I would set up an address filter to capture only the traffic between the backup server and a single machine.
Per http://wiki.wireshark.org/DCOM, you can't do a capture filter, but you can do a display filter afterward.

Kurt

On Wed, Feb 5, 2014 at 8:02 AM, Jesse Rink <[email protected]> wrote:
> I admit little experience with DCOM.
>
> Here's my situation. I have a W2008R2 server running Backup Exec Media
> Server (2012) and nothing else except the standard HP Agent Software that's
> loaded on it. No roles associated with it except an MS iSCSI Target.
>
> Oddly enough, I am getting countless DCOM errors showing up in the server's
> System Log. Event id 10006, source is DistributedCOM. The messages are
> "DCOM got error "2147944122" from computer (computer-name here) when
> attempting to activate the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}"
>
> I believe the error is because the machines are turned off, however, **my
> BIGGER interest is WHY** this server, which only serves as a backup server,
> is attempting to contact PCs using DCOM. It happens only once a day, and
> seems to occur between 10:30am and 12:30pm most of the time. I just don't
> understand what application or process is doing this and WHY. These DCOM
> errors have been showing in the SYSTEM log, once per day (well, once per
> attempt of EACH computer, once per day) for over 12 months... so it's
> definitely not anything new. I'm just finally getting around to looking
> into it.
>
> I'm thinking about setting up a Wireshark capture during that time period,
> but Wireshark captures tend to get really BIG and I don't know what to
> filter on for DCOM.
>
> Thoughts?
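The two suggestions in this thread (an address-only capture filter, then a display filter afterward) can be combined with a size-bounded ring buffer, as in the following added example, which is not part of the original messages. The install path, interface index, client address and output directory are assumed placeholders.

```powershell
# Added example: every value in this first block is an assumed placeholder.
$wireshark = 'C:\Program Files\Wireshark'  # assumed default install path
$iface     = 1                             # assumed interface index; list them with: dumpcap.exe -D
$client    = '192.0.2.10'                  # placeholder address of one PC named in event 10006
$outDir    = 'C:\captures'                 # assumed output directory

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Capture filter: address only. DCOM starts at the endpoint mapper on TCP 135 and
# then moves to a dynamically assigned port, so a port-based capture filter would
# miss the activation traffic; the protocol filtering is left for after the capture.
# Ring buffer: 10 files of 51200 kB each, oldest overwritten, so disk use stays
# bounded (about 500 MB). Autostop after 7200 s to cover a 10:30-12:30 window
# when the capture is started at 10:30.
& "$wireshark\dumpcap.exe" -i $iface -f "host $client" `
    -b filesize:51200 -b files:10 `
    -a duration:7200 `
    -w "$outDir\dcom.pcapng"

# Display filter afterward: DCE/RPC traffic plus anything to or from the endpoint
# mapper port, so connection attempts to a powered-off machine are still listed.
Get-ChildItem "$outDir\dcom_*.pcapng" | ForEach-Object {
    & "$wireshark\tshark.exe" -r $_.FullName -Y 'dcerpc || tcp.port == 135'
}
```

To identify which process on the backup server opens the connection, the source port and timestamp from the capture have to be matched against process-level data collected on the server during the same window; the capture alone does not show it.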

