Differences between revisions 6 and 7
Revision 6 as of 2006-06-05 03:19:18
Size: 2216
Editor: localhost
Revision 7 as of 2006-11-27 13:50:28
Size: 2315
Editor: 203
 * Summarization of LDAP

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol is the protocol for accessing data from directory services such as OpenLDAP, Microsoft Active Directory, Netscape Directory Server or Novell eDirectory.


LDAP was developed as a simple access protocol for X.500 databases.

Protocol dependencies

  • TCP/UDP: Typically, LDAP uses TCP or UDP as its transport protocol. The well-known TCP and UDP port for LDAP traffic is 389.
  • SSL/TLS: LDAP can also be tunneled through SSL/TLS encrypted connections. The well-known TCP port for SSL is 636, while TLS is negotiated within a plain TCP connection on port 389.
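
Because port 389 can carry plain LDAP, a TLS upgrade request, or a bind that exposes a password, the first client payload on a connection shows which case applies. The following is an added example, not part of the original wiki page or of Wireshark: a minimal BER reader that labels a payload, using the BindRequest and ExtendedRequest tags and the StartTLS OID from RFC 4511. The names `read_tlv`, `classify` and `tlv` and the sample payloads are constructed for illustration.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER TLV."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Label a payload: 'tls', 'starttls-request', 'simple-bind', 'ldap' or 'unknown'."""
    if payload[:2] == b"\x16\x03":  # TLS handshake record, as expected on port 636
        return "tls"
    try:
        tag, msg, _ = read_tlv(payload, 0)       # LDAPMessage ::= SEQUENCE
        mid_tag, _, pos = read_tlv(msg, 0)       # messageID INTEGER
        if tag != 0x30 or mid_tag != 0x02:
            return "unknown"
        op, body, _ = read_tlv(msg, pos)         # protocolOp
        if op == 0x77:                           # ExtendedRequest [APPLICATION 23]
            name_tag, name, _ = read_tlv(body, 0)
            if name_tag == 0x80 and name == STARTTLS_OID:
                return "starttls-request"
        elif op == 0x60:                         # BindRequest [APPLICATION 0]
            _, _, p = read_tlv(body, 0)          # version
            _, _, p = read_tlv(body, p)          # name (bind DN)
            auth_tag, _, _ = read_tlv(body, p)   # authentication CHOICE
            if auth_tag == 0x80:                 # simple [0]: password sent as-is
                return "simple-bind"
        return "ldap"                            # any other unencrypted LDAP message
    except (IndexError, ValueError):
        return "unknown"

def tlv(tag, value):  # short-form BER encoder for the samples (value < 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample payloads, not taken from the page's capture files.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
              + tlv(0x04, b"cn=admin,dc=example,dc=com") + tlv(0x80, b"secret")))
STARTTLS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID)))
TLS_HELLO = bytes.fromhex("1603010005")  # constructed TLS record header only

if __name__ == "__main__":
    for name, data in [("simple bind", SIMPLE_BIND), ("StartTLS", STARTTLS), ("TLS", TLS_HELLO)]:
        print(f"{name:12} -> {classify(data)}")
```

A `simple-bind` result on a connection that never carried a `starttls-request` means the bind password crossed the network unencrypted.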

Example traffic

TODO: - Add example traffic here (as plain text or Wireshark screenshot).


The LDAP dissector is fully functional.

Preference Settings

TODO: - Add links to preference settings affecting how LDAP is dissected.

Example capture file

attachment:SampleCaptures/ldap-controls-dirsync-01.cap Sample LDAP PDU with DIRSYNC CONTROLS

attachment:SampleCaptures/ldap-krb5-sign-seal-01.cap Sample GSSAPI-KRB5 signed and sealed LDAP PDU

Display Filter

A complete list of LDAP display filter fields can be found in the LDAP display filter reference.

  • Show only the LDAP based traffic:


Capture Filter

You cannot filter directly on the LDAP protocol while capturing. However, if you know the TCP port used (see above), you can filter on that port.

  • Capture LDAP traffic over the default port (389):

     tcp port 389 


LDAP (last edited 2013-05-30 16:06:57 by SakeBlok)