Ask Your Question
0

Help to read this trace

asked 2017-11-28 12:23:32 +0000

alhmami gravatar image

updated 2017-11-28 12:38:04 +0000

grahamb gravatar image

I'm trying to synchronize our BPX with LDAP active directory all the configuration is correct but no result in search. Please help me to read this trace PBX IP is 10.253.4.3 LDAP IP is 10.140.8.233

No.     Time           Source                Destination           Protocol Length Info
   9183 19.048491      10.253.4.3            10.140.8.233          TCP      66     10131 → 636 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=1

Frame 9183: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)

Ethernet II, Src: HewlettP_97:7c:84 (00:9c:02:97:7c:84), Dst: Cisco_ff:fc:88 (00:08:e3:ff:fc:88)

Internet Protocol Version 4, Src: 10.253.4.3, Dst: 10.140.8.233

Transmission Control Protocol, Src Port: 10131, Dst Port: 636, Seq: 0, Len: 0

    Source Port: 10131
    Destination Port: 636
    [Stream index: 4]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window size value: 5840
    [Calculated window size: 5840]
    Checksum: 0x0068 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, No-Operation (NOP), Window scale
        Maximum segment size: 1460 bytes
        No-Operation (NOP)
        No-Operation (NOP)
        TCP SACK Permitted Option: True
        No-Operation (NOP)
        Window scale: 0 (multiply by 1)


No.     Time           Source                Destination           Protocol Length Info

   9184 19.048923      10.140.8.233          10.253.4.3            TCP      66     636 → 10131 [SYN, ACK] Seq=0 Ack=1 Win=8192 

Len=0 MSS=1380 WS=256 SACK_PERM=1

Frame 9184: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)

Ethernet II, Src: Cisco_ff:fc:88 (00:08:e3:ff:fc:88), Dst: HewlettP_97:7c:84 (00:9c:02:97:7c:84)

Internet Protocol Version 4, Src: 10.140.8.233, Dst: 10.253.4.3

Transmission Control Protocol, Src Port: 636, Dst Port: 10131, Seq: 0, Ack: 1, Len: 0

    Source Port: 636
    Destination Port: 10131
    [Stream index: 4]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x012 (SYN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A··S·]
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0xcdf1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1380 bytes
        No-Operation (NOP)
        Window scale: 8 (multiply by 256)
        No-Operation (NOP)
        No-Operation (NOP)
        TCP SACK ...
(more)
edit retag flag offensive close merge delete

Comments

It's a little bit hard as you've only posted the text output and not a pcap file.

For me it looks like the LDAP server is resetting the connection after receiving the first 14 bytes from the client.

As the connection is using 636/tcp I guess you want to use LDAPS. The first data should therefore be as SSL ClientHello. However this record should be bigger than 14 bytes.

Maybe your client is trying to use plaintext ldap (starting with a bindRequest) over port 636/tcp. If so the server would reset the connection.

=> Have a look at the payload of frame 9186.

Uli gravatar imageUli ( 2017-11-28 12:51:18 +0000 )edit

Hi Uli, please see this pcap file. if u can help me, please https://drive.google.com/file/d/1IWse...

alhmami gravatar imagealhmami ( 2017-11-28 14:17:46 +0000 )edit

port 636 is LDAP over SSL i cant post the whole document as i don't have privileges to do so, i hope this is of some help at least.

nitefox gravatar imagenitefox ( 2017-12-09 17:19:50 +0000 )edit

1 Answer

Sort by » oldest newest most voted
3

answered 2017-11-28 14:43:18 +0000

Uli gravatar image

updated 2017-11-28 19:05:50 +0000

Your client is trying to use plaintext LDAP on port 636/tcp. Normally this port is used for LDAPS. Therefore the server resets the connection as it doesn't receive a ClientHello packet (which is expected).

=> Check the client settings. Switch to port 389/tcp for plaintext LDAP or enable SSL/TLS for connections on port 636/tcp.

You can spot the bindRequest in Wireshark in your trace by using 'Analyze' -> 'Decode As...' -> Field: 'TCP port', Value: '636', Current: 'LDAP'

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2017-11-28 12:23:32 +0000

Seen: 7,323 times

Last updated: Dec 09 '17