How to capture and filter LDAP transactions with Wireshark

Document created by Ujwol Shrestha on Oct 9, 2014. Last modified by Ujwol Shrestha on May 30, 2018.
Version 5

Summary :

When troubleshooting LDAP authentication/authorization use cases, we often need to look up the actual LDAP queries executed by IAM products such as CA SSO Policy Server, and the corresponding responses returned by the LDAP directory. This guide shows how to capture LDAP queries and responses with Wireshark.

Assumption :

  • Non secure LDAP connection
  • Wireshark version >= 2.6.0

Instructions :

1. Run Wireshark and start capturing the network traffic on the IAM server host (e.g. CA SSO Policy Server) by selecting the appropriate network interface.


In the test setup I had only one “Local Area Connection” network interface. Your setup may have more than one; select the interface that carries the traffic to the LDAP directory.

2. In the display filter search box, add the following filter and hit ENTER:

tcp.dstport == <LDAP PORT> || tcp.srcport == <LDAP PORT>

This filter shows traffic in both directions between the host and the LDAP directory.

You can also add a condition that restricts the packets to a specific LDAP server.

For example:

( tcp.dstport == <LDAP PORT> || tcp.srcport == <LDAP PORT> ) && ip.addr == <LDAP_SERVER_IP>


3. Perform an LDAP transaction (e.g. ldap_search, ldap_bind, ldap_add).

For this test, I am using CA SSO Admin UI interface to perform a user search for LDAP directory.

LDAP search

4. Stop network capture by clicking the RED stop button.

5. Select Analyze –> Decode As


6. Click the Plus (+) button. Choose TCP Port Value = <LDAP PORT>. Choose Protocol = LDAP. Click OK.


7. Now you can add the LDAP protocol to the filter in the display filter search box, as below:

(tcp.dstport == <LDAP PORT> || tcp.srcport == <LDAP PORT>) && ip.addr == <LDAP_SERVER_IP> && ldap


8. Next, select the frame where you see searchRequest in the Info column and review the search filter


9. Then, you can click on the “Response In: ***” hyperlink to navigate to the LDAP search response packet.
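
What the LDAP dissector recovers from an unencrypted searchRequest in steps 6 to 8, as an added example (not code from the original document): a minimal Python BER reader that decodes one request into its base DN, scope, filter and attributes. The function names and the sample request are constructed for illustration, and only the and, or, equalityMatch and present filter choices are rendered.

```python
SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}  # RFC 4511 scope values

def tlv(buf, pos):  # return (tag, value, next_pos) for the BER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into (tag, value) elements
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def render_filter(tag, val):  # Filter choice -> RFC 4515 text
    if tag in (0xA0, 0xA1):  # and / or: SET OF Filter
        inner = "".join(render_filter(t, v) for t, v in children(val))
        return "(" + ("&" if tag == 0xA0 else "|") + inner + ")"
    if tag == 0xA3:  # equalityMatch: attributeDesc, assertionValue
        (_, attr), (_, value) = children(val)
        return f"({attr.decode()}={value.decode()})"
    if tag == 0x87:  # present: the value is the attribute description
        return f"({val.decode()}=*)"
    return f"(<filter tag 0x{tag:02x} not handled>)"

def decode_search_request(pdu):
    """Illustrative helper: decode LDAPMessage { messageID, searchRequest [APPLICATION 3] }."""
    tag, msg, _ = tlv(pdu, 0)
    (_, msg_id), (op_tag, op) = children(msg)[:2]
    if tag != 0x30 or op_tag != 0x63:
        raise ValueError("not an LDAPMessage carrying a searchRequest")
    f = children(op)  # baseObject, scope, deref, size, time, typesOnly, filter, attributes
    return {"messageID": int.from_bytes(msg_id, "big"), "baseObject": f[0][1].decode(),
            "scope": SCOPES[f[1][1][0]], "filter": render_filter(*f[6]),
            "attributes": [a.decode() for _, a in children(f[7][1])]}

def enc(tag, *parts):  # short-form encoder, used only to build the constructed sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
s = lambda text: enc(0x04, text.encode())  # OCTET STRING
SAMPLE = enc(0x30, enc(0x02, b"\x02"), enc(0x63,  # constructed, not from a capture
    s("ou=people,dc=example,dc=com"), enc(0x0A, b"\x02"), enc(0x0A, b"\x00"),
    enc(0x02, b"\x00"), enc(0x02, b"\x00"), enc(0x01, b"\x00"),
    enc(0xA0, enc(0xA3, s("objectClass"), s("person")), enc(0xA3, s("uid"), s("jdoe"))),
    enc(0x30, s("cn"), s("mail"))))
```

Calling decode_search_request(SAMPLE) returns the same fields Wireshark shows under the searchRequest node, which is also why the procedure only works under the non-secure LDAP assumption.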


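Note : On Linux, you can capture the network traffic with tcpdump and then open the dump file in Wireshark to view the packets. The capture filter goes after the options; a dst filter keeps only packets sent to that address, so use host <destination_ip> instead if the responses must be in the capture as well.

tcpdump -i <interface> -s 65535 -w <some-file> dst host <destination_ip>

Example :

tcpdump -i eth0 -s 65535 -w tcpdump.pcap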
