Comment 30 for bug 883585

Robert Bradley (robert-bradley1) wrote :

Till: Wireshark will only be of use in the network printer case (IPP/HTTP, LPR or SMB). Its value is in being able to see exactly what is being transmitted and received from the print server. You can then use that to get a better understanding of what is going on.

The way to use it is to start Wireshark, then click the "Show capture options" button (second from left, with the spanner icon). In that window, enter the right network interface (usually eth0 for wired Ethernet, but this will obviously vary), and untick "Capture packets in promiscuous mode" (to avoid logging traffic from other systems). The capture filter could be left blank, but to eliminate non-IPP traffic, enter "port 631" here. (You can use "port 515" for LPR and "port 80" for HTTP traffic.) Once that's done, click Start to start your capture.

When you're done, click the "Stop the current capture" button (fourth from the left, with a red cross). You will now have a window full of captured packets, which should be saved before continuing.

Assuming we're interested in just the IPP part of the conversation, enter "ipp" in the filter box and click Apply. This will filter out all the packets from lower layers (e.g. TCP). Just below the list of packets, you will see a pane showing the interpretation of the currently selected packet at multiple stack layers (so Ethernet, IP, TCP, HTTP, then IPP). Expanding each of these will give you detailed information about each. For example, for IPP responses, you will see the protocol version, status codes and request ID (currently always 1, but this has changed in the upstream trunk).

You can also right-click your packet entry in the list and select "Follow TCP stream". For IPP, this will show the HTTP conversation in plain text. While this is rarely useful for working out what IPP is doing, it does show the HTTP requests and responses pretty well.
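
What the IPP layer of the packet detail pane is decoding, as an added example that is not part of the original comment: a small Python parser for the body of an IPP response (the HTTP payload), following the RFC 8010 binary encoding. The sample bytes are constructed, the status and group tables are a subset, and the function names are this example's own.

```python
import struct

# Subset of status codes and group delimiter tags from RFC 8010 / RFC 8011.
STATUS = {0x0000: "successful-ok", 0x0400: "client-error-bad-request",
          0x0406: "client-error-not-found", 0x0500: "server-error-internal-error"}
GROUPS = {0x01: "operation-attributes", 0x02: "job-attributes",
          0x04: "printer-attributes", 0x05: "unsupported-attributes"}
# Constructed sample: version 1.1, successful-ok, request-id 1, one group.
SAMPLE = (b"\x01\x01\x00\x00\x00\x00\x00\x01\x01"
          b"\x47\x00\x12attributes-charset\x00\x05utf-8"
          b"\x48\x00\x1battributes-natural-language\x00\x05en-us\x03")


def _field(body: bytes, pos: int):
    """Read a 2-byte big-endian length followed by that many bytes."""
    if pos + 2 > len(body):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", body, pos)
    if pos + 2 + n > len(body):
        raise ValueError("length field runs past end of message")
    return body[pos + 2:pos + 2 + n], pos + 2 + n


def parse_ipp_response(body: bytes) -> dict:
    """Decode the fixed 8-byte header and the attribute groups."""
    if len(body) < 8:
        raise ValueError("truncated IPP header")
    major, minor, status, request_id = struct.unpack_from(">BBHI", body, 0)
    result = {"version": f"{major}.{minor}", "request_id": request_id,
              "status": STATUS.get(status, hex(status)), "groups": []}
    pos, attrs = 8, None
    while True:
        if pos >= len(body):
            raise ValueError("missing end-of-attributes tag")
        tag, pos = body[pos], pos + 1
        if tag == 0x03:  # end-of-attributes-tag; document data may follow
            return result
        if tag < 0x10:  # delimiter tag: starts a new attribute group
            attrs = []
            result["groups"].append((GROUPS.get(tag, hex(tag)), attrs))
            continue
        if attrs is None:
            raise ValueError("attribute before any group tag")
        name, pos = _field(body, pos)
        value, pos = _field(body, pos)
        if not name and attrs:  # empty name: extra value of previous attribute
            attrs[-1][2].append(value)
        else:
            attrs.append((name.decode("ascii", "replace"), tag, [value]))
```

Values are returned as raw bytes alongside their value tag, so a malformed or unexpected attribute shows up as-is instead of being silently coerced.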