2020-10-06
There are some programs to inspect traffic between X11 clients and the server:
For various reasons, I find it more convenient to use Wireshark. Here’s how you dump traffic using it.
We’ll use SSH X11 forwarding. So, first, turn it on in your local SSH daemon in /etc/ssh/sshd_config:
X11Forwarding yes
(You may or may not want to set this permanently. Consider the security implications.)
Then connect to your own machine:
$ ssh -Y localhost
[pinguin]$ echo $DISPLAY
localhost:10.0
[pinguin]$
Now you get a TCP socket that you can dump (instead of the default, a UNIX socket, for which this is not possible):
$ sudo ss -tulnp 'sport = 6010'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=29713,fd=10))
Dumping:
$ sudo tcpdump -ni lo port 6010 -w cap
Wireshark:
When in doubt, source and destination port will tell you the direction of traffic.
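The same port-based direction check can be scripted against the capture file. This is an added example, not code from the original post: it labels each TCP segment by whether port 6010 is the destination or the source, and reads the byte-order byte that opens the client's X11 connection setup. The function names, the client port 40000 and the two-packet sample capture are constructed for illustration, and it assumes a classic pcap file with IPv4 over Ethernet framing.

```python
import struct

X11_PORT = 6010  # 6000 + display number 10, as in the post's DISPLAY=localhost:10.0

def x11_segments(pcap, port=X11_PORT):
    """Return (direction, payload) for each TCP segment carrying data in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, off = [], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Assumption: IPv4 in Ethernet framing (what Linux reports for "lo"); skip the rest.
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack(">H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack(">HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload and port in (sport, dport):
            out.append(("client->server" if dport == port else "server->client", payload))
    return out

def client_byte_order(segments):
    """First byte from the client selects byte order: 'B' is MSB first, 'l' is LSB first."""
    for direction, payload in segments:
        if direction == "client->server":
            return {0x42: "big-endian", 0x6C: "little-endian"}.get(payload[0], "unknown")
    return None

def _frame(sport, dport, payload):
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return bytes(12) + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed two-packet capture: a client setup request and a truncated server reply."""
    setup = b"l\x00" + struct.pack("<HHHHH", 11, 0, 0, 0, 0)  # protocol 11.0, no auth data
    reply = b"\x01\x00" + struct.pack("<HH", 11, 0)            # constructed, truncated
    frames = [_frame(40000, X11_PORT, setup), _frame(X11_PORT, 40000, reply)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

To run it on the file written by the tcpdump command above, pass `open("cap", "rb").read()` to `x11_segments` instead of `sample_pcap()`.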