1) Safety & legal note (read first)
Make sure you are authorized to capture network traffic on the network and the printer. Capturing traffic may expose sensitive documents. Print protocols may be encrypted (IPP over HTTPS / IPPS) so you may not be able to see contents in those cases.
2) Install Wireshark
Windows: Download the installer from wireshark.org and run it. During install accept the WinPcap/Npcap option (Npcap recommended). Reboot if requested.
macOS: Download the macOS installer from wireshark.org or, if you use Homebrew, run:
brew install --cask wireshark
On macOS you'll be asked to grant capture permissions.
Linux (Debian/Ubuntu):
sudo apt update && sudo apt install wireshark
(you may be prompted whether non-root users can capture; choose appropriately). On RedHat/CentOS/Fedora use the dnf/yum packages.
Command-line capture tool: tshark is installed alongside Wireshark on most installs and is useful for scripted captures.
3) Prep: know the printer and network
Gather:
Printer IP (e.g. 192.168.1.50)
Typical printer ports/protocols:
RAW printing (JetDirect) — TCP port 9100
IPP — TCP port 631
LPR/LPD — TCP port 515
SMB-based printing (Windows file/print) — ports 445 / 139
AirPrint/Bonjour may use mDNS (UDP 5353) and IPP
If the printer uses IPPS/HTTPS (IPP over TLS) or SMB with encryption, job contents will be encrypted.
4) Start a capture (GUI)
Open Wireshark (run as admin/root or ensure capture permissions).
Select the correct network interface (the one that can see traffic between host and printer — wired interface or Wi-Fi interface).
Set a capture filter to limit captured traffic (applies at packet capture time and reduces volume). Example capture filters:
Capture only between your PC and the printer:
Capture only common printing ports to/from any host:
Capture only your workstation and the printer on RAW port:
Enter the filter in the capture options (Capture -> Options -> Capture Filter) or in the capture dialog.
Click Start.
Send a print job from the client to the printer. Watch packets appear in Wireshark.
5) Useful display filters (after capture)
Display filters are applied after capture for viewing:
Printer IP traffic:
RAW (jetdirect) port 9100:
IPP protocol:
LPD:
SMB / CIFS:
6) How to view the print data in Wireshark GUI
For TCP port 9100 (raw): select one of the TCP packets carrying the job, right-click → Follow → TCP Stream. In the "Follow TCP Stream" dialog:
Change "Show data as" to Raw or Hex Dump (Raw is best when the job is binary).
Save the stream: click Save As... and choose a filename with an appropriate extension (.ps, .pcl, .prn, or .bin) depending on printer language (PCL, PostScript, PDF, etc).
Note: Wireshark shows the entire bi-directional stream. If multiple jobs were sent in one session you may need to inspect packet boundaries.
For IPP (port 631): IPP is an HTTP-like protocol; if not encrypted you can follow the TCP stream or use File → Export Objects → HTTP to save objects. If IPP is over TLS (IPPS), you will not see clear text.
For LPD: LPD has small control packets; actual data may be seen in the data packets — follow TCP stream similarly.
For SMB: print jobs on SMB can be fragmented and use SMB file operations. You can filter SMB write packets and extract payloads (more advanced).
7) Command-line extraction (tshark + convert to binary) (optional)
Useful if you want to script extraction of a RAW port 9100 print job:
Capture to a pcap:
(Stop it after the job completes with Ctrl-C.)
Extract packet data and convert to raw bytes:
Then try opening job_output.bin with the appropriate viewer:
.ps / PostScript — open in a PS viewer
.pcl — use a PCL viewer or convert with pcl6
PDF — evince/acroread etc
If the output is printable data but contains multiple jobs, you may need to split streams by job boundaries or inspect TCP sequence numbers.
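The extraction step described in this section can also be done without tshark. The following is an added example, not part of the original article: a Python function that reads a classic .pcap file and rebuilds the client-to-printer payload of each TCP connection to port 9100, ordering segments by sequence number and dropping retransmissions. It assumes an Ethernet/IPv4 capture saved as .pcap (not .pcapng); the names extract_jobs, _frame and SAMPLE_PCAP, the client address 192.168.1.10 and the sample packets are constructed for illustration.

```python
import struct

def extract_jobs(pcap, printer_ip, port=9100):
    """Rebuild client-to-printer payloads, one per TCP connection, from a .pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not parsed here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    printer = bytes(int(octet) for octet in printer_ip.split("."))
    conns, pos = {}, 24                      # 24 = size of the pcap global header
    while pos + 16 <= len(pcap):             # 16 = size of each record header
        incl = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                         # truncated, or not IPv4
        ip = frame[14:]
        if ip[9] != 6 or ip[16:20] != printer:
            continue                         # not TCP, or not sent to the printer
        end = struct.unpack("!H", ip[2:4])[0] or len(ip)  # 0 with segmentation offload
        tcp = ip[(ip[0] & 0x0F) * 4:end]     # also trims Ethernet padding
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport == port and payload:
            # Keyed by sequence number: retransmissions collapse, order is restored.
            conns.setdefault((ip[12:16], sport), {}).setdefault(seq, payload)
    # Sequence-number wraparound and partial-overlap retransmits are not handled.
    return [b"".join(segs[s] for s in sorted(segs)) for segs in conns.values()]

def _frame(src, dst, sport, dport, seq, data):
    """Constructed test input: one Ethernet/IPv4/TCP frame as a pcap record."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

PC, PRINTER = (192, 168, 1, 10), (192, 168, 1, 50)   # constructed addresses
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(PC, PRINTER, 50000, 9100, 1015, b"showpage\n"),        # out of order
    _frame(PC, PRINTER, 50000, 9100, 1000, b"%!PS-Adobe-3.0\n"),
    _frame(PC, PRINTER, 50000, 9100, 1000, b"%!PS-Adobe-3.0\n"),  # retransmission
    _frame(PRINTER, PC, 9100, 50000, 7000, b"status\n"),          # printer reply
])

if __name__ == "__main__":
    print(extract_jobs(SAMPLE_PCAP, "192.168.1.50"))
```

Because each connection is returned separately and only the direction towards the printer is kept, the output avoids the mixed bi-directional stream that Follow TCP Stream shows by default.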
8) Save the capture file
GUI: File -> Save As and choose *.pcapng (default) or *.pcap. pcapng preserves more metadata.
Command-line: -w filename.pcap with tshark or tcpdump.
9) Advanced tips
Promiscuous mode / switch port: On switched networks, your NIC may not see printer traffic between other devices. Capture from:
The client that sends the print job (ideal).
A network tap or the switch mirror/span port.
The router/firewall if it passes traffic.
Checksum offloading display issues: If packet checksums appear bad in Wireshark, it may be due to NIC checksum offload. This doesn't mean the capture is corrupted; you can ignore it, or disable the NIC offload for accurate checksums.
Large/long captures: use ring buffers: -b filesize:100000 -b files:10 (tshark/tcpdump) to avoid huge files.
Encrypted protocols: If the print path uses TLS (IPPS, SMB3 with encryption), you cannot read contents unless you have server private keys and can configure Wireshark to decrypt (rare for printers) or use client-side SSL keys (not generally available).
10) Quick example (Windows GUI, capture RAW port 9100)
Open Wireshark (Run as Administrator).
Select the Ethernet/Wi-Fi interface.
In capture options, set capture filter: host 192.168.1.50 and tcp port 9100
Start capture.
Send the print job from your app.
Stop capture after job finishes.
Apply display filter: tcp.port == 9100
Right-click a packet → Follow → TCP Stream → Show data as Raw → Save As job1.pcl (or .ps/.pdf).
Save capture file via File → Save As.