This wiki has been migrated to and is now deprecated. Please use that site instead.
Differences between revisions 9 and 10
Revision 9 as of 2008-04-12 17:50:31
Size: 2357
Editor: localhost
Comment: converted to 1.6 markup
Revision 10 as of 2009-12-03 19:23:41
Size: 2441
Deletions are marked like this. Additions are marked like this.
Line 52: Line 52:
 * [|LDAPv3 current - RFC 4510]] and following

Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol: The protocol accessing data from directory services like OpenLDAP, Microsoft Active Directory, Netscape Directory Server or Novell eDirectory.


LDAP was developed as simple access protocol for X.500 databases.

Protocol dependencies

  • TCP/UDP: Typically, LDAP uses TCP or UDP (aka CLDAP) as its transport protocol. The well known TCP and UDP port for LDAP traffic is 389.

  • SSL/TLS: LDAP can also be tunneled through SSL/TLS encrypted connections. The well known TCP port for SSL is 636 while TLS is negotiated within a plain TCP connection on port 389.

Example traffic

TODO: - Add example traffic here (as plain text or Wireshark screenshot).


The LDAP dissector is (fully functional).

Preference Settings

TODO: - Add links to preference settings affecting how LDAP is dissected.

Example capture file

SampleCaptures/ldap-controls-dirsync-01.cap Sample LDAP PDU with DIRSYNC CONTROLS

SampleCaptures/ldap-krb5-sign-seal-01.cap Sample GSSAPI-KRB5 signed and sealed LDAP PDU

Display Filter

A complete list of LDAP display filter fields can be found in the LDAP display filter reference

  • Show only the LDAP based traffic:


Capture Filter

You cannot directly filter LDAP protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

  • Capture LDAP traffic over the default port (389):

     tcp port 389 


LDAP (last edited 2013-05-30 16:06:57 by SakeBlok)