Windows Vista and newer support ETW tracing for LDAP Client. This allows for LDAP application traffic analysis when the network traffic by the application is encrypted using SSL, TLS or SASL encryption based on NTLM and Kerberos session keys.
This is especially useful when ADInsight (which hooks wldap32.dll to capture client-side LDAP calls) does not work; that tool only runs on the x86 platform and is no longer maintained.
To turn on LDAP client tracing, follow these steps:
1. Create the following registry key:
"ProcessName" is the full name of the process that you want to trace, including its extension, for example "ldp.exe". Inside this key, you can place an optional DWORD value named "PID". If this optional value is set to a process ID, only the instance of the application with that process ID will be traced.
2. To start a tracing session, execute the following command:
logman create trace "ds_ds" -ow -o c:\ds_ds.etl -p "Microsoft-Windows-LDAP-Client" 0x1a59afa3 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
See the "traceFlags" reference below.
3. Now reproduce the behavior you wish to investigate.
4. To stop a tracing session, execute the following command:
logman stop "ds_ds" -ets
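The enabling procedure above (steps 1, 2 and 4), plus the netsh decode from viewing option 3 below, wrapped in two PowerShell functions. This is an added example, not part of the original article. The parent registry path under which the per-process key is created is deliberately not hard-coded here; pass the key path from step 1 as -TracingKeyRoot. The function names and parameter names are assumptions of this example.

```powershell
# Added example: wraps the article's steps in PowerShell.
# -TracingKeyRoot must be the registry key path given in step 1 (assumption: caller supplies it).
function Start-LdapClientTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TracingKeyRoot,   # key path from step 1 of the article
        [Parameter(Mandatory)] [string] $ProcessName,      # full image name, e.g. "ldp.exe"
        [int]    $ProcessId   = 0,                         # optional: trace only this PID
        [uint32] $TraceFlags  = 0x1A59AFA3,                # default from the article's suggestions
        [string] $EtlPath     = 'C:\ds_ds.etl',
        [string] $SessionName = 'ds_ds'
    )
    # logman -ets needs an elevated prompt; fail early instead of with a cryptic logman error
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated prompt; logman ... -ets requires administrator rights.'
    }
    # Step 1: per-process key, plus the optional "PID" DWORD value
    $key = Join-Path $TracingKeyRoot $ProcessName
    New-Item -Path $key -Force | Out-Null
    if ($ProcessId -gt 0) {
        New-ItemProperty -Path $key -Name 'PID' -PropertyType DWord -Value $ProcessId -Force | Out-Null
    }
    # Step 2: the article's logman command, trace flags rendered as hex for the provider
    $flags = '0x{0:X8}' -f $TraceFlags
    & logman.exe create trace $SessionName -ow -o $EtlPath -p 'Microsoft-Windows-LDAP-Client' $flags 0xff `
        -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Stop-LdapClientTrace {
    param(
        [string] $SessionName = 'ds_ds',
        [string] $EtlPath     = 'C:\ds_ds.etl',
        [string] $TextOutput  = 'LDAP_CLIENT-formatted.txt'
    )
    # Step 4: stop the session, then decode the ETL to text (viewing option 3 in the article)
    & logman.exe stop $SessionName -ets
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
    & netsh.exe trace convert "input=$EtlPath" "output=$TextOutput"
    if ($LASTEXITCODE -ne 0) { throw "netsh trace convert failed with exit code $LASTEXITCODE" }
    Get-Item $TextOutput
}
```

Reproduce the behaviour between the two calls (step 3); the per-process registry key is left in place afterwards, so remove it once tracing is no longer needed.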
To view the trace, you have several options:
1. Open the ETL file in Network Monitor 3.4 or newer. The log lines will show as payload data in the "frames". Using the Simple Text Search Expert you can search for object names to locate the LDAP transaction referencing key objects.
2. You can also use the XPERF Viewer "XPERFVIEW" to show these log entries. When the ETL is loaded, select the time interval to cover all events shown as squares. Right-click the selection and select "Summary Table". In the new window, expand the Task Name "0". The LDAP client activity will already look like log lines. The viewer does not allow searching or filtering the events.
You can select log lines and copy them to the clipboard, and from there into a text editor to search and filter them.
3. Another option to create text-based logs is to decode the ETL file as TXT:
netsh trace convert input=c:\ds_ds.etl output=LDAP_CLIENT-formatted.txt
See the 'NETSH trace convert' help for more output options.
The "traceflags" value can be one of the following values or a combination (bitwise OR) of their bits:
Windows Vista/Server 2008:
Windows 7/Server 2008 R2 and most likely newer OS versions:
DEBUG_SEARCH 0x00000001 - Detailed tracking of read-style requests
DEBUG_WRITE 0x00000002 - Detailed tracking of write-style requests
The other flags are the same for both OS versions:
A description of the flag meaning can be found on: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366152(v=vs.85).aspx
Suggestions for flag combinations:
- Log settings that should get the information you need most of the time: 0x1A59AFA3.
- Get information on connection establishment problems: 0x18180380.
- Verbose session information: 0x1BDDBF73.