Tracking XWindow Protocol

Tags: x11, wireshark

Is it possible to track XWindow protocol with a tool? I thought Wireshark would be a good framework to host such an idea but there seems to be no support. What should be done to achieve this goal?

udslk asked Nov 18 '10 09:11


2 Answers

Wireshark does have the ability to dissect the X-Window protocol.

However: You first have to be able to capture the actual X-Window traffic between an X-client (app) and an X-Server before Wireshark can dissect it.

X-Windows traffic between an app (X-Windows client) and an X-Windows Server both running on your local machine probably uses "Unix Domain sockets" to do direct interprocess communication (IPC) between the client and the server. There's no underlying network protocol used and thus the traffic is (AFAIK) not capturable for dissection by Wireshark.

It's been a while since I've dealt with X but I think basically what is needed is that an X-Server be running on a box such that the server is listening for (and willing to accept) network connections. If an Xclient app on a remote node (or local node?) then connects to the XServer over the network, you will then be able to capture that traffic for dissection by Wireshark.

X is complicated; if you're not familiar with the details of running X, you'll need to do some reading or ask for additional info. I've long since blanked out details related to X.

willyo answered Sep 26 '22 02:09


It is possible in principle to capture X-Window protocol that goes through a Unix socket using strace. Then it is possible to wrap this packet for Wireshark using text2pcap.

Example:

Capture X-Window protocol frames that go to the X-server with pid 1998 on the Unix socket with file descriptor 41:

bash$  sudo strace -e trace=read,write -e read=41  -p 1998 2>&1 | grep '^[ ]|' >/tmp/xdata.log

Prepare the captured data for Wireshark:

bash$ text2pcap -T 1234,6000 /tmp/xdata.log /tmp/xdata.dump

Now one can use Wireshark on /tmp/xdata.dump.

begemotv2718 answered Sep 25 '22 02:09
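An added example, not part of the answers above: before handing a strace log to text2pcap, it helps to confirm that the dumped bytes really are X11. This sketch reassembles the hex-dump rows that the second answer's grep keeps and decodes an X11 connection setup request from them. The sample dump is constructed, it assumes the trace starts at the beginning of a client connection, and the function names are this example's own.

```python
import re
import struct

# Constructed sample in the row layout strace prints for -e read=FD; not a real capture.
SAMPLE = """\
read(41, "l\\0\\v\\0\\0\\0\\22\\0\\20\\0\\0\\0MIT-"..., 4096) = 48
 | 00000  6c 00 0b 00 00 00 12 00  10 00 00 00 4d 49 54 2d  l....... ....MIT- |
 | 00010  4d 41 47 49 43 2d 43 4f  4f 4b 49 45 2d 31 00 00  MAGIC-CO OKIE-1.. |
 | 00020  00 11 22 33 44 55 66 77  88 99 aa bb cc dd ee ff  .."3DUfw ........ |
"""

# Offset, then at most 16 hex pairs; the cap keeps the ASCII column out of the match.
DUMP_ROW = re.compile(r"^ \| [0-9a-f]{5}  ((?:[0-9a-f]{2} {1,2}){1,16})", re.M)

def dump_to_bytes(text):
    """Concatenate the payload bytes of every dump row, skipping syscall lines."""
    return b"".join(bytes.fromhex(m.group(1)) for m in DUMP_ROW.finditer(text))

def pad4(n):
    """X11 pads variable-length fields to a multiple of four bytes."""
    return (n + 3) & ~3

def parse_setup_request(data):
    """Decode the 12-byte header and auth fields of an X11 connection setup request."""
    if len(data) < 12:
        raise ValueError("need at least 12 bytes")
    order = {0x6C: "<", 0x42: ">"}.get(data[0])  # 'l' = LSB first, 'B' = MSB first
    if order is None:
        raise ValueError("bad byte-order byte 0x%02x" % data[0])
    major, minor, name_len, data_len = struct.unpack_from(order + "HHHH", data, 2)
    end = 12 + pad4(name_len) + pad4(data_len)
    if len(data) < end:
        raise ValueError("truncated setup request")
    return {
        "byte_order": "little" if order == "<" else "big",
        "version": (major, minor),
        "auth_name": data[12:12 + name_len].decode("ascii", "replace"),
        "auth_data_len": data_len,  # the auth data is a secret; report its length only
        "total_len": end,
    }

if __name__ == "__main__":
    print(parse_setup_request(dump_to_bytes(SAMPLE)))
```

The authorization data sits in the capture in clear, so the log and the resulting pcap file deserve the same file permissions as the user's .Xauthority.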