Wireshark MCP Server

Wireshark MCP Server

A Model Context Protocol server that enables AI assistants to perform network packet analysis, capture, and security operations on a remote machine via Wireshark/tshark.

Category
Visit Server

README

Wireshark MCP Server

A Model Context Protocol (MCP) server that provides network packet analysis capabilities via Wireshark/tshark on a remote machine (e.g., Kali Linux).

This server enables AI assistants to perform sophisticated network traffic analysis, packet capture, protocol inspection, and security-focused operations through a standardized MCP interface.

Features

  • Live Packet Capture - Capture network traffic on remote interfaces with BPF filters
  • PCAP Analysis - Read and analyze existing pcap files
  • Protocol Statistics - Generate protocol hierarchy, conversations, endpoints, and I/O statistics
  • Stream Reconstruction - Follow TCP, UDP, HTTP, and TLS streams
  • File Extraction - Extract files from HTTP, SMB, DICOM, IMF, and TFTP traffic
  • Deep Packet Inspection - Decode packets with full protocol details
  • Credential Extraction - Search for credentials in HTTP Basic Auth, FTP, Telnet, and form submissions
  • HTTP Object Export - List and export HTTP objects from captures

Prerequisites

  • Node.js 18+
  • SSH access to a remote machine with tshark installed (e.g., Kali Linux)
  • SSH key-based authentication configured (password-less)
  • sudo access on the remote machine for packet capture

Installation

git clone https://github.com/schwarztim/sec-wireshark-mcp.git
cd sec-wireshark-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Variable Description Default
WIRESHARK_SSH_HOST SSH hostname or IP of the remote machine kali
WIRESHARK_SSH_USER SSH username (optional if using SSH config) (empty)
WIRESHARK_PCAP_DIR Directory on remote host for pcap files /tmp/mcp-pcaps

Example Configuration

export WIRESHARK_SSH_HOST="192.168.1.100"
export WIRESHARK_SSH_USER="kali"

Or use an SSH config entry:

# ~/.ssh/config
Host kali
    HostName 192.168.1.100
    User kali
    IdentityFile ~/.ssh/id_rsa

Usage with Claude Desktop

Add to your Claude Desktop configuration (~/.claude/user-mcps.json or Claude Desktop settings):

{
  "mcpServers": {
    "wireshark": {
      "command": "node",
      "args": ["/path/to/sec-wireshark-mcp/dist/index.js"],
      "env": {
        "WIRESHARK_SSH_HOST": "kali",
        "WIRESHARK_SSH_USER": "kali"
      }
    }
  }
}

Available Tools

tshark_list_interfaces

List available network interfaces on the remote machine for packet capture.

tshark_capture

Start packet capture on a specified interface.

Parameters:

  • interface (required): Network interface (e.g., eth0, wlan0)
  • count: Number of packets to capture (default: 10, max: 1000)
  • filter: BPF capture filter (e.g., port 80, host 192.168.1.1)
  • timeout: Capture timeout in seconds (default: 10, max: 60)
  • outputFile: Save capture to pcap file on remote host

tshark_read_pcap

Read and analyze a pcap file.

Parameters:

  • file (required): Path to the pcap file on remote host
  • filter: Wireshark display filter
  • count: Maximum packets to return (default: 100, max: 1000)
  • fields: Specific fields to extract (e.g., ['ip.src', 'ip.dst', 'tcp.port'])

tshark_filter

Apply a display filter to a pcap file.

Parameters:

  • file (required): Path to the pcap file
  • filter (required): Display filter (e.g., http.request, dns, tcp.flags.syn == 1)
  • outputFormat: json, text, or fields (default: json)
  • fields: Fields to extract when using fields format

tshark_stats

Generate protocol statistics from a pcap file.

Parameters:

  • file (required): Path to the pcap file
  • type (required): hierarchy, conversations, endpoints, io, http, or dns
  • protocol: Protocol for conversations/endpoints (e.g., tcp, udp, ip)

tshark_follow_stream

Reconstruct a TCP, UDP, HTTP, or TLS stream.

Parameters:

  • file (required): Path to the pcap file
  • protocol (required): tcp, udp, http, or tls
  • streamIndex: Stream index number (default: 0)
  • format: ascii, hex, or raw (default: ascii)

tshark_extract_files

Extract files from protocol traffic.

Parameters:

  • file (required): Path to the pcap file
  • protocol: http, dicom, imf, smb, or tftp (default: http)
  • outputDir: Directory for extracted files (default: /tmp/mcp-extracted)

tshark_decode

Deep packet inspection with full protocol details.

Parameters:

  • file (required): Path to the pcap file
  • packetNumber: Specific packet number to decode
  • filter: Display filter to select packets
  • protocols: Specific protocols to show (e.g., ['http', 'tcp', 'ip'])
  • verbose: Show all protocol details (default: false)

tshark_extract_credentials

Search for potential credentials in network traffic.

Parameters:

  • file (required): Path to the pcap file

Searches for HTTP Basic Auth, FTP credentials, HTTP POST form data, and Telnet data.

tshark_export_objects

List and export HTTP objects from a capture.

Parameters:

  • file (required): Path to the pcap file
  • listOnly: Only list objects without extracting (default: true)
  • outputDir: Directory for extracted objects

Security Considerations

  • This server executes commands on a remote machine via SSH
  • Input sanitization is implemented to prevent command injection
  • Use SSH key authentication with appropriate permissions
  • Consider network segmentation for the capture machine
  • The remote machine requires sudo access for live capture
  • Credential extraction features should be used only for authorized security testing

Development

# Run in development mode
npm run dev

# Build for production
npm run build

# Start production server
npm start

License

MIT License - see LICENSE for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Related Projects

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured