Viewing ADLDS traffic with Netmon – where is my LDAP?
Hi, its Linda Taylor here from the UK Directory Services Team! I have decided to make a return to the blog to show you a nice tip on how make Network traffic from ADLDS (Active Directory Lightweight Directory Services) look more readable…or in other words - to enable Netmon to parse it as LDAP.
Note: Throughout this post I will refer to ADLDS but everything also applies to ADAM.
Since I haven’t seen many customers run ADLDS on port 389 I can imagine that this will be useful to many. I will use port 50000 in my example, but you can do this for any port or even a number of different ports if you have different instances running on different ports.
By default, Network Monitor will only parse traffic on port 389 as LDAP so for ADLDS we can edit the parser and add our desired port(s).
Here is how to do that:
1. Go to C:\Programdata\Microsoft\Network Monitor 3\NPL\Network Monitor Parsers\Base and open the properties of TCP.NPL.
Uncheck the “read only” box.
Note: ProgramData is a hidden folder by default.
2. Now you can edit the parser. To do this from inside Netmon:
- Select the parsers Tab
- Expand “Parser Files” on the left hand side
- Navigate to TCP.NPL and select it (the parser file will open on the right)
- Search for “389” and you will see a piece of code like this:
Case 389:
LDAP Ldap;
3. Now add another case statement with the port your ADLDS uses (for example, 50000) like this:
Case 389:
Case 50000:
LDAP Ldap;
4. Save the parser and Reload it.
Now the ADLDS traffic which previously showed as TCP will show up as LDAP and you can filter and look at it in the normal way.
Note: Don’t forget to then go and check “read only” again on the TCP.NPL file.
Finally, there is a more generic post on editing Netmon parsers here on the Netmon team blog:
https://blogs.technet.com/b/netmon/archive/2006/10/04/npl-_1320_-the-power-behind-the-parsers.aspx
Cheers!
Linda “Blighty” Taylor, Escalation Engineer for Directory Services.