Explanation for the meaning of content of the /var/run/utmp file

Question

I would like to understand the content of the following file system /var/run/utmp. When I use the command od to open it I see the following:

[john@iceman ~]$ od -c /var/run/utmp 
0000000 002  \0  \0  \0  \0  \0  \0  \0   ~  \0  \0  \0  \0  \0  \0  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000040  \0  \0  \0  \0  \0  \0  \0  \0   ~   ~  \0  \0   r   e   b   o
0000060   o   t  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000100  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0   3   .   1   0
0000120   .   0   -   6   9   3   .   1   1   .   1   .   e   l   7   .
0000140   x   8   6   _   6   4  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000160  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0

What these numbers/characters means? In which coding system it was written? and how can it be translated into a meaningful text?

Answer 1

The text files only contain characters, whereas binary files contain all possible character values, including the control characters The command od with the flag -c (od stands for octal dump), displays files containing control characters.

When displaying a binary file to the screen, the control characters within the file can set undesirable modes for the workstation and can cause the output to appear not clear (i.e. gibberish), and even it may cause the workstation to stop responding. In order to find clues into the binary file (i.e. displaying it in a safe way), we can use commands cat, od or hexdump.

The command cat -v which will make the control characters visible in a safe way and won't put the screen into any strange modes. This command represents each control character by a Caret (^) and the corresponding printable character.

The command od stands for octal dump and it displays every word of a file or pipeline in octal using the base eight numbering system. For example, the command od would show the system file /var/run/utmp as follows:

$ od /var/run/utmp
0000000 000002 000000 000000 000000 000176 000000 000000 000000
0000020 000000 000000 000000 000000 000000 000000 000000 000000
0000040 000000 000000 000000 000000 077176 000000 062562 067542
0000060 072157 000000 000000 000000 000000 000000 000000 000000
0000100 000000 000000 000000 000000 000000 000000 027063 030061
0000120 030056 033055 031471 030456 027061 027061 066145 027067
0000140 034170 057466 032066 000000 000000 000000 000000 000000
0000160 000000 000000 000000 000000 000000 000000 000000 000000
. . . . 
. . . . 
. . . . 
. . . . 

Now, adding the flag -b (-b means select octal bytes) to the command od will break each word into two bytes or characters. For example, the previous text will show as follows:

$ od -b /var/run/utmp
0000000 002 000 000 000 000 000 000 000 176 000 000 000 000 000 000 000
0000020 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
0000040 000 000 000 000 000 000 000 000 176 176 000 000 162 145 142 157
0000060 157 164 000 000 000 000 000 000 000 000 000 000 000 000 000 000
0000100 000 000 000 000 000 000 000 000 000 000 000 000 063 056 061 060
0000120 056 060 055 066 071 063 056 061 061 056 061 056 145 154 067 056
0000140 170 070 066 137 066 064 000 000 000 000 000 000 000 000 000 000
0000160 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
. . . . 
. . . . 
. . . . 
. . . . 

Accordant to ASCII(7) man, lets match the numbers in the previous table with the ASCII:

• 000 means null.
• 002 means start of text
• in the first row, the number 176 represent he character ~

and so on, every number is coded in ASCII(7) table.

On the other side, adding the flag -c (stands for select printable characters or backslash escapes to the command od will show any printable characters within the output. The same previous example will look as follows:

$ od -c /var/run/utmp
0000000 002  \0  \0  \0  \0  \0  \0  \0   ~  \0  \0  \0  \0  \0  \0  \0
0000020  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000040  \0  \0  \0  \0  \0  \0  \0  \0   ~   ~  \0  \0   r   e   b   o
0000060   o   t  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000100  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0   3   .   1   0
0000120   .   0   -   6   9   3   .   1   1   .   1   .   e   l   7   .
0000140   x   8   6   _   6   4  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
0000160  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
. . . . 
. . . . 
. . . . 
. . . . 

In order to translate the previous table to a meaningful text we can use the command strings which will find any strings of printable characters with a length about four characters or longer. For example, in the previous table:

• Row <0000040> contain the letters r e b o.
• Row <0000060> contain the letters o t. As a results, the command strings would translate these letters into the word "reboot".

Similarly,

• Row <0000100> contain 3 . 1 0.
• Row <0000120> contain . 0 - 6 9 3 . 1 1 . 1 . e l 7 ..
• Row <0000140> contain x 8 6 _ 6 4.

The command string would translate these three rows into "3.10.0-693.11.1.el7.x86_64"

$ strings  /var/run/utmp 
reboot
3.10.0-693.11.1.el7.x86_64
. . . . 
. . . . 
. . . . 
. . . . 

Answer 2

od -c /var/run/utmp tries its best to output a meaningful text, printing the file char by char, in clear text where it can, and in a sort of binary / octal representation when it can't. You can influence od's behaviour by setting several options. utmp is a binary file with fixed records, and thus chances are low to actually read its contents without translation / interpretation / formatting.

Answer 3

To see what is written in this file ou can check utmpdump /var/run/utmp.

There you can see all the utmp entries in human readable form.