Tutorial: Lightweight Discovery Access Protocol (LDAP)

This tutorial discusses the plugin ldapDecode.


Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.

First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied

Then compile the following plugins

$ t2build tranalyzer2 basicFlow ldapDecode txtSink


If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:

$ mkdir ~/data ~/results

Download the sample pcap here: . Now you’re all set.


Let’s look at the plugin configuration first:

$ ldapDecode
$ vi src/ldapDecode.h

Run t2 on the supplied pcap.

$ t2 -r ~/data/ -w ~/results/ -s

So the aggregated ldapStat tells us there is LDAP.

$ tawk -V ldapStat
The ldapStat column is to be interpreted as follows:

   bit | ldapStat | Description
     0 | 0x01     | LDAP_DETECT
     1 | 0x02     |
     2 | 0x04     |
     3 | 0x08     | LDAP_SASL
     4 | 0x10     | LDAP_NXT_PKT
     5 | 0x20     |
     6 | 0x40     | LDAP_LEN_OVRN
     7 | 0x80     | LDAP_ERR
$ cd ~/results
$ tcol

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf ldapDecode --reset && t2build ldapDecode

Have fun analyzing.