If you're going between IPO Servers, you can capture from the command line.
Basically, with Wireshark, you've got capture filters and display filters. The former sets up Wireshark to only log packets that match your filter, while the latter takes the complete capture and only displays packets that match the capture.
So, if you just mirrored a port that your IPO was on, fired up Wireshark with no filters, and let it go, you might get a huge file to filter through after. But, if you knew how to set up capture filters, you might wind up with a much smaller file to begin looking at.
Anyway, from a Linux box with tshark on it, here's a couple of commands to get you started:
tshark -i eth0 host 1.2.3.4 -w /tmp/mycapture.pcap
That'll log packets from interface eth0, only to IP 1.2.3.4, and log them to the file /tmp/mycapture.pcap.
tshark -i eth0 port 389 -w /tmp/mycapture.pcap
That'll do the same as above, but log any LDAP traffic on port 389.
If you don't put the -w switch to write the capture, you'll see it right in your terminal, which can be handy just to see if anything's coming in on the wire and you don't care enough to look too closely at the packets.
Have fun.
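The two filter stages described in the post above, as an added example that is not part of the original post: a validated capture filter is built from a host and a list of ports, the capture runs for a bounded time, and the saved file is then re-read through a display filter. The function names, port 636 and the `ldap` display filter in the usage comment are assumptions chosen for illustration.

```shell
# Added example: function names and sample values are illustrative.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    vi_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$vi_ifs
    [ "$#" -eq 4 ] || return 1
    for vi_octet in "$@"; do
        [ "${#vi_octet}" -le 3 ] && [ "$vi_octet" -le 255 ] || return 1
    done
}

# Succeeds only for a port number in 1-65535.
valid_port() {
    case $1 in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a capture filter, e.g. "host 1.2.3.4 and (port 389 or port 636)".
# Rejecting anything but digits and dots keeps stray filter syntax out.
# Usage: build_capture_filter HOST [PORT...]
build_capture_filter() {
    bcf_host=$1; bcf_expr=""
    valid_ipv4 "$bcf_host" || { echo "bad host: $bcf_host" >&2; return 1; }
    shift
    for bcf_port in "$@"; do
        valid_port "$bcf_port" || { echo "bad port: $bcf_port" >&2; return 1; }
        bcf_expr="${bcf_expr:+$bcf_expr or }port $bcf_port"
    done
    echo "host $bcf_host${bcf_expr:+ and ($bcf_expr)}"
}

# Capture for SECONDS with the capture filter (-f), then re-read the saved
# file through a display filter (-Y). Needs tshark and capture privileges.
# Usage: capture_then_display IFACE SECONDS OUTFILE DISPLAY_FILTER HOST [PORT...]
# e.g.:  capture_then_display eth0 60 /tmp/mycapture.pcap ldap 1.2.3.4 389 636
capture_then_display() {
    ctd_if=$1; ctd_secs=$2; ctd_out=$3; ctd_df=$4
    shift 4
    ctd_cf=$(build_capture_filter "$@") || return 1
    tshark -i "$ctd_if" -f "$ctd_cf" -a "duration:$ctd_secs" -w "$ctd_out" || return 1
    tshark -r "$ctd_out" -Y "$ctd_df"
}
```

The capture filter decides what reaches the file on disk; the display filter can be changed and re-run against the same file as often as needed.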