] read(4, "\0\00288", 4) ........................... = 4
[11273] lseek(4, 652, SEEK_SET) .......................... = 652
[11273] read(4, "\0\00288", 4) ........................... = 4
...

Now it prints it out by going backwards:
[11273] lseek(4, 67051684, SEEK_SET) ..................... = 67051684
[11273] read(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0".., 648) = 648

>-rw-rw-r--   1 adm        adm        5770232 Mar  5 08:57 /var/adm/wtmps

>I will try and use the last 1000 lines of the wtmps file to read from it.

The file is binary, there are no lines.  You'll need to use dd(1) to copy from the end:

#!/usr/bin/ksh

# Dump out last 20 records of wtmps file

WTMP=/var/adm/wtmps

# File size in bytes (field 5 of ll output)
typeset -i wtmpsize=$(ll $WTMP | awk '{print $5 }')
# Each record is a 4-byte length word followed by 648 bytes of data
typeset -i wtmprecord=$((648+4))
typeset -i wtmpdump=$((wtmprecord * 20))

echo "$wtmprecord: $wtmpdump"

# Raw hex/char dump of the tail; add -v to not suppress duplicate lines
xd -tx4 -tc -j $((wtmpsize - wtmpdump)) -N $wtmpdump $WTMP

# Copy the last 20 records, byte by byte, into wtmps.short
dd if=$WTMP of=wtmps.short bs=1 count=$wtmpdump skip=$((wtmpsize - wtmpdump))

(You can comment out the xd(1) command if you aren't interested in the raw file format.)


And once you get wtmps.short you can check with:
$ /usr/sbin/acct/fwtmp -X < wtmps.short

And use last(1) to format it:
$ last -R -X -f wtmps.short
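The two steps discussed in this thread, locating the corrupted entries that make fwtmps go out of sync (Matti's post) and carving whole records from the tail as the dd script does, can be done in one pass with a small resync tool. The script below is an added example, not code from this thread or from HP-UX; it assumes only the framing visible in the tusc trace above (a 4-byte big-endian length word of 0x288 = 648 followed by 648 record bytes), skips any bytes that do not fit that frame, and writes the intact records to a new file that fwtmp -X or last -X -f can read. The file and function names are the example's own.

```python
import struct

# Frame layout inferred from the tusc trace in this thread: last(1) reads a
# 4-byte length word (0x288 = 648) and then seeks/reads 648 record bytes.
REC_LEN = 648
HDR = struct.pack(">I", REC_LEN)   # assumption: big-endian, as on PA-RISC/Itanium HP-UX
FRAME = 4 + REC_LEN

def split_frames(data):
    """Return (records, bad_spans): the intact 648-byte payloads, and the
    (start, end) byte ranges skipped before the next intact length word."""
    records, bad = [], []
    pos, n = 0, len(data)
    while pos + FRAME <= n:
        if data[pos:pos + 4] == HDR:
            records.append(data[pos + 4:pos + FRAME])
            pos += FRAME
            continue
        # Out of sync: scan forward for the next length word and resynchronise.
        nxt = data.find(HDR, pos + 1)
        if nxt == -1:
            bad.append((pos, n))
            return records, bad
        bad.append((pos, nxt))
        pos = nxt
    if pos < n:
        bad.append((pos, n))   # trailing partial frame
    return records, bad

def rebuild(records):
    """Re-frame payloads so fwtmp -X / last -X -f can read the result."""
    return b"".join(HDR + r for r in records)

def recover(src, dst, keep=None):
    """Write the intact records of src (only the last `keep` if given) to dst."""
    with open(src, "rb") as f:
        records, bad = split_frames(f.read())
    if keep:
        records = records[-keep:]
    with open(dst, "wb") as f:
        f.write(rebuild(records))
    return len(records), bad

def demo_frames():
    """Constructed sample: two good frames, 37 junk bytes, one good frame, a short tail."""
    rec = lambda tag: tag.ljust(REC_LEN, b"\0")
    data = HDR + rec(b"A") + HDR + rec(b"B") + b"\xff" * 37 + HDR + rec(b"C") + b"\0" * 100
    return split_frames(data)
```

Run recover("/var/adm/wtmps", "wtmps.clean", keep=20) as adm or root, then feed wtmps.clean to fwtmp -X or last -R -X -f; the returned bad spans are the byte offsets worth inspecting with xd(1).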

NDO
Super Advisor

Re: decode contents of wtmp file

Hi

It worked out fine (your script), but only a few records; I am really interested in who logged in in mid-January and February. Would it be possible to change your script to give that kind of output?

regards