Ubuntu – Capturing LDAPS traffic with tcpdump

Tags: active-directory, ldap, ssl, tcpdump, Ubuntu

I have an app server that authenticates against Active Directory using LDAPS. I am connecting to the AD server over port 636.

I'm trying to troubleshoot/debug some performance issues and am beginning to suspect that the lag is either coming from AD itself or the connection between the app server and AD. I would like to run a tcpdump (my first ever!) to capture the traffic during a period of bad authentication performance (users are logging in and just wait in front of a churning browser). So far, from this tutorial my command is looking like:

tcpdump port <???> -v -i eth0 -w ~/capture.log

However, since this is my first ever tcpdump, I'm caught up on a few things surrounding ports. I know that my app server connects to AD on AD's port #636, but I have no idea what port (on the app server VM) we are initiating that connection on. I also don't know what sort of outbound/inbound ports LDAPS uses for its protocol, and Google didn't provide much help in this department. For instance, I know that FTP always uses 2 TCP connections (command + data); I'm wondering if LDAPS does something similar?

I guess all this to ask: if I'm doing the tcpdump on the app server VM, what port # should I be capturing traffic on? And, if LDAPS uses multiple ports for its protocol, can I run tcpdump on multiple ports at the same time (if so, how)?

And, if it helps, the app server uses the Java ldaptive library to initiate the LDAPS-based authentication with AD.

Best Answer

The source port (initiating port) is variable (changes every time), but is also irrelevant in this case; when you use "port 636" as your filter, that will match either source or destination port, and we know that the destination port will always be 636 in this case.

So: capture on port 636. If you needed to capture on another port as well, say 389:

tcpdump port 636 or 389 {rest of options}

would work.
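As an added example that is not part of the original question or answer: a small POSIX shell script that builds the "port 636 or port 389" filter the answer describes, restricts it to the AD host so the capture is not flooded by unrelated traffic, rotates the capture file, and gives a first timing read-out from the resulting pcap. The host name `ad.example.com`, the interface `eth0`, the output path and the function names are all placeholders and assumptions of this example; the capture itself must run with root or CAP_NET_RAW privileges. Because LDAPS is TLS, the capture never shows bind DNs or passwords; what it does show is whether time is lost in the TCP and TLS handshakes (network/AD side) or after them.

```shell
#!/bin/sh
# Added example, not code from the original post.
# ASSUMPTIONS (placeholders): AD host, interface, output path, helper names.

AD_HOST="${AD_HOST:-ad.example.com}"      # placeholder, replace with your AD server
IFACE="${IFACE:-eth0}"
OUT_PREFIX="${OUT_PREFIX:-$HOME/ldaps-capture}"  # -w writes binary pcap, not text

# build_filter HOST PORT...  ->  "host HOST and (port P1 or port P2 ...)"
# "port N" matches either direction, so the app server's ephemeral source
# port (different for every connection) never needs to be known.
build_filter() {
    host="$1"; shift
    expr=""
    for p in "$@"; do
        if [ -z "$expr" ]; then expr="port $p"; else expr="$expr or port $p"; fi
    done
    printf 'host %s and (%s)\n' "$host" "$expr"
}

# capture: start tcpdump on the LDAPS (636) and LDAP (389) ports to the AD host.
#   -n   no reverse DNS lookups (they add delay and extra traffic of their own)
#   -s 0 full packets; TLS hides the payload, handshakes and sizes stay visible
#   -G   rotate every 300 s; the strftime pattern in -w keeps each file distinct
capture() {
    filter=$(build_filter "$AD_HOST" 636 389)
    echo "capturing '$filter' on $IFACE -> ${OUT_PREFIX}-<time>.pcap" >&2
    exec tcpdump -i "$IFACE" -n -s 0 -G 300 \
        -w "${OUT_PREFIX}-%Y%m%d%H%M%S.pcap" "$filter"
}

# summarize FILE: read a finished capture back and print the two handshakes
# with the delay since the previous packet (-ttt), so a slow SYN/SYN-ACK
# (network) can be told apart from a slow TLS exchange (AD or TLS setup).
# The tcp[...] expression indexes the first TCP payload byte; 0x16 is a TLS
# handshake record (ClientHello, ServerHello, certificates).
summarize() {
    f="$1"
    echo "== TCP handshakes (SYN and SYN-ACK) =="
    tcpdump -nn -ttt -r "$f" 'tcp[tcpflags] & tcp-syn != 0'
    echo "== TLS handshake records on 636 =="
    tcpdump -nn -ttt -r "$f" 'tcp port 636 and tcp[((tcp[12] & 0xf0) >> 2)] = 0x16'
    echo "== new connections opened by this host (SYN without ACK) =="
    tcpdump -nn -r "$f" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | wc -l
}

case "${1:-}" in
    capture)   capture ;;
    summarize) summarize "$2" ;;
esac
```

Run `sh script.sh capture` (as root) during a slow login period and `sh script.sh summarize ldaps-capture-<time>.pcap` afterwards. A high count of new connections relative to logins means every authentication pays a fresh TCP plus TLS handshake, which is worth checking against the client's connection pooling before blaming the AD server.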