WireMCP

by 0xKoda
![Wire-MCP Banner](Wire-MCP.png)

# WireMCP

WireMCP is a Model Context Protocol (MCP) server designed to empower Large Language Models (LLMs) with real-time network traffic analysis capabilities. By leveraging tools built on top of Wireshark's `tshark`, WireMCP captures and processes live network data, providing LLMs with structured context to assist in tasks like threat hunting, network diagnostics, and anomaly detection.

# Features

WireMCP exposes the following tools to MCP clients, enhancing LLM understanding of network activity:

- **`capture_packets`**: Captures live traffic and returns raw packet data as JSON, enabling LLMs to analyze packet-level details (e.g., IP addresses, ports, HTTP methods).
- **`get_summary_stats`**: Provides protocol hierarchy statistics, giving LLMs an overview of traffic composition (e.g., TCP vs. UDP usage).
- **`get_conversations`**: Delivers TCP/UDP conversation statistics, allowing LLMs to track communication flows between endpoints.
- **`check_threats`**: Captures IPs and checks them against the URLhaus blacklist, equipping LLMs with threat intelligence context for identifying malicious activity.
- **`check_ip_threats`**: Performs targeted threat intelligence lookups for specific IP addresses against multiple threat feeds, providing detailed reputation and threat data.
- **`analyze_pcap`**: Analyzes PCAP files to provide comprehensive packet data in JSON format, enabling detailed post-capture analysis of network traffic.
- **`extract_credentials`**: Scans PCAP files for potential credentials from various protocols (HTTP Basic Auth, FTP, Telnet), aiding in security audits and forensic analysis.

## How It Helps LLMs

WireMCP bridges the gap between raw network data and LLM comprehension by:

- **Contextualizing Traffic**: Converts live packet captures into structured outputs (JSON, stats) that LLMs can parse and reason about.
- **Threat Detection**: Integrates IOCs (currently URLhaus) to flag suspicious IPs, enhancing LLM-driven security analysis.
- **Diagnostics**: Offers detailed traffic insights, enabling LLMs to assist with troubleshooting or identifying anomalies.
- **Narrative Generation**: LLMs can transform complex packet captures into coherent stories, making network analysis accessible to non-technical users.

# Installation

## Prerequisites

- Mac / Windows / Linux
- [Wireshark](https://www.wireshark.org/download.html) (with `tshark` installed and accessible in PATH)
- Node.js (v16+ recommended)
- npm (for dependency installation)

## Setup

1. Clone the repository:

   ```bash
   git clone https://github.com/0xkoda/WireMCP.git
   cd WireMCP
   ```

2. Install dependencies:

   ```bash
   npm install
   ```

3. Run the MCP server:

   ```bash
   node index.js
   ```

> **Note**: Ensure `tshark` is in your PATH. WireMCP will auto-detect it or fall back to common install locations (e.g., `/Applications/Wireshark.app/Contents/MacOS/tshark` on macOS).

# Usage with MCP Clients

WireMCP works with any MCP-compliant client. Below are examples for popular clients:

## Example 1: Cursor

Edit `mcp.json` in Cursor -> Settings -> MCP:

```json
{
  "mcpServers": {
    "wiremcp": {
      "command": "node",
      "args": [
        "/ABSOLUTE_PATH_TO/WireMCP/index.js"
      ]
    }
  }
}
```

**Location (macOS)**: `/Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json`

## Other Clients

This MCP will work well with any client. Use the command `node /path/to/WireMCP/index.js` in their MCP server settings.

# Example Output

Running `check_threats` might yield:

```
Captured IPs:
174.67.0.227
52.196.136.253

Threat check against URLhaus blacklist:
No threats detected in URLhaus blacklist.
```

Running `analyze_pcap` on a capture file:

```json
{
  "content": [{
    "type": "text",
    "text": "Analyzed PCAP: ./capture.pcap\n\nUnique IPs:\n192.168.0.2\n192.168.0.1\n\nProtocols:\neth:ethertype:ip:tcp\neth:ethertype:ip:tcp:telnet\n\nPacket Data:\n[{\"layers\":{\"frame.number\":[\"1\"],\"ip.src\":[\"192.168.0.2\"],\"ip.dst\":[\"192.168.0.1\"],\"tcp.srcport\":[\"1550\"],\"tcp.dstport\":[\"23\"]}}]"
  }]
}
```

LLMs can use these outputs to:

- Provide natural language explanations of network activity
- Identify patterns and potential security concerns
- Offer context-aware recommendations
- Generate human-readable reports

# Roadmap

- **Expand IOC Providers**: Currently uses URLhaus for threat checks. Future updates will integrate additional sources (e.g., IPsum, Emerging Threats) for broader coverage.

# Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

# License

[MIT](LICENSE)

# Acknowledgments

- Wireshark/tshark team for their excellent packet analysis tools
- Model Context Protocol community for the framework and specifications
- URLhaus for providing threat intelligence data
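The `analyze_pcap` and `check_threats` outputs shown under Example Output above combine two steps: summarising the `layers` objects that `tshark -T json` emits, and checking the extracted IPs against a blocklist. The following is an added illustration of that pipeline, not WireMCP's own code; it assumes the `layers` shape shown in the example output, uses a constructed two-packet sample and a constructed blocklist in place of the live URLhaus feed, and keeps RFC 1918 and loopback addresses out of the external lookup so internal addresses are never sent to a third-party feed.

```javascript
// Added example (not WireMCP's own code). Summarise tshark JSON packet
// objects and check the public IPs against a blocklist.

// Constructed sample: two packets in the shape produced by, for example,
// `tshark -r capture.pcap -T json -e ip.src -e ip.dst -e tcp.dstport -e frame.protocols`
const SAMPLE_PACKETS = [
  { layers: { "ip.src": ["192.168.0.2"], "ip.dst": ["192.168.0.1"],
              "tcp.dstport": ["23"], "frame.protocols": ["eth:ethertype:ip:tcp:telnet"] } },
  { layers: { "ip.src": ["192.168.0.2"], "ip.dst": ["203.0.113.9"],
              "tcp.dstport": ["80"], "frame.protocols": ["eth:ethertype:ip:tcp:http"] } },
];

// Constructed sample blocklist (a TEST-NET address), standing in for URLhaus data.
const SAMPLE_BLOCKLIST = new Set(["203.0.113.9"]);

// Cleartext protocols that extract_credentials looks at; worth flagging on their own.
const CLEARTEXT = new Set(["telnet", "ftp", "http"]);

// RFC 1918 and loopback IPv4 ranges: never send these to an external threat feed.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function summarizePackets(packets, blocklist) {
  const ips = new Set();
  const protocols = new Set();
  const cleartextFlows = [];
  for (const { layers } of packets) {
    for (const key of ["ip.src", "ip.dst"]) {
      for (const ip of layers[key] || []) ips.add(ip);
    }
    const chain = (layers["frame.protocols"] || [""])[0];
    if (chain) protocols.add(chain);
    // The last element of the frame.protocols chain is the application-layer protocol.
    const top = chain.split(":").pop();
    if (CLEARTEXT.has(top)) {
      cleartextFlows.push(`${layers["ip.src"][0]} -> ${layers["ip.dst"][0]}:${layers["tcp.dstport"][0]} (${top})`);
    }
  }
  const publicIps = [...ips].filter((ip) => !isPrivateIPv4(ip));
  return {
    uniqueIps: [...ips].sort(),
    protocols: [...protocols].sort(),
    cleartextFlows,
    flaggedIps: publicIps.filter((ip) => blocklist.has(ip)),
  };
}
```

Only `flaggedIps` and `cleartextFlows` need an analyst's attention; the rest mirrors the "Unique IPs" and "Protocols" sections of the `analyze_pcap` text above.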