
Tracking XWindow Protocol

Is it possible to track XWindow protocol with a tool? I thought wireshark would be a good framework to host such an idea but there seems to be no support. What should be done to achieve this goal?


Wireshark does have the ability to dissect the X-Window protocol.

However: You first have to be able to capture the actual X-Window traffic between an X-client (app) and an X-Server before Wireshark can dissect it.

X-Windows traffic between an app (X-Windows client) and an X-Windows Server both running on your local machine probably uses "Unix Domain sockets" to do direct interprocess communication (IPC) between the client and the server. There's no underlying network protocol used and thus the traffic is (AFAIK) not capturable for dissection by Wireshark.

It's been a while since I've dealt with X but I think basically what is needed is that an X-Server be running on a box such that the server is listening for (and willing to accept) network connections. If an Xclient app on a remote node (or local node?) then connects to the XServer over the network, you will then be able to capture that traffic for dissection by Wireshark.

X is complicated; if you're not familiar with the details of running X, you'll need to do some reading or ask for additional info. I've long since blanked out details related to X.


It is possible in principle to capture X-Window protocol traffic that goes through a Unix socket using strace. Then it is possible to wrap these packets for Wireshark using text2pcap.

Example:

Capture X-Window protocol frames that go to the X-server with pid 1998 on the Unix socket with file descriptor 41:

bash$  sudo strace -e trace=read,write -e read=41  -p 1998 2>&1 | grep '^[ ]|' >/tmp/xdata.log

Prepare the captured data for wireshark:

bash$ text2pcap -T 1234,6000 /tmp/xdata.log /tmp/xdata.dump

Now one can use wireshark on /tmp/xdata.dump.
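
As an added example (not part of the original answer; the function names are hypothetical and the sample dump is constructed, not a real capture), this Python code reads the hex-dump lines that the strace pipeline above leaves in /tmp/xdata.log and decodes the X11 connection setup and the request headers that follow it. It assumes a little-endian client when the trace starts mid-stream.

```python
import re
import struct

# Constructed sample (not a real capture) in the layout of the strace hex-dump
# lines: setup, QueryExtension("BIG-REQUESTS"), GetInputFocus. Offsets restart per read().
SAMPLE = """\
 | 00000  6c 00 0b 00 00 00 12 00  10 00 00 00 4d 49 54 2d  l...........MIT- |
 | 00010  4d 41 47 49 43 2d 43 4f  4f 4b 49 45 2d 31 00 00  MAGIC-COOKIE-1.. |
 | 00020  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  ................ |
 | 00000  62 00 05 00 0c 00 00 00  42 49 47 2d 52 45 51 55  b.......BIG-REQU |
 | 00010  45 53 54 53 2b 00 01 00                           ESTS+...         |
"""

# At most 16 hex bytes per line, so the ASCII column is never read as data.
DUMP_LINE = re.compile(r"^ \| [0-9a-f]{5}((?:  ?[0-9a-f]{2}){1,16})")
# Subset of core request opcodes; 128 and above are assigned to extensions.
OPCODES = {1: "CreateWindow", 8: "MapWindow", 43: "GetInputFocus", 98: "QueryExtension"}

def dump_to_bytes(text):
    """Concatenate the hex columns of the dump lines into one byte stream."""
    hits = (DUMP_LINE.match(line) for line in text.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in hits if m)

def parse_setup(data):
    """Decode the client's connection setup; return (fields, endianness, bytes used)."""
    if len(data) >= 12 and data[0] in (0x42, 0x6C):  # 'B' = MSB first, 'l' = LSB first
        e = ">" if data[0] == 0x42 else "<"
        major, minor, nlen, dlen = struct.unpack_from(e + "HHHH", data, 2)
        if major == 11:
            used = 12 + (nlen + 3) // 4 * 4 + (dlen + 3) // 4 * 4  # fields pad to 4
            name = data[12:12 + nlen].decode("ascii", "replace")
            return {"major": major, "auth": name, "auth_len": dlen}, e, used
    return None, "<", 0  # trace started mid-stream: assumption, little-endian client

def parse_requests(data, e):
    """Yield (request name, total length in bytes) for each complete request."""
    pos = 0
    while pos + 4 <= len(data):
        opcode, _, units = struct.unpack_from(e + "BBH", data, pos)
        if units == 0 or pos + units * 4 > len(data):
            break  # BIG-REQUESTS extended length or truncated request: stop here
        yield OPCODES.get(opcode, f"opcode {opcode}"), units * 4
        pos += units * 4

def decode(text):
    stream = dump_to_bytes(text)
    setup, e, used = parse_setup(stream)
    return setup, list(parse_requests(stream[used:], e))
```

The setup request carries the authorization data in cleartext (for MIT-MAGIC-COOKIE-1, the cookie itself), so files such as /tmp/xdata.log and /tmp/xdata.dump should be treated as sensitive.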


Back in the '80s, there was an open source Xwindow proxy program that would be placed between the Server and the client. It was written in 'C' and easily modifiable to count types of messages, or volume of data passing in each direction. It also recognized malformed Xprotocol that would result when folks used the wrong functions in interrupt handlers. I can't remember the name, but maybe searching on "Xwindow proxy" might help...


I'm not sure what the XWindow protocol is, but you could make a Lua Dissector for Wireshark:

http://wiki.wireshark.org/Lua
