This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LDAP dissector

0

I may have a rather stupid question here, but what makes Wireshark "decide" if e.g. ldap traffic is indeed ldap traffic? Is it because of the used tcp port 389, or is there more intelligence in this decision? The issue I'm facing is that I can see ldap errors to/from a server that is built by an external company, and they claim that the server is not using ldap at all... The server just opens tcp sessions with random tcp ports... (I'm running latest version of wireshark 1.12.8) Thanks for your help!

asked 24 Nov '15, 03:45


profke
accept rate: 0%


One Answer:

1

Wireshark dissectors for a particular protocol can be called to dissect packets for a number of reasons:

  • The dissector has registered to be called for packets on a particular port, e.g. tcp/389 for LDAP, usually via a preferences setting for the dissector.
  • The dissector has registered as a "heuristic" dissector and has determined, possibly incorrectly, that the packets it has been handed are indeed of the expected protocol type.
  • The dissector has registered a handler for a particular "type" of data, e.g. "text/plain", and the dissector for another protocol has determined that the data is of the specified type.
  • The user has made a "Decode As .. " setting to decode all packets on a particular Link Type\Network Type\Transport Port as the specified protocol.
  • Other ways I've forgotten or didn't even know about.

In summary, yes a dissector can be called for packets that are not of the correct type and various forms of oddness will ensue depending on how the dissector is coded.

answered 24 Nov '15, 04:06


grahamb ♦
accept rate: 22%

edited 26 Nov '15, 09:13
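To make the first two mechanisms in the answer concrete (port registration versus a heuristic that inspects the bytes), here is an added, self-contained Python example; it is not Wireshark code and not part of the original thread. It applies a minimal LDAP "sniff test" in the spirit of a heuristic dissector: an LDAPMessage (RFC 4511) is a BER SEQUENCE containing an INTEGER messageID followed by an APPLICATION-class protocolOp tag. The sample payloads, the port set and the function names (`looks_like_ldap`, `classify`) are constructed for this illustration; Wireshark's real LDAP dissector also handles TCP reassembly and many more checks.

```python
# Added example, not Wireshark's own code. Checks whether a TCP payload begins with
# a plausible LDAPMessage:
#   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ... }
# and shows how a port-based decision can disagree with a byte-level heuristic.

# Assumption: tcp/389 (from the question) is the only port we treat as "registered" for LDAP.
LDAP_PORTS = {389}

# protocolOp APPLICATION tag numbers from RFC 4511 section 4.1.1
PROTOCOL_OPS = {
    0: "bindRequest", 1: "bindResponse", 2: "unbindRequest", 3: "searchRequest",
    4: "searchResEntry", 5: "searchResDone", 6: "modifyRequest", 7: "modifyResponse",
    8: "addRequest", 9: "addResponse", 10: "delRequest", 11: "delResponse",
    12: "modDNRequest", 13: "modDNResponse", 14: "compareRequest", 15: "compareResponse",
    16: "abandonRequest", 19: "searchResRef", 23: "extendedReq", 24: "extendedResp",
    25: "intermediateResponse",
}


def _read_tlv_header(buf: bytes, pos: int):
    """Parse a BER tag and definite length at pos. Returns (tag, length, value_offset) or None."""
    if pos >= len(buf):
        return None
    tag = buf[pos]
    pos += 1
    if (tag & 0x1F) == 0x1F:          # multi-byte tag numbers never occur in LDAP
        return None
    if pos >= len(buf):
        return None
    first = buf[pos]
    pos += 1
    if first < 0x80:                   # short form length
        return tag, first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        return None                    # indefinite or absurdly long length: LDAP uses neither
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    return tag, length, pos + nbytes


def looks_like_ldap(payload: bytes):
    """Return (True, op_name, message_id) if payload starts with a plausible LDAPMessage,
    otherwise (False, reason, None). The SEQUENCE body may continue in a later TCP segment,
    so only the leading structure is checked, not the full length."""
    hdr = _read_tlv_header(payload, 0)
    if hdr is None or hdr[0] != 0x30:
        return False, "not a BER SEQUENCE", None
    _, seq_len, pos = hdr
    if seq_len < 3:                    # needs at least messageID TLV plus an op tag
        return False, "SEQUENCE too short", None
    hdr = _read_tlv_header(payload, pos)
    if hdr is None or hdr[0] != 0x02:
        return False, "no INTEGER messageID", None
    _, id_len, pos = hdr
    if id_len == 0 or id_len > 4 or pos + id_len > len(payload):
        return False, "bad messageID length", None
    msg_id = int.from_bytes(payload[pos:pos + id_len], "big")
    pos += id_len
    hdr = _read_tlv_header(payload, pos)
    if hdr is None:
        return False, "truncated protocolOp", None
    tag = hdr[0]
    if (tag & 0xC0) != 0x40:           # class bits must say APPLICATION
        return False, "protocolOp not APPLICATION class", None
    op = tag & 0x1F
    if op not in PROTOCOL_OPS:
        return False, f"unknown protocolOp {op}", None
    return True, PROTOCOL_OPS[op], msg_id


def classify(tcp_port: int, payload: bytes) -> str:
    """Port registration first (as a registered dissector would be picked), then the heuristic.
    A port match with bytes that do not parse is exactly the 'oddness' the answer warns about."""
    ok, detail, _ = looks_like_ldap(payload)
    if tcp_port in LDAP_PORTS:
        return "ldap by port" if ok else f"ldap by port, but payload does not parse ({detail})"
    return f"ldap by heuristic ({detail})" if ok else "not ldap"


# Constructed sample payloads (hand-encoded BER, not captured traffic):
# bindResponse, messageID 1, resultCode success, empty matchedDN and diagnosticMessage
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c020101610a0a0100040004000000"[:28])
# bindRequest, messageID 1, version 3, empty name, simple auth with empty password
SAMPLE_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# unbindRequest, messageID 2 ([APPLICATION 2] NULL)
SAMPLE_UNBIND = bytes.fromhex("30050201024200")
# something that is clearly not LDAP
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for port, payload in [(389, SAMPLE_BIND_RESPONSE), (389, SAMPLE_HTTP),
                          (51234, SAMPLE_UNBIND), (51234, SAMPLE_HTTP)]:
        print(port, classify(port, payload))
```

On a port-389 flow that the vendor insists is not LDAP, a check like this run over the first bytes of each segment separates "Wireshark labelled it LDAP because of the port" from "the bytes really are LDAPMessages"; a successful bindResponse parsing cleanly is strong evidence of the latter.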

Thanks Graham, there are no special decode settings, all is default. But if I see successful bind responses, I guess then it is really ldap, not some other traffic using the same tcp port as ldap's default one? I'd like to show you some screen shots, but don't know how to...

(24 Nov '15, 04:24) profke

Analysis by screenshot is ... painful.

You can share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.

(24 Nov '15, 04:36) grahamb ♦

Yes, agree, but I can't share the pcap files. Meanwhile things are clear now; the traffic is indeed LDAP. Thx for your help.

(26 Nov '15, 07:34) profke

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(26 Nov '15, 09:13) grahamb ♦