
Event ID: 6004 Source: EventLog

Source
Level
Description
A driver packet received from the I/O subsystem was invalid. The data is the packet.
Comments
 
The same problem with Symantec Endpoint Protection Version 11.0.2000.1567. The update to Version 11.0.5002.333 fixed the problem. No error information in the event log since the update to the new version.
I am running Win2k Pro on a Dell Precision 420 with a 3Com Etherlink 10/100 (3c905c-tx) NIC. I installed McAfee VirusScan 8.0i and the EventID 6004 showed up in the Event log. I then installed the Patch 11 from McAfee, rebooted the system and still received the error message. I went to the Dell website and downloaded the "3Com 3C905C Customer Diagnostics App for Windows 2000" software update. The error no longer showed up.
If you have an AV product like VirusScan Enterprise 8.0i patch 10, then you will see these benign errors. McAfee says that AV patch 11 will correct the problem.
Patch 11 is now out. I quote from Patch 11 readme.txt:
“An event is captured by the Event log service with the ID of 6004. This only occurred after installing VirusScan Enterprise 8.0i, and occurred when the McAfee TDI filter driver was loaded. BZ214636. RESOLUTION: This is resolved with the updated McAfee TDI filter driver”.
My problem was caused by a mismatch between the server’s NIC and the switch port. Ensure that the speed and flow control are hard-set on both.
McAfee has published an article about this event, Solution ID: KB39113. In brief, the event is caused by “mrxsmb.sys” and will have to be investigated by Microsoft. Go to the "McAfee Knowledge Search" page and search for the specified solution.


As per Microsoft: "The driver is functioning properly but is logging incorrectly formatted packets in the event log". See MSW2KDB for more details.
In my case, this error happened with a W2K Dell 530. The 3Com driver installed for my NIC was from the OS CD. I installed the one from the Dell site and the problem went away.
As per ME171332, this can occur if a user types invalid characters other than (0-9 A-F) or types more than 12 characters for the media access control address by not using hyphens between bytes (Some network adapter drivers allow an administrator to assign locally administered addresses or universally administered addresses (UAA) for the installed adapter card).

Another suggestion from Microsoft (not too useful):
"The driver is functioning properly but is logging incorrectly formatted packets in the event log. Examine the data in the event log in Event Viewer for the Unicode version of the driver's name and replace the packets or contact the supplier of the driver."

A newsgroup post suggests that this might be a faulty network card (or network card drivers) - the replacement of the card fixing the issue.
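
Microsoft's suggestion above is to look in the event data for the Unicode version of the driver's name. The following is an added example, not code from this page or from Microsoft: it rebuilds the raw bytes from a hex dump pasted out of Event Viewer and lists the UTF-16LE strings in it. The dump layout (offset, up to 8 hex bytes, ASCII column), the sample data and the name "\Device\Foo" are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout assumed for Event Viewer's "Bytes" view
# (offset, up to 8 hex bytes, ASCII column). Not taken from a real event;
# "\Device\Foo" is a placeholder name.
SAMPLE_DUMP = r"""
0000: 00 00 04 00 01 00 00 00   ........
0008: 5c 00 44 00 65 00 76 00   \.D.e.v.
0010: 69 00 63 00 65 00 5c 00   i.c.e.\.
0018: 46 00 6f 00 6f 00         F.o.o.
"""

# Offset, then 1-8 hex byte tokens; the ASCII column after the padding is not captured.
DUMP_LINE = re.compile(r"^[ \t]*[0-9a-fA-F]{4}:[ \t]((?:[0-9a-fA-F]{2} ?){1,8})", re.M)
# Runs of 4+ printable ASCII characters stored as UTF-16LE (character byte + 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw event data from a pasted hex dump, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(1)) for m in DUMP_LINE.finditer(dump))

def utf16_strings(data: bytes) -> list:
    """Return (offset, text) for each UTF-16LE string found in the data."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in UTF16_RUN.finditer(data)]

def driver_candidates(data: bytes) -> list:
    """Strings that look like a driver or device name: a \\Device\\ path or a .sys file."""
    out = []
    for _, text in utf16_strings(data):
        low = text.lower()
        if low.startswith("\\device\\") or low.endswith(".sys"):
            out.append(text)
    return out

if __name__ == "__main__":
    raw = dump_to_bytes(SAMPLE_DUMP)
    for offset, text in utf16_strings(raw):
        print(f"0x{offset:04x}  {text}")
```

The name recovered this way identifies which driver's supplier to contact or which driver to update, as the comments above did for their antivirus and NIC drivers.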
