X11 is version 11 of the X Window System protocol.
X11 has been the protocol version since September 1987.
TCP: X11 uses TCP as its transport protocol. The well known TCP ports for X11 are 6000-6063: typically the port number used is 6000 plus the server/display number. Wireshark will only automatically dissect traffic as X11 on ports 6000-6002. Beyond that you'll need to use Decode-As.
No. Time Source Destination Protocol Length Info 8 0.001470 192.168.1.2 192.168.1.24 X11 558 Initial connection reply Frame 8: 558 bytes on wire (4464 bits), 558 bytes captured (4464 bits) Ethernet II, Src: HewlettP_27:85:92 (00:22:64:27:85:92), Dst: Raspberr_65:2d:99 (b8:27:eb:65:2d:99) Internet Protocol Version 4, Src: 192.168.1.2, Dst: 192.168.1.24 Transmission Control Protocol, Src Port: 6003 (6003), Dst Port: 57369 (57369), Seq: 9, Ack: 49, Len: 492 [2 Reassembled TCP Segments (500 bytes): #6(8), #8(492)] X11, Reply, Initial connection reply success: 1 unused protocol-major-version: 11 protocol-minor-version: 0 replylength: 123 release-number: 11501000 resource-id-base: 0x00200000 resource-id-mask: 0x001fffff motion-buffer-size: 256 length-of-vendor: 20 maximum-request-length: 65535 number-of-screens-in-roots: 1 number-of-formats-in-pixmap-formats: 7 image-byte-order: 0x00 (LSBFirst) bitmap-format-bit-order: 0x00 (LSBFirst) bitmap-format-scanline-unit: 32 bitmap-format-scanline-pad: 32 min-keycode: 8 max-keycode: 255 unused vendor: The X.Org Foundation pixmap-format screen
The X11 dissector is quite functional. A lot of the dissector is automatically generated from the mesa and xcbproto sources which means that protocol extensions are automatically supported as they are added to the protocol.
The X11 dissector's sole preference is whether to reassemble TCP segments.
Example capture file
There are a number of X11 sample captures on the SampleCaptures page.
A complete list of X11 display filter fields can be found in the display filter reference
- Show only the X11 based traffic:
You cannot directly filter X11 protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.