

Sharing a USB or network scanner over a network with SANE.

Introduction

       SCANNER                         SERVER                                       CLIENT
 +-------------------+       +------------------------+                +-----------------------------+
 |   Non-networked   |       | libsane + sane-utils   |                | libsane                     |
 |   stand-alone or  |  USB  |                        | cable/wireless |                             |
 |   multifunctional |<----->| saned.conf: permitted  |<-------------->| dll.conf: uncomment net     |
 |       device      |       |            connections |                | net.conf: server IP address |
 +-------------------+       +------------------------+                +-----------------------------+

This page is written principally in the context of a user with Debian 8 (jessie), Debian 9 (stretch) or Debian 10 (buster) installed. These distributions have an init system (the first process started during booting of the computer and which governs its subsequent behaviour) based on systemd. On a machine with a scanner connected to a USB port (the server), SANE with systemd can be socket activated (check that the service is enabled). The saned daemon is started when a request is received on the server from a client and is stopped when the request is fulfilled. This forms the basis for a scanner shared by the server to serve up an image of a document to an application on a client.

Essentially, saned on the server and the net backend on the client are used to convert a non-networked or network-incapable scanner into a networked one.

      SCANNER                                 CLIENT
+-----------------+                +--------------------------+
| Network-capable |                |                          |
| stand-alone or  | cable/wireless | libsane                  |
| multifunctional |<-------------->| Vendor-specific packages |
|     device      |                |                          |       
+-----------------+                +--------------------------+

A scanner which is network enabled with a cabled or wireless connection (a network scanner) is accessed with the help of libsane and one of its collection of backends. Consult a backend's manual for information on whether the backend supports scanning over the network. For example, the epson2 and pixma backends do. libsane interworks with the non-SANE, HP-provided hpaio backend. Other vendors also provide a means to access a network-capable scanner but there is generally a non-free aspect to what they offer, so configuration of their devices is not treated on this page.

Sharing a USB Connected Scanner

Server Configuration

$ groups saned
saned : saned scanner

192.168.0.1/24

$ sudo systemctl enable saned.socket
Created symlink from /etc/systemd/system/sockets.target.wants/saned.socket to /lib/systemd/system/saned.socket.
$ sudo systemctl start saned.socket
$ sudo systemctl status saned.socket

A first installation of libsane has the socket service disabled, so it would be necessary to enable and start it as described above.

Client Configuration

% scanimage -L
device `net:192.168.0.100:plustek:libusb:002:006' is a Canon N670U/N676U/LiDE20 USB flatbed scanner

Note that the net backend is not for accessing arbitrary scanners over a network. Its intended use is for the server (which has a SANE-supported scanner) to be able to export that scanner to clients on the network via a single SANE-specific, manufacturer-agnostic protocol.

Troubleshooting

Make sure the saned user can access the scanner locally on the server. scanimage -L should detect the scanner if there is a backend on the system for it and the saned user has permission to access the USB bus; sane-find-scanner will indicate whether the saned user does have permission.

To run as the saned user either become root with su and do

su -s /bin/bash saned
sane-find-scanner
scanimage -L

or use sudo:

sudo -u saned sane-find-scanner
sudo -u saned scanimage -L

Also see how a USB scanner is set up for more information on the local configuration.

Having an ordinary user with or without permissions on the USB bus (libpam-systemd might not be installed) is of no consequence. It is the saned user which needs the permissions.

Bear in mind that sane-find-scanner does a generic USB scan; success indicates a user has sufficient privileges to access the USB devices. On the other hand, a negative response to scanimage -L means that none of the SANE or vendor-supplied backends have knowledge of this model of scanner, so will not talk to it.

If the scanner works on the server but not remotely, make sure the saned.socket service is running correctly on the server; systemctl should tell you this:

$ systemctl status saned.socket
● saned.socket - saned incoming socket
   Loaded: loaded (/lib/systemd/system/saned.socket; enabled)
   Active: active (listening) since Wed 2017-11-15 22:28:05 UTC; 1s ago
   Listen: [::]:6566 (Stream)
 Accepted: 0; Connected: 0

Nov 15 22:28:05 mafalda systemd[1]: Listening on saned incoming socket.

You should also be able to ping the host configured:

$ ping -c1 mafalda
PING mafalda.anarc.at (192.168.0.6) 56(84) bytes of data.
64 bytes from mafalda.anarc.at (192.168.0.6): icmp_seq=1 ttl=64 time=0.400 ms

--- mafalda.anarc.at ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.400/0.400/0.400/0.000 ms

You can also try to connect directly to the scanner with:

xsane net:192.168.0.6

If you have trouble connecting multiple computers to the server, systemctl status saned.socket might show:

saned.socket: Too many incoming connections (1), dropping connection.

This is a known bug in the systemd unit. For a workaround on jessie or stretch:

On stretch it is probably more convenient to do:

Scanning with the eSCL Protocol

Many modern MFDs and scanners support the eSCL protocol. The protocol is a vendor-neutral network protocol that allows driverless scanning with suitable SANE backends via ethernet, wireless and USB connected devices. In other words, the protocol works not only with network-connected devices that advertise themselves via DNS-SD but also with USB devices using IPP-over-USB.

Two suitable SANE backends are sane-escl, which is provided by the SANE Project (but not yet in the unstable archive), and the independent sane-airscan, which is developed by Alexander Pevzner and which also works with the WSD protocol. Although based on using the same eSCL protocol, sane-escl and sane-airscan do not at present provide the same set of scanning facilities.

eSCL is also known as Apple AirScan or AirPrint scanning. It was introduced by Apple as a way of scanning from a mobile device and any device that supports AirPrint version 1.4 should support eSCL. Official documentation of the protocol is non-existent but it has turned out to be relatively easy to reverse-engineer because it is a simple XML and HTTP based protocol. SCL stands for Scanner Control Language; what e stands for is unknown.

A device that understands the eSCL protocol will provide an output from the following command giving the capabilities of the scanner device. The meaning of uscan is not obvious but it is possibly universal scan.

avahi-browse -rt _uscan._tcp

Very many modern scanner devices now become amenable to working with SANE and its frontends. A case in point is the situation regarding Canon devices. SANE frontends can now access such devices.

Scanning with the WSD Protocol

Another vendor-neutral network protocol that allows driverless scanning with a suitable SANE backend is based on Microsoft's Web Services for Devices framework. WSD is a set of specifications aimed at handling network communication between devices that offer some kind of functionality, such as scanners. There's a discovery protocol, a way to retrieve a list of service attributes from a scanner and a set of rules to signal commands or events. WSD is a technology similar to eSCL in that it is based on connecting by HTTP and XML.

Scanner devices may offer

Of the two previously mentioned backends only sane-airscan will deal with the WSD protocol. Its backend implements eSCL as well as WSD, choosing automatically between them. The use of this backend obviously brings more scanner devices into use with SANE. To use eSCL mode or WSD mode a user usually has nothing to do. However, some WSD-capable devices require the protocol to be explicitly activated on them from an EWS. See the sane-airscan website for details. But do note:

The WSD protocol is not yet available over an IPP-over-USB connection with sane-airscan.

With sane-airscan on the system, either of these two commands should indicate which protocols (eSCL and/or WSD) are supported by the device:

scanimage -L
airscan-discover

Network Scanner Configurations

Scanning with a Network HP all-in-one (aio)-1

To scan over the network from a scanner on an HP aio (one which is not connected by USB to a computer) you need only to install libsane-hpaio (without its recommended packages) and pass the URI of the scanner to the frontend. A non-free plugin might be required for the scanning function.

The format of the URI is:

hpaio:/net/<aio_model_name>?ip=<IP_address_of_the_aio>

This URI can be given directly to the frontend. It can also be provided automatically to the frontend if either a print queue with the hp:/... backend is set up or mDNS broadcasts for the scanner are done by the aio. Automatic discovery will happen via the print queue if both it and mDNS are available as discovery methods.

The IP address could be known from the way the aio's networking was set up; or it could be got from the aio's front panel or deduced from the output of

/usr/bin/lpinfo -v

Each printer model supported by the installed version of libsane-hpaio is listed in /usr/share/hplip/data/models/models.dat. Model names are enclosed in square brackets; like so, [envy_4500_series].

A frontend can be started with (for example):

simple-scan <URI>

Typing the URI each time can be avoided by exploring what your DE (Desktop Environment) or WM (Window Manager) offers for customising a command. For typing from a terminal you might find a simple alias sufficient.

An hplip installation pulls in libsane-hpaio as a dependency and hplip provides the utility hp-makeuri. It can be used instead of the previous technique for finding a URI. A needed plugin can also be installed with hp-plugin.

Scanning with a Network HP all-in-one (aio)-2

Many users will configure an HP aio machine by installing hplip or hplip-gui and setting up the printing side of the device with hp-setup. Scanning should now be automatically available, as explained by a user on sane-devel and by an hplipopensource troubleshooting page. Simply typing the name of a favourite frontend or clicking on a menu entry should be sufficient to run the application:

simple-scan
xsane
xscanimage

The URI to pass to the frontend is obtained from the printer URI by replacing hp:/... with hpaio:/....

Setting up a printer with other device URIs, socket://..., ipp://... etc, will not give this automatic discovery of a scanner URI.

Scanning with a Network HP all-in-one (aio)-3

      SCANNER                            CLIENT
+------------------+                +---------------+
| Stand-alone or   |                | libsane       |
| multifunctional  | cable/wireless |               |
| AirPrint-enabled |<-------------->| libsane-hpaio |
|     device       | mDNS packets-->|    package    |
+------------------+                +---------------+

Recent HP aios (since 2010) will probably come with AirPrint. When activated on the aio the URI of the scanner is formed from the mDNS broadcasts of the aio in co-operation with /usr/share/hplip/data/models/models.dat. Without setting up the printing function of the aio the scanner should be detected by

scanimage -L

and the frontend should automatically run after doing

xsane
simple-scan
xscanimage

Sharing a network HP aio scanner is not possible due to bugs 807427 and 838212. Network scanners from other vendors might work in sharing mode though.

Canon Multi-Function Printers and CanonScan Scanners via the Network

If, according to the SANE project, your scanner is using sane-pixma as a backend, you need to make sure that:

Opening Ports

Debian 10 (buster) uses nftables as its default firewall implementation; it is configured to allow all traffic. But if you have problems with discovering the scanner you should probably check that UDP ports 8610 and 8612 are open.

If you are using firewalld, another popular firewall implementation, first check which zone you are using:

sudo firewall-cmd --get-active-zones

You should get output like this:

public
  interfaces: eth0 eth1

In my case I’m using zone public, so I can open ports 8610 and 8612 this way:

sudo firewall-cmd --permanent --zone=public --add-port=8610/udp
sudo firewall-cmd --permanent --zone=public --add-port=8612/udp

Then you should restart the firewall to have the changes come into effect:

sudo systemctl restart firewalld

If the Scanner and Your Computer Are in Different Subnets

In this case you should add the scanner with corresponding IP to /etc/sane.d/pixma.conf. Normally only scanners that cannot be auto-detected because they are on a different subnet should be listed here.

Scanners are listed in the configuration file as follows:

<method>://<host>[:port][/timeout=<value>]

For example:

The port number is optional and is normally implied by the method. Port 8610 is the standard port for mfnp, 8612 for bjnp.

A scanner specific timeout value for the network protocol can be set using the bjnp-timeout parameter. The value is in milliseconds. Define scanners each on a new line.
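
As an added example (not part of the original page and not SANE project code), these shell functions parse entries in the format above, fill in the port implied by the method, and list the host and UDP port of each listed scanner so the result can be compared with the firewall rules. The hosts in the sample are constructed placeholders, and IPv6 literal hosts are assumed not to be used.

```sh
# Added example, not SANE project code. Hosts are assumed to be names or IPv4.
# Parse "<method>://<host>[:port][/timeout=<value>]" and print
# "method host port timeout" (timeout is "-" when the entry sets none).
parse_pixma_entry() {
    local entry="$1" method port rest host timeout="-"
    case "$entry" in
        mfnp://*) method=mfnp; port=8610 ;;   # port implied by the method
        bjnp://*) method=bjnp; port=8612 ;;
        *) echo "unknown method: $entry" >&2; return 1 ;;
    esac
    rest="${entry#*://}"
    case "$rest" in */timeout=*) timeout="${rest##*/timeout=}"; rest="${rest%%/timeout=*}" ;; esac
    case "$rest" in
        *:*) host="${rest%%:*}"; port="${rest#*:}" ;;   # explicit port overrides
        *)   host="$rest" ;;
    esac
    # Reject malformed fields instead of passing them on.
    case "$host" in ''|*[!A-Za-z0-9.-]*) echo "bad host: $entry" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $entry" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $entry" >&2; return 1; }
    case "$timeout" in -) ;; ''|*[!0-9]*) echo "bad timeout: $entry" >&2; return 1 ;; esac
    printf '%s %s %s %s\n' "$method" "$host" "$port" "$timeout"
}

# Read a pixma.conf on stdin; print one unique "host port/udp" line per scanner.
list_pixma_endpoints() {
    local line fields
    while read -r line; do
        # Skip comments, blank lines and settings that are not scanner entries.
        case "$line" in '#'*) continue ;; *://*) ;; *) continue ;; esac
        fields=$(parse_pixma_entry "$line") || continue
        set -- $fields
        echo "$2 $3/udp"
    done | sort -u
}

# Constructed sample configuration; the hosts are placeholders.
sample_pixma_conf() {
    cat <<'EOF'
# scanners on another subnet
bjnp://scanner.example.net
mfnp://192.0.2.10:8610
bjnp-timeout=5000
bjnp://192.0.2.20/timeout=1500
bjnp://192.0.2.20/timeout=1500
EOF
}

sample_pixma_conf | list_pixma_endpoints
```

On the sample this prints three lines, one per distinct scanner; entries that fail validation are reported on stderr and skipped.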

Inetd Configuration

An alternative to systemd socket activation is to use openbsd-inetd. Install it, take a look at /etc/default/saned and run

update-inetd --enable sane-port

See Also