This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture LDAP/AD authentication requests

0

I have an apache server where the .htaccess file on a specific directory look like this:

AuthType CAS
AuthName "Network Services"
AuthLDAPUrl "ldaps://ldap.here.ca/ou=people,dc=here,dc=com?uid?sub?(objectclass=*)"
AuthLDAPBindDN uid=user1,ou=nsids,ou=people,dc=here,dc=com
AuthLDAPBindPassword <password>

Require ldap-group cn=xct_staff,ou=ancillaryGroups,ou=groups,dc=here,dc=com

What I want to do is capture all the traffic going to and coming from ldap.here.ca when the Require ldap-group is being used. I tried ldap||msdp but no luck. Anyone have an idea I can try?

This question is marked "community wiki".

asked 25 Nov '16, 09:42


merrittr


2 Answers:

0

Hello

I am newish to Wireshark, but I may be able to offer a tip. I believe I have the basics of your question (although I am not sure about the ldap-group part of your question)

Anyway, start off with

ldap && (tcp contains "ldap.here.ca" || udp contains "ldap.here.ca")

Hope this is of some assistance.

Ernie

answered 26 Nov '16, 11:47


EBrant

err... I believe ldap.here.ca in the example is an FQDN, not an IP number, so udp contains "ldap.here.ca" would show packets which contain that string. Unfortunately, the FQDN of the LDAP server is not sent inside the LDAP PDUs themselves, so it won't show anything.

(26 Nov '16, 12:01) sindy

Hi Sindy, thanks for the info. I am new to Wireshark so learning too :) Thanks for the tip, I hope someone can answer Merrittr's question.

Ernie

(26 Nov '16, 12:14) EBrant

working on it ;-)

I've converted your previous post from an Answer (which it wasn't as it did not answer the original Question) to a Comment.

(26 Nov '16, 12:22) sindy

0

There are two key aspects here.

First, a display filter expression ldap only matches frames for which the LDAP dissector has been successfully invoked. As your configuration requires use of LDAPS (secure), the dissection ends at the TLS layer unless you provide sufficient key material and configuration (see details on the Wireshark wiki). If you don't, the undecrypted TLS payload is shown as just "Encrypted Application Data" in the dissection tree.

Second, in order to display-filter (or even capture-filter) only the communication with ldap.here.ca, you have to convert the FQDN to an IP number first. As we deal with a single FQDN here, use dig (on *x systems) or nslookup (on Windows) to obtain a list of IP numbers which represent that FQDN, and use all of them in your filter expression with "or" between them, as the httpd may establish the LDAPS connection to any of them. In your case, the DNS query returns a single IP number, so a capture filter host 66.196.36.64 and/or display filter ip.addr == 66.196.36.64 is sufficient.

answered 26 Nov '16, 12:44


sindy

edited 26 Nov '16, 14:06
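The resolve-then-OR procedure from the answer above, as an added shell example that is not part of the original thread: it resolves the LDAPS server's FQDN with dig and builds both a capture filter and a display filter that cover every A record returned. It assumes dig is installed, that the server listens on the standard LDAPS port 636, and the interface name eth0 in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): turn an LDAPS server FQDN
# into Wireshark capture/display filters covering every IP it resolves to.
set -eu

# Resolve an FQDN to its IPv4 A records (one per line); CNAME lines are dropped.
# Assumes dig is available (Linux/*BSD); on Windows use nslookup instead.
resolve_ips() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Capture (BPF) filter: "(host A or host B ...) and tcp port N".
# The httpd may connect to any of the addresses, so all of them are OR-ed.
build_capture_filter() {
    port=$1; shift
    f=""
    for ip in "$@"; do
        f="${f:+$f or }host $ip"
    done
    printf '(%s) and tcp port %s' "$f" "$port"
}

# Display filter: "ip.addr == A || ip.addr == B ...". Note that "ldap" alone
# will not match LDAPS frames unless TLS decryption is configured.
build_display_filter() {
    f=""
    for ip in "$@"; do
        f="${f:+$f || }ip.addr == $ip"
    done
    printf '%s' "$f"
}

main() {
    fqdn=${1:-ldap.here.ca}
    set -- $(resolve_ips "$fqdn")
    [ "$#" -gt 0 ] || { echo "no A records for $fqdn" >&2; return 1; }
    cf=$(build_capture_filter 636 "$@")
    df=$(build_display_filter "$@")
    echo "capture filter: $cf"
    echo "display filter: $df"
    # Usage (eth0 is a placeholder interface):
    #   sudo tcpdump -i eth0 -w ldaps.pcap "$cf"
    #   tshark -r ldaps.pcap -Y "$df && tls.record.content_type == 23"
}

# Only run the resolver when an FQDN is given on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With a single A record, the output reproduces the answer's filters: capture filter (host 66.196.36.64) and tcp port 636, display filter ip.addr == 66.196.36.64.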