Ask Your Question

Decode IPP over HTTPS(TLS)

asked 2021-03-29 19:25:43 +0000

I am having trouble getting wireshark to recognise IPP packets when sent using TLS.

I am able to see the TLS handshake, and can then see the packet I believe to be IPP, as I am using the SSLKEYFILE containing the premaster secret, however I cannot get wirehark to recognise the packets as IPP requests.

I have tried the "decode as" option, but IPP is not available as a option.

It could be possible the issue is with port not being 631 (IPP port), however I cannot seem to find anywhere to change this.

Does any body have any ideas?

Thankyou :)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-03-29 22:09:17 +0000

Chuckc gravatar image


void proto_reg_handoff_ipp(void) {
    dissector_handle_t ipp_handle;

     * Register ourselves as running atop HTTP and using port 631.
    ipp_handle = create_dissector_handle(dissect_ipp, proto_ipp);
    http_tcp_dissector_add(631, ipp_handle);
    dissector_add_string("media_type", "application/ipp", ipp_handle);

There is no preference to change the port. The dissector expects IPP to be on top of HTTP.
Have you tried Decode As... and setting the type to HTTP?

There is a sample capture (happens to be IPv6) attached to issue 12970 that is using ports other than 631.

Also a sample capture on the Wireshark wiki: ipp.pcap (libpcap) CUPS printing via IPP (test page)

Once the HTTP is available, the dissector then looks for Content-Type: application/ipp

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2021-03-29 19:25:43 +0000

Seen: 463 times

Last updated: Mar 29 '21