That actually surprised me. The filtering and stream trace in Ethereal is one of the most powerful aspects of it IMO. When I am dealing with a multi-threaded LDAP app I think ethereal smokes netmon hands down for displaying the traces.
If you want to just say capture LDAP traffic you can set up a capture filter of "tcp port 389 or tcp port 3268". Last time I tried to do that in netmon you have to pick off the value at the offset into the raw packet. Netmon does allow for easy filtering by host but that is also not too difficult in Ethereal. For a capture filter a simple "host somehostname". I really like being able to do more filtering easily at the capture so traces can run longer and seemingly impact the machine a little less because a lot more traffic can be ignored (especially RDP traffic for instance if TSed into a machine). Also the buffering in Ethereal seems to be much better for larger traces.

Note that the language for the display filters is different from the filters for capture. That is because the capture filters are passed down to WinPCAP. A sample display filter for LDAP traffic would be "tcp.port==389 or tcp.port==3268" or "ip.host == somehostname", alternately you can use eq for == so "tcp.port eq 389 or tcp.port eq 3268". It definitely takes a bit to get used to when coming from netmon though. However once you get used to it you start wanting to look at all traces with it, even those taken with netmon. I know several MS guys that will use both netmon and ethereal. I think they mostly use netmon still at all because they have some special internal parsers they don't share with the public such as an RPC traffic parser.

Back to the problem at hand, I may just look at the options I have with winpcap and using that to capture the packets from command line and parsing out the LDAP traffic and then see if I can go from there. Maybe make up a dumbed down LDAP query tool instead of using adfind to send the queries that just sends the exact queries that were intercepted. Still a ton of work though.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, December 06, 2005 11:45 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP Traffic Replay

I can't figure out the filtering thing in ethereal. Netmon works great for me, and the installer is on at least one server in every WAN site I have.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 11:13 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP Traffic Replay

Yeah I have the full netmon available to me but Ethereal kind of punks netmon out. I stopped using netmon a couple of years ago now. ;o)

Either way, both are simple monitors and that is a very small piece of what I need. The hard parts are the breaking out into a replayable format and replaying.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Tuesday, December 06, 2005 10:59 PM
To: [email protected]
Subject: Re: [ActiveDir] LDAP Traffic Replay

Etherpeek is a network based tool. I think that is what wildpackets reference is but not sure. I have NO idea but if you have SMS 2003 in your environment they have a full-fledged network scanner. It's free and if you have it might be worth checking out.

good luck.

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, December 06, 2005 12:31 PM
Subject: [ActiveDir] LDAP Traffic Replay

> Is anyone aware of a tool that will sit and watch LDAP traffic and
> track the threads/clients/etc and then be able to replay that traffic?
>
> Basically I am looking for a way to better judge DC perf in relation
> to Exchange LDAP queries. Setting up a whole Exchange environment to
> test the DCs is testing both Exchange and the DC and I am looking to
> try and narrow that to just AD so I can answer some of the questions
> of GC/DC capacity better than the 4:1 ratio business which everyone
> says isn't that great but doesn't seem to have anything easy to do
> that is better. I would like to track traffic to production GC/DCs and
> then be able to replay that LDAP load as desired over and over again
> against various pieces of hardware with different configs.
>
> joe

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
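As an added example, not code from anyone in this thread: a small Python parser that applies the same port 389/3268 filter joe describes (the capture filter "tcp port 389 or tcp port 3268") to raw Ethernet frames and groups the matching LDAP packets per client connection, which is the first step of the "track the threads/clients" problem in the original question. The frame builder, the addresses, the unbind-request payload and the RDP frame are constructed sample data, not a real capture.

```python
import struct
from collections import defaultdict

LDAP_PORTS = {389, 3268}   # same ports as the capture filter in the thread

def ip_bytes(a):
    return bytes(int(x) for x in a.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame for test data (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = ip_str(frame[26:30]), ip_str(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    doff = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + doff:14 + total_len]

def ldap_sessions(frames):
    """Display-filter equivalent of tcp.port==389 or tcp.port==3268, keyed per client socket."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport in LDAP_PORTS:
            key = (src, sport, dst, dport)       # client -> DC/GC
        elif sport in LDAP_PORTS:
            key = (dst, dport, src, sport)       # DC/GC reply on the same connection
        else:
            continue                             # e.g. RDP traffic is dropped here
        sessions[key]["packets"] += 1
        sessions[key]["bytes"] += len(payload)
    return dict(sessions)

# Constructed sample capture: two LDAP clients plus one RDP frame that the filter ignores.
UNBIND = bytes.fromhex("30050201014200")   # LDAPMessage{messageID 1, unbindRequest}
SAMPLE = [
    build_frame("10.0.0.5", "10.0.0.1", 49152, 389, UNBIND),
    build_frame("10.0.0.1", "10.0.0.5", 389, 49152, b""),
    build_frame("10.0.0.6", "10.0.0.1", 49200, 3268, UNBIND),
    build_frame("10.0.0.5", "10.0.0.1", 49153, 3389, b"rdp"),
]
```

Feeding real frames from a pcap reader into `ldap_sessions` instead of `SAMPLE` gives the per-connection breakdown needed before any replay tooling can be built.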
