WireMCP

WireMCP

A Model Context Protocol server that provides LLMs with real-time network traffic analysis capabilities, enabling tasks like threat hunting, network diagnostics, and anomaly detection through Wireshark's tshark.

Category
Visit Server

Tools

capture_packets

Capture live traffic and provide raw packet data as JSON for LLM analysis

get_summary_stats

Capture live traffic and provide protocol hierarchy statistics for LLM analysis

get_conversations

Capture live traffic and provide TCP/UDP conversation statistics for LLM analysis

check_threats

Capture live traffic and check IPs against URLhaus blacklist

check_ip_threats

Check a given IP address against URLhaus blacklist for IOCs

analyze_pcap

Analyze a PCAP file and provide general packet data as JSON for LLM analysis

extract_credentials

Extract potential credentials (HTTP Basic Auth, FTP, Telnet) from a PCAP file for LLM analysis

README

Wire-MCP Banner

WireMCP

WireMCP is a Model Context Protocol (MCP) server designed to empower Large Language Models (LLMs) with real-time network traffic analysis capabilities. By leveraging tools built on top of Wireshark's tshark, WireMCP captures and processes live network data, providing LLMs with structured context to assist in tasks like threat hunting, network diagnostics, and anomaly detection.

Features

WireMCP exposes the following tools to MCP clients, enhancing LLM understanding of network activity:

  • capture_packets: Captures live traffic and returns raw packet data as JSON, enabling LLMs to analyze packet-level details (e.g., IP addresses, ports, HTTP methods).
  • get_summary_stats: Provides protocol hierarchy statistics, giving LLMs an overview of traffic composition (e.g., TCP vs. UDP usage).
  • get_conversations: Delivers TCP/UDP conversation statistics, allowing LLMs to track communication flows between endpoints.
  • check_threats: Captures IPs and checks them against the URLhaus blacklist, equipping LLMs with threat intelligence context for identifying malicious activity.
  • check_ip_threats: Performs targeted threat intelligence lookups for specific IP addresses against multiple threat feeds, providing detailed reputation and threat data.
  • analyze_pcap: Analyzes PCAP files to provide comprehensive packet data in JSON format, enabling detailed post-capture analysis of network traffic.
  • extract_credentials: Scans PCAP files for potential credentials from various protocols (HTTP Basic Auth, FTP, Telnet), aiding in security audits and forensic analysis.

How It Helps LLMs

WireMCP bridges the gap between raw network data and LLM comprehension by:

  • Contextualizing Traffic: Converts live packet captures into structured outputs (JSON, stats) that LLMs can parse and reason about.
  • Threat Detection: Integrates IOCs (currently URLhaus) to flag suspicious IPs, enhancing LLM-driven security analysis.
  • Diagnostics: Offers detailed traffic insights, enabling LLMs to assist with troubleshooting or identifying anomalies.
  • Narrative Generation: LLM's can Transform complex packet captures into coherent stories, making network analysis accessible to non-technical users.

Installation

Prerequisites

  • Mac / Windows / Linux
  • Wireshark (with tshark installed and accessible in PATH)
  • Node.js (v16+ recommended)
  • npm (for dependency installation)

Setup

  1. Clone the repository:

    git clone https://github.com/0xkoda/WireMCP.git
cd WireMCP

  2. Install dependencies:

    npm install

  3. Run the MCP server:

    node index.js

Note: Ensure tshark is in your PATH. WireMCP will auto-detect it or fall back to common install locations (e.g., /Applications/Wireshark.app/Contents/MacOS/tshark on macOS).

Usage with MCP Clients

WireMCP works with any MCP-compliant client. Below are examples for popular clients:

Example 1: Cursor

Edit mcp.json in Cursor -> Settings -> MCP :

{
  "mcpServers": {
    "wiremcp": {
      "command": "node",
      "args": [
        "/ABSOLUTE_PATH_TO/WireMCP/index.js"
      ]
    }
  }
}

Location (macOS): /Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json

Other Clients

This MCP will work well with any client. Use the command node /path/to/WireMCP/index.js in their MCP server settings.

Example Output

Running check_threats might yield:

Captured IPs:
174.67.0.227
52.196.136.253

Threat check against URLhaus blacklist:
No threats detected in URLhaus blacklist.

Running analyze_pcap on a capture file:

{
  "content": [{
    "type": "text",
    "text": "Analyzed PCAP: ./capture.pcap\n\nUnique IPs:\n192.168.0.2\n192.168.0.1\n\nProtocols:\neth:ethertype:ip:tcp\neth:ethertype:ip:tcp:telnet\n\nPacket Data:\n[{\"layers\":{\"frame.number\":[\"1\"],\"ip.src\":[\"192.168.0.2\"],\"ip.dst\":[\"192.168.0.1\"],\"tcp.srcport\":[\"1550\"],\"tcp.dstport\":[\"23\"]}}]"
  }]
}

LLMs can use these outputs to:

  • Provide natural language explanations of network activity
  • Identify patterns and potential security concerns
  • Offer context-aware recommendations
  • Generate human-readable reports

Roadmap

  • Expand IOC Providers: Currently uses URLhaus for threat checks. Future updates will integrate additional sources (e.g., IPsum, Emerging Threats) for broader coverage.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

License

MIT

Acknowledgments

  • Wireshark/tshark team for their excellent packet analysis tools
  • Model Context Protocol community for the framework and specifications
  • URLhaus for providing threat intelligence data

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured