binding requests – see LDAP, filter display binding requests
binding responses – see LDAP, filter display binding responses
How To Capture from the Command Prompt with Wireshark
Display Filter Reference (for LDAP)
filter by IP address
ip.addr == 123.45.67.89
or
ip.src_host == 123.45.67.89
or
ip.dst_host == 123.45.67.89
filter to capture only LDAP traffic – see LDAP, filter to capture only packets pertaining to LDAP traffic
filter view to see only packets pertinent to LDAP Server Signing – see LDAP, filter to view only packets pertaining to LDAP Server Signing
filter by time
(frame.time >= "Oct 16, 2023 11:15:14") && (frame.time <= "Oct 16, 2023 11:15:15")
IP address, filter results by – see filter by IP address
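LDAP, filter display binding requests
ldap.protocolOp == 0
LDAP, filter display binding responses
ldap.protocolOp == 1
Other operations (values of ldap.protocolOp):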
| Value | Meaning |
|---|---|
| 0 | Bind request |
| 1 | Bind response |
| 2 | Unbind request |
| 3 | Search request |
| 4 | Search result entry |
| 5 | Search result done |
| 6 | Modify request |
| 7 | Modify response |
| 8 | Add request |
| 9 | Add response |
| 10 | Delete request |
| 11 | Delete response |
| 12 | Modify DN request |
| 13 | Modify DN response |
| 14 | Compare request |
| 15 | Compare response |
| 16 | Abandon request |
| 17 | Extended request |
| 18 | Extended response |
LDAP, filter to view only packets pertaining to LDAP Server Signing
Display filter to find, among packets already captured, those pertaining to LDAP Server Signing:
ldap.requestName == 1.3.6.1.4.1.1466.20037 or ldap.responseName == 1.3.6.1.4.1.1466.20037
for port 389, or
ldap.requestName == 1.3.6.1.4.1.1466.20036 or ldap.responseName == 1.3.6.1.4.1.1466.20036
for port 636 (LDAPS)
LDAP, filter to capture only packets pertaining to LDAP traffic
port 389 or port 636
timestamp, display instead of seconds since the beginning of the recording session
In the View menu, click Time Display Format and choose one of the Time of Day options.
time, filter results by range – see filter by time