mcp-wireshark

mcp-wireshark

Enables AI assistants to analyze, filter, and capture network traffic using Wireshark/tshark, allowing natural language interaction with packet captures.

Category
Visit Server

README

mcp-wireshark

Community-maintained MCP server for Wireshark / tshark. Not affiliated with Wireshark or Anthropic. Give your AI assistant direct access to packet captures. Ask Claude to summarize a .pcap, follow a TCP stream, filter for a specific protocol, or capture live traffic — all without leaving the chat.

Claude using mcp-wireshark to analyze a capture

PyPI version CI License: MIT Python 3.10+

Quick start with Claude Code

pip install mcp-wireshark
claude mcp add --transport stdio --scope user mcp-wireshark -- mcp-wireshark

That's it. Open Claude Code and try:

"Summarize ./capture.pcap and tell me which IPs talked the most."

--scope user makes the server available across every Claude Code project. Drop the flag to install it for the current project only. See claude mcp docs for more.

Verify the install

claude mcp list

You should see mcp-wireshark listed. Inside Claude Code, ask:

"Run check_installation."

If tshark is on your PATH, it returns the version. If not, see troubleshooting.

Tools

The server exposes 13 tools, split cleanly between read tools (safe, no side effects) and write tools (capture traffic or write files). Both groups are annotated with the standard MCP readOnlyHint so any compliant client can surface the distinction.

Read tools

Safe to call freely — they only inspect state.

Tool What it does
check_installation Verify tshark is installed and show version
list_interfaces List network interfaces available to capture from
read_pcap Read packets from a .pcap / .pcapng file (preview + total count)
display_filter Apply a Wireshark display filter to a pcap
summarize_pcap High-level summary: I/O stats, protocol hierarchy, top talkers
stats_by_proto Protocol hierarchy statistics
follow_tcp Reassemble a TCP stream and return its payload
follow_udp Reassemble a UDP stream and return its payload
expert_info tshark expert analysis: warnings, errors, and notes grouped by severity
decode_protocol Extract protocol fields as a TSV table. Curated defaults for HTTP, DNS, TLS, GOOSE, MMS, SV, SIP, ICMP; arbitrary fields for any other protocol
protocol_stats Aggregate -z reports (protocol hierarchy, conversations, endpoints, HTTP/DNS/SMB stats)

Write tools

These create files or capture live traffic. Compliant clients may prompt before invoking.

Tool What it does
live_capture Capture live traffic from an interface (capped at 5 minutes / 10k packets)
export_json Export packets from a pcap to a JSON file at a path you choose

See it in action

These clips run the real tools against demo/demo.pcapng — a short home-network capture. Regenerate them with python demo/render_gif.py <scene>.

summarize_pcap — characterize an unknown capture at a glance

summarize_pcap demo

decode_protocol — filter to a protocol and get a compact table (here: TLS SNI and DNS-over-HTTPS lookups)

decode_protocol demo

expert_info — let tshark surface the warnings and anomalies for you

expert_info demo

Example prompts

Drop these into Claude Code as-is:

List my network interfaces.
Summarize ./traffic.pcap.
From ./traffic.pcap, show me only HTTP requests.
Follow TCP stream 0 in ./traffic.pcap and tell me what protocol is in it.
Capture 30 seconds of traffic on Wi-Fi filtered to tcp.port == 443.
Export every DNS packet from ./traffic.pcap to ./dns.json.
Decode the GOOSE messages in ./substation.pcapng — only stNum >= 1.
Run expert analysis on ./traffic.pcap and group findings by severity.
Show me the IP conversations in ./traffic.pcap.

Useful display filters

Filter Matches
tcp.port == 80 HTTP
tcp.port == 443 HTTPS
dns All DNS
http.request HTTP requests only
ip.addr == 10.0.0.1 Traffic to/from a specific host
tcp.flags.syn == 1 && tcp.flags.ack == 0 TCP SYN packets only

For substation engineers analyzing IEC 61850 traffic:

Filter Matches
goose All GOOSE messages
goose.stNum > 0 GOOSE messages with state changes
mms All MMS traffic
sv Sampled Values

Other clients

Anything that speaks MCP works. The package installs an mcp-wireshark binary on PATH.

<details> <summary><b>Claude Desktop</b></summary>

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
    "mcpServers": {
        "wireshark": {
            "command": "mcp-wireshark"
        }
    }
}

</details>

<details> <summary><b>VS Code (Copilot / GitHub Copilot Chat)</b></summary>

Create .vscode/mcp.json in your workspace:

{
    "servers": {
        "wireshark": {
            "command": "mcp-wireshark"
        }
    }
}

</details>

<details> <summary><b>Cursor / Windsurf / others</b></summary>

Use the same stdio invocation: command: mcp-wireshark. No transport flags.

</details>

Prerequisites

  • Python 3.10+
  • Wireshark installed; tshark reachable on PATH

Install with pip or uv:

pip install mcp-wireshark
# or
uvx mcp-wireshark

Troubleshooting

<details> <summary><b>tshark not found on Windows</b></summary>

Add Wireshark to your system PATH:

  1. Press Win+R → run sysdm.cplAdvancedEnvironment Variables
  2. Edit Path → add C:\Program Files\Wireshark
  3. Restart your terminal and Claude Code, then re-run check_installation

(Avoid passing PATH through claude mcp add --env — values are taken literally, no %PATH% expansion.)

</details>

<details> <summary><b>Permission denied capturing on Linux</b></summary>

Add yourself to the wireshark group, then log out and back in:

sudo usermod -aG wireshark $USER

</details>

<details> <summary><b>"No packets captured" from live_capture</b></summary>

  • Confirm the interface name from list_interfaces (Wireshark uses different names than ifconfig/ip)
  • On macOS, you may need to install ChmodBPF (ships with the Wireshark .dmg)
  • Check that no display filter is excluding everything </details>

Development

git clone https://github.com/khuynh22/mcp-wireshark.git
cd mcp-wireshark
python -m venv venv && source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e ".[dev]"

pytest                   # tests
black src tests          # format
ruff check src tests     # lint
mypy src                 # type check

The codebase is organized so new tools land in one of two clearly-scoped files:

  • src/mcp_wireshark/read_tools.py — anything that just inspects state
  • src/mcp_wireshark/write_tools.py — anything that captures traffic or writes files

server.py only contains routing. See CLAUDE.md and CONTRIBUTING.md.

Security

Every file path is validated (.. rejected, extension allow-listed). Every display filter is checked for shell metacharacters. tshark is always invoked via asyncio.create_subprocess_exec, never shell=True. Hard caps: 10k packets per call, 5 min per live capture. See SECURITY.md.

License

MIT — see LICENSE.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured