[jcifs] DCERPC errors driving me insane

Harris, David dharris at hp.com
Thu Nov 14 20:09:00 MST 2013


Hello jcifs community

We have a weird problem with collecting event logs over RPC/SMB from Windows servers (2003, 2008).

This is an ArcSight agent collecting logs remotely over 3 network hops. It uses no NetBIOS, it's just SMB over TCP/445.

This agent attempts to seek to the last Index written. The problem is we are missing several events and we don't want to miss any. It seems when these errors occur we get the DCERPC error and the indexing gets messed up.

The MTU of the network between agent and server is 1460; however, on the hop before the server it drops to 550.

I am trying to work out if fragging has a part to play.

The server says do not frag when it sends out an RPC request. It simply has to frag as most of these packets will be bigger than 550.


Is the below error actually complaining about frags?

Java.io.IOException: DCERPC pipe is no longer open
at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java.63)
at jcifs.dcerpc.DcerpcPipeHandle.sendrecv(DcerpcHandle.java:190)
at com.arcsight.agent.yb.f.a(f.java:1459)
etc
etc



Thanks in advance



David Harris
Senior Security Consultant

HP Enterprise Security Products
Hewlett-Packard Company

+61 408 351 760 / Mobile
dharris at hp.com / Email

410 Concord Road
Rhodes NSW
Australia 2138
