Wireshark-MCP
Enables LLMs to perform automated network forensics, threat hunting, and traffic analysis using Wireshark/TShark.
A network traffic analysis server built on the Model Context Protocol (MCP). It lets a large language model (LLM) drive Wireshark/TShark to perform automated network forensics, threat hunting and traffic analysis.
✨ Core features
Offline analysis (PCAP)
- PCAP analysis: load and parse .pcap/.cap files
- CTF toolkit: flag search, entropy analysis, automatic decoding
- Webshell detection: fingerprinting and traffic decryption for Behinder (冰蝎), Godzilla (哥斯拉) and AntSword (蚁剑)
- Threat detection: automatic identification of SQL injection, XSS, webshells, C2 communication and more
- IOC extraction: automatic extraction of IPs, domains, URLs, User-Agents and other indicators
- Stream reassembly: automatic TCP stream following with file/text extraction
Live capture
- Live capture: capture traffic from a network interface in real time
- Protocol statistics: protocol hierarchy and conversation statistics
- Threat intelligence: IP blocklist lookup (URLhaus)
- Credential extraction: HTTP Basic/FTP/Telnet/Kerberos credentials
AI assistance
- Structured output: one uniform JSON shape, {summary, findings, next_steps}
- Standard investigation workflow: investigation prompts tailored to CTF and forensic work
- Guided tool use: detailed tool descriptions that steer the model to the right tool
🚀 Quick start
For detailed installation, configuration and usage instructions see INSTALL_AND_CONFIG.md.
MCP client configuration (Windows local / stdio)
Add the following to your MCP client's configuration file (for example mcp.json, or the Trae or Claude Desktop configuration). It matches this repository's Windows directory layout and the run_mcp.py launcher; adjust the paths to your own checkout and Wireshark installation. Note the last two arguments: `--allow-outside-workdir` and `--allow-all-tshark-args` lift restrictions that, judging by their names, confine file access to the working directory and limit which tshark arguments the server will pass through. With both set, a tool such as `run_tshark` lets the model run any tshark invocation, including `-w` writes to arbitrary paths and reads of any capture file on the host, so leave them out unless the model genuinely needs that freedom and the host is disposable.
```json
{
  "mcpServers": {
    "Local-win-wireshark": {
      "command": "E:\\mcp-wireshark\\venv\\Scripts\\python.exe",
      "args": [
        "-u",
        "E:\\mcp-wireshark\\run_mcp.py",
        "--workdir",
        "E:\\mcp-wireshark",
        "--tshark-path",
        "E:\\Wireshark\\tshark.exe",
        "--allow-outside-workdir",
        "--allow-all-tshark-args"
      ]
    }
  }
}
```
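What a least-privilege deployment wants in front of anything like `run_tshark` when the two `--allow-*` flags are left off is an argument vetting step. The following is an added example of such a check, written for this page; it is not code from Wireshark-MCP and does not show how that project implements its own restrictions. The allow-lists, the `vet_tshark_args`/`is_permitted` names and the policy choices are assumptions: only read-only analysis flags pass, flags that write files, start a capture, or load Lua or preference overrides are refused, glued values such as `-wout.pcap` are caught, and the single `-r` must resolve inside the working directory.

```python
import os

# Policy for what a model-driven caller may pass to tshark (assumed for this example).
BARE_FLAGS = {"-n", "-q", "-x", "-V", "-2"}               # read-only switches, no value
VALUE_FLAGS = {"-Y", "-R", "-T", "-e", "-E", "-z", "-d",   # read-only options taking one value
               "-c", "-O", "-j", "-J"}
# Write files, start a live capture, or load Lua/preferences: never from a model.
DENIED_FLAGS = {"-w", "-i", "-X", "-o", "-b", "-a", "-D", "-L", "-G", "-F"}


class TsharkArgError(ValueError):
    """The argument vector violates the policy."""


def _under_workdir(workdir: str, path: str) -> bool:
    """True if path (absolute, or relative to workdir) resolves inside workdir."""
    root = os.path.realpath(workdir)
    real = os.path.realpath(os.path.join(root, path))
    return real == root or real.startswith(root + os.sep)


def vet_tshark_args(args, workdir: str) -> list:
    """Return a sanitised tshark argv (binary excluded) or raise TsharkArgError.

    Policy: exactly one -r whose file lies under workdir, only the read-only
    analysis flags above, no long options and no positional words (tshark
    treats a bare positional as a capture filter, which implies live capture).
    """
    args = list(args)
    out, pcap, i = [], None, 0
    while i < len(args):
        a = args[i]
        if a.startswith("--") or not a.startswith("-") or a == "-":
            raise TsharkArgError(f"not permitted: {a!r}")
        # getopt accepts a value glued to its flag ("-wout.pcap"), so split after two chars.
        flag, glued = a[:2], a[2:]
        if flag in DENIED_FLAGS:
            raise TsharkArgError(f"flag disallowed for model-driven use: {flag}")
        if flag in BARE_FLAGS:
            if glued:
                raise TsharkArgError(f"unexpected value on {flag}: {a!r}")
            out.append(flag)
        elif flag == "-r" or flag in VALUE_FLAGS:
            if glued:
                value = glued
            elif i + 1 < len(args):
                i += 1
                value = args[i]
            else:
                raise TsharkArgError(f"{flag} needs a value")
            if flag == "-r":
                if pcap is not None:
                    raise TsharkArgError("only one -r is allowed")
                if not _under_workdir(workdir, value):
                    raise TsharkArgError(f"pcap outside workdir: {value!r}")
                # Hand tshark the resolved absolute path, not the caller's spelling of it.
                value = pcap = os.path.realpath(os.path.join(os.path.realpath(workdir), value))
            out += [flag, value]
        else:
            raise TsharkArgError(f"unknown flag: {flag}")
        i += 1
    if pcap is None:
        raise TsharkArgError("a -r <file> under the workdir is required")
    return out


def is_permitted(args, workdir: str) -> bool:
    """Boolean wrapper around vet_tshark_args for quick policy checks."""
    try:
        vet_tshark_args(args, workdir)
        return True
    except TsharkArgError:
        return False
```

The returned list is what you would prepend the tshark binary path to before `subprocess.run(..., shell=False)`. Anything not explicitly allow-listed is refused, including `-o`, which means TLS key-log decryption needs its own narrowly scoped rule rather than a blanket exception.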
Available tools
| Category | Tool | Function |
|---|---|---|
| Basic | list_pcaps | List the PCAP files in a directory |
| | load_pcap | Load a PCAP and create an analysis session |
| | summary_stats | Protocol statistics and top talkers |
| One-shot | quick_triage | Fast situational awareness: protocols / top talkers / IOCs / recommended next steps (supports pcap_path) |
| | analyze_lateral_movement | One-shot lateral-movement leads: NTLM/SMB/WinRM/RDP correlation (supports pcap_path) |
| | auto_webshell | One-shot webshell handling: detect → extract key → attempt decryption → save artifacts to loot (supports pcap_path) |
| | solve_solar_challenge | Challenge-type one-shot: automatically extract the key fields from the PCAP and compute the final flag (supports pcap_path) |
| Filtering | run_display_filter | Apply a display filter |
| | run_tshark | Run an arbitrary tshark command |
| Stream following | follow_tcp_stream | Follow a TCP stream and extract its content |
| Detection | detect_suspicious | Rule-based detection of suspicious activity |
| | detect_port_scan | Detect port-scanning behaviour |
| | detect_webshell | Detect encrypted webshell traffic |
| CTF | search_patterns | Search for CTF flag patterns |
| | analyze_entropy | Shannon entropy analysis (detect encryption/compression) |
| | decode_stream | Automatic Base64/hex/URL decoding |
| Webshell | extract_webshell_key | Extract the decryption key |
| | decrypt_webshell | Decrypt Behinder/Godzilla/AntSword traffic |
| | brute_force_webshell | Dictionary brute-force of the decryption key |
| Forensics | extract_iocs | Extract IOCs (IPs, domains, URLs) |
| | generate_timeline | Generate a network event timeline |
| | export_objects | Export HTTP objects and files |
| | extract_credentials | Extract plaintext credentials and Kerberos hashes |
| Timing | analyze_timing | Detect C2 heartbeats and periodic communication |
| Live | capture_packets | Live capture, returned as JSON |
| | capture_summary | Live capture with protocol statistics |
| | capture_conversations | Live capture with conversation statistics |
| | check_ip_threat | Query IP threat intelligence |
Notes:
- Most tools accept either session_id or pcap_path (the latter lets the model analyze a PCAP in any directory with a single call, without first creating a session).
- decrypt_rdp/analyze_rdp_attack_chain produce forensic leads and correlation analysis first and foremost; they do not promise full decryption of TLS/NLA/CredSSP-protected RDP.
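analyze_timing's notion of a C2 heartbeat is regularity: a check-in that sleeps for a fixed interval produces inter-arrival times with a small coefficient of variation, while human-driven traffic is bursty. The following added example (written for this page, not Wireshark-MCP's own implementation) reads the tab-separated output of `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport` and flags flows whose interval jitter sits below a threshold. The sample lines, the 0.2 jitter threshold and the eight-packet minimum are constructed for the example; in a real run, restrict the tshark display filter to client-initiated packets (for instance SYNs) so that server responses do not dilute the measurement.

```python
from collections import defaultdict
from statistics import mean, pstdev


def parse_tshark_fields(text: str):
    """Parse rows of `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`
    (tab-separated by default). Rows without a TCP destination port are skipped."""
    packets = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or not parts[3].strip():
            continue
        packets.append((float(parts[0]), parts[1], parts[2], int(parts[3])))
    return packets


def detect_beacons(packets, min_count=8, max_jitter=0.2):
    """Flag (src, dst, dport) flows whose inter-arrival times are nearly constant.

    jitter = coefficient of variation of the gaps (stdev / mean). A sleep-based
    check-in keeps it small; interactive traffic scores well above 1.
    Thresholds are constructed for this example and need tuning per environment.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in packets:
        by_flow[(src, dst, dport)].append(ts)
    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({"flow": flow, "count": len(times),
                             "period_s": round(period, 2), "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


# Constructed sample in tshark field-output format: a 60-second beacon with sub-second
# jitter, a browsing session with irregular gaps, and one non-TCP row with an empty port.
_T0 = 1700000000.0
_BEACON_JITTER = [0.0, 0.8, -0.5, 0.3, 1.2, -0.9, 0.4, 0.0, -0.6, 0.7, 0.2, -0.3]
_BROWSE_OFFSETS = [0.0, 0.2, 15.2, 16.3, 56.3, 59.3, 59.8, 179.8, 186.8]
SAMPLE_FIELDS = "\n".join(
    [f"{_T0 + 60 * i + j:.6f}\t10.0.0.5\t203.0.113.7\t443" for i, j in enumerate(_BEACON_JITTER)]
    + [f"{_T0 + t:.6f}\t10.0.0.9\t198.51.100.20\t443" for t in _BROWSE_OFFSETS]
    + [f"{_T0 + 5:.6f}\t10.0.0.9\t198.51.100.21\t"]
)

if __name__ == "__main__":
    for hit in detect_beacons(parse_tshark_fields(SAMPLE_FIELDS)):
        print(hit)   # the 10.0.0.5 -> 203.0.113.7:443 flow, period ~60 s, jitter ~0.02
```

Beacons with randomised sleep (a 20 to 30 percent jitter setting in common C2 frameworks) push the coefficient of variation up, so the threshold is a trade-off; a second pass over the gap distribution (for example, checking that all gaps fall within a fixed window around the median) catches those at the cost of more false positives from polling clients.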
CTF usage example
```python
# 1. Load the PCAP; this creates the analysis session whose session_id the later calls use
load_pcap(pcap_path="./pcaps/attack.pcap")
# 2. Search for flags
search_patterns(session_id="xxx", search_flag=True)
# 3. Check for encryption (Shannon entropy of one TCP stream)
analyze_entropy(session_id="xxx", stream_index=5)
# 4. Automatic decoding
decode_stream(session_id="xxx", stream_index=5, encoding="auto")
# 5. Detect webshells
detect_webshell(session_id="xxx")
# 6. Brute-force the decryption key (Behinder example)
brute_force_webshell(session_id="xxx", tool_type="behinder", stream_index=5)
```
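What steps 2 to 4 compute, written out as an added, self-contained example (not code from Wireshark-MCP, whose internals this page does not show): Shannon entropy per stream segment, layered auto-decoding of hex, Base64 and URL encoding with a printable-text sanity check so that random bytes are not "decoded", and a flag regex run over both the raw and the decoded data. The segment contents, the flag pattern, the token regex and the 7.2 bits/byte threshold are constructed for this example.

```python
import base64
import binascii
import math
import random
import re
from urllib.parse import quote, unquote_to_bytes

FLAG_RE = re.compile(rb"(?:flag|FLAG|ctf)\{[^}]{1,200}\}")   # constructed flag pattern
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/=%]{8,}")             # blobs worth trying to decode
HIGH_ENTROPY = 7.2                                          # bits/byte; constructed threshold


def shannon_entropy(data: bytes) -> float:
    """0.0 for a constant stream, 8.0 for uniform bytes; ciphertext and compressed
    data sit near the top, English or HTTP text around 4 to 5."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def _try_hex(data: bytes):
    s = data.strip()
    if len(s) < 8 or len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s.decode("ascii"))


def _try_base64(data: bytes):
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def _try_url(data: bytes):
    if b"%" not in data:
        return None
    out = unquote_to_bytes(data)
    return None if out == data else out


# Hex has the strictest alphabet, so it is tried first: a hex string is also valid
# Base64 and would otherwise "decode" to garbage.
DECODERS = [("hex", _try_hex), ("base64", _try_base64), ("url", _try_url)]


def auto_decode(data: bytes, max_depth: int = 6):
    """Peel encoding layers until none applies; a layer counts only if the result still looks like text."""
    layers = []
    for _ in range(max_depth):
        for name, fn in DECODERS:
            out = fn(data)
            if out is not None and out != data and _printable_ratio(out) >= 0.8:
                layers.append(name)
                data = out
                break
        else:
            break
    return data, layers


def find_flags(data: bytes):
    return [m.decode("ascii", errors="replace") for m in FLAG_RE.findall(data)]


def triage_segments(segments):
    """Per segment: entropy, the deepest decode chain found, flags, and a one-word verdict."""
    report = []
    for idx, seg in enumerate(segments):
        ent = shannon_entropy(seg)
        # Try the whole segment and every embedded token; decoding the whole HTTP body fails
        # as soon as a space or quote appears, so the token pass is what finds hidden flags.
        results = [auto_decode(c) for c in [seg] + [t for t in TOKEN_RE.findall(seg) if t != seg]]
        results = [(d, lay) for d, lay in results if lay]
        layers = max((lay for _, lay in results), key=len, default=[])
        flags = []
        for blob in [seg] + [d for d, _ in results]:
            flags += [f for f in find_flags(blob) if f not in flags]
        verdict = ("flag" if flags else "encrypted-or-compressed" if ent >= HIGH_ENTROPY
                   else "encoded" if layers else "plaintext")
        report.append({"index": idx, "entropy": round(ent, 2), "layers": layers,
                       "flags": flags, "verdict": verdict})
    return report


# Constructed "TCP stream" segments: a plain request, a flag hidden under hex -> Base64 -> URL
# encoding inside a JSON body, and seeded pseudo-random bytes standing in for ciphertext.
_FLAG = b"flag{mcp_decode_chain}"
_ENCODED = quote(base64.b64encode(binascii.hexlify(_FLAG)).decode("ascii"), safe="").encode("ascii")
SAMPLE_SEGMENTS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    b'POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/json\r\n\r\n{"d":"' + _ENCODED + b'"}',
    random.Random(7).randbytes(1024),
]
```

Running `triage_segments(SAMPLE_SEGMENTS)` reports the first segment as plaintext, the second as a flag reached through the url, base64 and hex layers, and the third as encrypted-or-compressed with no flag. The printable-ratio gate is the part worth keeping: without it, any eight hex-looking characters in a binary stream would be accepted as a Base64 layer and the decode chain would wander off into noise.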
📜 License
MIT License