Event Tracing for LDAP in Windows Vista/2008


Windows Vista and newer support ETW tracing for the LDAP client. This allows LDAP application traffic to be analysed even when the application's network traffic is encrypted using SSL, TLS or SASL encryption based on NTLM and Kerberos session keys, where a network capture would only show ciphertext.

This is especially useful when ADInsight (which hooks wldap32.dll to capture client-side LDAP calls) does not work. That tool only runs on the x86 platform and is no longer maintained.


To turn on LDAP client tracing, follow these steps:

1. Create the following registry key:
"ProcessName" is the full file name of the process that you want to trace, including its extension, for example "ldp.exe". Under this key you can optionally add a value of type DWORD named "PID". If this optional value is set to a process ID, only the instance of the application with that process ID is traced.

2. To start a tracing session, execute the following command:
logman create trace "ds_ds" -ow -o c:\ds_ds.etl -p "Microsoft-Windows-LDAP-Client" 0x1a59afa3 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets 

See the "traceFlags" reference below.

3. Now reproduce the behavior you wish to investigate.

4. To stop a tracing session, execute the following command:
logman stop "ds_ds" -ets 

To view the trace, you have several options:

1. Open the ETL file in Network Monitor 3.4 or newer. The log lines appear as payload data in the frames. Using the Simple Text Search Expert you can search for object names to locate the LDAP transactions that reference key objects.

2. You can also use the XPerf Viewer (XPERFVIEW) to show these log entries. When the ETL file is loaded, select the time interval that covers all events shown as squares. Right-click the selection and select "Summary Table". In the new window, expand the Task Name "0". The LDAP client activity already looks like log lines. The viewer does not allow searching or filtering the events.

You can select log lines, copy them to the clipboard and paste them into a text editor to search and filter them.

3. Another option to create text-based logs is to decode the ETL file as TXT:
netsh trace convert input=c:\ds_ds.etl output=LDAP_CLIENT-formatted.txt

See the 'NETSH trace convert' help for more output options.

The traceFlags value can be one of the following flags or a bitwise combination of them:
Windows Vista/Server 2008:
DEBUG_TRACE1 0x00000001 
DEBUG_TRACE2 0x00000002

Windows 7/Server 2008 R2 and most likely newer OS:
DEBUG_SEARCH 0x00000001 - Detailed tracking of read-style requests
DEBUG_WRITE 0x00000002  - Detailed tracking of write-style requests

The other flags are the same for both OS versions:
DEBUG_REFCNT 0x00000004
DEBUG_HEAP 0x00000008
DEBUG_CACHE 0x00000010
DEBUG_SSL 0x00000020
DEBUG_CONNECT 0x00000100
DEBUG_EOM 0x00001000
DEBUG_BER 0x00002000
DEBUG_CLDAP 0x00020000
DEBUG_FILTER 0x00040000
DEBUG_BIND 0x00080000
DEBUG_SCRATCH 0x00200000
DEBUG_PARSE 0x00400000
DEBUG_REQUEST 0x01000000
DEBUG_INIT_TERM 0x04000000
DEBUG_ERRORS 0x10000000

A description of the flag meanings can be found at: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366152(v=vs.85).aspx

Suggestions for flag combinations:

  • Log settings that should get the information you need most of the time: 0x1A59AFA3
  • Get information on connection establishment problems: 0x18180380
  • Verbose session information: 0x1BDDBF73
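The following Python script is an added example and not part of the original article; it decodes a traceFlags mask into the flag names from the table above, builds a mask from names, and renders the logman line from step 2 for that mask. It also lists set bits the table does not name, which each of the three suggested masks contains, so the undocumented part of a copied mask is visible rather than silently dropped.

```python
# Flag names from the Windows 7 / Server 2008 R2 table above, keyed by bit.
LDAP_TRACE_FLAGS = {
    0x00000001: "DEBUG_SEARCH",   0x00000002: "DEBUG_WRITE",
    0x00000004: "DEBUG_REFCNT",   0x00000008: "DEBUG_HEAP",
    0x00000010: "DEBUG_CACHE",    0x00000020: "DEBUG_SSL",
    0x00000100: "DEBUG_CONNECT",  0x00001000: "DEBUG_EOM",
    0x00002000: "DEBUG_BER",      0x00020000: "DEBUG_CLDAP",
    0x00040000: "DEBUG_FILTER",   0x00080000: "DEBUG_BIND",
    0x00200000: "DEBUG_SCRATCH",  0x00400000: "DEBUG_PARSE",
    0x01000000: "DEBUG_REQUEST",  0x04000000: "DEBUG_INIT_TERM",
    0x10000000: "DEBUG_ERRORS",
}

def decode_trace_flags(mask):
    """Split a 32-bit traceFlags mask into (named_flags, unlisted_bits).
    unlisted_bits are set bits the table does not name; they are reported,
    not discarded, so a mask taken from elsewhere is reproduced exactly."""
    named = [name for bit, name in sorted(LDAP_TRACE_FLAGS.items()) if mask & bit]
    unlisted = [1 << i for i in range(32)
                if mask & (1 << i) and (1 << i) not in LDAP_TRACE_FLAGS]
    return named, unlisted

def encode_trace_flags(names):
    """Build a mask from flag names; a misspelt name raises instead of
    silently producing a mask that traces less than intended."""
    by_name = {name: bit for bit, name in LDAP_TRACE_FLAGS.items()}
    mask = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown LDAP client trace flag: {name}")
        mask |= by_name[name]
    return mask

def logman_create_command(mask, session="ds_ds", etl=r"c:\ds_ds.etl"):
    """Render the article's 'logman create trace' line for the given mask."""
    return (f'logman create trace "{session}" -ow -o {etl} '
            f'-p "Microsoft-Windows-LDAP-Client" 0x{mask:08x} 0xff '
            f'-nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets')

if __name__ == "__main__":
    for mask in (0x1A59AFA3, 0x18180380, 0x1BDDBF73):  # the article's suggestions
        names, extra = decode_trace_flags(mask)
        print(f"0x{mask:08X}: {' | '.join(names)}")
        print("   bits not in the table:", " ".join(f"0x{b:08X}" for b in extra))
```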

More information

Download location for the Windows Platform SDK, which includes the Windows Performance Toolkit (XPERF):
For version 7.1 of the SDK, you can install the toolkit from the SDK's redistributable package: c:\Program Files\Microsoft SDKs\Windows\v7.1\Redist\Windows Performance Toolkit\wpt_<platform>.msi

Network Monitor 3.4 download location is: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=4865

Download location for AD Insight (x86 Tool): http://technet.microsoft.com/en-us/sysinternals/bb897539


Article ID: 2221529 - Last Review: 14 Feb 2017 - Revision: 1

Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise
