# [solved] convert xt_recent time stamps into localtime

## toralf

Hello,

with these 2 firewall rules:

```
#       block brute force attacks against ssh accounts
#
$IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state NEW         --match recent --name FAILED_SSH_LOGIN --set
$IPT -t filter -A INPUT -p tcp --destination-port 22 --match state --state ESTABLISHED --match recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
```

I got entries like this:

```
tfoerste@n22 ~ $ tail -v /proc/net/xt_recent/*
==> /proc/net/xt_recent/FAILED_SSH_LOGIN <==
src=74.207.236.157 ttl: 115 last_seen: 33924648 oldest_pkt: 1 33924648
```

Now I'm wondering how to interpret "33924648"?

Last edited by toralf on Wed Dec 07, 2011 2:01 pm; edited 1 time in total

----------

## John R. Graham

Use strftime(). In AWK, it would look something like this:

```
$4 == "last_seen:" {
    $5 = strftime("%F %r",$5);
    print;
}
```

For more information on the supported format codes, see "man strftime".

- John

----------

## toralf

Thx, seems that there's a time stamp offset:

```
tfoerste@n22 ~ $ perl -wane '$F[4] = localtime (time() - $F[4]/1000); print join (" ", @F), "\n"' /proc/net/xt_recent/FAILED_SSH_LOGIN
src=74.207.236.157 ttl: 115 last_seen: Wed Dec  7 05:33:20 2011 oldest_pkt: 1 33924648
```

and furthermore the suspend/hibernate interval isn't recognized (b/c I've an uptime of 20:24 now and _know_ that at 5:33 am in the morning the system was sleeping)?

----------
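An added example, not part of any post in this thread: xt_recent stores each stamp as the kernel's jiffies counter, so a wall-clock time needs the current jiffies value and the tick rate HZ as well. The function names are hypothetical, and `jiffies_now` and `hz` are inputs the reader supplies (assumption: taken from the `jiffies:` line of /proc/timer_list and from CONFIG_HZ in the kernel config); the values in the demo are constructed.

```python
import re
import time

# Line format written by xt_recent:
#   src=IP ttl: N last_seen: J oldest_pkt: I J1, J2, ...
ENTRY_RE = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<idx>\d+) (?P<stamps>[\d, ]+)"
)

def age_seconds(stamp, jiffies_now, hz, bits=64):
    """Seconds between a jiffies stamp and jiffies_now.

    The subtraction is done modulo the counter width, so the result stays
    correct when the counter wrapped between the two readings (bits=32).
    """
    return ((jiffies_now - stamp) % (1 << bits)) / hz

def convert_entry(line, jiffies_now, hz, wall_now, bits=64):
    """Parse one xt_recent line and return its stamps as epoch seconds."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError("not an xt_recent entry: %r" % line)

    def to_epoch(stamp):
        # wall-clock time of the hit = now minus the age of the stamp
        return wall_now - age_seconds(int(stamp), jiffies_now, hz, bits)

    return {
        "src": m["src"],
        "last_seen": to_epoch(m["last"]),
        "hits": [to_epoch(s) for s in re.findall(r"\d+", m["stamps"])],
    }

if __name__ == "__main__":
    # Entry as shown in the first post; HZ and JIFFIES_NOW are constructed.
    sample = "src=74.207.236.157 ttl: 115 last_seen: 33924648 oldest_pkt: 1 33924648"
    HZ = 1000
    JIFFIES_NOW = 33924648 + 90 * HZ   # pretend the hit was 90 s ago
    entry = convert_entry(sample, JIFFIES_NOW, HZ, time.time())
    seen = time.localtime(entry["last_seen"])
    print(entry["src"], time.strftime("%Y-%m-%d %H:%M:%S", seen))
```

Jiffies do not advance while the machine is suspended, so a sleep between the hit and the reading makes the converted time later than the real one by the length of that sleep.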

