X11

X11 is version 11 of the X Window System protocol.

History

X11 has been the protocol version since September 1987.

Protocol dependencies

• TCP: X11 uses TCP as its transport protocol. The well known TCP ports for X11 are 6000-6063: typically the port number used is 6000 plus the server/display number. Wireshark will only automatically dissect traffic as X11 on ports 6000-6002. Beyond that you'll need to use Decode-As.

Example traffic

No.     Time           Source                Destination           Protocol Length Info
      8 0.001470       192.168.1.2           192.168.1.24          X11      558    Initial connection reply

Frame 8: 558 bytes on wire (4464 bits), 558 bytes captured (4464 bits)
Ethernet II, Src: HewlettP_27:85:92 (00:22:64:27:85:92), Dst: Raspberr_65:2d:99 (b8:27:eb:65:2d:99)
Internet Protocol Version 4, Src: 192.168.1.2, Dst: 192.168.1.24
Transmission Control Protocol, Src Port: 6003 (6003), Dst Port: 57369 (57369), Seq: 9, Ack: 49, Len: 492
[2 Reassembled TCP Segments (500 bytes): #6(8), #8(492)]
X11, Reply, Initial connection reply
    success: 1
    unused
    protocol-major-version: 11
    protocol-minor-version: 0
    replylength: 123
    release-number: 11501000
    resource-id-base: 0x00200000
    resource-id-mask: 0x001fffff
    motion-buffer-size: 256
    length-of-vendor: 20
    maximum-request-length: 65535
    number-of-screens-in-roots: 1
    number-of-formats-in-pixmap-formats: 7
    image-byte-order: 0x00 (LSBFirst)
    bitmap-format-bit-order: 0x00 (LSBFirst)
    bitmap-format-scanline-unit: 32
    bitmap-format-scanline-pad: 32
    min-keycode: 8
    max-keycode: 255
    unused
    vendor: The X.Org Foundation
    pixmap-format
    screen

Wireshark

The X11 dissector is quite functional. A lot of the dissector is automatically generated from the mesa and xcbproto sources which means that protocol extensions are automatically supported as they are added to the protocol.

Preference Settings

The X11 dissector's sole preference is whether to reassemble TCP segments.

Example capture file

There are a number of X11 sample captures on the SampleCaptures page.

Display Filter

A complete list of X11 display filter fields can be found in the display filter reference

• Show only the X11 based traffic:

   x11

Capture Filter

You cannot directly filter X11 protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

External links

• Wikipedia has a number of in-depth pages about the X windowing system and the X protocol.

Discussion