Skip to main content
Glama
enesjakozh
0xKoda

WireMCP

by 0xKoda
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Local

analyze_pcap

Extract and convert packet data from a PCAP file into JSON format using WireMCP for LLM-driven network analysis, enabling threat detection and diagnostics.

Instructions

Analyze a PCAP file and provide general packet data as JSON for LLM analysis

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
pcapPathYesPath to the PCAP file to analyze (e.g., ./demo.pcap)

Implementation Reference

  • index.js:307-361 (handler)
    The handler function executes the analyze_pcap tool: parses PCAP with tshark, extracts IPs, URLs, protocols, packet JSON (trimmed if needed), and returns formatted text output.
    async (args) => { try { const tsharkPath = await findTshark(); const { pcapPath } = args; console.error(`Analyzing PCAP file: ${pcapPath}`); // Check if file exists await fs.access(pcapPath); // Extract broad packet data const { stdout, stderr } = await execAsync( `${tsharkPath} -r "${pcapPath}" -T json -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -e http.host -e http.request.uri -e frame.protocols`, { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } } ); if (stderr) console.error(`tshark stderr: ${stderr}`); const packets = JSON.parse(stdout); const ips = [...new Set(packets.flatMap(p => [ p._source?.layers['ip.src']?.[0], p._source?.layers['ip.dst']?.[0] ]).filter(ip => ip))]; console.error(`Found ${ips.length} unique IPs: ${ips.join(', ')}`); const urls = packets .filter(p => p._source?.layers['http.host'] && p._source?.layers['http.request.uri']) .map(p => `http://${p._source.layers['http.host'][0]}${p._source.layers['http.request.uri'][0]}`); console.error(`Found ${urls.length} URLs: ${urls.join(', ') || 'None'}`); const protocols = [...new Set(packets.map(p => p._source?.layers['frame.protocols']?.[0]))].filter(p => p); console.error(`Found protocols: ${protocols.join(', ') || 'None'}`); const maxChars = 720000; let jsonString = JSON.stringify(packets); if (jsonString.length > maxChars) { const trimFactor = maxChars / jsonString.length; const trimCount = Math.floor(packets.length * trimFactor); packets.splice(trimCount); jsonString = JSON.stringify(packets); console.error(`Trimmed packets from ${packets.length} to ${trimCount} to fit ${maxChars} chars`); } const outputText = `Analyzed PCAP: ${pcapPath}\n\n` + `Unique IPs:\n${ips.join('\n')}\n\n` + `URLs:\n${urls.length > 0 ? urls.join('\n') : 'None'}\n\n` + `Protocols:\n${protocols.join('\n') || 'None'}\n\n` + `Packet Data (JSON for LLM):\n${jsonString}`; return { content: [{ type: 'text', text: outputText }], }; } catch (error) { console.error(`Error in analyze_pcap: ${error.message}`); return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true }; } }
  • index.js:304-306 (schema)
    Input schema using Zod: requires pcapPath string parameter.
    { pcapPath: z.string().describe('Path to the PCAP file to analyze (e.g., ./demo.pcap)'), },
  • index.js:301-362 (registration)
    Registers the analyze_pcap tool on the MCP server with name, description, schema, and handler.
    server.tool( 'analyze_pcap', 'Analyze a PCAP file and provide general packet data as JSON for LLM analysis', { pcapPath: z.string().describe('Path to the PCAP file to analyze (e.g., ./demo.pcap)'), }, async (args) => { try { const tsharkPath = await findTshark(); const { pcapPath } = args; console.error(`Analyzing PCAP file: ${pcapPath}`); // Check if file exists await fs.access(pcapPath); // Extract broad packet data const { stdout, stderr } = await execAsync( `${tsharkPath} -r "${pcapPath}" -T json -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -e http.host -e http.request.uri -e frame.protocols`, { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } } ); if (stderr) console.error(`tshark stderr: ${stderr}`); const packets = JSON.parse(stdout); const ips = [...new Set(packets.flatMap(p => [ p._source?.layers['ip.src']?.[0], p._source?.layers['ip.dst']?.[0] ]).filter(ip => ip))]; console.error(`Found ${ips.length} unique IPs: ${ips.join(', ')}`); const urls = packets .filter(p => p._source?.layers['http.host'] && p._source?.layers['http.request.uri']) .map(p => `http://${p._source.layers['http.host'][0]}${p._source.layers['http.request.uri'][0]}`); console.error(`Found ${urls.length} URLs: ${urls.join(', ') || 'None'}`); const protocols = [...new Set(packets.map(p => p._source?.layers['frame.protocols']?.[0]))].filter(p => p); console.error(`Found protocols: ${protocols.join(', ') || 'None'}`); const maxChars = 720000; let jsonString = JSON.stringify(packets); if (jsonString.length > maxChars) { const trimFactor = maxChars / jsonString.length; const trimCount = Math.floor(packets.length * trimFactor); packets.splice(trimCount); jsonString = JSON.stringify(packets); console.error(`Trimmed packets from ${packets.length} to ${trimCount} to fit ${maxChars} chars`); } const outputText = `Analyzed PCAP: ${pcapPath}\n\n` + `Unique IPs:\n${ips.join('\n')}\n\n` + `URLs:\n${urls.length > 0 ? urls.join('\n') : 'None'}\n\n` + `Protocols:\n${protocols.join('\n') || 'None'}\n\n` + `Packet Data (JSON for LLM):\n${jsonString}`; return { content: [{ type: 'text', text: outputText }], }; } catch (error) { console.error(`Error in analyze_pcap: ${error.message}`); return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true }; } } );
  • index.js:616-635 (helper)
    Associated prompt template for guiding LLM analysis after running analyze_pcap tool.
    server.prompt( 'analyze_pcap_prompt', { pcapPath: z.string().describe('Path to the PCAP file'), }, ({ pcapPath }) => ({ messages: [{ role: 'user', content: { type: 'text', text: `Please analyze the PCAP file at ${pcapPath} and provide insights about: 1. Overall traffic patterns 2. Unique IPs and their interactions 3. Protocols and services used 4. Notable events or anomalies 5. Potential security concerns` } }] }) );
  • index.js:17-39 (helper)
    Helper function to locate tshark binary, used by analyze_pcap handler.
    async function findTshark() { try { const tsharkPath = await which('tshark'); console.error(`Found tshark at: ${tsharkPath}`); return tsharkPath; } catch (err) { console.error('which failed to find tshark:', err.message); const fallbacks = process.platform === 'win32' ? ['C:\\Program Files\\Wireshark\\tshark.exe', 'C:\\Program Files (x86)\\Wireshark\\tshark.exe'] : ['/usr/bin/tshark', '/usr/local/bin/tshark', '/opt/homebrew/bin/tshark', '/Applications/Wireshark.app/Contents/MacOS/tshark']; for (const path of fallbacks) { try { await execAsync(`${path} -v`); console.error(`Found tshark at fallback: ${path}`); return path; } catch (e) { console.error(`Fallback ${path} failed: ${e.message}`); } } throw new Error('tshark not found. Please install Wireshark (https://www.wireshark.org/download.html) and ensure tshark is in your PATH.'); } }
Install Server

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/0xKoda/WireMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server