
Is there a way in Wireshark that I can see the LDAP connection string? i.e. LDAP://server:port/....

I have captured the traffic and see LDAP packets, but not sure where to look for this string.


asked 30 May '13, 09:05

malhenry

I am trying to debug a failed bind request...thanks.

(30 May '13, 09:07) malhenry

That string will not appear in the capture file, as it is a configuration item which tells the system to open an LDAP session to port "port" on "server". So when you do find the LDAP packets, look at the requests and then use the IP destination as "server" and the TCP destination port as "port". Be aware though that there might have been a hostname configured, not an IP address. So if you are capturing on the device that is initiating the LDAP session, look for DNS requests too...


answered 30 May '13, 09:15


SYN-bit ♦♦

I know the server and port. I am really looking for what is being passed as the rest of the connection string...such as the user, which can be specified in more than one format. My reason for doing this is one client program can successfully authenticate, but another fails with bad user or pw. Not that it matters, but I am authenticating (trying) to a Windows AD LDS instance. Thanks.

(30 May '13, 11:17) malhenry

Also, I am attempting to use the same credentials in each of my two client programs.

(30 May '13, 11:18) malhenry

> such as the user which can be specified in more than one format. My reason for doing this is one client program can successfully

Look for LDAP bind requests and for LDAP bind responses.

Filter: ldap.bindRequest or ldap.bindResponse

Then open the LDAP fields in Wireshark and check if you can find the reason.

However: There are several ways to protect the authentication information (SSL/TLS, SASL, etc.), so you might not see anything useful.

If the client does not use SSL/TLS and the authentication scheme is 'simple' you will be able to see the user and the password, as well as the error message of the LDAP server.


(30 May '13, 12:20) Kurt Knochner ♦

As long as this is in clear text, you should be able to see the request:

27842 2013-06-02 06:00:28.623270000 LDAP 135 bindRequest(1) "cn=user1,ou=users,dc=willeke,dc=com" simple

and response:

42775 2013-06-02 06:03:53.739349000 LDAP 119 bindResponse(1) invalidCredentials (NDS error: failed authentication (-669))



answered 02 Jun '13, 03:09

jwilleke
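The check described in the answers above, as an added example that is not part of the original thread: a minimal BER decoder for an LDAP bindRequest that reports the bind name, its format, and whether the authentication choice is simple (password sent as plain octets) or SASL. The PDUs are constructed, and `parse_bind_request`, `sample_bind` and the name-format heuristic are assumptions of this example.

```python
# Added example. The PDUs are constructed here, not taken from a capture.
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element (short-form length only; enough for the sample)."""
    if len(value) >= 0x80:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu: bytes) -> dict:
    """Pull the fields Wireshark shows under bindRequest out of an LDAPMessage."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:  # [APPLICATION 0] = bindRequest
        raise ValueError("not a bindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    name = name.decode("utf-8")
    # Rough heuristic for the name format, an assumption of this example.
    fmt = "dn" if "=" in name else "upn" if "@" in name else "other"
    info = {"messageID": int.from_bytes(msg_id, "big"), "name": name, "name_format": fmt,
            "version": int.from_bytes(version, "big"), "auth": "unknown"}
    if auth_tag == 0x80:  # [0] simple: the password travels as plain octets
        info.update(auth="simple", password_length=len(auth))
    elif auth_tag == 0xA3:  # [3] sasl: only the mechanism name is readable here
        info.update(auth="sasl", mechanism=read_tlv(auth)[1].decode("ascii"))
    return info

def sample_bind(msg_id: int, name: str, password: str) -> bytes:
    """Build a constructed LDAPv3 simple bindRequest for the demo."""
    op = tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))
```

Running it on the bindRequest bytes from each of the two clients shows whether they send the same name string and a password of the same length.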
