This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Failure to recognize LDAP if not port 389?

1

I am using AD LDS (Active Directory Lightweight Services) and connecting to it using ldp.exe (from Microsoft). I am using port 50000. I am able to authenticate successfully and capture the traffic. However, Wireshark interprets it as TCP, not LDAP, and in the Info field it does not say bind request, etc. Is this due to the port that I am using?

Thanks.

asked 21 May '13, 15:41


malhenry

edited 10 Jun '13, 23:57


Guy Harris ♦♦
2 Answers:

5

You can either change the default port for LDAP in the preferences (click on Protocols and then search for LDAP),

or you can right-click on a packet and use "Decode As...".

answered 21 May '13, 15:45


SYN-bit ♦♦

Decode As works... thanks.

(30 May '13, 09:02) malhenry

Hi,

Your answer above was working for a while. In fact it seemed to look at all of the packets in the capture and change the appropriate ones to LDAP, which was great.

Today for some reason I cannot decode the packets in new streams. I am pretty certain that I am capturing the correct packet stream. Do you know what I could be doing wrong?

Thanks.

(07 Jun '13, 14:25) malhenry

Can you post the new capture somewhere we can look at it, maybe Cloudshark?

(08 Jun '13, 12:21) grahamb ♦

I would rather not post the traffic. Could you possibly tell me what to look for or possible explanations of my problem? I appreciate your help. I just bought the Wireshark 101 book and am finding it to be a good read so far...

(10 Jun '13, 06:25) malhenry

It might be easier if you explain what you see and do, i.e. your displays and actions from choosing a packet to right-clicking on it and using "Decode As...". Also describe the source and destination ports of the packets and which host is the LDAP server.

(10 Jun '13, 06:33) grahamb ♦

OK. I go to x.x.x.31 and start a Wireshark capture. Then I go to my LDAP server, y.y.y.151, and start Wireshark. Then I go to .31 and run ldp.exe to successfully connect and bind. Then on each machine:

I stop Wireshark.
Filter: ip.host eq y.y.y.151
I see the 3-way handshake packets.
So I right-click the 4th packet, Decode As > Transport tab > LDAP.
I do not see any TCP packets get transformed to LDAP packets.

Thanks.

(10 Jun '13, 08:03) malhenry

My ldap server is using SSL on port 50005. Maybe SSL is preventing a proper decode to LDAP?

(10 Jun '13, 08:06) malhenry

I can go to another LDAP server that is not running SSL and decode the TCP packets successfully as LDAP using the method above. So is SSL preventing me from decoding to LDAP? Thanks.

(10 Jun '13, 08:18) malhenry

Ran SSL with the second LDAP server (where I could decode non-SSL to LDAP). This time I could not decode packets. So it appears that decode to LDAP will not work if packets are coming over SSL. Can you please confirm this is correct? Thanks.

(10 Jun '13, 08:26) malhenry

2

My ldap server is using SSL on port 50005. Maybe SSL is preventing a proper decode to LDAP?

The LDAP dissector is only able to detect the LDAP protocol if it is able to read the communication, which is impossible if the communication is encrypted.

So it appears that decode to LDAP will not work if packets are coming over SSL. Can you please confirm this is correct?

Confirmed.

HOWEVER: You can decrypt the SSL data, if you have access to the private key of the SSL server (your LDAP server). Is that the case?

Regards
Kurt

answered 10 Jun '13, 08:33


Kurt Knochner ♦

edited 10 Jun '13, 08:35

Let's say that I can. What would be my next steps? Some kind of IKEv2 config? If I go down this route, will I be able to decode as LDAP?

(10 Jun '13, 10:22) malhenry

Take a look at these links:

http://wiki.wireshark.org/SSL
http://www.youtube.com/watch?v=vQtur8fqErI

(10 Jun '13, 11:33) Kurt Knochner ♦

Awesome...thanks!

(10 Jun '13, 14:08) malhenry