I have an apache server where the .htaccess file on a specific directory looks like this:

AuthType CAS
AuthName "Network Services"
AuthLDAPUrl "ldaps://,dc=here,dc=com?uid?sub?(objectclass=*)"
AuthLDAPBindDN uid=user1,ou=nsids,ou=people,dc=here,dc=com
AuthLDAPBindPassword <password>

Require ldap-group cn=xct_staff,ou=ancillaryGroups,ou=groups,dc=here,dc=com

What I want to do is capture all the traffic going to and coming from when the Require ldap-group is being used. I tried ldap||msdp but no luck. Anyone have an idea I can try?


asked 25 Nov '16, 09:42



I am newish to Wireshark, but I may be able to offer a tip. I believe I have the basics of your question (although I am not sure about the ldap-group part of your question).

Anyway, start off with

LDAP && (tcp contains || udp contains

Hope this is some assistance



answered 26 Nov '16, 11:47


err... I believe in the example is an FQDN, not an IP number, so udp contains "" would show packets which contain that string. Unfortunately, the FQDN of the LDAP server is not sent inside the LDAP PDUs themselves, so it won't show anything.

(26 Nov '16, 12:01) sindy

Hi Sindy, thanks for the info. I am new to Wireshark so learning too :) Thanks for the tip, I hope someone can answer Merrittr's question.


(26 Nov '16, 12:14) EBrant

working on it ;-)

I've converted your previous post from an Answer (which it wasn't as it did not answer the original Question) to a Comment.

(26 Nov '16, 12:22) sindy

There are two key aspects here.

First, a display filter expression ldap only matches frames for which the LDAP dissector has been successfully invoked. As your configuration requires use of LDAPS (secure), the dissection ends at the TLS layer unless you provide sufficient key material and configuration (see details at Wireshark wiki). If you don't, the undecrypted TLS payload is shown as just "Encrypted Application Data" in the dissection tree.

Second, in order to display-filter (or even capture-filter) only the communication with, you have to convert the fqdn to an IP number first. As we deal with a single fqdn here, use dig (on *x systems) or nslookup (on Windows) to obtain a list of IP numbers which represent that fqdn, and use all of them in your filter expression with or between them, as the httpd may establish the LDAPS connection to any of them. In your case, the DNS query returns a single IP number, so a capture filter host and/or display filter ip.addr == is sufficient.


answered 26 Nov '16, 12:44


edited 26 Nov '16, 14:06
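As an added example (not part of sindy's answer or the original thread), this Python script does the fqdn-to-addresses step and builds both filter expressions the answer describes, OR-ing every resolved address. It assumes the LDAPS default port 636 (the AuthLDAPUrl in the question gives no port), and resolve_all() needs network access, while build_filters() works offline on a list of addresses.

```python
import ipaddress
import socket

# Assumed: ldaps:// URLs without an explicit port use 636, as the question's URL does.
LDAPS_PORT = 636


def resolve_all(fqdn):
    """Return every unique address the resolver gives for fqdn (A and AAAA),
    the same information dig/nslookup prints. Needs network access."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(fqdn, None):
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def build_filters(addresses, port=LDAPS_PORT):
    """Build a capture filter (BPF) and a display filter that match traffic
    to/from any of the given addresses on the LDAPS port.

    The display filter deliberately keys on tcp.port, not 'ldap': with TLS in
    the way the LDAP dissector never runs, so 'ldap' would match nothing."""
    v4, v6 = [], []
    for a in addresses:
        ip = ipaddress.ip_address(a)          # raises ValueError on garbage input
        bucket = v6 if ip.version == 6 else v4
        if str(ip) not in bucket:             # drop duplicate answers
            bucket.append(str(ip))
    if not v4 and not v6:
        raise ValueError("no addresses to filter on")

    # Parentheses are required: 'tcp port 636 and host A or host B' would
    # bind as '(tcp port 636 and host A) or host B'.
    hosts = " or ".join("host %s" % a for a in v4 + v6)
    capture = "tcp port %d and (%s)" % (port, hosts)

    terms = ["ip.addr == %s" % a for a in v4] + ["ipv6.addr == %s" % a for a in v6]
    display = "tcp.port == %d && (%s)" % (port, " || ".join(terms))
    return capture, display


if __name__ == "__main__":
    # Constructed sample answers, standing in for what resolve_all() would return.
    cap, disp = build_filters(["192.0.2.10", "2001:db8::1", "192.0.2.10"])
    print("capture filter:", cap)
    print("display filter:", disp)
```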

question asked: 25 Nov '16, 09:42

question was seen: 22,311 times

last updated: 26 Nov '16, 14:06

powered by OSQA