Question on LDAP

This isn't for a particular problem, just an observation I had that I'm not quite able to wrap my head around.

I was given a pcap with a display filter only showing "ldap", and one after another you see the binds, the SASL packets, the unbind: just a textbook example of request after request being answered without issue. All on 389.

The destination is an Active Directory server, the PDC in fact. I wouldn't think anything of it, except if you RDP into the Windows source box and do a netstat, there's no 389 connection to that domain controller; the only 389 connections are to the other DC at the location.

Why the discrepancy?