Here is a simple capture filter I used to find which machines used the LDAP service on a Domain Controller I was demoting. Before running it, I needed to remove a couple of DNS references to the server so clients wouldn't get here.

TCP.Flags.Syn == 1
AND
IPv4.DestinationAddress == Global.IpConfig.LocalIpv4Address
AND
(
TCP.Port == 389 or UDP.Port == 389
or
TCP.Port == 3268 or UDP.Port == 3268
or
TCP.Port == 636 or UDP.Port == 636 // SSL
or
TCP.Port == 3269 or UDP.Port == 3269 // SSL 
)

This includes lots of traffic we don't really want, so let's ignore all traffic with other domain controllers.

Import-Module ActiveDirectory
# Resolve the hostname of every other domain controller to its IP addresses
$DomainControllerIPs = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $Env:COMPUTERNAME } | Select-Object -ExpandProperty HostName | ForEach-Object { [System.Net.Dns]::GetHostAddresses($_) | Select-Object -ExpandProperty IPAddressToString }
# Emit one exclusion clause per address, joined with AND
[string]::Join("`nAND`n", ($DomainControllerIPs | ForEach-Object { 'IPv4.SourceAddress != ' + $_ }))

Append the output to the end of the filter, preceded by an AND. It will then look like this:

TCP.Flags.Syn == 1
AND
IPv4.DestinationAddress == Global.IpConfig.LocalIpv4Address
AND
(
TCP.Port == 389 or UDP.Port == 389
or
TCP.Port == 3268 or UDP.Port == 3268
or
TCP.Port == 636 or UDP.Port == 636 // SSL
or
TCP.Port == 3269 or UDP.Port == 3269 // SSL 
)
AND
IPv4.SourceAddress != 192.168.1.11 AND IPv4.SourceAddress != ::1 AND IPv4.SourceAddress != 192.168.2.22

But wait, what is ::1 doing in there? Well, if you have IPv6 the resolver will return that IP, so don’t worry. Now let's just see who talks with the server. Then migrate them, and make sure they don’t have any static entries pointing at this Domain Controller.
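
As an added example (not part of the original post), the function below assembles the whole filter in one step and drops loopback and IPv6 results such as ::1, which can never be the source of an IPv4 packet. The function name `New-LdapClientFilter` and its parameters are hypothetical; the sample addresses are the ones shown above.

```powershell
# Added example: builds the complete capture filter from a list of addresses to exclude.
function New-LdapClientFilter {
    param(
        [string[]]$ExcludeAddress,                  # e.g. $DomainControllerIPs from the snippet above
        [int[]]$Port = @(389, 3268, 636, 3269)      # the four ports used in the filter above
    )

    # Keep only unique, non-loopback IPv4 addresses. ::1 and other IPv6
    # results never appear as an IPv4 source, so a clause for them excludes nothing.
    $ipv4 = foreach ($text in $ExcludeAddress) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($text, [ref]$ip) -and
            $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and
            -not [System.Net.IPAddress]::IsLoopback($ip)) {
            $ip.ToString()
        }
    }
    $ipv4 = @($ipv4 | Sort-Object -Unique)

    # Same port test as the hand-written filter, one line per port.
    $portClause = ($Port | ForEach-Object { "TCP.Port == $_ or UDP.Port == $_" }) -join "`nor`n"

    $lines = @(
        'TCP.Flags.Syn == 1'
        'AND'
        'IPv4.DestinationAddress == Global.IpConfig.LocalIpv4Address'
        'AND'
        '('
        $portClause
        ')'
    )
    foreach ($address in $ipv4) {
        $lines += 'AND'
        $lines += "IPv4.SourceAddress != $address"
    }
    $lines -join "`n"
}

# Constructed sample input: the addresses from the example above, plus a duplicate.
New-LdapClientFilter -ExcludeAddress '192.168.1.11', '::1', '192.168.2.22', '192.168.1.11'
```

On the domain controller itself, pass `$DomainControllerIPs` as `-ExcludeAddress` instead of the sample list.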

Update 30/1: added the SYN flag requirement to reduce the packets to only the initial one of each connection.