Ghost Debugging 5: Capturing Network Packets

Previously in Ghost Debugging 4: SMTP Email Bug we found GhostMailer.js was not setting the FROM field correctly when generating a Magic Email link for subscriber signup.

Behavior of self hosted Ghost 5.47.1

In this post we want to confirm this by capturing the network data seen by the SMTP mail server that is currently responding to Ghost.

Remote Host Preparation:

  • Install Wireshark on the remote host to get access to dumpcap.
  • Create a script to launch dumpcap with the necessary parameters for capturing from both eth0 and lo.

Local Host Preparation:

  • Create a FIFO file using the command mkfifo /tmp/remote.
  • Ensure that tshark and wireshark are installed on your local machine for later analysis.

Capturing Packets:

  • Use SSH to execute dumpcap on the remote host and redirect the output to the local FIFO file. For example:
    ssh user@remote_host "dumpcap -i eth0 -i lo -w -" > /tmp/remote
    Running dumpcap on remote, redirect to FIFO
  • In the command above, -i specifies the interfaces to capture from (dumpcap accepts it more than once), and -w - tells dumpcap to write the packet data to standard output, which is then redirected to your local FIFO file /tmp/remote via the SSH connection.

Local Analysis:

  • On your local machine, use tshark to read from the FIFO file and filter for the protocols of interest in the terminal, with no GUI:
    tshark -r /tmp/remote -Y "http || smtp || dns || mysql"
  • Alternatively, open the FIFO file in the Wireshark GUI, which then listens on the FIFO filled by the remote dumpcap process, and apply a display filter for the protocols of interest:
    wireshark -k -i /tmp/remote

This setup captures all packets on the specified interfaces of the remote host and allows you to filter and analyze the packets of interest locally using tshark or wireshark.

Example: capture sign up email

We suspect Ghost.js is sending the wrong credentials. The console output of debug server shows noreply@localhost is being set as the SMTP from field. This should be info@nodeholder.com:

Ghost development server console output showing subscribe email failure
Network of system under test

We want to capture HTTP, SMTP and MySQL, plus the TLS handshake, and drop what only adds noise: the SSH session that carries the capture itself (otherwise the capture would contain its own traffic), QUIC, the Node.js debugger on port 7005 and ICMP:

(http or smtp or tls.handshake or mysql) and not (ssh or quic or tcp.port==7005 or icmp)
Wireshark filter, paste in GUI or use with tshark CLI
Capturing with tcpdump on remote, wireshark local

In summary

  • Create a FIFO on local machine:
    mkfifo /tmp/remote
  • Capture all packets on remote, direct to local fifo (the remote command is one quoted argument to ssh; tcpdump honours only the last -i, so use -i any to cover both eth0 and lo, and -U so packets are flushed to the FIFO as they arrive rather than buffered):
    ssh root@$ghost "tcpdump -U -i any -w -" > /tmp/remote
  • Start wireshark locally:
    wireshark -k -i /tmp/remote
  • Use this filter in wireshark (7005 is for NodeJS debugger):
    (http or smtp or tls.handshake or mysql) and not (ssh or quic or tcp.port==7005 or icmp)
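The two procedures on this page (the dumpcap/tshark walkthrough above and this tcpdump/wireshark summary) wrapped into one reusable script. This is an added example, not code from the original post; it assumes key-based SSH access to the Ghost host (the ssh runs in the background, so it must not prompt for a password), dumpcap or tcpdump installed there, and tshark/wireshark installed locally. The host name ghost.example.invalid, the user root, the FIFO path /tmp/remote, the debugger port 7005 and all function names are illustrative choices of mine. Unlike the post it attaches tshark to the FIFO with -i, the documented way to capture from a named pipe, and gives tcpdump -i any because tcpdump keeps only the last -i.

```shell
#!/bin/sh
# Added example (not from the original post): remote packet capture into a
# local FIFO, analysed with tshark or Wireshark. Host, user and paths below
# are assumed defaults; override them through the environment.

GHOST_HOST="${GHOST_HOST:-ghost.example.invalid}"   # assumed remote Ghost host
GHOST_USER="${GHOST_USER:-root}"                    # assumed SSH user
FIFO="${FIFO:-/tmp/remote}"                         # local FIFO, as in the post
DEBUG_PORT="${DEBUG_PORT:-7005}"                    # Node.js inspector port, excluded

# Display filter from the post: keep Ghost's HTTP/SMTP/MySQL traffic and the
# TLS handshake; drop the SSH session carrying the capture (it would otherwise
# capture itself), QUIC, the Node.js debugger port and ICMP.
ghost_filter() {
    printf '(http or smtp or tls.handshake or mysql) and not (ssh or quic or tcp.port==%s or icmp)' "$DEBUG_PORT"
}

# Command executed on the remote side. dumpcap accepts several -i flags and
# -w - streams pcapng to stdout; tcpdump honours only the last -i, so 'any'
# covers eth0 and lo, and -U flushes each packet instead of block-buffering.
remote_capture_cmd() {
    case "$1" in
        dumpcap) echo "dumpcap -i eth0 -i lo -w -" ;;
        tcpdump) echo "tcpdump -U -i any -w -" ;;
        *) echo "unknown capture tool: $1" >&2; return 1 ;;
    esac
}

# Create the FIFO if it does not exist yet; refuse to clobber a regular file,
# since redirecting a capture onto an existing file would silently overwrite it.
ensure_fifo() {
    if [ -p "$1" ]; then return 0; fi
    if [ -e "$1" ]; then echo "$1 exists and is not a FIFO" >&2; return 1; fi
    mkfifo "$1"
}

# Start the remote capture in the background (the redirect blocks until a
# reader opens the FIFO), then attach tshark, or Wireshark when $2 is "gui".
# The remote command is passed as ONE quoted argument so the local shell does
# not parse its -i/-w options, the quoting bug in the post's summary line.
run_capture() {
    tool="${1:-dumpcap}"; mode="${2:-cli}"
    ensure_fifo "$FIFO" || return 1
    ssh "$GHOST_USER@$GHOST_HOST" "$(remote_capture_cmd "$tool")" > "$FIFO" &
    ssh_pid=$!
    trap 'kill "$ssh_pid" 2>/dev/null; rm -f "$FIFO"' EXIT INT TERM
    if [ "$mode" = gui ]; then
        wireshark -k -i "$FIFO" -Y "$(ghost_filter)"
    else
        tshark -i "$FIFO" -Y "$(ghost_filter)"
    fi
}

# Usage:  GHOST_HOST=203.0.113.10 CAPTURE_MAIN=1 sh capture.sh dumpcap gui
# (the guard lets the file be sourced for its functions without starting ssh)
if [ "${CAPTURE_MAIN:-0}" = 1 ]; then
    run_capture "$@"
fi
```

The trap tears the SSH session down and removes the FIFO when tshark or Wireshark exits, so a forgotten capture does not keep streaming packets from the server; because the filter excludes ssh, the capture stream itself never appears in the analysed output.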

Note that SMTP is negotiating to encrypted mode before it sends any data. This means we won't be able to see what it is sending to the SMTP server. We'll cover that in Ghost Debugging 6: Dealing with SMTP.