
When I use snoop to record/view traffic on my Solaris 10 server, it automatically shows/decodes LDAP traffic for me if I specify port 389.

I also need to snoop on port 3268 (which also carries LDAP traffic, to AD's "Global Catalog"), but when I view the output there is no sign of LDAP.

  • I am assuming that there is actual LDAP traffic in the pcap, but if anyone can suggest proof that it is only TCP session handling, that too would be useful. – Mike Brockington Feb 14 '19 at 14:30

1 Answer


For using snoop, I think we're at step -1: Convince Oracle they need to make their software handle this.

Looking at the snoop manpage online, I find this:

ldap

    True if the packet is an LDAP packet on port 389.

This suggests that the protocol decoding was written by someone who was thinking that LDAP is fundamentally connected with port 389.

I don't like that answer, so looking for another one:

Wireshark might be another option. It's available for Solaris and can understand capture files from snoop. Its documentation isn't clear on it being able to decode LDAP on an alternate port, so I searched to see if it could, and found this from https://osqa-ask.wireshark.org/questions/21358/failure-to-recognize-ldap-if-not-port-389:

Question:

... I am using port 50000. I am able to authenticate successfully and capture the traffic. However, Wireshark interprets it as TCP, not LDAP, and in the info field it does not say bind request, etc. Is this due to the port that I am using?

Answer:

You can either change the default port for LDAP in the preferences (click on protocols and then search for LDAP).

Or you can right-click on a packet and use "Decode As..."

Ed Grimm
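The comment on the question asks for proof that the port 3268 capture holds real LDAP rather than bare TCP session handling, and the answer's "Decode As..." only forces the dissector without telling you whether the bytes fit. The script below is an added example (not part of the question, the answer, snoop or Wireshark): it reads a snoop-format file (RFC 1761, Ethernet link type) far enough to pull out each TCP payload and then applies the same BER check a decoder would, namely that an LDAPMessage is `SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] }`. The capture it runs on is constructed in memory; `_record`, `ldap_report` and the other names are this example's own.

```python
import struct
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest",
            0x63: "searchRequest", 0x64: "searchResEntry", 0x65: "searchResDone"}  # RFC 4511 4.1.1 tags

def ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index after it)."""
    n = buf[i] & 0x7F if buf[i] >= 0x80 else 0        # long form: n length bytes follow
    return (buf[i] if n == 0 else int.from_bytes(buf[i + 1:i + 1 + n], "big")), i + 1 + n

def looks_like_ldap(payload):
    """Name the protocolOp if payload starts with an LDAPMessage, else None."""
    try:                                    # SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] }
        _, i = ber_len(payload, 1)          # i -> messageID tag
        n, j = ber_len(payload, i + 1)      # j + n -> protocolOp tag
        ok = payload[0] == 0x30 and payload[i] == 0x02 and payload[j + n] & 0xC0 == 0x40
    except IndexError:                      # too short to be an LDAPMessage
        return None
    return LDAP_OPS.get(payload[j + n], "protocolOp[%d]" % (payload[j + n] & 0x1F)) if ok else None

def snoop_tcp_payloads(data):
    """Yield (dst_port, payload) for each TCP segment in an Ethernet snoop file (RFC 1761)."""
    if data[:8] != b"snoop\0\0\0" or struct.unpack(">I", data[12:16])[0] != 4:  # datalink 4 = Ethernet
        raise ValueError("not an Ethernet snoop capture")
    off = 16
    while off + 24 <= len(data):                         # 24-byte packet record header
        _orig, incl, rec_len = struct.unpack(">III", data[off:off + 12])
        frame, off = data[off + 24:off + 24 + incl], off + rec_len
        if frame[12:14] == b"\x08\x00" and frame[23:24] == b"\x06":    # IPv4 carrying TCP
            ip = frame[14:14 + struct.unpack(">H", frame[16:18])[0]]   # drop Ethernet padding
            tcp = ip[(ip[0] & 0x0F) * 4:]
            yield struct.unpack(">H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def ldap_report(data):
    """Per destination port, say what each TCP segment carried."""
    report = {}
    for dport, payload in snoop_tcp_payloads(data):
        label = looks_like_ldap(payload) or ("no payload" if not payload else "not LDAP")
        report.setdefault(dport, []).append(label)
    return report

def _record(sport, dport, payload):   # constructed snoop record: Ethernet/IPv4/TCP, checksums zeroed
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, b"\n\0\0\1", b"\n\0\0\2") + tcp
    frame = b"\0" * 12 + b"\x08\x00" + ip
    pad = -len(frame) % 4                                # records are 4-byte aligned
    return struct.pack(">6I", len(frame), len(frame), 24 + len(frame) + pad, 0, 0, 0) + frame + b"\0" * pad

# Constructed capture: a bare ACK, a bindRequest and an HTTP request line, all to port 3268.
SAMPLE_CAPTURE = b"snoop\0\0\0" + struct.pack(">II", 2, 4) + b"".join([
    _record(40001, 3268, b""), _record(40001, 3268, bytes.fromhex("300c020101600702010304008000")),
    _record(40002, 3268, b"GET / HTTP/1.0\r\n")])
```

On a real file, `ldap_report(open("capture.snoop", "rb").read())` gives a per-port list such as `{3268: ['no payload', 'bindRequest', 'not LDAP']}`; a port whose segments are all "no payload" is only session handling, while any protocolOp name shows there is LDAP that the dissector simply was not told about.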