Module Contents



utmp maintains a full accounting of the current status of the system


Base class for plugins.


dissect.target.plugins.os.unix.log.utmp.UTMP_FIELDS = [('datetime', 'ts'), ('string', 'ut_type'), ('string', 'ut_user'), ('varint', 'ut_pid'),...
dissect.target.plugins.os.unix.log.utmp.c_utmp = Multiline-String
Show Value
#define UT_LINESIZE     32
#define UT_NAMESIZE     32
#define UT_HOSTSIZE     256

typedef uint32 pid_t;

enum Type : char {
    EMPTY           = 0x0,
    RUN_LVL         = 0x1,
    BOOT_TIME       = 0x2,
    NEW_TIME        = 0x3,
    OLD_TIME        = 0x4,
    INIT_PROCESS    = 0x5,
    LOGIN_PROCESS   = 0x6,
    USER_PROCESS    = 0x7,
    DEAD_PROCESS    = 0x8,
    ACCOUNTING      = 0x9,

struct exit_status {
    uint16 e_termination;
    uint16 e_exit;

struct {
    uint32 tv_sec;
    uint32 tv_usec;
} timeval;

struct entry {
    uint32  ut_type;
    pid_t   ut_pid;
    char    ut_line[UT_LINESIZE];
    char    ut_id[4];
    char    ut_user[UT_NAMESIZE];
    char    ut_host[UT_HOSTSIZE];
    struct  exit_status ut_exit;
    long    ut_session;
    struct  timeval ut_tv;
    int32_t ut_addr_v6[4];         // Internet address of remote host; IPv4 address uses just ut_addr_v6[0]
    char    __unused[20];
class dissect.target.plugins.os.unix.log.utmp.UtmpFile(target: dissect.target.target.Target, path: dissect.target.helpers.fsutil.TargetPath)

utmp maintains a full accounting of the current status of the system

class dissect.target.plugins.os.unix.log.utmp.UtmpPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.


target – The Target object to load the plugin for.

WTMP_GLOB = '/var/log/wtmp*'
BTMP_GLOB = '/var/log/btmp*'
check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.


UnsupportedPluginError – If the plugin could not be loaded.

btmp() Iterator[BtmpRecord]

Return failed login attempts stored in the btmp file.

On a Linux system, failed login attempts are stored in the btmp file located in the var/log/ folder.


wtmp() Iterator[WtmpRecord]

Return the content of the wtmp log files.

The wtmp file contains the historical data of the utmp file. The utmp file contains information about users logins at which terminals, logouts, system events and current status of the system, system boot time (used by uptime) etc.