Using Wireshark, when I do a Follow TCP Stream on a Telnet packet, it just gives a value like: Sat Nov 27 20:11:43 for the Last Login details. How can I get the year corresponding to this date for any telnet packet?
Thanks
Abhishek K
asked 22 Sep '13, 15:09 MetalGeek7
2 Answers:
Follow TCP stream collects the bytes transferred in a conversation, so the date you see is what the telnet server sent to the telnet client (obviously the date of the last login). Wireshark cannot reformat that date, as it's just some text sent in the telnet connection. If the server did not send the year (the message actually comes from the login process), there is nothing Wireshark can do about it. Most certainly it would be the current year. So, if you need the year, you could look at the time stamp of the packet. It's the second column in the GUI (Time). You can change the time format like this:
However, that will just reflect the date/time on the machine that captured the data at the time it did capture the data. That is not necessarily the 'real' date/time. If the date of the capture machine was off by several years, you wouldn't be able to detect that. Let's say: The telnet session took place at: 2012 Nov 27 20:11:43. Follow TCP stream shows only: Nov 27 20:11:43. So, if you now assume that the last login was at: 2010 Nov 27 20:11:43, that would be (obviously) wrong.
Can you please add some information about this? I don't understand what you are asking for. If it's what I'm describing above, just ignore this question.
Regards
answered 22 Sep '13, 16:13 Kurt Knochner ♦ edited 23 Sep '13, 01:57
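The banner in the question also carries a weekday, which narrows the year once the packet time stamp gives an upper bound. The Python below is an added example (not part of the original answers and not Wireshark code) that goes one step beyond them: it lists the years, at or before the capture time, in which the year-less date falls on the stated weekday. It assumes the capture clock is correct and in the same time zone as the server; `candidate_years` and the sample values are hypothetical.

```python
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

import re
# Matches the year-less timestamp printed by login, e.g. "Sat Nov 27 20:11:43".
BANNER_RE = re.compile(
    r"\b(" + "|".join(DAYS) + r") (" + "|".join(MONTHS) + r") +(\d{1,2}) "
    r"(\d{2}):(\d{2}):(\d{2})\b"
)

def candidate_years(stream_text, capture_time, lookback=20):
    """Return years (newest first) in which the banner's month/day falls on the
    banner's weekday and is not later than capture_time.

    capture_time is the packet time stamp from the capture (naive datetime,
    assumed to be in the same time zone as the server that printed the banner).
    The result is a list of candidates, not proof of the real year.
    """
    m = BANNER_RE.search(stream_text)
    if m is None:
        raise ValueError("no year-less login timestamp found in stream text")
    weekday, month, day, hh, mm, ss = m.groups()
    years = []
    for year in range(capture_time.year, capture_time.year - lookback, -1):
        try:
            when = datetime(year, MONTHS.index(month) + 1, int(day),
                            int(hh), int(mm), int(ss))
        except ValueError:
            continue  # date does not exist in this year (e.g. Feb 29)
        # A last login cannot be later than the session that reports it.
        if when <= capture_time and DAYS[when.weekday()] == weekday:
            years.append(year)
    return years

if __name__ == "__main__":
    # Constructed sample: banner value from the question, made-up source
    # address and capture time (as read from Wireshark's Time column).
    stream = "Last login: Sat Nov 27 20:11:43 from 192.0.2.10\r\n"
    captured = datetime(2013, 9, 22, 15, 9, 0)
    print(candidate_years(stream, captured))
```

If the capture machine's clock was wrong, the upper bound is wrong too, so the caveat about the capture time stamp applies to this result as well.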
That's because the operating system on the machine to which you telnetted printed out "Sat Nov 27 20:11:43" as the last login date when you logged in, without printing the year. That has nothing to do with Telnet, and everything to do with the program on that machine that implements the login process. If it's not printing the year of the last login, you would have to either:
answered 23 Sep '13, 00:57 Guy Harris ♦♦
Hi Kurt,
What I meant was to just get the complete information about the last login for the telnet session. I saw while doing a follow TCP stream that the year information was missing in the last login attribute, so just wanted to know if there is any way by which I can get that.
Thanks
As I tried to explain: That is just a text string sent from the server to the client. As the year is not included, Wireshark cannot display it. So, there is nothing you can do about it, as the information about the year is simply not there (in the capture file).
The "problem" is the login process on the system where you logged in. Maybe you can change the behavior of that. See 'man login' on your Linux/Unix system.