Skip to main content
Glama
enesjakozh
0xKoda

WireMCP

by 0xKoda
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Local

check_threats

Monitor live network traffic and identify malicious IPs by cross-referencing the URLhaus blacklist using a specified network interface and capture duration.

Instructions

Capture live traffic and check IPs against URLhaus blacklist

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
durationNoCapture duration in seconds
interfaceNoNetwork interface to capture from (e.g., eth0, en0)en0

Implementation Reference

  • index.js:189-246 (handler)
    The handler function for the 'check_threats' tool. It captures live network traffic using tshark, extracts unique IP addresses, fetches the URLhaus IP blacklist, checks captured IPs against it, and reports any threats found.
    async (args) => {
  try {
    const tsharkPath = await findTshark();
    const { interface, duration } = args;
    const tempPcap = 'temp_capture.pcap';
    console.error(`Capturing traffic on ${interface} for ${duration}s to check threats`);

    await execAsync(
      `${tsharkPath} -i ${interface} -w ${tempPcap} -a duration:${duration}`,
      { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
    );

    const { stdout } = await execAsync(
      `${tsharkPath} -r "${tempPcap}" -T fields -e ip.src -e ip.dst`,
      { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
    );
    const ips = [...new Set(stdout.split('\n').flatMap(line => line.split('\t')).filter(ip => ip && ip !== 'unknown'))];
    console.error(`Captured ${ips.length} unique IPs: ${ips.join(', ')}`);

    const urlhausUrl = 'https://urlhaus.abuse.ch/downloads/text/';
    console.error(`Fetching URLhaus blacklist from ${urlhausUrl}`);
    let urlhausData;
    let urlhausThreats = [];
    try {
      const response = await axios.get(urlhausUrl);
      console.error(`URLhaus response status: ${response.status}, length: ${response.data.length} chars`);
      console.error(`URLhaus raw data (first 200 chars): ${response.data.slice(0, 200)}`);
      const ipRegex = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/;
      urlhausData = [...new Set(response.data.split('\n')
        .map(line => {
          const match = line.match(ipRegex);
          return match ? match[0] : null;
        })
        .filter(ip => ip))];
      console.error(`URLhaus lookup successful: ${urlhausData.length} blacklist IPs fetched`);
      console.error(`Sample URLhaus IPs: ${urlhausData.slice(0, 5).join(', ') || 'None'}`);
      urlhausThreats = ips.filter(ip => urlhausData.includes(ip));
      console.error(`Checked IPs against URLhaus: ${urlhausThreats.length} threats found - ${urlhausThreats.join(', ') || 'None'}`);
    } catch (e) {
      console.error(`Failed to fetch URLhaus data: ${e.message}`);
      urlhausData = [];
    }

    const outputText = `Captured IPs:\n${ips.join('\n')}\n\n` +
      `Threat check against URLhaus blacklist:\n${
        urlhausThreats.length > 0 ? `Potential threats: ${urlhausThreats.join(', ')}` : 'No threats detected in URLhaus blacklist.'
      }`;

    await fs.unlink(tempPcap).catch(err => console.error(`Failed to delete ${tempPcap}: ${err.message}`));

    return {
      content: [{ type: 'text', text: outputText }],
    };
  } catch (error) {
    console.error(`Error in check_threats: ${error.message}`);
    return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
  }
}
  • index.js:185-188 (schema)
    Input schema for the 'check_threats' tool using Zod, defining optional parameters for network interface and capture duration.
    {
  interface: z.string().optional().default('en0').describe('Network interface to capture from (e.g., eth0, en0)'),
  duration: z.number().optional().default(5).describe('Capture duration in seconds'),
},
  • index.js:182-247 (registration)
    Registration of the 'check_threats' tool using server.tool(), including name, description, input schema, and handler reference.
    server.tool(
  'check_threats',
  'Capture live traffic and check IPs against URLhaus blacklist',
  {
    interface: z.string().optional().default('en0').describe('Network interface to capture from (e.g., eth0, en0)'),
    duration: z.number().optional().default(5).describe('Capture duration in seconds'),
  },
  async (args) => {
    try {
      const tsharkPath = await findTshark();
      const { interface, duration } = args;
      const tempPcap = 'temp_capture.pcap';
      console.error(`Capturing traffic on ${interface} for ${duration}s to check threats`);

      await execAsync(
        `${tsharkPath} -i ${interface} -w ${tempPcap} -a duration:${duration}`,
        { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
      );

      const { stdout } = await execAsync(
        `${tsharkPath} -r "${tempPcap}" -T fields -e ip.src -e ip.dst`,
        { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } }
      );
      const ips = [...new Set(stdout.split('\n').flatMap(line => line.split('\t')).filter(ip => ip && ip !== 'unknown'))];
      console.error(`Captured ${ips.length} unique IPs: ${ips.join(', ')}`);

      const urlhausUrl = 'https://urlhaus.abuse.ch/downloads/text/';
      console.error(`Fetching URLhaus blacklist from ${urlhausUrl}`);
      let urlhausData;
      let urlhausThreats = [];
      try {
        const response = await axios.get(urlhausUrl);
        console.error(`URLhaus response status: ${response.status}, length: ${response.data.length} chars`);
        console.error(`URLhaus raw data (first 200 chars): ${response.data.slice(0, 200)}`);
        const ipRegex = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/;
        urlhausData = [...new Set(response.data.split('\n')
          .map(line => {
            const match = line.match(ipRegex);
            return match ? match[0] : null;
          })
          .filter(ip => ip))];
        console.error(`URLhaus lookup successful: ${urlhausData.length} blacklist IPs fetched`);
        console.error(`Sample URLhaus IPs: ${urlhausData.slice(0, 5).join(', ') || 'None'}`);
        urlhausThreats = ips.filter(ip => urlhausData.includes(ip));
        console.error(`Checked IPs against URLhaus: ${urlhausThreats.length} threats found - ${urlhausThreats.join(', ') || 'None'}`);
      } catch (e) {
        console.error(`Failed to fetch URLhaus data: ${e.message}`);
        urlhausData = [];
      }

      const outputText = `Captured IPs:\n${ips.join('\n')}\n\n` +
        `Threat check against URLhaus blacklist:\n${
          urlhausThreats.length > 0 ? `Potential threats: ${urlhausThreats.join(', ')}` : 'No threats detected in URLhaus blacklist.'
        }`;

      await fs.unlink(tempPcap).catch(err => console.error(`Failed to delete ${tempPcap}: ${err.message}`));

      return {
        content: [{ type: 'text', text: outputText }],
      };
    } catch (error) {
      console.error(`Error in check_threats: ${error.message}`);
      return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
    }
  }
);
  • index.js:17-39 (helper)
    Helper function findTshark() used by check_threats handler to locate the tshark executable.
    async function findTshark() {
  try {
    const tsharkPath = await which('tshark');
    console.error(`Found tshark at: ${tsharkPath}`);
    return tsharkPath;
  } catch (err) {
    console.error('which failed to find tshark:', err.message);
    const fallbacks = process.platform === 'win32'
      ? ['C:\\Program Files\\Wireshark\\tshark.exe', 'C:\\Program Files (x86)\\Wireshark\\tshark.exe']
      : ['/usr/bin/tshark', '/usr/local/bin/tshark', '/opt/homebrew/bin/tshark', '/Applications/Wireshark.app/Contents/MacOS/tshark'];
    
    for (const path of fallbacks) {
      try {
        await execAsync(`${path} -v`);
        console.error(`Found tshark at fallback: ${path}`);
        return path;
      } catch (e) {
        console.error(`Fallback ${path} failed: ${e.message}`);
      }
    }
    throw new Error('tshark not found. Please install Wireshark (https://www.wireshark.org/download.html) and ensure tshark is in your PATH.');
  }
}

Tool Definition Quality

C2.9/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden for behavioral disclosure. It mentions capturing traffic and checking against a blacklist but fails to describe critical traits like required permissions, network access needs, potential system impact, rate limits, or what the output looks like. For a tool that interacts with network traffic and external threat databases, this is a significant gap.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is extremely concise with a single sentence that directly states the tool's purpose. Every word earns its place, and there's no unnecessary information or repetition. It's appropriately sized for a simple tool with good schema coverage.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (network traffic capture and threat checking) and lack of annotations and output schema, the description is insufficient. It doesn't explain what happens during capture, how results are returned, error conditions, or security implications. The agent would need to guess about important operational details.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already fully documents both parameters (duration and interface). The description doesn't add any parameter-specific information beyond what's in the schema, such as explaining why these parameters matter or providing usage examples. Baseline 3 is appropriate when the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with specific verbs ('capture live traffic' and 'check IPs') and resource ('URLhaus blacklist'), making it easy to understand what the tool does. However, it doesn't explicitly differentiate from sibling tools like 'capture_packets' or 'check_ip_threats', which appear to have overlapping functionality.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives like 'capture_packets' or 'check_ip_threats'. It lacks context about prerequisites, appropriate scenarios, or exclusions, leaving the agent to infer usage from the purpose alone.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/0xKoda/WireMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server