Micro Focus eDirectory – Decoding TLS/LDAP Packet Trace Using Wireshark

Occasionally we run across a situation where there is a large load on an LDAP server. When this happens, it's possible that the LDAP server will not be able to adequately log events. This makes it difficult, if not impossible, to narrow down the details of what is happening with the LDAP operations.

This document's steps are specific to NetIQ/Micro Focus eDirectory's LDAP server; however, the concepts can be used on other LDAP servers. This was tested with RSA keys. Note that decrypting with the server's private key only works for sessions that negotiated a static RSA key exchange; sessions using ephemeral Diffie-Hellman (DHE/ECDHE) cipher suites or TLS 1.3 cannot be decrypted this way.

WARNING: Because the private key is required, we highly recommend caution in performing these steps. Keep the process internal and delete the private key afterward. Security should be at the forefront and internal processes should be used to delete sensitive data.

1) Use tcpdump on the Linux IDM server to start the packet trace. If this is a Windows Server running eDirectory, use Wireshark to gather the packet trace. When ready, run the command below; once the operation to be captured has completed, press Ctrl-C to stop the process and confirm the file has been written out.

tcpdump -i any -s0 -w /tmp/capture.cap
2) On a workstation, install the latest version of Wireshark. We used version 3.02.
3) With iManager, export the SSL CertificateDNS certificate from the LDAP server (assuming this is the certificate the LDAP server object is configured to use). When you export the certificate, make sure to include the private key and specify a password.
4) In Wireshark, choose Edit | Preferences, select RSA Keys, and click Add new keyfile. Specify the path to the exported file and, when prompted, enter the password you used when exporting it.
5) Load the capture.cap file into Wireshark.
6) On the filter line, type ldap.protocolOp and hit Enter to show only LDAP packets.

7) Click Analyze | Decode As, then click the + button to add an entry. Set the Field column to TLS Port, set the Current column to LDAP, and choose Save. If the entry disappears, click + again, reselect it, and then choose OK.

The data should now be decoded.
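Before going to the trouble of exporting a private key, it is worth confirming that the captured sessions can actually be decrypted with it. The following Python script is an added example, not part of the original article: it parses a TLS ServerHello record (constructed inline here; in practice you would take the bytes from the capture) and reports whether the negotiated cipher suite uses static RSA key exchange, the only case in which the server's private key alone is sufficient. The cipher suite tables are a small subset of the IANA registry.

```python
import struct

# Cipher suite IDs from the IANA TLS registry, split by key exchange.
# Only static-RSA suites can be decrypted with the server private key;
# (EC)DHE and TLS 1.3 suites derive per-session secrets Wireshark cannot
# recover from the key file alone.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
OTHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 only
    0x1302: "TLS_AES_256_GCM_SHA384",  # TLS 1.3 only
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and report the negotiated
    cipher suite and whether the server RSA key alone can decrypt the session."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("record does not contain a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]  # 2-byte version + 32-byte random precede session_id length
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    name = RSA_KX_SUITES.get(suite) or OTHER_SUITES.get(suite) or f"unknown(0x{suite:04x})"
    return {"version": version, "cipher_suite": suite, "name": name,
            "rsa_key_decryptable": suite in RSA_KX_SUITES}

def build_server_hello(suite: int, session_id: bytes = b"", version: int = 0x0303) -> bytes:
    """Build a minimal constructed ServerHello record (no extensions) for testing."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for s in (0x002F, 0xC02F, 0x1301):
        print(parse_server_hello(build_server_hello(s)))
```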

We hope this process helps in the event you run into an issue where your LDAP server isn’t adequately logging events.