Differences between revisions 50 and 51
Revision 50 as of 2021-03-05 11:39:43
Size: 22566
Editor: Brian Potkin
Comment: Linked to a buster issue regarding permissions.
Revision 51 as of 2021-03-06 03:00:45
Size: 22565
Editor: PaulWise
Comment: typo
Deletions are marked like this. Additions are marked like this.
Line 107: Line 107:
Also see how a [[Scanner|USB scanner is set up]] for more information on the local configuration. Take note of the issue mentioned towards the end of [[Scanner#perms|this section]] if the [[#server|server]] is using Debian 10 (buster),. Also see how a [[Scanner|USB scanner is set up]] for more information on the local configuration. Take note of the issue mentioned towards the end of [[Scanner#perms|this section]] if the [[#server|server]] is using Debian 10 (buster).

Translation(s): English - Français - Italiano

Sharing and using a USB connected or network connected scanner over a network with SANE and an introduction to driverless scanning with the sane-airscan and sane-escl backends.


      SCANNER                                 CLIENT
+-----------------+                +--------------------------+
| Network-capable |                |                          |
| stand-alone or  | cable/wireless | libsane                  |
| multifunctional |<-------------->| Vendor-specific packages |
|     device      |                | eSCL/WSD                 |       
+-----------------+                +--------------------------+

A scanner that is network enabled with a cabled or wireless connection (a network scanner) is accessed with the help of libsane and one of the collection of backends on the system. Two backends new to to Debian 11 (bullseye), sane-airscan and sane-escl, provide driverless scanning on the network. Consult a backend's manual for information on whether the backend supports scanning over the network. For example, theepson2, pixma, escl and airscan backends do. libsane interworks with the non-SANE, HP-provided hpaio backend. Other vendors also provide a means to access a network capable scanner but there is generally a non-free aspect to what they offer, so configuration of their devices is not treated on this page.

A USB connected device that understands and uses the IPP-over-USB protocol may be exported and seen as a network device. Otherwise, on USB, the device will have to be exported to a client via saned.

Sharing a USB Connected Scanner: the Basics

       SCANNER                         SERVER                                       CLIENT
 +-------------------+       +------------------------+                +-----------------------------+
 |   Non-networked   |       | libsane + sane-utils   |                | libsane                     |
 |   stand-alone or  |  USB  |                        | cable/wireless |                             |
 |   multifunctional |<----->| saned.conf: permitted  |<-------------->| dll.conf: uncomment net     |
 |       device      |       |            connections |                | net.conf: server IP address |
 +-------------------+       +------------------------+                +-----------------------------+

This section is written principally in the context of a user with Debian 8 (jessie), Debian 9 (stretch), Debian 10 (buster) or Debian 11 (bullseye) installed. These distributions have an init system (the first process started during booting of the computer and that governs its subsequent behaviour) based on systemd. On a machine with a scanner connected to a USB port (the server), SANE with systemd can be socket activated (check that the service is enabled). The saned daemon is started when a request is received on the server from a client and is stopped when the request is fulfilled. This forms the basis for a scanner shared by the server to serve up an image of a document to an application on a client.

Essentially, saned on the server and the net backend on the client are used to convert a non-networked or network-incapable scanner into a networked one.

Server Configuration

  • Install sane-utils to get saned.

  • Check that the contents of /etc/default/saned fit the system and that saned is in the scanner group. No changes need be made to this file for the vast majority of users. You should see this:

$ groups saned
saned : saned scanner
  • Add the hostnames, IP addresses or IP subnets that are permitted to use local SANE devices on the server in /etc/sane.d/saned.conf. For example, you could allow the local network using the following configuration, which will vary according to your network configuration:
  • If necessary (look at systemctl status saned.socket) and enable the systemd socket service:

$ sudo systemctl enable saned.socket
Created symlink from /etc/systemd/system/sockets.target.wants/saned.socket to /lib/systemd/system/saned.socket.
$ sudo systemctl start saned.socket
$ sudo systemctl status saned.socket
  • The server will now be sharing the USB connected scanner with other designated machines on the network.

A first installation of libsane has the socket service disabled, so it would be necessary to enable and start it as described above.

Client Configuration

  • It is essential to install libsane and, for testing the client's ability to see the networked scanner, it is recommended to install sane-utils. Success in detecting the shared scanner with scanimage indicates probable success with other frontends.

  • Uncomment the net backend entry in /etc/sane.d/dll.conf.

  • Add the IP address/hostname of the sane server to /etc/sane.d/net.conf.

  • If everything is working correctly you should get something like this:

% scanimage -L
device `net:' is a Canon N670U/N676U/LiDE20 USB flatbed scanner

Note that the net backend is not for accessing arbitrary scanners over a network. It's intended use is for the server (which has a SANE-supported scanner) to be able to export that scanner to clients on the network via a single SANE-specific, manufacturer-agnostic protocol.


Make sure the saned user can access the scanner locally on the server. scanimage -L should detect the scanner if there is a backend on the system for it and the saned user has permission to access the USB bus; sane-find-scanner will indicate whether the saned user does have permission.

To run as the saned user either become root with su and do

su -s /bin/bash saned
scanimage -L

or use sudo:

sudo -u saned sane-find-scanner
sudo -u saned scanimage -L

Also see how a USB scanner is set up for more information on the local configuration. Take note of the issue mentioned towards the end of this section if the server is using Debian 10 (buster).

Having an ordinary user with or without permissions on the USB bus (libpam-systemd might not be installed) is of no consequence. It is the saned user that needs the permissions.

Bear in mind that sane-find-scanner does a generic USB scan; success indicates a user has sufficient privileges to access the USB devices. On the other hand, a negative response to scanimage -L means that none of the SANE or vendor-supplied backends have knowledge of this model of scanner, so will not talk to it.

If the scanner works on the server but not remotely, make sure the saned.socket service is running correctly on the server; systemctl should tell you this:

$ systemctl status saned.socket
● saned.socket - saned incoming socket
   Loaded: loaded (/lib/systemd/system/saned.socket; enabled)
   Active: active (listening) since Wed 2017-11-15 22:28:05 UTC; 1s ago
   Listen: [::]:6566 (Stream)
 Accepted: 0; Connected: 0

Nov 15 22:28:05 mafalda systemd[1]: Listening on saned incoming socket.

You should also be able to ping the host configured:

$ ping -c1 mafalda
PING mafalda.anarc.at ( 56(84) bytes of data.
64 bytes from mafalda.anarc.at ( icmp_seq=1 ttl=64 time=0.400 ms

--- mafalda.anarc.at ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.400/0.400/0.400/0.000 ms

You can also try to connect directly to the scanner with:

xsane net:

If you have trouble connecting multiple computers to the server, systemctl status saned.socket might show:

saned.socket: Too many incoming connections (1), dropping connection.

This is a known bug in the systemd unit. For a workaround on jessie or stretch:

  • cp /lib/systemd/system/saned.socket /etc/systemd/system/saned.socket.

  • Edit and replace MaxConnections=1 with MaxConnections=64.

  • systemctl daemon-reload.

On stretch it is probably more convenient to do:

  • systemctl edit --full saned.socket.

Sharing on Debian 11 (bullseye)

Debian 11 introduces ipp-usb as a default installed package. When ipp-usb is in service, which it is when a USB connection is made to a device, it prevents the setup of a server and client relationship as previously described. One solution is to remove ipp-usb from the system, losing any of its benefits.

However, an alternative way to gain access to the scanner on the server is to have ipp-usb on the server expose the device on all interfaces, not just on loopback. Edit /etc/ipp-usb/ipp-usb.conf to have

interface = all

The client will have to provide one of the sane-escl or sane-airscane backends to enable a chosen frontend to scan.

Scanning with the eSCL Protocol

Many modern MFDs and scanners support the eSCL protocol. The protocol is a vendor-neutral network protocol that allows driverless scanning with suitable SANE backends via ethernet, wireless and USB connected devices. In other words.the protocol works not only with network-connected devices that advertise themselves via DNS-SD but also with USB devices using IPP-over-USB. The scanning is driverless because, from the point of view of the client, a vendor-specific driver is not required to use what is built into the device's firmware.

Two suitable SANE backends included in Debian 11 (bullseye) are sane-escl, which is a product of the SANE Project and included in libsane1, and the independent sane-airscan, which is developed and maintained by Alexander Pevzner and that also works with the WSD protocol.

A Debian 11 (bullseye) user is advised to have both backends on the system for a successful modern scanning experience.

eSCL is also known as Apple AirScan or AirPrint scanning. It was promoted by Apple as a way of scanning from a mobile device and any device that supports AirPrint version 1.4 should support eSCL. Official documentation of the protocol is not publicly available but it has turned out to be relatively easy to reverse-engineer because it is a simple XML and HTTP based protocol. SCL stands for Scanner Control Language; what e stands for is unknown.

A device that understands the eSCL protocol will provide an output from one of the two following commands giving the capabilities of the scanner device. The meaning of uscan is not obvious but it is possibly universal scan.

avahi-browse -rt _uscan._tcp
avahi-browse -rt _uscans._tcp

Very many modern scanner devices now become amenable to working with SANE and its frontends. A case in point is the situation regarding Canon devices. SANE frontends can now access such devices.

Scanning with the WSD Protocol

Another vendor-neutral network protocol that allows driverless scanning with a suitable SANE backend is based on Microsoft's Web Services for Devices framework. WSD is a set of specifications aimed at handling network communication between devices that offer some kind of functionality, such as scanners. As with eSCL, there's a discovery protocol, a way to retrieve a list of service attributes from a scanner and a set of rules to signal commands or events.

WSD is a technology similar to eSCL in that it is based on connecting by http and XML. However, unlike eSCL, which uses the industry-standard DNS-SD for device discovery, WSD uses its own protocol based on sending XML multcasts over UDP. The discovery part of WSD is known as WS-Discovery and the scanning part as WS-Scan.

Scanner devices may offer

  • eSCL only.

  • WSD only.
  • eSCL and WSD.

Of the two previously mentioned backends, only sane-airscan will deal with the WSD protocol. Its backend implements escl as well as WSD, choosing automatically between them; see /etc/sane.d/airscan.conf and the sane-airscan manual.

  • sane-airscan is designed so that a physical device appears just once when listed by scanimage -L or xsane and simple-scan, even if it supports both the eSCL and WSD protocols. It is believed that, for most users, most of the time, the need to choose between eSCL and WSD only adds complexity without any gain.

  • When automatic protocol display, which is the default in /etc/sane.d/airscan.conf, is selected, WSD will be seen only when eSCL is not supported.

  • A user who wants eSCL and WSD destinations listed in applications may edit /etc/sane.d/airscan.conf. The scanner should appear twice in the device selection dialog: one entry for eSCL and a second for WSD.

protocol = manual

The use of sane-airscan obviously brings more scanner devices into use with SANE. To use eSCL mode or WSD mode a user usually has nothing to do on the device. However, some WSD- and eSCL-capable devices require a protocol to be explicitly activated on them from an EWS. See the sane-airscan website for details.

After intensive technical effort, the present belief is that the WSD protocol is not supported over an IPP-over-USB connection.

It can be difficult to discover from a printer's manual whether a device supports eSCL and/or WSD. With sane-airscan on the system, either of these two commands should indicate which protocols are supported:

scanimage -L

Network Scanner Configurations

Scanning with a Network HP all-in-one (aio)-1

To scan over the network from a scanner on an HP aio (one which is not connected by USB to a computer) you need only to install libsane-hpaio (without its recommended packages) and pass the URI of the scanner to the frontend. A non-free plugin might be required for the scanning function.

The format of the URI is:


This URI can be given directly to the frontend. It can also be provided automatically to the frontend if either a print queue with the hp:/... backend is set up or mDNS broadcasts for the scanner are done by the aio. Automatic discovery will happen via the print queue if both it and mDNS are available as discovery methods.

The IP address could be known from the way the aio's networking was set up; or it could be got from the aio's front panel or deduced from the output of

/usr/bin/lpinfo -v

Each printer model supported by the installed verion of libsane-hpaio is listed in /usr/share/hplip/data/models/models.dat. Model names are enclosed in square brackets; like so, [envy_4500_series].

A frontend can be started with (for example):

simple-scan <URI>

Typing the URI each time can be avoided by exploring what your DE (Desktop Environment) or WM (Window Manager) offers for customising a command. For typing from a terminal you might find a simple alias sufficient.

An hplip installation pulls in libsane-hpaio as a dependency and hplip provides the utility hp-makeuri. It can be used instead of the previous technique for finding a URI. A needed plugin can also be installed with hp-plugin.

Scanning with a Network HP all-in-one (aio)-2

Many users will configure an HP aio machine by installing hplip or hplip-gui and setting up the printing side of the device with hp-setup. Scanning should now be automatically available, as explained by a user on sane-devel and by an hplipopensource troubleshooting page. Simply typing the name of a favourite frontend or clicking on a menu entry should be sufficient to run the application:


The URI to pass to the frontend is obtained from the printer URI by replacing hp:/... with hpaio:/....

Setting up a printer with other device URIs, socket://..., ipp://... etc, will not give this automatic discovery of a scanner URI.

Scanning with a Network HP all-in-one (aio)-3

      SCANNER                            ClIENT 
+------------------+                +---------------+
| Stand-alone or   |                | libsane       |
| multifunctional  | cable/wireless |               |
| AirPrint-enabled |<-------------->| libsane-hpaio |
|     device       | mDNS packets-->|    package    |
+---------------- -+                +---------------+

Recent HP aios (since 2010) will probably come with AirPrint. When activated on the aio the URI of the scanner is formed from the mDNS broadcasts of the aio in co-operation with /usr/share/hplip/data/models/models.dat. Without setting up the printing function of the aio the scanner should be detected by

scanimage -L

and the frontend should automatically run after doing


sharing a network HP aio scanner is not possible due to bugs 807427 and 838212. Network scanners from other vendors might work in sharing mode though.

Canon Multi-Function Printers and CanonScan Scanners via the Network

If, according to the SANE project, your scanner is using sane-pixma as a backend, you need to make sure that:

  • The scanner and your computer are located in the same subnet. (If not, see below).
  • UDP Ports 8610 and 8612 are open in your firewall.

Opening Ports

By default, Debian 10 (buster) uses nftables as the default firewall implementation; it is configured to allow all traffic. But if you have problems with discovering the scanner you should probably check UDP ports 8610 and 8612 are open.

If you are using another popular firewall implementation – firewalld, you should:

Check what zone you are using:

sudo firewall-cmd --get-active-zones

You should get output like this:

  interfaces: eth0 eth1

In my case I’m using zone public, so I can open ports 8610 and 8612 this way:

sudo firewall-cmd --permanent --zone=public --add-port=8610/udp
sudo firewall-cmd --permanent --zone=public --add-port=8612/udp

Then you should restart the firewall to have the changes come into effect:

sudo systemctl restart firewalld

If the Scanner and Your Computer Are in Different Subnets

In this case you should add the scanner with corresponding IP to /etc/sane.d/pixma.conf. Normally only scanners that cannot be auto-detected because they are on a different subnet should be listed here.

Scanners are listed in the configuration file as follows:

  • Method indicates the protocol used (bjnp is used for inkjet multi-functionals and mfnp is used for laser multi-functionals).

  • Host is the hostname or IP address of the scanner.

For example:

  • bjnp:// for IPv4.
  • bjnp://[2001:888:118e:18e2:21e:8fff:fe36:b64a] for a literal IPv6 address.
  • bjnp://myscanner.mydomain.org for a hostname.

The port number is optional and is normally implied by the method. Port 8610 is the standard port for mfnp, 8612 for bjnp.

A scanner specific timeout value for the network protocol can be set using the bjnp-timeout parameter. The value is in milliseconds. Define scanners each on a new line.

Inetd Configuration

An alternative to systemd socket activation is to use openbsd-inetd. Install it, take a look at /etc/default/saned and run

update-inetd --enable sane-port

See Also