系统过程分析

为了达到一个目的，而进行的命令组合与分析

 

新装centos6.5-minimal所必须要做的初始动作，修改一些默认的东西

vi /boot/grub/grub.conf在内核行后加入vga=ask或788就启用了framebuffer

cp /etc/DIR_COLORS ~/.dir_colors

控制台设置白底黑字

setterm -foreground black -background white -store

 

 

一。先列出系统中进程的pid，用ps或pstree都可以，哪个方便用哪个

[root@250-shiyan ~]# pstree -p

init(1)─┬─auditd(934)───{auditd}(935)

        ├─crond(1130)

        ├─master(1120)─┬─pickup(9284)

        │              └─qmgr(1129)

        ├─mfsmount(5061)─┬─{mfsmount}(5062)

        │                ├─{mfsmount}(5063)

        │                ├─{mfsmount}(5064)

        │                ├─{mfsmount}(5065)

        │                ├─{mfsmount}(5066)

        │                ├─{mfsmount}(5067)

        │                ├─{mfsmount}(5068)

        │                ├─{mfsmount}(5069)

        │                ├─{mfsmount}(5071)

        │                ├─{mfsmount}(5072)

        │                └─{mfsmount}(5089)

        ├─mingetty(1143)

        ├─mingetty(1145)

        ├─mingetty(1147)

        ├─mingetty(1149)

        ├─mingetty(1151)

        ├─mingetty(1153)

        ├─rpc.idmapd(14858)

        ├─rpc.mountd(14820)

        ├─rpc.statd(991)

        ├─rpcbind(973)

        ├─rsyslogd(2453)─┬─{rsyslogd}(2454)

        │                ├─{rsyslogd}(2456)

        │                └─{rsyslogd}(2457)

        ├─sshd(12432)─┬─sshd(3634)───bash(3636)

        │             └─sshd(7655)───bash(7657)───pstree(9361)

        └─udevd(379)─┬─udevd(1159)

                     └─udevd(1160)

[root@250-shiyan ~]# ps -C rsyslogd

  PID TTY          TIME CMD

 2453 ?        00:00:00 rsyslogd



二。再查看相关线程信息

[root@250-shiyan ~]# pstack 2453

Thread 4 (Thread 0x7f59c23ac700 (LWP 2454)):

#0  0x00007f59c3a005bc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0

#1  0x00007f59c4078184 in wtiWorker ()

#2  0x00007f59c4077c1a in ?? ()

#3  0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0

#4  0x00007f59c3127b6d in clone () from /lib64/libc.so.6

Thread 3 (Thread 0x7f59c19ab700 (LWP 2456)):

#0  0x00007f59c31205e3 in select () from /lib64/libc.so.6

#1  0x00007f59c25c4d51 in ?? () from /lib64/rsyslog/imuxsock.so

#2  0x00007f59c4086b6a in ?? ()

#3  0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0

#4  0x00007f59c3127b6d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7f59c0faa700 (LWP 2457)):

#0  0x00007f59c3a0375d in read () from /lib64/libpthread.so.0

#1  0x00007f59c23afd04 in klogLogKMsg () from /lib64/rsyslog/imklog.so

#2  0x00007f59c23af16c in ?? () from /lib64/rsyslog/imklog.so

#3  0x00007f59c4086b6a in ?? ()

#4  0x00007f59c39fc9d1 in start_thread () from /lib64/libpthread.so.0

#5  0x00007f59c3127b6d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7f59c403c700 (LWP 2453)):

#0  0x00007f59c31205e3 in select () from /lib64/libc.so.6

#1  0x00007f59c40592f5 in ?? ()

#2  0x00007f59c405a9fa in realMain ()

#3  0x00007f59c305dd1d in __libc_start_main () from /lib64/libc.so.6

#4  0x00007f59c4056629 in _start ()

 

对待每一个守护进程都是这个过程。

一。先查看系统中都有哪些进程在运行

[root@84-monitor logs]# pstree

init─┬─auditd───{auditd}

     ├─crond───4*[crond─┬─sendmail───postdrop]

     │                  └─sh───sh───sh───sh───mail───mail]

     ├─httpd───8*[httpd]

     ├─java───23*[{java}]

     ├─master─┬─cleanup

     │        ├─local

     │        ├─pickup

     │        └─qmgr

     ├─6*[mingetty]

     ├─mysqld_safe───mysqld───9*[{mysqld}]

     ├─rpc.statd

     ├─rpcbind

     ├─rsyslogd───3*[{rsyslogd}]

     ├─sshd─┬─sshd───bash───pstree

     │      └─3*[sshd───bash───bash───ssh]

     └─udevd───2*[udevd]



二。其次列出以rsys开头的进程打开的所有文件

[root@84-monitor 972]# lsof -c rsys

COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF       NODE NAME

rsyslogd 972 root  cwd    DIR              253,0     4096          2 /

rsyslogd 972 root  rtd    DIR              253,0     4096          2 /

rsyslogd 972 root  txt    REG              253,0   396064     521732 /sbin/rsyslogd

rsyslogd 972 root  mem    REG              253,0    27232     521711 /lib64/rsyslog/imklog.so

rsyslogd 972 root  mem    REG              253,0   340568     521717 /lib64/rsyslog/imuxsock.so

rsyslogd 972 root  mem    REG              253,0   110960     521867 /lib64/libresolv-2.12.so

rsyslogd 972 root  mem    REG              253,0    27424     521245 /lib64/libnss_dns-2.12.so

rsyslogd 972 root  mem    REG              253,0    65928     521865 /lib64/libnss_files-2.12.so

rsyslogd 972 root  mem    REG              253,0    26984     521718 /lib64/rsyslog/lmnet.so

rsyslogd 972 root  mem    REG              253,0  1921176     521231 /lib64/libc-2.12.so

rsyslogd 972 root  mem    REG              253,0    90880     521844 /lib64/libgcc_s-4.4.7-20120601.so.1

rsyslogd 972 root  mem    REG              253,0    43880     521868 /lib64/librt-2.12.so

rsyslogd 972 root  mem    REG              253,0    19536     521861 /lib64/libdl-2.12.so

rsyslogd 972 root  mem    REG              253,0   142640     521255 /lib64/libpthread-2.12.so

rsyslogd 972 root  mem    REG              253,0    88600     521285 /lib64/libz.so.1.2.3

rsyslogd 972 root  mem    REG              253,0   154624     521489 /lib64/ld-2.12.so

rsyslogd 972 root    0u  unix 0xffff88001fbd06c0      0t0      10252 /dev/log

rsyslogd 972 root    1w   REG              253,0      292     786284 /var/log/messages

rsyslogd 972 root    2w   REG              253,0  1191255     785232 /var/log/cron

rsyslogd 972 root    3r   REG                0,3        0 4026532040 /proc/kmsg

rsyslogd 972 root    4w   REG              253,0   564219     785245 /var/log/maillog

rsyslogd 972 root    5w   REG              253,0     1004     786285 /var/log/secure



三。随后进入到972的fd目录，列出文件列表，打开了5个文件

[root@84-monitor 972]# cd /proc/972/fd

[root@84-monitor fd]# ll

total 0

lrwx------. 1 root root 64 Mar 18 09:39 0 -> socket:[10252]

l-wx------. 1 root root 64 Mar 18 09:39 1 -> /var/log/messages

l-wx------. 1 root root 64 Mar 18 09:39 2 -> /var/log/cron

lr-x------. 1 root root 64 Mar 18 09:39 3 -> /proc/kmsg

l-wx------. 1 root root 64 Mar 18 09:39 4 -> /var/log/maillog

l-wx------. 1 root root 64 Mar 18 09:39 5 -> /var/log/secure



四。查漏补缺

FD列

txt  program text (code and data);

rtd  root directory;

cwd  current working directory;

cwd,rtd这两个经常是一样的，因为如果没有具体的目录的话，默认全放到根下。

mem  memory-mapped file;

u    for read and write access;

TYPE列

unix     for a UNIX domain socket;

REG    for a regular file;

DIR    for a directory;



一。

[root@84-monitor fd]# lsof -c rpcbind

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME

rpcbind 32580  rpc  cwd    DIR              253,0     4096       2 /

rpcbind 32580  rpc  rtd    DIR              253,0     4096       2 /

rpcbind 32580  rpc  txt    REG              253,0    54408  521226 /sbin/rpcbind

rpcbind 32580  rpc  mem    REG              253,0    65928  521865 /lib64/libnss_files-2.12.so

rpcbind 32580  rpc  mem    REG              253,0  1921176  521231 /lib64/libc-2.12.so

rpcbind 32580  rpc  mem    REG              253,0   142640  521255 /lib64/libpthread-2.12.so

rpcbind 32580  rpc  mem    REG              253,0    19536  521861 /lib64/libdl-2.12.so

rpcbind 32580  rpc  mem    REG              253,0    36584  521220 /lib64/libgssglue.so.1.0.0

rpcbind 32580  rpc  mem    REG              253,0   113432  521863 /lib64/libnsl-2.12.so

rpcbind 32580  rpc  mem    REG              253,0   162016  521225 /lib64/libtirpc.so.1.0.10

rpcbind 32580  rpc  mem    REG              253,0    40792  521329 /lib64/libwrap.so.0.7.6

rpcbind 32580  rpc  mem    REG              253,0   154624  521489 /lib64/ld-2.12.so

rpcbind 32580  rpc    0u   CHR                1,3      0t0    3782 /dev/null

rpcbind 32580  rpc    1u   CHR                1,3      0t0    3782 /dev/null

rpcbind 32580  rpc    2u   CHR                1,3      0t0    3782 /dev/null

rpcbind 32580  rpc    3r   REG              253,0        0  786245 /var/run/rpcbind.lock

rpcbind 32580  rpc    4u  sock                0,6      0t0 3617563 can't identify protocol

rpcbind 32580  rpc    5u  unix 0xffff88001dfc3080      0t0 3617538 /var/run/rpcbind.sock

rpcbind 32580  rpc    6u  IPv4            3617540      0t0     UDP *:sunrpc

rpcbind 32580  rpc    7u  IPv4            3617542      0t0     UDP *:955

rpcbind 32580  rpc    8u  IPv4            3617543      0t0     TCP *:sunrpc (LISTEN)

rpcbind 32580  rpc    9u  IPv6            3617545      0t0     UDP *:sunrpc

rpcbind 32580  rpc   10u  IPv6            3617547      0t0     UDP *:955

rpcbind 32580  rpc   11u  IPv6            3617548      0t0     TCP *:sunrpc (LISTEN)



二。查漏补缺

TYPE列

sock    for a socket of unknown domain;

IPv4    for an IPv4 socket;

IPv6    for an open IPv6 network file - even if its address is IPv4, mapped in an IPv6 address;

 

程序占用内存分析

一。
[root@250-shiyan ~]# top

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND

 5061 root       1 -19  649m  17m  908 S  0.0  3.6   1:17.03 mfsmount

二。

[root@250-shiyan ~]# lsof -c mfsmount

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME

mfsmount 5061 root  cwd    DIR              253,0     4096  781826 /root

mfsmount 5061 root  rtd    DIR              253,0     4096       2 /

mfsmount 5061 root  txt    REG              253,0   236648  403887 /usr/bin/mfsmount

mfsmount 5061 root  mem    REG              253,0    65928  260640 /lib64/libnss_files-2.12.so

mfsmount 5061 root  mem    REG              253,0  1921216  260624 /lib64/libc-2.12.so

mfsmount 5061 root  mem    REG              253,0   142640  260648 /lib64/libpthread-2.12.so

mfsmount 5061 root  mem    REG              253,0   596264  260632 /lib64/libm-2.12.so

mfsmount 5061 root  mem    REG              253,0    43832  260652 /lib64/librt-2.12.so

mfsmount 5061 root  mem    REG              253,0   258504  402028 /usr/lib64/libpcap.so.1.4.0

mfsmount 5061 root  mem    REG              253,0    19536  260630 /lib64/libdl-2.12.so

mfsmount 5061 root  mem    REG              253,0   221728  261115 /lib64/libfuse.so.2.8.3

mfsmount 5061 root  mem    REG              253,0   154520  260617 /lib64/ld-2.12.so

mfsmount 5061 root    0u   CHR                1,3      0t0    3782 /dev/null

mfsmount 5061 root    1u   CHR                1,3      0t0    3782 /dev/null

mfsmount 5061 root    2u   CHR                1,3      0t0    3782 /dev/null

mfsmount 5061 root    3r  FIFO                0,8      0t0 1586590 pipe

mfsmount 5061 root    4u  IPv4            1892119      0t0     TCP 192.168.2.250:44567->mfsmaster:9421 (ESTABLISHED)

mfsmount 5061 root    5u  unix 0xffff88001fb876c0      0t0 1616111 socket

mfsmount 5061 root    6u  IPv4            1616113      0t0     TCP localhost:44911 (LISTEN)

mfsmount 5061 root    8u   CHR             10,229      0t0    6954 /dev/fuse

[root@250-shiyan ~]# bc

bc 1.06.95

Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.

This is free software with ABSOLUTELY NO WARRANTY.

For details type `warranty'.

65928+1921216+142640+596264+43832+258504+19536+221728+154520

3424168

[root@250-shiyan ~]# ll /usr/bin/mfsmount

-rwxr-xr-x 1 root root 236648 Feb 10 19:27 /usr/bin/mfsmount

[root@250-shiyan ~]# size /usr/bin/mfsmount

   text    data     bss     dec     hex filename

 229679    4352 16923472        17157503        105cd7f /usr/bin/mfsmount

229679+4352+16923472=17157503

[root@250-shiyan ~]# pmap -x 5061

5061:   mfsmount /mnt/mfs1

Address           Kbytes     RSS   Dirty Mode   Mapping

----------------  ------  ------  ------

total kB          664836   17980   17072

三。分析

top中显示的某一个进程的RES列大小，与size某个文件显示的dec列是一样的，lsof中的SIZE列只是size命令中所显示的text列

即：

top-RES=size-dec

lsof-SIZE=size-text

 

一。先查看哪个用户从哪来，时长等信息。w与who都可以

[root@109-com1 ~]# w

 09:55:16 up 106 days, 21:48,  2 users,  load average: 1.11, 1.14, 1.02

USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT

root     pts/2    192.168.2.84     09:43    0.00s  0.08s  0.00s w

root     pts/3    1.85.49.230      09:44    7:17   0.08s  0.04s vi FLTPsThread.cpp

[root@109-com1 ~]# who -a

           system boot  2014-12-02 11:59

           run-level 3  2014-12-02 11:59

LOGIN      tty2         2014-12-02 12:04              1499 id=2

LOGIN      tty3         2014-12-02 12:04              1501 id=3

LOGIN      tty1         2014-12-02 12:04              1497 id=1

LOGIN      tty4         2014-12-02 12:04              1505 id=4

LOGIN      tty5         2014-12-02 12:04              1507 id=5

LOGIN      tty6         2014-12-02 12:04              1509 id=6

           pts/0        2015-02-09 13:51             27045 id=ts/0  term=0 exit=0

           pts/1        2015-03-10 22:16             11075 id=ts/1  term=0 exit=0

root     + pts/2        2015-03-19 09:43   .         12395 (192.168.2.84)

root     + pts/3        2015-03-19 09:44 00:07       12448 (1.85.49.230)

           pts/4        2015-03-11 10:29             24135 id=ts/4  term=0 exit=0

二。再根据终端，pid，目录查看他在干什么，运用了哪些资源

[root@109-com1 ~]# lsof /dev/pts/3

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

bash    12448 root    0u   CHR  136,3      0t0    6 /dev/pts/3

bash    12448 root    1u   CHR  136,3      0t0    6 /dev/pts/3

bash    12448 root    2u   CHR  136,3      0t0    6 /dev/pts/3

bash    12448 root  255u   CHR  136,3      0t0    6 /dev/pts/3

vi      12736 root    0u   CHR  136,3      0t0    6 /dev/pts/3

vi      12736 root    1u   CHR  136,3      0t0    6 /dev/pts/3

vi      12736 root    2u   CHR  136,3      0t0    6 /dev/pts/3

[root@109-com1 ~]# lsof -p 12448

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME

bash    12448 root  cwd    DIR  253,0     4096 141592 /usr/local/ps/src

bash    12448 root  rtd    DIR  253,0     4096      2 /

bash    12448 root  txt    REG  253,0   903336 651864 /bin/bash

bash    12448 root  mem    REG  253,0 99158576 138120 /usr/lib/locale/locale-archive

bash    12448 root  mem    REG  253,0    65928 651834 /lib64/libnss_files-2.12.so

bash    12448 root  mem    REG  253,0  1921216 651818 /lib64/libc-2.12.so

bash    12448 root  mem    REG  253,0    19536 651824 /lib64/libdl-2.12.so

bash    12448 root  mem    REG  253,0   135896 651863 /lib64/libtinfo.so.5.7

bash    12448 root  mem    REG  253,0   154520 655746 /lib64/ld-2.12.so

bash    12448 root  mem    REG  253,0    26060 264514 /usr/lib64/gconv/gconv-modules.cache

bash    12448 root    0u   CHR  136,3      0t0      6 /dev/pts/3

bash    12448 root    1u   CHR  136,3      0t0      6 /dev/pts/3

bash    12448 root    2u   CHR  136,3      0t0      6 /dev/pts/3

bash    12448 root  255u   CHR  136,3      0t0      6 /dev/pts/3

[root@109-com1 ~]# lsof +D /usr/local/ps

COMMAND     PID USER   FD   TYPE DEVICE  SIZE/OFF   NODE NAME

FLTServic 11167 root  cwd    DIR  253,0      4096 141580 /usr/local/ps/log

FLTServic 11167 root  txt    REG  253,0   2264102 141634 /usr/local/ps/bin/FLTService

FLTServic 11167 root    3u   REG  253,0 626612286 136213 /usr/local/ps/log/debug20150319.log

bash      12448 root  cwd    DIR  253,0      4096 141592 /usr/local/ps/src

vi        12736 root  cwd    DIR  253,0      4096 141592 /usr/local/ps/src

vi        12736 root    4u   REG  253,0     16384 141668 /usr/local/ps/src/.FLTPsThread.cpp.swp

 

目的：分析出uid与euid

一。linux系统中每个进程都有2个ID，分别为用户ID（uid）和有效用户ID（euid），UID一般表示进程的创建者（属于哪个用户创建），而EUID表示进程对于文件和资源的访问权限（具备等同于哪个用户的权限）。C语言中，可以通过函数getuid()和geteuid（）来获得进程的两个ID值。

当一个用户登陆系统时，系统会将UID和EUID都赋值为/etc/passwd文件中的UID，一般情况下2个ID是相同的，但是某些情况下会出现2个ID不同的情况。gid和egid同理。



新建用户

[root@250-shiyan ~]# useradd test2

[root@250-shiyan ~]# passwd test2

用新用户去登录

[test2@250-shiyan ~]$ id

uid=503(test2) gid=503(test2) groups=503(test2)

下面一段C代码将解释区别："printid.c"

[test2@250-shiyan ~]$ vi printid.c

#include <stdlib.h>

#include <stdio.h>

#include <unistd.h>

#include <sys/types.h>



int main(void)

{

    printf(" UID\t= %d\n", getuid());

    printf(" EUID\t= %d\n", geteuid());

    printf(" GID\t= %d\n", getgid());

    printf(" EGID\t= %d\n", getegid());



    return EXIT_SUCCESS;

}

[test2@250-shiyan ~]$ gcc -o printid printid.c

[test2@250-shiyan ~]$ id

uid=503(test2) gid=503(test2) groups=503(test2)

[test2@250-shiyan ~]$ ./printid

 UID    = 503

 EUID   = 503

 GID    = 503

 EGID   = 503

看看/etc/passwd里uid和gid：

[test2@250-shiyan ~]$ cat /etc/passwd|grep "\<test2\>"|awk -F ':' '{print "uid:"$3,"tgid:"$4}'

uid:503 tgid:503

以上是相同的例子。





下面演示uid和euid不同的例子。

首先，修改一下文件属性，setuid或setgid

[test2@250-shiyan ~]$ chmod u+s printid #这样一来，文件在执行阶段具有文件所有者的权限。

还可以再补充一个：

[test2@250-shiyan ~]$ chmod g+s printid #这样一来，文件在执行阶段具有文件所属组的权限。

其次，变成其他用户，再来试验一下，比如变成root；

[test2@250-shiyan ~]$ su

Password:

[root@250-shiyan test2]# ll

total 12

-rwsrwxr-x 1 test2 test2 7055 Mar 24 10:31 printid

-rw-rw-r-- 1 test2 test2  284 Mar 24 10:30 printid.c

[root@250-shiyan test2]# ./printid

 UID    = 0

 EUID   = 503

 GID    = 0

 EGID   = 0

这时uid虽是0，但EUID却是503，即文件所有者的权限

Linux系统就是使用setuid来解决这个矛盾的问题：如果一个程序被设置了setuid位，那么它无论被哪个用户启用，都会具备程序所有者的权限。而passwd程序的所有者是root用户，passwd的权限如下所示，那么任何用户执行该程序，程序的EUID就会变成root用户的EUID,而不是执行该程序的UID。



可以使用chmod u+s 或chmod g+s来设置二进制的可执行文件的euid。setuid只能对二进制的可执行设置。

 

[root@84-monitor httpd]# vi /etc/httpd/conf/httpd.conf

# prefork MPM

# StartServers: number of server processes to start

# MinSpareServers: minimum number of server processes which are kept spare

# MaxSpareServers: maximum number of server processes which are kept spare

# ServerLimit: maximum value for MaxClients for the lifetime of the server

# MaxClients: maximum number of server processes allowed to start

# MaxRequestsPerChild: maximum number of requests a server process serves

<IfModule prefork.c>

StartServers       8

MinSpareServers    5

MaxSpareServers   20

ServerLimit      256

MaxClients       256

MaxRequestsPerChild  4000

</IfModule>

[root@84-monitor httpd]# pstree -p|grep httpd

        |-httpd(13367)-+-httpd(13370)

        |              |-httpd(13371)

        |              |-httpd(13372)

        |              |-httpd(13373)

        |              |-httpd(13374)

        |              |-httpd(13375)

        |              |-httpd(13376)

        |              |-httpd(13377)



在客户端浏览器F5刷新http://125.76.228.16:2002/about.php这个页面，就产生下面13个资源请求

总共13个对象，总共有8个进程在循环等待请求到来

[root@84-monitor httpd]# tail -f access_log.1428364800

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13372 "GET /about.php HTTP/1.1" 200 10569 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13375 "GET /cacti/include/main.css HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13377 "GET /cacti/include/layout.js HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13376 "GET /cacti/images/left_border.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13371 "GET /cacti/images/tab_console_down.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13373 "GET /cacti/images/tab_graphs.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13374 "GET /cacti/images/transparent_line.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13370 "GET /cacti/images/cacti_logo.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"



1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13372 "GET /images/cacti_about_logo.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13377 "GET /cacti/images/cacti_backdrop.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13375 "GET /cacti/images/shadow_gray.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13376 "GET /cacti/images/shadow.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

1.85.49.230 - - [07/Apr/2015:16:00:08 +0800] 13371 "GET /cacti/images/menu_line.gif HTTP/1.1" 304 - "http://125.76.228.16:2002/about.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"