This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reconstructing unencrypted X11 traffic

0

I have a large amount of packet capture data and a lot of it is unencrypted X11 remote screen/desktop sharing images/traffic.

However I cannot seem to get wireshark to export those streams as anything that can be read by any image viewing software. I know it is not quite that simple, but I would like to be able to reconstruct the images that were passed in the X11 session to demonstrate to leadership that it is possible the way the hosts are currently configured (they should be encrypting the X11 communications). I do have permission to be doing this on our network.

Any less-than-painstaking-and-eye-stabbing methods for reconstructing the screen images from the X11 packets?

Thanks for any thoughts.

asked 26 May '16, 15:57

user5273's gravatar image

user5273
6112
accept rate: 0%


One Answer:

0

Not as far as I know. The X11 dissector hasn't been written to allow saving/export of images. It possibly could be but the functionality is not there now. (Some dissectors have functionality to save/export objects transferred via them--files over SMB come to mind--but X11 does not.)

answered 27 May '16, 10:55

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

...which means nothing more than that the hypothetical eavesdropper would need to spend some more effort than just to download Wireshark. Maybe a replay of the captured X11 stream to an X client would be enough for your purpose of demonstration to the management that the issue is serious?

(27 May '16, 15:26) sindy