<div dir="ltr">Hi David,<div><br></div><div>Did you write the eventlog IDL? The IDL could be just wrong. Midlc doesn't validate the IDL at all.</div><div><br></div><div>Also what version of JCIFS are you using? At one point JCIFS did not implement multi-PDU requests (just responses). The current version does, but if you're using an older version that might be a factor.</div>
<div><br></div><div>Otherwise, to properly implement an RPC, the best and fastest way (and only way really) is to get a good packet capture of the oldest supported version of Windows (Windows XP SP3 currently) making the call you want to implement and then compare it side by side with precisely the same parameters so that it's a byte for byte comparison.</div>
<div><br></div><div>My experience is that once you get the IDL right, it works really well. So my first guess would be that your IDL is just wrong.</div><div><br></div><div>Mike</div><div><br></div><div><div>IMPORTANT NOTE TO EVERYONE: Do not post network packet captures to the mailing list. Every few years some <snip> posts a packet capture to the list and then I have to go chasing it down in the various archives and request deletes and that's annoying! Send packet captures only to me directly.</div>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 14, 2013 at 10:09 PM, Harris, David <span dir="ltr"><<a href="mailto:dharris@hp.com" target="_blank">dharris@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Hello jcifs community<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We have a weird problem with collecting event logs over RPC/SMB from windows servers (2003,2008)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">This is an ArcSight agent collecting logs remotely over 3 network hops. It uses no netbios, it’s just SMB tcp/445<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">This agent attempts to seek to the last Index written. The problem is we are missing several events and we don’t want to miss any. It seems when these errors occur we get the DCERPC error and the indexing gets messed up.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The MTU of the network between agent and server is 1460, however on the hop before the server it drops to 550<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am trying to work out if fragging has a part to play<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The server says do not frag when it sends out an RPC request. It simply has to frag as most of these packets will be be bigger than 550<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Is the below error actually complaining about frags?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Java.io.IOException: DCERPC pipe is no longer open<u></u><u></u></p>
<p class="MsoNormal">at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java.63)<u></u><u></u></p>
<p class="MsoNormal">at jcifs.dcerpc.DcerpcPipeHandle.sendrecv(DcerpcHandle.java:190)<u></u><u></u></p>
<p class="MsoNormal">at com.arcsight.agent.yb.f.a(f.java:1459)<u></u><u></u></p>
<p class="MsoNormal">etc<u></u><u></u></p>
<p class="MsoNormal">etc<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks in advance<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-family:"Futura Hv","sans-serif";color:#221e1f">David Harris</span><span lang="EN-AU" style="color:#221e1f"><br>
</span><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">Senior Security Consultant<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">HP Enterprise Security Products<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">Hewlett-Packard Company<br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f"><a href="tel:%2B61%20408%20351%20760" value="+61408351760" target="_blank">+61 408 351 760</a> / Mobile
<br>
<a href="mailto:bruce.coble@hp.com" title="Email Me" target="_blank">dharris@hp.com</a> / Email<br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">410 Concord Road<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">Rhodes NSW<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Futura Bk","sans-serif";color:#221e1f">Australia 2138</span><span lang="EN-AU" style="color:#221e1f"><br>
<br>
</span><a href="http://www.hp.com/" target="_blank"><span style="color:blue;text-decoration:none"><img border="0" width="28" height="28" src="cid:image001.gif@01CEE20C.3D13DD40" alt="hp"></span></a><span lang="EN-AU" style="color:#221e1f"><br>
<br>
</span><span lang="EN-AU" style="font-size:9.0pt;color:#00b050">Please consider the environment before printing this email.</span><span lang="EN-AU" style="color:#221e1f">
</span><span lang="EN-AU" style="color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Michael B Allen<br>Java Active Directory Integration<br><a href="http://www.ioplex.com/">http://www.ioplex.com/</a>
</div>