There are some programs to inspect traffic between X11 clients and the server:
For various reasons, I find it more convenient to use Wireshark. Here’s how you dump traffic using it.
We’ll use SSH X11 forwarding. So, first, turn it on in your local SSH
(You may or may not want to set this permanently. Consider the security implications.)
Then connect to your own machine:
$ ssh -Y localhost [pinguin]$ echo $DISPLAY localhost:10.0 [pinguin]$
Now you get a TCP socket that you can dump (instead of the default, a UNIX socket, for which this is not possible):
$ sudo ss -tulnp 'sport = 6010' Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=29713,fd=10))
$ sudo tcpdump -ni lo port 6010 -w cap
When in doubt, source and destination port will tell you the direction of traffic.