Wireshark MCP

Wireshark MCP

**Give your AI assistant a packet analyzer.** *Drop a `.pcap` file, ask questions in plain English — get answers backed by real `tshark` data.*

CI GitHub Release PyPI Python MIT License

English中文ChangelogContributing

--- ## What is this? An [MCP server](https://modelcontextprotocol.io/introduction) that wraps `tshark` (and optional Wireshark suite tools) into a structured analysis interface. Works with Claude Desktop, Claude Code, Cursor, VS Code, and [18+ other MCP clients](docs-site/src/content/docs/getting-started/mcp-clients.md). ``` You: "Find all DNS queries going to suspicious domains in this capture." Claude: [calls wireshark_extract_dns_queries → wireshark_check_threats] "Found 3 queries to domains flagged by URLhaus: ..." ``` --- ## Install **Prerequisites:** Python 3.10+ and [Wireshark](https://www.wireshark.org/) with `tshark` on PATH. ```sh pip install wireshark-mcp wireshark-mcp install # auto-configures all detected MCP clients ``` Restart your AI client — done. Run `wireshark-mcp doctor` if anything looks off. See [docs-site/src/content/docs/reference/manual-configuration.md](docs-site/src/content/docs/reference/manual-configuration.md) for manual setup or platform-specific notes. --- ## Quick Start Point your AI client at a `.pcap` file and try: ``` Analyze capture.pcap using the Wireshark MCP tools. Start with wireshark_open_file, then run wireshark_security_audit. Write findings to report.md. ``` --- ## Tools 40+ tools organized into categories: | Category | Highlights | Count | |----------|-----------|:-----:| | **Agentic Workflows** | `wireshark_security_audit`, `wireshark_quick_analysis`, `wireshark_open_file` | 4 | | **Packet Analysis** | Packet list, details, bytes, context, stream follow, search | 7 | | **Data Extraction** | HTTP requests, DNS queries, TLS handshakes, field extraction | 6 | | **Statistics** | Protocol hierarchy, endpoints, conversations, I/O graph, expert info | 6 | | **Security** | Threat intel, credential scan, port scan, DNS tunnel, DoS detection | 6 | | **Protocol Deep Dive** | TCP health, ARP spoofing, SMTP, DHCP | 5 | | **File Ops & Capture** | Live capture, merge, filter-save, file info | 5 | | **Suite Utilities** | editcap trim/split/dedup, text2pcap import | 5 | | **Decode & Visualize** | Payload decode, traffic plot, protocol tree | 3 | The server starts with only `tshark` required. Optional tools (`capinfos`, `mergecap`, `editcap`, `dumpcap`, `text2pcap`) are auto-detected and enable extra features when present. --- ## Documentation | Topic | Link | |-------|------| | Platform setup (macOS/Linux/Windows) | [docs-site/src/content/docs/reference/toolchain.md](docs-site/src/content/docs/reference/toolchain.md) | | Manual client configuration | [docs-site/src/content/docs/reference/manual-configuration.md](docs-site/src/content/docs/reference/manual-configuration.md) | | Prompt templates | [docs-site/src/content/docs/reference/playbooks.mdx](docs-site/src/content/docs/reference/playbooks.mdx) | | Release checklist | [docs-site/src/content/docs/reference/changelog.md](docs-site/src/content/docs/reference/changelog.md) | | Contributing | [CONTRIBUTING.md](CONTRIBUTING.md) | | Changelog | [GitHub Releases](https://github.com/bx33661/Wireshark-MCP/releases) | | Security policy | [SECURITY.md](SECURITY.md) | --- ## Development ```sh pip install -e ".[dev]" pytest tests/ -v ruff check src/ tests/ ``` See [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide. ---
MIT License · Report a Bug