Skip to main content
Glama
0xKoda

WireMCP

by 0xKoda
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Local

capture_packets

Capture live network traffic on specified interfaces, convert raw packet data into JSON format, and enable detailed analysis for tasks like threat detection and diagnostics within MCP server environments.

Instructions

Capture live traffic and provide raw packet data as JSON for LLM analysis

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
durationNoCapture duration in seconds
interfaceNoNetwork interface to capture from (e.g., eth0, en0)en0

Implementation Reference

  • index.js:48-97 (registration)
    Registers the capture_packets tool with the MCP server, including name, description, input schema, and handler function.
    server.tool(
  'capture_packets',
  'Capture live traffic and provide raw packet data as JSON for LLM analysis',
  {
    interface: z.string().optional().default('en0').describe('Network interface to capture from (e.g., eth0, en0)'),
    duration: z.number().optional().default(5).describe('Capture duration in seconds'),
  },
  async (args) => {
    try {
      const tsharkPath = await findTshark();
      const { interface, duration } = args;
      const tempPcap = 'temp_capture.pcap';
      console.error(`Capturing packets on ${interface} for ${duration}s`);

      await execAsync(
        `${tsharkPath} -i ${interface} -w ${tempPcap} -a duration:${duration}`,
        { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
      );

      const { stdout, stderr } = await execAsync(
        `${tsharkPath} -r "${tempPcap}" -T json -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e frame.time -e http.request.method -e http.response.code`,
        { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
      );
      if (stderr) console.error(`tshark stderr: ${stderr}`);
      let packets = JSON.parse(stdout);

      const maxChars = 720000;
      let jsonString = JSON.stringify(packets);
      if (jsonString.length > maxChars) {
        const trimFactor = maxChars / jsonString.length;
        const trimCount = Math.floor(packets.length * trimFactor);
        packets = packets.slice(0, trimCount);
        jsonString = JSON.stringify(packets);
        console.error(`Trimmed packets from ${packets.length} to ${trimCount} to fit ${maxChars} chars`);
      }

      await fs.unlink(tempPcap).catch(err => console.error(`Failed to delete ${tempPcap}: ${err.message}`));

      return {
        content: [{
          type: 'text',
          text: `Captured packet data (JSON for LLM analysis):\n${jsonString}`,
        }],
      };
    } catch (error) {
      console.error(`Error in capture_packets: ${error.message}`);
      return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
    }
  }
);
  • index.js:55-96 (handler)
    The handler function for capture_packets: uses tshark to capture packets on the specified interface for the given duration, parses to JSON, trims if over size limit, deletes temp file, returns packet data as text.
    async (args) => {
  try {
    const tsharkPath = await findTshark();
    const { interface, duration } = args;
    const tempPcap = 'temp_capture.pcap';
    console.error(`Capturing packets on ${interface} for ${duration}s`);

    await execAsync(
      `${tsharkPath} -i ${interface} -w ${tempPcap} -a duration:${duration}`,
      { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
    );

    const { stdout, stderr } = await execAsync(
      `${tsharkPath} -r "${tempPcap}" -T json -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e frame.time -e http.request.method -e http.response.code`,
      { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
    );
    if (stderr) console.error(`tshark stderr: ${stderr}`);
    let packets = JSON.parse(stdout);

    const maxChars = 720000;
    let jsonString = JSON.stringify(packets);
    if (jsonString.length > maxChars) {
      const trimFactor = maxChars / jsonString.length;
      const trimCount = Math.floor(packets.length * trimFactor);
      packets = packets.slice(0, trimCount);
      jsonString = JSON.stringify(packets);
      console.error(`Trimmed packets from ${packets.length} to ${trimCount} to fit ${maxChars} chars`);
    }

    await fs.unlink(tempPcap).catch(err => console.error(`Failed to delete ${tempPcap}: ${err.message}`));

    return {
      content: [{
        type: 'text',
        text: `Captured packet data (JSON for LLM analysis):\n${jsonString}`,
      }],
    };
  } catch (error) {
    console.error(`Error in capture_packets: ${error.message}`);
    return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
  }
}
  • index.js:51-54 (schema)
    Input schema using Zod: interface (optional string, default 'en0'), duration (optional number, default 5).
    {
  interface: z.string().optional().default('en0').describe('Network interface to capture from (e.g., eth0, en0)'),
  duration: z.number().optional().default(5).describe('Capture duration in seconds'),
},
  • index.js:17-39 (helper)
    Helper function to dynamically locate the tshark executable, used by capture_packets handler.
    async function findTshark() {
  try {
    const tsharkPath = await which('tshark');
    console.error(`Found tshark at: ${tsharkPath}`);
    return tsharkPath;
  } catch (err) {
    console.error('which failed to find tshark:', err.message);
    const fallbacks = process.platform === 'win32'
      ? ['C:\\Program Files\\Wireshark\\tshark.exe', 'C:\\Program Files (x86)\\Wireshark\\tshark.exe']
      : ['/usr/bin/tshark', '/usr/local/bin/tshark', '/opt/homebrew/bin/tshark', '/Applications/Wireshark.app/Contents/MacOS/tshark'];
    
    for (const path of fallbacks) {
      try {
        await execAsync(`${path} -v`);
        console.error(`Found tshark at fallback: ${path}`);
        return path;
      } catch (e) {
        console.error(`Fallback ${path} failed: ${e.message}`);
      }
    }
    throw new Error('tshark not found. Please install Wireshark (https://www.wireshark.org/download.html) and ensure tshark is in your PATH.');
  }
}

Tool Definition Quality

B3.4/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden but provides minimal behavioral information. It mentions 'capture live traffic' which implies a potentially privileged operation requiring network access, but doesn't disclose permission requirements, whether it's destructive, rate limits, or what happens during capture. The description adds some context about output format but misses critical behavioral traits.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that communicates the core purpose and output format without any wasted words. It's appropriately sized and front-loaded with the main action.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a network capture tool with no annotations and no output schema, the description is insufficient. It doesn't explain what 'raw packet data as JSON' actually contains, how much data might be returned, whether there are size limits, or what permissions are required. The description leaves too many open questions for a tool that performs privileged network operations.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already fully documents both parameters. The description doesn't add any parameter-specific information beyond what's in the schema. It mentions 'capture live traffic' which aligns with the parameters but provides no additional syntax, format, or usage details for the parameters.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('capture live traffic'), the resource ('raw packet data'), and the output format ('as JSON for LLM analysis'). It distinguishes from siblings like analyze_pcap (which analyzes existing files) or check_ip_threats (which focuses on threat detection rather than raw capture).

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for live traffic capture and LLM analysis, but doesn't explicitly state when to use this tool versus alternatives like analyze_pcap (for existing files) or get_summary_stats (for aggregated data). It provides some context but lacks explicit guidance on tool selection.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/0xKoda/WireMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server