Capturing LDAP Over TLS Messages

To capture decrypted LDAP over TLS (LDAPS) packets

1. Navigate to Tools > Packet Monitor.
2. In the Hex Dump section, click Configure. The Packet Monitor Configuration dialog displays.
3. Click Advanced Monitor Filter.
4. Select Monitor intermediate Packets.
5. Select Monitor intermediate decrypted LDAP over TLS packets.
6. Click OK.

The packets are marked with (ldp) in the ingress/egress interface field. They have dummy Ethernet, TCP, and IP headers, so some values in these fields might not be correct. The LDAP server port is set to 389 so that an external capture analysis program (such as Wireshark) knows to decode these packets as LDAP. Passwords in captured LDAP bind requests are obfuscated. The LDAP messages are not decoded in the Packet Monitor display, but the capture can be exported and displayed in WireShark to view them decoded.

This enables decrypted LDAPS packets to be fed to the packet monitor, but any monitor filters are still applied to them.

LDAPS capture only works for connections from the firewall’s LDAP client, and does not display LDAP over TLS connections from an external LDAP client that pass through the firewall.