blog · git · desktop · images · contact

Dumping X11 traffic


There are some programs to inspect traffic between X11 clients and the server:

For various reasons, I find it more convenient to use Wireshark. Here’s how you dump traffic using it.

We’ll use SSH X11 forwarding. So, first, turn it on in your local SSH daemon in /etc/ssh/sshd_config:

X11Forwarding yes

(You may or may not want to set this permanently. Consider the security implications.)

Then connect to your own machine:

$ ssh -Y localhost
[pinguin]$ echo $DISPLAY

Now you get a TCP socket that you can dump (instead of the default, a UNIX socket, for which this is not possible):

$ sudo ss -tulnp 'sport = 6010'
Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process  
tcp     LISTEN   0        128  *      users:(("sshd",pid=29713,fd=10))


$ sudo tcpdump -ni lo port 6010 -w cap



When in doubt, source and destination port will tell you the direction of traffic.