LinuxCommandLibrary

utmpdump

Dump utmp/wtmp files into human-readable format

TLDR

Dump the /var/log/wtmp file to stdout as plain text

$ utmpdump [/var/log/wtmp]

Load a previously dumped file into /var/log/wtmp

$ utmpdump [[-r|--reverse]] [dumpfile] > [/var/log/wtmp]

SYNOPSIS

utmpdump [OPTIONS] [FILE...]

PARAMETERS

-f utmp|wtmp|btmp
--filetype=utmp|wtmp|btmp

    Specifies the type of utmp file being dumped. This helps utmpdump correctly interpret the structure based on known variations for utmp, wtmp, or btmp entries.

-o output_file
--output=output_file

    Redirects the human-readable output to the specified output_file instead of standard output (stdout).

-s
--show-structure

    Displays the internal structure of the utmp entry, including field offsets and sizes, which can be useful for debugging or understanding the binary format.

-v
--verbose

    Provides more verbose output, potentially showing additional details about each entry or processing information.

FILE...

    One or more paths to utmp-like files (e.g., /var/log/wtmp) to be processed. If no file is specified, utmpdump typically defaults to /var/run/utmp.

DESCRIPTION

utmpdump is a utility designed to interpret and display the contents of system accounting files like /var/run/utmp, /var/log/wtmp, and /var/log/btmp. These files store binary records of user logins, logouts, system reboots, and other session-related information. Since these files are in a binary format, they are not directly human-readable. utmpdump parses these binary structures and presents the data in a formatted, plain-text output, making it easier for administrators and users to inspect login activity, session durations, and system uptime events.

It is a valuable tool for debugging login issues or performing basic system auditing by providing a detailed, field-by-field view of each utmp entry, which can be particularly useful when other high-level commands like last or who do not provide sufficient detail.

CAVEATS

Platform and Version Dependency: The exact structure of utmp, wtmp, and btmp entries can vary slightly between different Linux distributions and even kernel versions. utmpdump typically handles common variations, but might misinterpret entries from highly unusual or very old systems.
Endianness: While usually not an issue on modern Linux systems, differences in byte order (endianness) could theoretically affect interpretation if files are moved between systems with different architectures.
Not Universally Installed: utmpdump is not always installed by default on all Linux distributions. It often comes as part of packages like sysvinit-tools or similar system utilities.

FILE LOCATIONS

The primary files processed by utmpdump are:
/var/run/utmp: Records current logins.
/var/log/wtmp: Records all logins and logouts, system reboots, and system time changes.
/var/log/btmp: Records bad (failed) login attempts. This file is not always present by default and might require specific configuration or PAM modules (e.g., pam_tally2).

PURPOSE OF UTMP-LIKE FILES

These files are crucial for system accounting and security auditing. They provide a historical record of who accessed the system, from where, and for how long, as well as system events like reboots. Commands like who, w, last, and lastb all rely on these binary files, making utmpdump an invaluable tool for understanding the raw data these commands process when troubleshooting or conducting forensic analysis.
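The DESCRIPTION above says utmpdump gives a field-by-field view of the binary records, and this section says that view is what troubleshooting and forensic analysis of wtmp and btmp rest on. The Python script below is an added example, not code from LinuxCommandLibrary or from the utmpdump program itself: it decodes records the way utmpdump does in its normal mode, packs them back into binary the way the reverse mode does, prints them in an approximation of utmpdump's bracketed layout, and flags records an analyst would want to look at in an append-only wtmp. It assumes the glibc struct utmp layout on x86_64 (384-byte records); field order, sizes and byte order differ on other architectures and C libraries, which is the concrete form of the Platform and Endianness caveats above. The sample wtmp image, user name, host and address values are constructed for the example.

```python
import struct
import time

# Assumed record layout: glibc `struct utmp` on x86_64 (384 bytes per record).
# Field order: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{e_termination, e_exit}, ut_session,
# ut_tv{sec, usec}, ut_addr_v6[4], 20 unused bytes. Check against
# `utmpdump /var/log/wtmp` before trusting it on another platform.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)   # 384 on this layout

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
            4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded char array, stopping at the first NUL."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _cbytes(text: str, width: int) -> bytes:
    """Encode text for a fixed-width field and refuse silent truncation."""
    data = text.encode("utf-8")
    if len(data) > width:
        raise ValueError(f"{text!r} does not fit in {width} bytes")
    return data.ljust(width, b"\0")


def parse_record(raw: bytes) -> dict:
    """Unpack one binary record into named fields (utmpdump's forward mode)."""
    if len(raw) != UTMP_SIZE:
        raise ValueError(f"expected {UTMP_SIZE} bytes, got {len(raw)}")
    (ut_type, pid, line, ident, user, host, e_term, e_exit, session,
     tv_sec, tv_usec, a0, a1, a2, a3) = struct.unpack(UTMP_FORMAT, raw)
    return {"type": ut_type,
            "type_name": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"),
            "pid": pid, "line": _cstr(line), "id": _cstr(ident),
            "user": _cstr(user), "host": _cstr(host),
            "exit": (e_term, e_exit), "session": session,
            "tv_sec": tv_sec, "tv_usec": tv_usec,
            "addr_v6": (a0, a1, a2, a3)}


def build_record(ut_type, pid, line, ident, user, host, tv_sec, tv_usec=0,
                 addr_v6=(0, 0, 0, 0), exit_status=(0, 0), session=0) -> bytes:
    """Pack named fields back into the binary layout (the reverse direction)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, _cbytes(line, 32),
                       _cbytes(ident, 4), _cbytes(user, 32), _cbytes(host, 256),
                       exit_status[0], exit_status[1], session,
                       tv_sec, tv_usec, *addr_v6)


def parse_file(data: bytes) -> list:
    """Split a whole utmp/wtmp/btmp image into parsed records."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of the record size")
    return [parse_record(data[i:i + UTMP_SIZE])
            for i in range(0, len(data), UTMP_SIZE)]


def format_record(rec: dict) -> str:
    """Render one record roughly the way utmpdump prints it."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(rec["tv_sec"]))
    return (f"[{rec['type']}] [{rec['pid']:05d}] [{rec['id']:<4}] "
            f"[{rec['user']:<8}] [{rec['line']:<12}] [{rec['host']:<20}] "
            f"[{stamp},{rec['tv_usec']:06d}+00:00]")


def find_anomalies(records: list) -> list:
    """Flag what a defender checks in an append-only wtmp/btmp: all-zero
    records (what a crude log cleaner leaves behind, since wtmp never holds
    freed EMPTY slots the way utmp does) and timestamps that run backwards
    (legitimate only around OLD_TIME/NEW_TIME clock-change records)."""
    findings, prev = [], None
    for i, rec in enumerate(records):
        if rec["type"] == 0 and not rec["user"] and not rec["line"]:
            findings.append((i, "zeroed record"))
            continue
        if prev is not None and rec["tv_sec"] < prev and rec["type"] not in (3, 4):
            findings.append((i, "timestamp earlier than previous record"))
        prev = rec["tv_sec"]
    return findings


# Constructed sample wtmp image: a boot, a login from 203.0.113.5 (the IPv4
# address packed little-endian into ut_addr_v6[0]), a zeroed-out record, and
# the matching logout.
SAMPLE_WTMP = b"".join([
    build_record(2, 0, "~", "~~", "reboot", "6.1.0-example", 1700000000),
    build_record(7, 4321, "pts/0", "ts/0", "alice", "203.0.113.5", 1700000100,
                 addr_v6=(0x057100CB, 0, 0, 0)),
    b"\0" * UTMP_SIZE,
    build_record(8, 4321, "pts/0", "ts/0", "", "", 1700000200),
])

if __name__ == "__main__":
    records = parse_file(SAMPLE_WTMP)
    for rec in records:
        print(format_record(rec))
    print("anomalies:", find_anomalies(records))
```

Run it as-is to see the decoded sample and the flagged zeroed record; to inspect a real file, pass the bytes of /var/log/wtmp or /var/log/btmp to parse_file (reading them needs the same privileges utmpdump does). The record layout is the single assumption everything rests on, so compare the output for a real file against utmpdump's own before relying on the parser on a new platform.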

HISTORY

The utmpdump utility's history is closely tied to the evolution of the utmp, wtmp, and btmp file formats themselves, which have been fundamental components of Unix-like operating systems for tracking user sessions and system events since their early days. While utmpdump itself isn't a universally standardized command with a prominent development history like ls or grep, various utilities performing the 'dumping' function have existed. The specific utmpdump implementation, often found in packages like sysvinit-tools, provides a convenient, standardized way to inspect these binary files, adapting to minor changes in the utmp structure over time. Its development has focused on providing a reliable tool for system administrators to debug and audit user activity records.

SEE ALSO

who(1), w(1), last(1), lastb(1), ac(8), utmp(5)
