Extract Print Job Commands using Wireshark

Modified on Wed, 15 Oct at 10:38 AM

1) Safety & legal note (read first)

Make sure you are authorized to capture network traffic on the network and the printer. Capturing traffic may expose sensitive documents. Print protocols may be encrypted (IPP over HTTPS / IPPS) so you may not be able to see contents in those cases.

2) Install Wireshark

  • Windows: Download the installer from wireshark.org and run it. During install accept the WinPcap/Npcap option (Npcap recommended). Reboot if requested.

  • macOS: Download the macOS installer from wireshark.org or brew install --cask wireshark (if you use Homebrew). On macOS you’ll be asked to grant capture permissions.

  • Linux (Debian/Ubuntu): sudo apt update && sudo apt install wireshark (you may be prompted whether non-root users can capture — choose appropriately). On RedHat/CentOS/Fedora use dnf/yum packages.

  • Command-line capture tool: tshark is installed alongside Wireshark on most installs and is useful for scripted captures.

3) Prep: know the printer and network

Gather:

  • Printer IP (e.g. 192.168.1.50)

  • Typical printer ports/protocols:

    • RAW printing (JetDirect) — TCP port 9100

    • IPP — TCP port 631

    • LPR/LPD — TCP port 515

    • SMB-based printing (Windows file/print) — ports 445 / 139

    • AirPrint/Bonjour may use mDNS (UDP 5353) and IPP

  • If the printer uses IPPS/HTTPS (IPP over TLS) or SMB with encryption, job contents will be encrypted.

4) Start a capture (GUI)

  1. Open Wireshark (run as admin/root or ensure capture permissions).

  2. Select the correct network interface (the one that can see traffic between host and printer — wired interface or Wi-Fi interface).

  3. Set a capture filter to limit captured traffic (applies at packet capture time and reduces volume). Example capture filters:

    • Capture only between your PC and the printer:

      host 192.168.1.50
    • Capture only common printing ports to/from any host:

      tcp port 9100 or tcp port 631 or tcp port 515 or tcp port 445 or tcp port 139
    • Capture only your workstation and the printer on RAW port:

      host 192.168.1.50 and tcp port 9100
  4. Enter the filter in the capture options (Capture -> Options -> Capture Filter) or in the capture dialog.

  5. Click Start.

  6. Send a print job from the client to the printer. Watch packets appear in Wireshark.

5) Useful display filters (after capture)

Display filters are applied after capture for viewing:

  • Printer IP traffic:

    ip.addr == 192.168.1.50
  • RAW (jetdirect) port 9100:

    tcp.port == 9100
  • IPP protocol:

    ipp
  • LPD:

    lpd
  • SMB / CIFS:

    smb2 || smb

6) How to view the print data in Wireshark GUI

  • For TCP port 9100 (raw): select one of the TCP packets carrying the job, right-click → Follow → TCP Stream. In the "Follow TCP Stream" dialog:

    • Change "Show data as" to Raw or Hex Dump (Raw is best when the job is binary).

    • Save the stream: click Save As... and choose a filename with an appropriate extension (.ps, .pcl, .prn, or .bin) depending on printer language (PCL, PostScript, PDF, etc).

    • Note: Wireshark shows the entire bi-directional stream. If multiple jobs were sent in one session you may need to inspect packet boundaries.

  • For IPP (port 631): IPP is an HTTP-like protocol; if not encrypted you can follow the TCP stream or use File → Export Objects → HTTP to save objects. If IPP is over TLS (IPPS), you will not see clear text.

  • For LPD: LPD has small control packets; actual data may be seen in the data packets — follow TCP stream similarly.

  • For SMB: print jobs on SMB can be fragmented and use SMB file operations. You can filter SMB write packets and extract payloads (more advanced).

7) Command-line extraction (tshark + convert to binary) (optional)

Useful if you want to script extraction of a RAW port 9100 print job:

Capture to a pcap:

sudo tshark -i eth0 -f "host 192.168.1.50 and tcp port 9100" -w printer_capture.pcap

(Stop it after the job completes with Ctrl-C.)

Extract packet data and convert to raw bytes:

# extract TCP payloads on port 9100 as hex, concatenated
tshark -r printer_capture.pcap -Y "tcp.port == 9100" -T fields -e data \
  | tr -d '\n' > job.hex

# convert hex to binary (Linux/Mac: xxd)
xxd -r -p job.hex > job_output.bin

Then try opening job_output.bin with the appropriate viewer:

  • .ps / PostScript — open in a PS viewer

  • .pcl — use a PCL viewer or convert with pcl6

  • PDF — evince / acroread etc

If the output is printable data but contains multiple jobs, you may need to split streams by job boundaries or inspect TCP sequence numbers.
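The job-boundary split mentioned above, as an added example that is not part of the original article. It assumes the sender wraps each job in HP PJL, where the Universal Exit Language marker (ESC%-12345X) and the @PJL ENTER LANGUAGE line delimit jobs; the function names and the sample stream are constructed for illustration.

```python
# Added example: split a saved port-9100 stream into jobs and guess each
# job's page description language so it can be saved with a usable extension.
import re
import sys

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language marker

# (leading bytes, label, suggested extension), checked in order
MAGIC = [
    (b"%!", "PostScript", ".ps"),
    (b"%PDF-", "PDF", ".pdf"),
    (b") HP-PCL XL", "PCL XL", ".pcl"),
    (b"\x1b", "PCL", ".pcl"),  # PCL 5 data begins with an escape sequence
]
ENTER = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)[^\n]*\n", re.I)

def sniff(payload: bytes) -> dict:
    """Guess the language from the first bytes of the document data."""
    head = payload.lstrip()[:16]
    for magic, label, ext in MAGIC:
        if head.startswith(magic):
            return {"detected": label, "ext": ext}
    return {"detected": "unknown", "ext": ".bin"}

def split_jobs(stream: bytes) -> list:
    """Return one dict per job: declared language, detected language, payload."""
    jobs = []
    for seg in stream.split(UEL):
        if not seg.strip():
            continue
        declared, payload = None, seg
        if seg.startswith(b"@PJL"):
            m = ENTER.search(seg)
            if m is None:
                continue  # PJL-only block (e.g. an @PJL EOJ trailer), no document data
            declared, payload = m.group(1).decode().upper(), seg[m.end():]
        jobs.append({"declared": declared, "payload": payload, **sniff(payload)})
    return jobs

# Constructed sample: a PJL-wrapped PCL job followed by a PostScript job.
SAMPLE = (UEL + b'@PJL JOB NAME="report"\r\n@PJL ENTER LANGUAGE=PCL\r\n'
          + b"\x1bE\x1b&l0OHello\x1bE" + UEL + b"@PJL EOJ\r\n" + UEL
          + UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\nshowpage\n" + UEL)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, job in enumerate(split_jobs(data), 1):
        name = f"job{i}{job['ext']}"
        print(name, job["declared"], job["detected"], len(job["payload"]), "bytes")
        if len(sys.argv) > 1:
            open(name, "wb").write(job["payload"])
```

Run it with job_output.bin as the argument to write job1.pcl, job2.ps and so on; with no argument it only prints a summary of the constructed sample.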

8) Save the capture file

  • GUI: File -> Save As and choose *.pcapng (default) or *.pcap. pcapng preserves more metadata.

  • Command-line: -w filename.pcap with tshark or tcpdump.

9) Advanced tips

  • Promiscuous mode / switch port: On switched networks, your NIC may not see printer traffic between other devices. Capture from:

    • The client that sends the print job (ideal).

    • A network tap or the switch mirror/span port.

    • The router/firewall if it passes traffic.

  • Checksum offloading display issues: If packet checksums appear bad in Wireshark, the cause may be NIC checksum offload; this doesn’t mean the capture is corrupted. You can ignore the warnings or disable NIC offload to get accurate checksums.

  • Large/long captures: use ring buffers to avoid huge files: -b filesize:100000 -b files:10 (tshark/dumpcap; tcpdump uses -C and -W instead).

  • Encrypted protocols: If the print path uses TLS (IPPS, SMB3 with encryption), you cannot read contents unless you have server private keys and can configure Wireshark to decrypt (rare for printers) or use client-side SSL keys (not generally available).

10) Quick example (Windows GUI, capture RAW port 9100)

  1. Open Wireshark (Run as Administrator).

  2. Select the Ethernet/Wi-Fi interface.

  3. In capture options, set capture filter: host 192.168.1.50 and tcp port 9100.

  4. Start capture.

  5. Send the print job from your app.

  6. Stop capture after job finishes.

  7. Apply display filter: tcp.port == 9100

  8. Right-click a packet → Follow → TCP Stream → Show data as Raw → Save As job1.pcl (or .ps/.pdf).

  9. Save capture file via File → Save As.
