Wireshark MCP Server

A Model Context Protocol (MCP) server that provides AI assistants with direct access to Wireshark network analysis capabilities. This tool enables AI-powered network troubleshooting, packet analysis, and network monitoring through a secure, standardized interface.

Features

• Live Packet Capture: Capture network traffic in real-time from any network interface
• PCAP File Analysis: Analyze existing packet capture files with advanced filtering
• Protocol Statistics: Generate comprehensive protocol hierarchy and conversation statistics
• Network Interface Management: List and interact with available network interfaces
• Security Controls: Comprehensive input validation and privilege management
• Async Operations: Non-blocking operations for high-performance analysis

Requirements

System Requirements

• Python 3.9+ with pip package manager
• Wireshark/TShark installed and accessible from command line
• Network capture permissions (see setup instructions below)
• Windows/Linux/macOS compatibility

Network Permissions Setup

Windows

1. Install Wireshark with WinPcap/Npcap during installation
2. Run as Administrator or ensure user has network capture permissions

Linux

# Add user to wireshark group
sudo usermod -aG wireshark $USER

# Or set capabilities on dumpcap (preferred)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

# Logout and login again for group changes to take effect

macOS

# Ensure user has admin privileges or use sudo for captures
# Wireshark installer typically handles permissions

Installation

1. Clone or download the project files
2. Install Python dependencies:

   pip install -r requirements.txt
   

3. Verify Wireshark installation:

   tshark --version
   

Configuration

Claude Desktop Integration

1. Locate your Claude Desktop config file:

   • Windows: %APPDATA%\Claude\claude_desktop_config.json
   • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
   • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add the Wireshark MCP server configuration:

   {
     "mcpServers": {
       "wireshark": {
         "command": "python",
         "args": ["/absolute/path/to/wireshark-mcp-server.py"],
         "env": {
           "PYTHONPATH": "/absolute/path/to/project/directory",
           "MCP_LOG_LEVEL": "INFO"
         }
       }
     }
   }
   

3. Restart Claude Desktop to load the new server

VS Code/Cursor Integration

For VS Code or Cursor, configure the MCP server in your IDE's MCP settings, pointing to the wireshark-mcp-server.py file.

Available Tools

get_network_interfaces()

Lists all available network interfaces for packet capture.

Usage:

Please list the available network interfaces

capture_live_packets(interface, count, capture_filter, timeout)

Captures live network packets from a specified interface.

Parameters:

• interface: Network interface name (e.g., "eth0", "Wi-Fi") or number (e.g., "1")
• count: Number of packets to capture (default: 50, max: 1000)
• capture_filter: BPF capture filter expression (optional)
• timeout: Capture timeout in seconds (default: 30, max: 60)

Usage:

Capture 100 packets from interface eth0 with filter "tcp port 80"

analyze_pcap_file(filepath, display_filter, max_packets)

Analyzes existing PCAP/PCAPNG files with optional filtering.

Parameters:

• filepath: Path to the PCAP/PCAPNG file
• display_filter: Wireshark display filter expression (optional)
• max_packets: Maximum number of packets to analyze (default: 100, max: 1000)

Usage:

Analyze the file /path/to/capture.pcap and show only HTTP requests

get_protocol_statistics(filepath)

Generates protocol hierarchy and IP conversation statistics from a capture file.

Parameters:

• filepath: Path to the PCAP/PCAPNG file

Usage:

Generate protocol statistics for /path/to/capture.pcap

get_capture_file_info(filepath)

Retrieves detailed information about a capture file (size, duration, packet count, etc.).

Parameters:

• filepath: Path to the PCAP/PCAPNG file

Usage:

Get information about the capture file /path/to/capture.pcap

Filter Examples

Capture Filters (BPF Syntax)

• "tcp port 80" - HTTP traffic
• "host 192.168.1.1" - Traffic to/from specific host
• "net 10.0.0.0/8" - Traffic on specific network
• "tcp and port 443" - HTTPS traffic
• "icmp" - ICMP/ping traffic

Display Filters (Wireshark Syntax)

• "http.request" - HTTP requests only
• "tcp.flags.syn == 1" - TCP SYN packets
• "dns.flags.response == 1" - DNS responses
• "ip.addr == 192.168.1.1" - Traffic to/from specific IP
• "tcp.analysis.retransmission" - TCP retransmissions

Security Features

• Input Validation: All user inputs are validated against security patterns
• File Path Sanitization: File paths are resolved and validated for safety
• Resource Limits: Capture duration, packet counts, and file sizes are limited
• Interface Validation: Only valid network interface names are accepted
• Filter Validation: Capture and display filters are checked for dangerous patterns

Usage Examples

Basic Network Troubleshooting

AI Assistant: "I need to troubleshoot network connectivity issues"
User: "Capture 200 packets from the main network interface and look for any issues"

HTTP Traffic Analysis

AI Assistant: "Let me analyze your web traffic"
User: "Capture traffic on port 80 and 443 for 60 seconds and show me the top websites accessed"

Security Investigation

AI Assistant: "Analyzing suspicious network activity"
User: "Examine this PCAP file for any unusual connections or potential security threats"

Performance Analysis

AI Assistant: "Investigating network performance issues"
User: "Generate protocol statistics from this capture file to identify bandwidth usage"

Troubleshooting

Common Issues

1. "TShark not found" error

   • Ensure Wireshark is installed and tshark is in your PATH
   • On Windows, check C:\Program Files\Wireshark\tshark.exe

2. Permission denied for packet capture

   • Follow the network permissions setup instructions above
   • On Linux/macOS, you may need to use sudo for live captures

3. "FastMCP not installed" error

   • Install required dependencies: pip install -r requirements.txt

4. Interface not found

   • Use get_network_interfaces() to see available interfaces
   • Interface names vary by operating system

Debug Mode

Enable debug logging by setting the environment variable:

export MCP_LOG_LEVEL=DEBUG
python wireshark-mcp-server.py

Development

Testing the Server

# Install development dependencies
pip install -r requirements.txt

# Test the server directly
python wireshark-mcp-server.py

# Run with debug logging
MCP_LOG_LEVEL=DEBUG python wireshark-mcp-server.py

Contributing

1. Fork the repository
2. Create a feature branch
3. Add tests for new functionality
4. Submit a pull request

License

This project is provided as-is for educational and professional use. Please ensure compliance with your organization's security and network monitoring policies.

Support

For issues and questions:

1. Check the troubleshooting section above
2. Verify Wireshark installation and permissions
3. Check the project logs for detailed error messages
4. Ensure all requirements are properly installed

Acknowledgments

• Built on the Model Context Protocol (MCP) by Anthropic
• Utilizes the Wireshark network analysis toolkit
• Designed for secure, AI-powered network analysis