Many of the LDAP fields (filter reference) are of type Label with an explanation here: What is a field type of label?
If you want to search on the string "invalidCredentials" which appears in the Info column, there is a Lua plugin (filtcols) that can do that.
Or filter on the LDAP fields that are available:
(ldap.protocolOp == 1) && (ldap.resultCode == 49)
This is an example of the traffic
ldap.bindrequest:
698 2020-12-16 17:30:27.531252 0.000005 10.1.1.97 10.9.4.200 LDAP 255 255 68 138 138 70 31022 bindRequest(**8752915**) "CN=U101681,OU=Usuarios,DC=domain,DC=corp" simple
ldap.bindresponse:
760 2020-12-16 17:30:27.537191 0.000005 10.9.4.200 10.1.1.97 LDAP 298 127 138 138 251 113 65344 bindResponse(**8752915**) invalidCredentials (80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 775, v2580)
I would like to filter the ldap.bindrequest containing the username and the ldap.bindresponse containing the message "invalidCredentials" related to the bindrequest that was sent.
Best regards,
TM
That's going to take two passes - one to get the message ID of packets with invalidCredentials then a second to grab all packets with those message IDs.
1. If you want something in the Wireshark Gui, consider a Lua script.
2. On the command line, tshark could be used. Here is @SYN-bit covering that at Sharkfest: SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)
3. A combination would be to create a display filter of the matching message IDs then copy/paste that into Wireshark:
$ cat LDAP_errs
#!/bin/bash
TSHARK="tshark.exe"
INFILE=$1
MESG_ID=`$TSHARK -r $INFILE -Y ldap.resultCode==49 -T fields -e ldap.messageID | tr -d '\r' | tr '\n' ' '`
echo "(ldap.messageID in {$MESG_ID})"
$ ./LDAP_errs filein.pcapng
(ldap.messageID in {8 14 20 })
Asked: 2020-12-16 00:55:26 +0000
Seen: 1,772 times
Last updated: Dec 16 '20