SharkMCP
A Model Context Protocol server that provides network packet capture and analysis capabilities through Wireshark/tshark integration, enabling AI assistants to perform network security analysis and troubleshooting.
Tools
start_capture_session
Start a background packet capture session. LLMs control all capture parameters including filters, interfaces, and packet limits. Can use saved configurations.
stop_capture_session
Stop a running capture session and analyze packets. LLMs control all analysis parameters including display filters and output formats. Can use saved configurations.
analyze_pcap_file
Analyze a local pcap/pcapng file. LLMs control all analysis parameters including filters, output formats, and custom fields. Can use saved configurations.
manage_config
Save, load, list, or delete reusable filter configurations. Allows LLMs to store commonly used capture and analysis parameters for easy reuse.
README
SharkMCP - Network Packet Analysis MCP Server
A Model Context Protocol (MCP) server that provides network packet capture and analysis capabilities through Wireshark/tshark integration. Designed for AI assistants to perform network security analysis, troubleshooting, and packet inspection.
This server was thought for situations where you want your agent to debug a program that sends requests and verify the packet traffic, allowing the following workflow:
- Start recording packets
- Run tool or perform request
- Stop recording and analyze results
Architecture
SharkMCP provides a simple, local development-focused architecture:
┌─────────────────────────────────────────────────────────┐
│ SharkMCP Server │
├─────────────────────────────────────────────────────────┤
│ MCP Protocol Layer │
│ ├─ start_capture_session │
│ ├─ stop_capture_session │
│ ├─ analyze_pcap_file │
│ └─ manage_config │
├─────────────────────────────────────────────────────────┤
│ tshark Integration Layer │
│ ├─ Cross-platform executable detection │
│ ├─ Process management │
│ └─ Output parsing (JSON/fields/text) │
├─────────────────────────────────────────────────────────┤
│ Host System Integration │
│ ├─ Local tshark installation │
│ ├─ Direct network interface access │
│ └─ Native file system operations │
└─────────────────────────────────────────────────────────┘
Features
- Async Packet Capture: Start background capture sessions with configurable filters and timeouts.
- PCAP File Analysis: Analyze existing packet capture files
- Flexible Output Formats: JSON, custom fields, or traditional text output
- SSL/TLS Decryption: Support for SSL keylog files to decrypt HTTPS traffic
- Reusable Configurations: Save and reuse capture/analysis configurations
/!\ Packet information can be very extensive. Make sure to use a scoped display filter not to overload the context of your conversation.
Prerequisites
System Requirements
- Wireshark/tshark: Must be installed and accessible
- Node.js: Version 18+
- pnpm: Package manager (recommended)
Installing Wireshark/tshark
macOS (using Homebrew):
brew install wireshark
Ubuntu/Debian:
sudo apt update
sudo apt install tshark wireshark-common
Windows: Download from wireshark.org
Installation
- Clone the repository:
git clone https://github.com/kriztalz/SharkMCP.git
cd SharkMCP
- Install dependencies:
pnpm install
- Build the project:
pnpm run build
- Run the server:
pnpm start
Testing
SharkMCP includes comprehensive integration tests that verify packet capture functionality.
Running Tests
# Run all tests
pnpm test
Configuration
MCP Client Setup
{
"mcpServers": {
"sharkmcp": {
"command": "node",
"args": ["/path/to/SharkMCP/dist/index.js"],
}
}
}
SSL/TLS Decryption (Optional)
To decrypt HTTPS traffic, export the SSLKEYLOGFILE environment variable:
export SSLKEYLOGFILE=/path/to/sslkeylog.log
Then configure your applications to log SSL keys to this file. Many applications support this automatically when the environment variable is set.
Then pass the log file pathname to the MCP server in the stop_capture_session tool.
Usage
Available Tools
- start_capture_session: Start background packet capture
- stop_capture_session: Stop capture and analyze results
- analyze_pcap_file: Analyze existing PCAP files
- manage_config: Save/load reusable configurations
Basic Examples
Start a capture session:
Interface: en0
Capture Filter: port 443
Timeout: 30 seconds
Analyze captured traffic:
Display Filter: tls.handshake.type == 1
Output Format: json
Save a configuration:
{
"name": "https-monitoring",
"description": "Monitor HTTPS traffic",
"captureFilter": "port 443",
"displayFilter": "tls.handshake.type == 1",
"outputFormat": "json",
"timeout": 60,
"interface": "en0"
}
Development
Project Structure
SharkMCP/
├── src/
│ ├── index.ts # Main server setup
│ ├── types.ts # TypeScript interfaces
│ ├── utils.ts # Utility functions
│ └── tools/ # Individual tool implementations
│ ├── start-capture-session.ts
│ ├── stop-capture-session.ts
│ ├── analyze-pcap-file.ts
│ └── manage-config.ts
├── test/ # Test files
│ └── integration.test.js # Integration tests
├── package.json
└── README.md
Development Commands
# Development mode with auto-reload
pnpm run dev
# Build for production
pnpm run build
# Run tests
pnpm run test
# Type checking
pnpm run build
Security Considerations
- Network Permissions: Packet capture requires elevated privileges
- File Access: Temporary files are created in
/tmp/ - Docker Security: Container runs as non-root user
- SSL Keylog: Sensitive SSL keys should be handled securely
Troubleshooting
Common Issues
"tshark not found":
- Ensure Wireshark is installed and tshark is in PATH
- Check installation with:
tshark -v
Permission denied for packet capture:
- On Linux: Add user to
wiresharkgroup or run withsudo - On macOS: Grant Terminal network access in System Preferences
- On Windows: Run as Administrator
No packets captured:
- Verify network interface name (
ip linkon Linux,ifconfigon macOS) - Check capture filter syntax
- Ensure traffic is present on the interface
Contributing (Very welcome!)
- Fork the repository
- Create a feature branch
- Make your changes following the existing code style
- Add tests for new functionality
- Submit a pull request
License
MIT License
Issues / Suggestions
Feel free to open an issue with any question or suggestion you may have.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.