[jcifs] Re: eventlog.patch issues

Michael B Allen ioplex at gmail.com
Wed Aug 20 21:10:33 GMT 2008

On Wed, Aug 20, 2008 at 4:02 PM, Marasim <marasim at gmail.com> wrote:
>> If you can see some event log records and not others, my guess would
>> be that it's either some kind of "access mask" or permissions issue.
>> The best way to debug this sort of thing is to get a packet capture of
>> the Event Log Viewer looking at the target records and then compare
>> that to a capture of JCIFS doing the same thing using WireShark. Then
>> you'll see definitively if the target information is even in the
>> server response.
>> Mike
> Thanks a lot for your quick response. How do we do a packet capture of the event
> log viewer?
> Also, when you say using Wireshark to do capture of JCIFS you mean connecting to
> the server using JCIFS and running Wireshark to get the tcpdump, correct?

Capture with tcpdump as described here:


and then open the .pcap file with WireShark.

The frames you're interested in will probably be called "DCERPC" and
the structure of the packets should roughly correspond to the IDL
definitions in the patch file.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the jcifs mailing list