Records query field info/descriptions

We are troubleshooting some authentication issues in our environment, and using some simple Records queries to narrow down to the criteria we’re looking for. The Time field in these queries isn’t behaving the way we’d expect, so I’m looking for some more info on how this field works.

The query in question is looking at LDAP Bind Requests for specific users. The Time field does not seem to correlate with the actual time that the user is performing this kind of activity (some results have a time when the user was not logged in).

Is the Time field supposed to be the start of a session, the end of a session, the average of the time that the session took place, the time that the session was recorded by ExtraHop, or something else entirely?

Hi, @plundstedt.

The ‘Time’ timestamp on request records is the time the sensor saw the packet for the request, in your case the LDAP Bind Request protocol message. If you have a packetstore (aka Trace appliance) and are capturing the packets for the LDAP traffic, you should be able to download a capture and confirm that.

On a system I use, the packets look like this in Wireshark:

The record for the corresponding LDAP request shows the highlighted timestamp.

Does that insight help?
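One way to confirm the answer above, as an added example that is not part of the thread and is not ExtraHop code: export the bind request records and the packet timestamps from the corresponding capture, then check that each record's time lands on a packet. The field name `timestamp` (epoch milliseconds) and the packet times (epoch seconds, as a capture tool would expose them) are assumptions, and both data sets below are constructed inline.

```python
"""Correlate record timestamps with packet capture timestamps.

Added example, not from the forum thread or from ExtraHop. Assumptions
(not stated on the page):
- each record carries an epoch-millisecond field named "timestamp";
- packet timestamps come from a capture as epoch seconds (floats).
Both sample data sets are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed sample: three LDAP bind request records, epoch milliseconds.
SAMPLE_RECORDS = [
    {"user": "alice", "timestamp": 1700000000123},
    {"user": "bob", "timestamp": 1700000005500},
    {"user": "carol", "timestamp": 1700000099000},  # no packet near this time
]

# Constructed sample: packet capture timestamps, epoch seconds.
SAMPLE_PACKET_TIMES = [1700000000.123, 1700000005.501, 1700000042.000]


def to_utc(epoch_ms: int) -> datetime:
    """Render a record timestamp as a timezone-aware UTC datetime.

    Comparing record times to a local-time clock is a common source of
    confusion; rendering both sides in UTC removes that variable.
    """
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def nearest_packet(epoch_ms: int, packet_times):
    """Return (packet_time, delta_ms) for the packet closest to the record."""
    best = min(packet_times, key=lambda t: abs(t * 1000 - epoch_ms))
    return best, abs(best * 1000 - epoch_ms)


def correlate(records, packet_times, tolerance_ms: int = 50):
    """Map each record's user to the packet time it corresponds to.

    A record whose nearest packet is farther than tolerance_ms away maps to
    None; those are the records worth investigating further.
    """
    matches = {}
    for rec in records:
        pkt, delta = nearest_packet(rec["timestamp"], packet_times)
        matches[rec["user"]] = pkt if delta <= tolerance_ms else None
    return matches


if __name__ == "__main__":
    for user, pkt in correlate(SAMPLE_RECORDS, SAMPLE_PACKET_TIMES).items():
        rec = next(r for r in SAMPLE_RECORDS if r["user"] == user)
        status = "matches packet" if pkt is not None else "NO packet within tolerance"
        print(f"{user:6} record {to_utc(rec['timestamp']).isoformat()} {status}")
```

Run against real exports, the script prints one line per record; a record that reports no packet within tolerance is the place to start looking, since the record time should sit on the packet the sensor saw.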