[jcifs] DCERPC errors driving me insane

Michael B Allen ioplex at gmail.com
Fri Nov 15 17:15:26 MST 2013


Hi David,

Did you write the eventlog IDL? The IDL could be just wrong. Midlc doesn't
validate the IDL at all.

Also what version of JCIFS are you using? At one point JCIFS did not
implement multi-PDU requests (just responses). The current version does,
but if you're using an older version that might be a factor.

Otherwise, to properly implement an RPC, the best and fastest way (and only
way really) is to get a good packet capture of the oldest supported version
of Windows (Windows XP SP3 currently) making the call you want to
implement and then compare it side by side with precisely the same
parameters so that it's a byte-for-byte comparison.

My experience is that once you get the IDL right, it works really well. So
my first guess would be that your IDL is just wrong.

Mike

IMPORTANT NOTE TO EVERYONE: Do not post network packet captures to the
mailing list. Every few years some <snip> posts a packet capture to the
list and then I have to go chasing it down in the various archives and
request deletes and that's annoying! Send packet captures only to me
directly.



On Thu, Nov 14, 2013 at 10:09 PM, Harris, David <dharris at hp.com> wrote:

> Hello jcifs community
>
> We have a weird problem with collecting event logs over RPC/SMB from
> Windows servers (2003, 2008).
>
> This is an ArcSight agent collecting logs remotely over 3 network hops. It
> uses no NetBIOS; it's just SMB over tcp/445.
>
> This agent attempts to seek to the last Index written. The problem is we
> are missing several events and we don't want to miss any. It seems when
> these errors occur we get the DCERPC error and the indexing gets messed up.
>
> The MTU of the network between agent and server is 1460; however, on the
> hop before the server it drops to 550.
>
> I am trying to work out if fragging has a part to play.
>
> The server says do not frag when it sends out an RPC request. It simply
> has to frag as most of these packets will be bigger than 550.
>
> Is the below error actually complaining about frags?
>
> java.io.IOException: DCERPC pipe is no longer open
>     at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:63)
>     at jcifs.dcerpc.DcerpcPipeHandle.sendrecv(DcerpcHandle.java:190)
>     at com.arcsight.agent.yb.f.a(f.java:1459)
>     etc
>     etc
>
> Thanks in advance
>
> David Harris
> Senior Security Consultant
> HP Enterprise Security Products
> Hewlett-Packard Company
> +61 408 351 760 / Mobile
> dharris at hp.com / Email
> 410 Concord Road
> Rhodes NSW
> Australia 2138
>
> [image: hp] <http://www.hp.com/>
>
> Please consider the environment before printing this email.



-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
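To make the two points in the reply concrete (what a "multi-PDU request" is, and how to do the byte-for-byte comparison against a known-good capture), here is a small, added example that is not code from JCIFS, from the ArcSight agent or from either poster. It builds connection-oriented DCE/RPC request PDUs with the PFC_FIRST_FRAG/PFC_LAST_FRAG flags from the DCE 1.1 RPC (C706) common header, reassembles them while checking the framing a receiver must reject, and reports the first byte at which two request PDUs differ, labelled by header field. The sample stub is constructed data, not a real eventlog call. The 550-byte limit is an assumption chosen only to echo the 550-byte link in the question: the DCE/RPC fragment size is the max_xmit_frag/max_recv_frag negotiated in the bind, which is independent of IP-layer MTU fragmentation. The SMB named-pipe transport, the bind exchange and auth trailers are out of scope.

```python
"""Minimal DCE/RPC connection-oriented PDU fragmenter/reassembler (added example)."""
import struct

PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_REQUEST = 0x00
PTYPE_RESPONSE = 0x02
# Common header per C706: vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
COMMON_HDR = "<BBBBIHHI"
COMMON_HDR_LEN = struct.calcsize(COMMON_HDR)       # 16
REQ_BODY_HDR = "<IHH"                              # alloc_hint, p_cont_id, opnum
REQ_BODY_HDR_LEN = struct.calcsize(REQ_BODY_HDR)   # 8
DREP_LE_ASCII_IEEE = 0x10                          # on the wire: 10 00 00 00

# Byte offsets of the fields of a request PDU, used to label a mismatch.
REQUEST_FIELDS = [
    (0, "rpc_vers"), (1, "rpc_vers_minor"), (2, "ptype"), (3, "pfc_flags"),
    (4, "drep"), (8, "frag_length"), (10, "auth_length"), (12, "call_id"),
    (16, "alloc_hint"), (20, "p_cont_id"), (22, "opnum"), (24, "stub"),
]


def build_request_pdus(stub, opnum, call_id, max_xmit_frag=550, context_id=0):
    """Split `stub` into request PDUs of at most max_xmit_frag bytes each.

    max_xmit_frag is the per-PDU limit negotiated at bind time; exceeding it
    is what turns one call into a multi-PDU request. 550 is an assumed value."""
    room = max_xmit_frag - COMMON_HDR_LEN - REQ_BODY_HDR_LEN
    if room <= 0:
        raise ValueError("max_xmit_frag too small for a request header")
    chunks = [stub[i:i + room] for i in range(0, len(stub), room)] or [b""]
    pdus = []
    for i, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(chunks) - 1 else 0)
        frag_length = COMMON_HDR_LEN + REQ_BODY_HDR_LEN + len(chunk)
        hdr = struct.pack(COMMON_HDR, 5, 0, PTYPE_REQUEST, flags,
                          DREP_LE_ASCII_IEEE, frag_length, 0, call_id)
        # alloc_hint carries the total stub size so the receiver can preallocate.
        pdus.append(hdr + struct.pack(REQ_BODY_HDR, len(stub), context_id, opnum) + chunk)
    return pdus


def reassemble(pdus):
    """Concatenate the stub data of one call from its PDUs, in order.

    Raises ValueError on framing faults a receiver must reject: frag_length
    disagreeing with the PDU length, call_id changing mid-call, a missing or
    repeated PFC_FIRST_FRAG, or a sequence that never carries PFC_LAST_FRAG."""
    stub = bytearray()
    call_id_seen = None
    for raw in pdus:
        if len(raw) < COMMON_HDR_LEN:
            raise ValueError("PDU shorter than common header")
        vers, _minor, ptype, flags, _drep, frag_length, auth_length, call_id = \
            struct.unpack_from(COMMON_HDR, raw, 0)
        if vers != 5:
            raise ValueError("not an RPC version 5 PDU")
        if frag_length != len(raw):
            raise ValueError("frag_length %d != PDU length %d" % (frag_length, len(raw)))
        if auth_length:
            raise ValueError("auth trailers are not handled in this example")
        if ptype not in (PTYPE_REQUEST, PTYPE_RESPONSE):
            raise ValueError("unexpected ptype 0x%02x" % ptype)
        if call_id_seen is None:
            if not flags & PFC_FIRST_FRAG:
                raise ValueError("first PDU lacks PFC_FIRST_FRAG")
            call_id_seen = call_id
        else:
            if call_id != call_id_seen:
                raise ValueError("call_id changed mid-call")
            if flags & PFC_FIRST_FRAG:
                raise ValueError("PFC_FIRST_FRAG repeated")
        # Request and response bodies both begin with an 8-byte prefix before the stub.
        stub += raw[COMMON_HDR_LEN + 8:frag_length]
        if flags & PFC_LAST_FRAG:
            return bytes(stub)
    raise ValueError("PFC_LAST_FRAG never seen")


def first_difference(reference, candidate):
    """Byte-for-byte comparison of two request PDUs (e.g. a known-good client's
    capture against the code under test). Returns None if identical, otherwise
    (offset, field_name) of the first mismatch; a pure length difference
    reports the shorter length as the offset."""
    n = min(len(reference), len(candidate))
    for off in range(n):
        if reference[off] != candidate[off]:
            break
    else:
        if len(reference) == len(candidate):
            return None
        off = n
    name = "stub"
    for start, field in REQUEST_FIELDS:
        if off >= start:
            name = field
    return off, name


if __name__ == "__main__":
    sample_stub = bytes(range(256)) * 5          # constructed 1280-byte stub
    pdus = build_request_pdus(sample_stub, opnum=7, call_id=1)
    print("%d PDUs, sizes %s" % (len(pdus), [len(p) for p in pdus]))
    print("reassembled OK:", reassemble(pdus) == sample_stub)
    print("PDU 0 vs PDU 1 first differs at:", first_difference(pdus[0], pdus[1]))
```

When comparing a capture of a real client against your own output, feed `first_difference` the raw PDU bytes from each side; a mismatch landing in `frag_length`, `pfc_flags` or `alloc_hint` points at the fragmentation logic, while a mismatch at or past the `stub` offset points at the marshalling, which is where a wrong IDL shows up.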