Decode IPP over HTTPS(TLS)

retag add tags

I am having trouble getting wireshark to recognise IPP packets when sent using TLS.

I am able to see the TLS handshake, and can then see the packet I believe to be IPP, as I am using the SSLKEYFILE containing the premaster secret, however I cannot get wirehark to recognise the packets as IPP requests.

I have tried the "decode as" option, but IPP is not available as a option.

It could be possible the issue is with port not being 631 (IPP port), however I cannot seem to find anywhere to change this.

Does any body have any ideas?

Thankyou :)

packet-ipp.c:

void proto_reg_handoff_ipp(void) {
    dissector_handle_t ipp_handle;

    /*
     * Register ourselves as running atop HTTP and using port 631.
     */
    ipp_handle = create_dissector_handle(dissect_ipp, proto_ipp);
    http_tcp_dissector_add(631, ipp_handle);
    dissector_add_string("media_type", "application/ipp", ipp_handle);
}

There is no preference to change the port. The dissector expects IPP to be on top of HTTP.
Have you tried Decode As... and setting the type to HTTP?

There is a sample capture (happens to be IPv6) attached to issue 12970 that is using ports other than 631.

Also a sample capture on the Wireshark wiki: ipp.pcap (libpcap) CUPS printing via IPP (test page)

Once the HTTP is available, the dissector then looks for Content-Type: application/ipp

Chuckc

answered 2021-03-29 22:09:17 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Decode IPP over HTTPS(TLS) edit

Comments

1 Answer

Comments