Wireshark-users: [Wireshark-users] SSL LDAP dialog - bad request interpretation?

From: Frantisek Hanzlik <franta@xxxxxxxxxxx>
Date: Tue, 26 Apr 2011 08:22:25 +0200
I use wireshark (Version 1.4.4 Linux Fedora 14 i686) to decode SSL
LDAP communication between System Security Services Daemon (sssd)
and openldap server. All three pieces SW (wireshark, sssd, slapd)
runs on one machine, communication go through IPv4 loopback interface.

It seems as wireshark bad decode (TLS/SSL) LDAP request:
- in Packet List window is packet marked as "Malformed"
- in Packed Detail is line:
  (Error/Undecoded): Filter length exceeds 4096. Giving up
  although packed itself has only 500 Byte (at TCP layer)
- Packet Detail not contains all requests detail.

Openldap server response seems fine and wireshark probably decode and
display it fine too.

Wireshark version details (copied from About window):
=====
Compiled (32-bit) with GTK+ 2.22.0, with GLib 2.26.0, with libpcap 1.1.1,
without libz, without POSIX capabilities, without libpcre, with SMI 0.4.8,
without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.8.6,
with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Jul 28 2009), without AirPcap.

Running on Linux 2.6.35.12-88.fc14.i686.PAE, with libpcap version 1.1.1, GnuTLS
2.8.6, Gcrypt 1.4.5.

Built using gcc 4.5.1 20100924 (Red Hat 4.5.1-4).
=====

Unfortunately I cannot send plain non-ssl dialog, as sssd daemon not
allow that (even on loopback), I think.

I attach printscreen and 5 packets LDAP dialog export to plain text.
Excuse me in case when there is another problem, but I cannot explain
this case in other manner. Can anyone?

Thanks, Franta Hanzlik

Attachment: ssl_ldap_dialog.png
Description: PNG image

No.     Time        Source                Destination           Protocol Info
  10342 10041.386651 127.0.0.1             127.0.0.1             LDAP     searchRequest(3558) "ou=users,dc=nkcr,dc=cz" wholeSubtree [Malformed Packet]

Frame 10342: 569 bytes on wire (4552 bits), 569 bytes captured (4552 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755190, Ack: 195327, Len: 501
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 496
        Encrypted Application Data: c40d7f654480eb829c3cd29013a3f59f1884e14243043317...
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(3558) "ou=users,dc=nkcr,dc=cz" wholeSubtree
        messageID: 3558
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: ou=users,dc=nkcr,dc=cz
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                [Expert Info (Error/Undecoded): Filter length exceeds 4096. Giving up.]
                    [Message: Filter length exceeds 4096. Giving up.]
                    [Severity level: Error]
                    [Group: Undecoded]
[Malformed Packet: LDAP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

Frame (569 bytes):

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 02 29 15 da 40 00 40 06 24 f3 7f 00 00 01   E..)..@.@.$.....
0020  7f 00 00 01 b2 29 01 85 e5 04 0a e2 e4 9d c4 c4   .....)..........
0030  80 18 03 02 00 1e 00 00 01 01 08 0a 13 8e f1 f3   ................
0040  13 8d 77 4e 17 03 01 01 f0 c4 0d 7f 65 44 80 eb   ..wN........eD..
0050  82 9c 3c d2 90 13 a3 f5 9f 18 84 e1 42 43 04 33   ..<.........BC.3
0060  17 de 01 65 4d bf 09 cc 84 a3 ed cd 1b d0 39 40   ...eM.........9@
0070  67 44 6a 14 46 31 c1 8a 47 d7 a0 8b 82 27 56 b1   gDj.F1..G....'V.
0080  9f 70 ee 16 61 09 61 18 68 b5 a0 e5 b7 13 c1 da   .p..a.a.h.......
0090  9c 9d 3c c0 9d 45 9e d0 92 4e e8 3f 92 07 0a 6b   ..<..E...N.?...k
00a0  0f 7f b8 18 1e 2e ca 5e 25 a6 13 e5 3e be 37 8a   .......^%...>.7.
00b0  94 5d a6 0b 0c 0c 5f a5 5b 96 5a eb a2 b2 3d 83   .]...._.[.Z...=.
00c0  cd 53 c1 16 ac 71 7e 4a 11 c4 f6 24 0f a4 ec 8a   .S...q~J...$....
00d0  0d 5a bc 6b 6c c1 05 01 df e9 51 3e 28 84 e2 ad   .Z.kl.....Q>(...
00e0  aa 38 b0 21 ab 84 c4 15 02 ca 0d c3 1b bd 0a 77   .8.!...........w
00f0  25 3f ba 28 02 a1 81 36 ba e4 d6 ea 9c f6 83 73   %?.(...6.......s
0100  13 94 c7 32 8f 8e 7a f1 d0 30 2f df 0b df 56 91   ...2..z..0/...V.
0110  da 71 97 6c 5c 47 0b 68 44 75 cd 3e 9a 07 5b b6   .q.l\G.hDu.>..[.
0120  67 1d 06 0e f1 f7 8a d7 59 84 9a 6f 79 d5 72 40   g.......Y..oy.r@
0130  30 0b 6e 50 e2 da b6 fb 35 35 d2 d5 4c b1 58 c8   0.nP....55..L.X.
0140  c2 86 c8 e0 08 b9 a1 b4 1e 00 cf cf 52 5a 46 57   ............RZFW
0150  58 58 ee 5b a8 9c 0c 79 b3 5c 66 03 2e da e8 7c   XX.[...y.\f....|
0160  4b 59 41 8e 77 67 29 33 2d 70 93 08 c2 bb 28 b6   KYA.wg)3-p....(.
0170  cb e0 ec be d4 3f 2c 96 61 b4 4a 13 c9 aa e6 79   .....?,.a.J....y
0180  3c ec 4a 9e 69 da 50 6b 00 2d 3e a1 43 e9 01 fd   <.J.i.Pk.->.C...
0190  3e 21 3c fc 0a 85 f1 74 54 0e d4 cf f6 dd 25 87   >!<....tT.....%.
01a0  4e 89 91 a5 f7 4b 99 8c 6e 24 10 f2 91 d7 1f 9a   N....K..n$......
01b0  f0 fb e1 c6 cc 13 83 1a db 34 c5 aa c3 cb c6 68   .........4.....h
01c0  f2 5d 79 c9 a1 91 c7 cc 75 8d 37 30 4d 9a a1 38   .]y.....u.70M..8
01d0  7c 47 5a f0 b2 34 fc 10 af 84 e7 47 d5 c2 55 45   |GZ..4.....G..UE
01e0  00 b9 cb 81 33 09 a4 07 73 f8 89 af 93 bc 62 74   ....3...s.....bt
01f0  8a 8a bd 52 8d f6 97 b3 95 1c 3c aa bd a7 19 1e   ...R......<.....
0200  8b ef 83 75 25 61 8c b7 1a 3f 16 05 48 23 48 90   ...u%a...?..H#H.
0210  a5 07 b0 d9 75 ac ea 85 cf 81 6d 7b 8e 8e 7f 3f   ....u.....m{...?
0220  13 0e b2 2c 69 e5 8b 9b 73 56 70 f6 6a 10 63 ae   ...,i...sVp.j.c.
0230  5a b4 91 37 17 12 b7 49 50                        Z..7...IP

Decrypted SSL data (474 bytes):

0000  30 82 01 d6 02 02 0d e6 63 82 01 ce 04 16 6f 75   0.......c.....ou
0010  3d 75 73 65 72 73 2c 64 63 3d 6e 6b 63 72 2c 64   =users,dc=nkcr,d
0020  63 3d 63 7a 0a 01 02 0a 01 00 02 01 00 02 01 00   c=cz............
0030  01 01 00 a0 33 a3 14 04 03 75 69 64 04 0d 66 68   ....3....uid..fh
0040  61 6e 7a 6c 69 6b 2e 6c 64 61 70 a3 1b 04 0b 6f   anzlik.ldap....o
0050  62 6a 65 63 74 63 6c 61 73 73 04 0c 70 6f 73 69   bjectclass..posi
0060  78 41 63 63 6f 75 6e 74 30 82 01 6e 04 0b 6f 62   xAccount0..n..ob
0070  6a 65 63 74 43 6c 61 73 73 04 03 75 69 64 04 0c   jectClass..uid..
0080  75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69   userPassword..ui
0090  64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62   dNumber..gidNumb
00a0  65 72 04 05 67 65 63 6f 73 04 0d 68 6f 6d 65 44   er..gecos..homeD
00b0  69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e 53   irectory..loginS
00c0  68 65 6c 6c 04 10 6b 72 62 50 72 69 6e 63 69 70   hell..krbPrincip
00d0  61 6c 4e 61 6d 65 04 02 63 6e 04 0f 6d 6f 64 69   alName..cn..modi
00e0  66 79 54 69 6d 65 73 74 61 6d 70 04 0f 6d 6f 64   fyTimestamp..mod
00f0  69 66 79 54 69 6d 65 73 74 61 6d 70 04 10 73 68   ifyTimestamp..sh
0100  61 64 6f 77 4c 61 73 74 43 68 61 6e 67 65 04 09   adowLastChange..
0110  73 68 61 64 6f 77 4d 69 6e 04 09 73 68 61 64 6f   shadowMin..shado
0120  77 4d 61 78 04 0d 73 68 61 64 6f 77 57 61 72 6e   wMax..shadowWarn
0130  69 6e 67 04 0e 73 68 61 64 6f 77 49 6e 61 63 74   ing..shadowInact
0140  69 76 65 04 0c 73 68 61 64 6f 77 45 78 70 69 72   ive..shadowExpir
0150  65 04 0a 73 68 61 64 6f 77 46 6c 61 67 04 10 6b   e..shadowFlag..k
0160  72 62 4c 61 73 74 50 77 64 43 68 61 6e 67 65 04   rbLastPwdChange.
0170  15 6b 72 62 50 61 73 73 77 6f 72 64 45 78 70 69   .krbPasswordExpi
0180  72 61 74 69 6f 6e 04 0c 70 77 64 41 74 74 72 69   ration..pwdAttri
0190  62 75 74 65 04 11 61 75 74 68 6f 72 69 7a 65 64   bute..authorized
01a0  53 65 72 76 69 63 65 04 0e 61 63 63 6f 75 6e 74   Service..account
01b0  45 78 70 69 72 65 73 04 12 75 73 65 72 41 63 63   Expires..userAcc
01c0  6f 75 6e 74 43 6f 6e 74 72 6f 6c 04 0d 6e 73 41   ountControl..nsA
01d0  63 63 6f 75 6e 74 4c 6f 63 6b                     ccountLock

No.     Time        Source                Destination           Protocol Info
  10343 10041.391049 127.0.0.1             127.0.0.1             LDAP     searchResEntry(3558) "uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz" 

Frame 10343: 585 bytes on wire (4680 bits), 585 bytes captured (4680 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 45609 (45609), Seq: 195327, Ack: 1755691, Len: 517
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Encrypted Application Data: d525d8909e7cd19ca941a328891bbcfc93bebbb81f273cb1...
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(3558) "uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz" [3 results]
        messageID: 3558
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=fhanzlik.ldap,ou=users,dc=nkcr,dc=cz
                attributes: 11 items
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            Hanzlik, Franta, LDAP testovaci user
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            fhanzlik.ldap
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            10514
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            /bin/sh
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            /home/fhanzlik.ldap
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            100
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 4 items
                            posixAccount
                            shadowAccount
                            mozillaAbPerson
                            inetOrgPerson
                    PartialAttributeList item shadowLastChange
                        type: shadowLastChange
                        vals: 1 item
                            14790
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            Hanzlik, Franta, LDAP testovaci user
                    PartialAttributeList item userPassword
                        type: userPassword
                        vals: 1 item
                            {MD5}NpEwjypML2mD8ogNMuKchA==
                    PartialAttributeList item modifyTimestamp
                        type: modifyTimestamp
                        vals: 1 item
                            20110425155454Z

Frame (585 bytes):

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 02 39 7d fc 40 00 40 06 bc c0 7f 00 00 01   E..9}.@.@.......
0020  7f 00 00 01 01 85 b2 29 e4 9d c4 c4 e5 04 0c d7   .......)........
0030  80 18 2c 16 00 2e 00 00 01 01 08 0a 13 8e f1 f7   ..,.............
0040  13 8e f1 f3 17 03 01 02 00 d5 25 d8 90 9e 7c d1   ..........%...|.
0050  9c a9 41 a3 28 89 1b bc fc 93 be bb b8 1f 27 3c   ..A.(.........'<
0060  b1 d0 9e 13 96 bf 10 22 85 b6 1e d5 1e 03 d1 25   .......".......%
0070  5c 7d e4 1f 46 be e8 a0 4c 3e ba df a1 c7 09 d0   \}..F...L>......
0080  9f c7 d7 87 07 e0 24 18 e0 c1 4f ae 16 a0 b0 34   ......$...O....4
0090  b2 ed b2 28 5b 10 70 db 4a 6b b3 f9 a2 b2 6a 44   ...([.p.Jk....jD
00a0  06 c8 6c 89 4e 7e 94 7c b0 c6 e8 bf 87 f9 9e 21   ..l.N~.|.......!
00b0  30 38 47 ed c6 71 4b fc cd 3e c0 41 20 82 ae 2e   08G..qK..>.A ...
00c0  bc d6 5b bf ff 22 18 68 be a3 6e 15 da 02 2d 40   ..[..".h..n...-@
00d0  31 4f 69 ad 79 41 7c 95 d0 34 32 5f 0e 34 e9 68   1Oi.yA|..42_.4.h
00e0  15 0c 84 55 a7 02 12 7c a2 f0 0e 58 ae 21 4f 38   ...U...|...X.!O8
00f0  0c 49 5f 7b 2f e6 73 fe 67 78 5a ec 3b a4 b2 ea   .I_{/.s.gxZ.;...
0100  1d 19 0b 3d 8b 4b 69 60 46 ae f5 dd f5 7c ca 98   ...=.Ki`F....|..
0110  04 5a 32 ed 22 1d 3d 39 44 62 e4 08 e2 24 a7 1a   .Z2.".=9Db...$..
0120  f4 dc 83 84 57 dc 47 ea 47 68 2e 16 cb dd d4 8d   ....W.G.Gh......
0130  be 64 46 97 83 2b e4 96 42 90 97 b4 d2 3e 07 23   .dF..+..B....>.#
0140  65 72 dc 57 6e f1 fb e9 81 ed ab 69 81 e4 bd fe   er.Wn......i....
0150  b1 e8 d6 b9 9a 4d 94 21 2b 7d 43 7f db 24 e4 29   .....M.!+}C..$.)
0160  53 49 c7 33 31 e8 c2 90 e0 ad 52 e4 57 fc 03 e0   SI.31.....R.W...
0170  73 4d ec 6a 7e 3d 7b 2b fb 51 4b 29 3e c1 d9 77   sM.j~={+.QK)>..w
0180  ff e5 67 e3 87 50 d7 31 8a 62 74 7f bd bc 36 27   ..g..P.1.bt...6'
0190  8e d8 31 53 a6 94 fa 4c 07 e8 9e 2f fd 1a 8d db   ..1S...L.../....
01a0  91 a0 78 bf 70 74 8c 6a e2 2f 0e bf bd b3 c3 9f   ..x.pt.j./......
01b0  c6 a5 ae ea 89 04 ae 52 cb 85 cf c2 c6 80 bb 23   .......R.......#
01c0  18 e2 22 0a 88 1c e9 0b 6c 56 f6 df 6d 1e 75 45   ..".....lV..m.uE
01d0  1a 25 d5 a8 5c 64 77 86 89 cd c4 1f 30 7d c9 50   .%..\dw.....0}.P
01e0  c6 8c b3 f5 d3 20 d2 f5 9e 77 11 b3 e4 64 fc 0a   ..... ...w...d..
01f0  d4 7a ee 36 3f 5f 26 9a d4 2f 99 d4 ad 9c eb d9   .z.6?_&../......
0200  d0 71 6e 34 43 5e 91 5e 61 9c 0c 0f e4 f3 c4 6c   .qn4C^.^a......l
0210  fa 1e e5 c2 b2 52 fc 79 7c 5f 0c e9 16 1a db a6   .....R.y|_......
0220  64 dd b8 d2 94 59 36 b7 aa 4a e7 ee 8e 98 03 c4   d....Y6..J......
0230  0c 66 8d 43 b5 91 44 70 0f 3c ab 7f 6e ba d1 38   .f.C..Dp.<..n..8
0240  94 0e 57 eb e6 22 a3 f5 2b                        ..W.."..+

Decrypted SSL data (478 bytes):

0000  30 82 01 da 02 02 0d e6 64 82 01 d2 04 28 75 69   0.......d....(ui
0010  64 3d 66 68 61 6e 7a 6c 69 6b 2e 6c 64 61 70 2c   d=fhanzlik.ldap,
0020  6f 75 3d 75 73 65 72 73 2c 64 63 3d 6e 6b 63 72   ou=users,dc=nkcr
0030  2c 64 63 3d 63 7a 30 82 01 a4 30 2c 04 02 63 6e   ,dc=cz0...0,..cn
0040  31 26 04 24 48 61 6e 7a 6c 69 6b 2c 20 46 72 61   1&.$Hanzlik, Fra
0050  6e 74 61 2c 20 4c 44 41 50 20 74 65 73 74 6f 76   nta, LDAP testov
0060  61 63 69 20 75 73 65 72 30 16 04 03 75 69 64 31   aci user0...uid1
0070  0f 04 0d 66 68 61 6e 7a 6c 69 6b 2e 6c 64 61 70   ...fhanzlik.ldap
0080  30 14 04 09 75 69 64 4e 75 6d 62 65 72 31 07 04   0...uidNumber1..
0090  05 31 30 35 31 34 30 17 04 0a 6c 6f 67 69 6e 53   .105140...loginS
00a0  68 65 6c 6c 31 09 04 07 2f 62 69 6e 2f 73 68 30   hell1.../bin/sh0
00b0  26 04 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 79   &..homeDirectory
00c0  31 15 04 13 2f 68 6f 6d 65 2f 66 68 61 6e 7a 6c   1.../home/fhanzl
00d0  69 6b 2e 6c 64 61 70 30 12 04 09 67 69 64 4e 75   ik.ldap0...gidNu
00e0  6d 62 65 72 31 05 04 03 31 30 30 30 4c 04 0b 6f   mber1...1000L..o
00f0  62 6a 65 63 74 43 6c 61 73 73 31 3d 04 0c 70 6f   bjectClass1=..po
0100  73 69 78 41 63 63 6f 75 6e 74 04 0d 73 68 61 64   sixAccount..shad
0110  6f 77 41 63 63 6f 75 6e 74 04 0f 6d 6f 7a 69 6c   owAccount..mozil
0120  6c 61 41 62 50 65 72 73 6f 6e 04 0d 69 6e 65 74   laAbPerson..inet
0130  4f 72 67 50 65 72 73 6f 6e 30 1b 04 10 73 68 61   OrgPerson0...sha
0140  64 6f 77 4c 61 73 74 43 68 61 6e 67 65 31 07 04   dowLastChange1..
0150  05 31 34 37 39 30 30 2f 04 05 67 65 63 6f 73 31   .147900/..gecos1
0160  26 04 24 48 61 6e 7a 6c 69 6b 2c 20 46 72 61 6e   &.$Hanzlik, Fran
0170  74 61 2c 20 4c 44 41 50 20 74 65 73 74 6f 76 61   ta, LDAP testova
0180  63 69 20 75 73 65 72 30 2f 04 0c 75 73 65 72 50   ci user0/..userP
0190  61 73 73 77 6f 72 64 31 1f 04 1d 7b 4d 44 35 7d   assword1...{MD5}
01a0  4e 70 45 77 6a 79 70 4d 4c 32 6d 44 38 6f 67 4e   NpEwjypML2mD8ogN
01b0  4d 75 4b 63 68 41 3d 3d 30 24 04 0f 6d 6f 64 69   MuKchA==0$..modi
01c0  66 79 54 69 6d 65 73 74 61 6d 70 31 11 04 0f 32   fyTimestamp1...2
01d0  30 31 31 30 34 32 35 31 35 35 34 35 34 5a         0110425155454Z

No.     Time        Source                Destination           Protocol Info
  10344 10041.391062 127.0.0.1             127.0.0.1             TCP      45609 > ldap [ACK] Seq=1755691 Ack=195844 Win=49280 Len=0 TSV=328135159 TSER=328135159

Frame 10344: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755691, Ack: 195844, Len: 0

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 34 15 db 40 00 40 06 26 e7 7f 00 00 01   E..4..@.@.&.....
0020  7f 00 00 01 b2 29 01 85 e5 04 0c d7 e4 9d c6 c9   .....)..........
0030  80 10 03 02 fe 28 00 00 01 01 08 0a 13 8e f1 f7   .....(..........
0040  13 8e f1 f7                                       ....

No.     Time        Source                Destination           Protocol Info
  10345 10041.391493 127.0.0.1             127.0.0.1             LDAP     searchResDone(3558) success  [3 results]

Frame 10345: 121 bytes on wire (968 bits), 121 bytes captured (968 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 45609 (45609), Seq: 195844, Ack: 1755691, Len: 53
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: ldap
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 48
        Encrypted Application Data: 00a438bf84057a6c29e1217c723fa061a6d83ad419383e33...
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(3558) success [3 results]
        messageID: 3558
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN: 
                errorMessage: 

Frame (121 bytes):

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 69 7d fd 40 00 40 06 be 8f 7f 00 00 01   E..i}.@.@.......
0020  7f 00 00 01 01 85 b2 29 e4 9d c6 c9 e5 04 0c d7   .......)........
0030  80 18 2c 16 fe 5d 00 00 01 01 08 0a 13 8e f1 f8   ..,..]..........
0040  13 8e f1 f7 17 03 01 00 30 00 a4 38 bf 84 05 7a   ........0..8...z
0050  6c 29 e1 21 7c 72 3f a0 61 a6 d8 3a d4 19 38 3e   l).!|r?.a..:..8>
0060  33 fc 08 73 0d d1 08 ec b9 cc 31 75 24 a5 4e 42   3..s......1u$.NB
0070  c9 31 31 66 b8 8d fe cc 89                        .11f.....

Decrypted SSL data (15 bytes):

0000  30 0d 02 02 0d e6 65 07 0a 01 00 04 00 04 00      0.....e........

No.     Time        Source                Destination           Protocol Info
  10346 10041.391502 127.0.0.1             127.0.0.1             TCP      45609 > ldap [ACK] Seq=1755691 Ack=195897 Win=49280 Len=0 TSV=328135160 TSER=328135160

Frame 10346: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Linux cooked capture
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Transmission Control Protocol, Src Port: 45609 (45609), Dst Port: ldap (389), Seq: 1755691, Ack: 195897, Len: 0

0000  00 00 03 04 00 06 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 34 15 dc 40 00 40 06 26 e6 7f 00 00 01   E..4..@.@.&.....
0020  7f 00 00 01 b2 29 01 85 e5 04 0c d7 e4 9d c6 fe   .....)..........
0030  80 10 03 02 fe 28 00 00 01 01 08 0a 13 8e f1 f8   .....(..........
0040  13 8e f1 f8                                       ....