---
## What is this?
An [MCP server](https://modelcontextprotocol.io/introduction) that wraps `tshark` (and optional Wireshark suite tools) into a structured analysis interface. Works with Claude Desktop, Claude Code, Cursor, VS Code, and [18+ other MCP clients](docs-site/src/content/docs/getting-started/mcp-clients.md).
```
You: "Find all DNS queries going to suspicious domains in this capture."
Claude: [calls wireshark_extract_dns_queries → wireshark_check_threats]
"Found 3 queries to domains flagged by URLhaus: ..."
```
---
## Install
**Prerequisites:** Python 3.10+ and [Wireshark](https://www.wireshark.org/) with `tshark` on PATH.
```sh
pip install wireshark-mcp
wireshark-mcp install # auto-configures all detected MCP clients
```
Restart your AI client — done.
Run `wireshark-mcp doctor` if anything looks off. See [docs-site/src/content/docs/reference/manual-configuration.md](docs-site/src/content/docs/reference/manual-configuration.md) for manual setup or platform-specific notes.
---
## Quick Start
Point your AI client at a `.pcap` file and try:
```
Analyze capture.pcap using the Wireshark MCP tools.
Start with wireshark_open_file, then run wireshark_security_audit.
Write findings to report.md.
```
---
## Tools
40+ tools organized into categories:
| Category | Highlights | Count |
|----------|-----------|:-----:|
| **Agentic Workflows** | `wireshark_security_audit`, `wireshark_quick_analysis`, `wireshark_open_file` | 4 |
| **Packet Analysis** | Packet list, details, bytes, context, stream follow, search | 7 |
| **Data Extraction** | HTTP requests, DNS queries, TLS handshakes, field extraction | 6 |
| **Statistics** | Protocol hierarchy, endpoints, conversations, I/O graph, expert info | 6 |
| **Security** | Threat intel, credential scan, port scan, DNS tunnel, DoS detection | 6 |
| **Protocol Deep Dive** | TCP health, ARP spoofing, SMTP, DHCP | 5 |
| **File Ops & Capture** | Live capture, merge, filter-save, file info | 5 |
| **Suite Utilities** | editcap trim/split/dedup, text2pcap import | 5 |
| **Decode & Visualize** | Payload decode, traffic plot, protocol tree | 3 |
The server starts with only `tshark` required. Optional tools (`capinfos`, `mergecap`, `editcap`, `dumpcap`, `text2pcap`) are auto-detected and enable extra features when present.
---
## Documentation
| Topic | Link |
|-------|------|
| Platform setup (macOS/Linux/Windows) | [docs-site/src/content/docs/reference/toolchain.md](docs-site/src/content/docs/reference/toolchain.md) |
| Manual client configuration | [docs-site/src/content/docs/reference/manual-configuration.md](docs-site/src/content/docs/reference/manual-configuration.md) |
| Prompt templates | [docs-site/src/content/docs/reference/playbooks.mdx](docs-site/src/content/docs/reference/playbooks.mdx) |
| Release checklist | [docs-site/src/content/docs/reference/changelog.md](docs-site/src/content/docs/reference/changelog.md) |
| Contributing | [CONTRIBUTING.md](CONTRIBUTING.md) |
| Changelog | [GitHub Releases](https://github.com/bx33661/Wireshark-MCP/releases) |
| Security policy | [SECURITY.md](SECURITY.md) |
---
## Development
```sh
pip install -e ".[dev]"
pytest tests/ -v
ruff check src/ tests/
```
See [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide.
---