 | 1 | initial version |
As said by others, you might as well capture all traffic to one or more printers to not only find out who (IP) is responsible, but also why, as you capture the full TCP streams.
If you do want to only capture the sources of systems that connect to the printer, then you could use a capture filter to capture the SYN, FIN and RST packets (that way you get to see who is connecting and how much data was exchanged). The corresponding capture filter would be:
tcp[13] & 7 > 0 for non-vlan tagged trafficvlan and tcp[13] & 7 > 0 for vlan tagged traffictcp[13] & 7 > 0 or (vlan and tcp[13] & 7 > 0) if you want to capture both tagged and untagged SYN/FIN/RST packets