Wireshark-users: [Wireshark-users] SSL LDAP dialog - bad request interpretation?
From: Frantisek Hanzlik <franta@xxxxxxxxxxx>
Date: Tue, 26 Apr 2011 08:22:25 +0200
I use Wireshark (version 1.4.4, Linux Fedora 14 i686) to decode SSL LDAP communication between the System Security Services Daemon (sssd) and an openldap server. All three pieces of software (wireshark, sssd, slapd) run on one machine; communication goes through the IPv4 loopback interface.

It seems that Wireshark decodes the (TLS/SSL) LDAP request badly:
- in the Packet List window the packet is marked as "Malformed"
- in Packet Detail there is the line:
  (Error/Undecoded): Filter length exceeds 4096. Giving up
  although the packet itself has only 500 bytes (at the TCP layer)
- Packet Detail does not contain all of the request's details.

The openldap server response seems fine, and Wireshark probably decodes and displays it fine too.

Wireshark version details (copied from the About window):
=====
Compiled (32-bit) with GTK+ 2.22.0, with GLib 2.26.0, with libpcap 1.1.1, without libz, without POSIX capabilities, without libpcre, with SMI 0.4.8, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 28 2009), without AirPcap.

Running on Linux 2.6.35.12-88.fc14.i686.PAE, with libpcap version 1.1.1, GnuTLS 2.8.6, Gcrypt 1.4.5.

Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).
=====

Unfortunately I cannot send a plain non-SSL dialog, as the sssd daemon does not allow that (even on loopback), I think. I attach a screenshot and a plain-text export of the 5-packet LDAP dialog.

Excuse me if the problem lies elsewhere, but I cannot explain this case in any other way. Can anyone?

Thanks, Franta Hanzlik
Attachment:
ssl_ldap_dialog.png
Description: PNG image
No.     Time          Source      Destination  Protocol  Info
10342   10041.386651  127.0.0.1   127.0.0.1    LDAP      searchRequest(3558) "ou=users,dc=nkcr,dc=cz" wholeSubtree [Malformed Packet]

Frame 10342: 569 bytes on wire (4552 bits), 569 bytes captured (4552 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755190, Ack: 195327, Len: 501
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 496
        Encrypted Application Data: c40d7f654480eb829c3cd29013a3f59f1884e14243043317...
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(3558) "ou=users,dc=nkcr,dc=cz" wholeSubtree
        messageID: 3558
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: ou=users,dc=nkcr,dc=cz
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                [Expert Info (Error/Undecoded): Filter length exceeds 4096. Giving up.]
                    [Message: Filter length exceeds 4096. Giving up.]
                    [Severity level: Error]
                    [Group: Undecoded]
[Malformed Packet: LDAP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

[Hex dumps omitted: Frame (569 bytes), Decrypted SSL data (474 bytes)]

No.     Time          Source      Destination  Protocol  Info
10343   10041.391049  127.0.0.1   127.0.0.1    LDAP      searchResEntry(3558) "uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz"

Frame 10343: 585 bytes on wire (4680 bits), 585 bytes captured (4680 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 45609 (45609), Seq: 195327, Ack: 1755691, Len: 517
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Encrypted Application Data: d525d8909e7cd19ca941a328891bbcfc93bebbb81f273cb1...
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(3558) "uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz" [3 results]
        messageID: 3558
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz
                attributes: 11 items
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            Hanzlik, Franta, LDAP testovaci user
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            fhanzlik.ldap
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            10514
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            /bin/sh
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            /home/fhanzlik.ldap
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            100
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 4 items
                            posixAccount
                            shadowAccount
                            mozillaAbPerson
                            inetOrgPerson
                    PartialAttributeList item shadowLastChange
                        type: shadowLastChange
                        vals: 1 item
                            14790
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            Hanzlik, Franta, LDAP testovaci user
                    PartialAttributeList item userPassword
                        type: userPassword
                        vals: 1 item
                            {MD5}NpEwjypML2mD8ogNMuKchA==
                    PartialAttributeList item modifyTimestamp
                        type: modifyTimestamp
                        vals: 1 item
                            20110425155454Z

[Hex dumps omitted: Frame (585 bytes), Decrypted SSL data (478 bytes)]

No.     Time          Source      Destination  Protocol  Info
10344   10041.391062  127.0.0.1   127.0.0.1    TCP       45609 > ldap [ACK] Seq=1755691 Ack=195844 Win=49280 Len=0 TSV=328135159 TSER=328135159

Frame 10344: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755691, Ack: 195844, Len: 0

[Hex dump omitted: frame bytes (68 bytes)]

No.     Time          Source      Destination  Protocol  Info
10345   10041.391493  127.0.0.1   127.0.0.1    LDAP      searchResDone(3558) success [3 results]

Frame 10345: 121 bytes on wire (968 bits), 121 bytes captured (968 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 45609 (45609), Seq: 195844, Ack: 1755691, Len: 53
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 48
        Encrypted Application Data: 00a438bf84057a6c29e1217c723fa061a6d83ad419383e33...
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(3558) success [3 results]
        messageID: 3558
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:

[Hex dump omitted: Frame (121 bytes)]

Decrypted SSL data (15 bytes):
0000  30 0d 02 02 0d e6 65 07 0a 01 00 04 00 04 00      0.....e........

No.     Time          Source      Destination  Protocol  Info
10346   10041.391502  127.0.0.1   127.0.0.1    TCP       45609 > ldap [ACK] Seq=1755691 Ack=195897 Win=49280 Len=0 TSV=328135160 TSER=328135160

Frame 10346: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755691, Ack: 195897, Len: 0

[Hex dump omitted: frame bytes (68 bytes)]
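
Added example, not part of the original post and not Wireshark's dissector code: a minimal BER walker that steps through the searchRequest of frame 10342 to its filter, reports the filter's declared length and renders it as a filter string. The helper names are hypothetical, and the sketch handles only and/or/not, the attribute-value assertions and present (no substrings or extensibleMatch, no RFC 4515 escaping).

```python
# First 104 bytes of the "Decrypted SSL data" exported for frame 10342 in the
# post's attachment; ASCII runs are written as text for readability.
REQ = (bytes.fromhex("308201d6" "02020de6" "638201ce" "0416") + b"ou=users,dc=nkcr,dc=cz"
       + bytes.fromhex("0a0102" "0a0100" "020100" "020100" "010100")
       + bytes.fromhex("a033" "a314" "0403") + b"uid" + bytes.fromhex("040d") + b"fhanzlik.ldap"
       + bytes.fromhex("a31b" "040b") + b"objectclass" + bytes.fromhex("040c") + b"posixAccount")
AVA_OPS = {0xA3: "=", 0xA5: ">=", 0xA6: "<=", 0xA8: "~="}  # RFC 4511 Filter choices 3, 5, 6, 8

def read_tlv(buf, off):
    """Return (tag, value_start, value_len) for the BER TLV at off (single-byte tags only)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: the octet is the length
        return tag, off + 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length form")
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def filter_to_str(buf, off, end):
    """Render the Filter element at off as a string; returns (text, next_offset)."""
    tag, start, length = read_tlv(buf, off)
    stop = start + length
    if stop > end:                        # child may never run past its parent
        raise ValueError("filter element overruns its parent")
    if tag in (0xA0, 0xA1, 0xA2):         # and / or / not: nested Filter(s)
        parts, pos = [], start
        while pos < stop:
            text, pos = filter_to_str(buf, pos, stop)
            parts.append(text)
        return "(" + {0xA0: "&", 0xA1: "|", 0xA2: "!"}[tag] + "".join(parts) + ")", stop
    if tag in AVA_OPS:                    # attributeDesc + assertionValue, both OCTET STRING
        _, a, alen = read_tlv(buf, start)
        _, v, vlen = read_tlv(buf, a + alen)
        return "(%s%s%s)" % (buf[a:a + alen].decode(), AVA_OPS[tag], buf[v:v + vlen].decode()), stop
    if tag == 0x87:                       # present
        return "(%s=*)" % buf[start:stop].decode(), stop
    raise ValueError("filter choice 0x%02x not handled in this sketch" % tag)

def locate_filter(msg):
    """Walk LDAPMessage -> searchRequest; return (filter_offset, declared_len, text)."""
    _, pos, _ = read_tlv(msg, 0)                  # LDAPMessage SEQUENCE header
    _, start, length = read_tlv(msg, pos)         # messageID
    tag, pos, _ = read_tlv(msg, start + length)   # protocolOp header
    if tag != 0x63:                               # [APPLICATION 3] = searchRequest
        raise ValueError("not a searchRequest")
    for _ in range(6):  # baseObject, scope, derefAliases, sizeLimit, timeLimit, typesOnly
        _, start, length = read_tlv(msg, pos)
        pos = start + length
    _, _, length = read_tlv(msg, pos)
    text, _ = filter_to_str(msg, pos, len(msg))
    return pos, length, text

if __name__ == "__main__":
    print(locate_filter(REQ))
```

On these bytes the filter element starts at offset 51 with a declared length of 51 bytes, which is the figure to hold against the 4096 in the expert-info message.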