Wireshark MCP Server

#!/usr/bin/env python3 """ Enhanced Wireshark MCP Server - Core Features Implementation =========================================================== Implements: 1. Real-time JSON Packet Capture 2. Protocol Statistics & Conversations 3. Enhanced PCAP File Analysis No external API dependencies - pure Wireshark/TShark functionality. """ import asyncio import json import logging import os import re import subprocess import tempfile import time from pathlib import Path from typing import Any, Dict, List, Optional, AsyncGenerator from datetime import datetime from mcp.server import Server from mcp.server.stdio import stdio_server from mcp.types import ( Resource, Tool, TextContent, ) # Configure logging logging.basicConfig( level=logging.INFO, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s' ) logger = logging.getLogger(__name__) # Initialize the MCP server server = Server("wireshark-mcp-enhanced") # Global state for active captures ACTIVE_CAPTURES = {} # ===== ALL 10 ADVANCED TOOLS ===== # Advanced Tool 1: PCAPTimeSlicer class WiresharkPCAPTimeSlicer: """Extract specific time windows from PCAP files using editcap""" def __init__(self): self.tool = "editcap" self.supported_formats = ["pcap", "pcapng"] async def slice_by_time_range( self, input_file: str, start_time: Union[str, int, float], end_time: Union[str, int, float], output_file: str = None, preserve_comments: bool = True ) -> Dict[str, Any]: """ Extract packets within specific time range Args: input_file: Input PCAP file path start_time: Start time (ISO format, Unix epoch, or relative seconds) end_time: End time (same formats as start_time) output_file: Output file path (auto-generated if None) preserve_comments: Keep packet comments Returns: Dict with status, output file, and statistics """ try: # Validate input file if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Generate output filename if not provided if not output_file: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/time_slice_{Path(input_file).stem}_{timestamp}.pcap" # Convert time formats start_str = self._format_time(start_time) end_str = self._format_time(end_time) # Build command cmd = [self.tool] if start_str: cmd.extend(["-A", start_str]) if end_str: cmd.extend(["-B", end_str]) if not preserve_comments: cmd.append("--discard-packet-comments") cmd.extend([input_file, output_file]) # Execute result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Get statistics about the output stats = await self._get_file_stats(output_file) return { "status": "✅ Success", "input_file": input_file, "output_file": output_file, "time_range": { "start": start_str, "end": end_str }, "statistics": stats, "message": stdout.decode().strip() } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def slice_by_duration( self, input_file: str, start_time: Union[str, int, float], duration_seconds: int, output_file: str = None ) -> Dict[str, Any]: """Extract packets for a specific duration from start time""" # Convert start time to datetime if isinstance(start_time, str): start_dt = datetime.fromisoformat(start_time.replace('Z', '+00:00')) else: start_dt = datetime.fromtimestamp(float(start_time)) # Calculate end time end_dt = start_dt + timedelta(seconds=duration_seconds) end_time = end_dt.isoformat() return await self.slice_by_time_range( input_file, start_time, end_time, output_file ) async def slice_relative_time( self, input_file: str, start_offset: float, end_offset: float, output_file: str = None ) -> Dict[str, Any]: """Extract using relative time offsets from first packet""" # First, get the timestamp of the first packet first_timestamp = await self._get_first_packet_time(input_file) if not first_timestamp: return {"status": "❌ Error", "error": "Could not get first packet time"} # Calculate absolute times start_time = first_timestamp + start_offset end_time = first_timestamp + end_offset return await self.slice_by_time_range( input_file, start_time, end_time, output_file ) def _format_time(self, time_value: Union[str, int, float]) -> str: """Convert various time formats to editcap format""" if isinstance(time_value, str): # Already in ISO format return time_value elif isinstance(time_value, (int, float)): # Unix epoch timestamp return str(time_value) else: raise ValueError(f"Unsupported time format: {type(time_value)}") async def _get_first_packet_time(self, input_file: str) -> Optional[float]: """Get timestamp of first packet in file""" cmd = ["capinfos", "-a", "-m", input_file] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() if result.returncode == 0: # Parse output for first packet time output = stdout.decode() # Extract epoch time match = re.search(r'(\d+\.\d+)', output) if match: return float(match.group(1)) return None async def _get_file_stats(self, file_path: str) -> Dict[str, Any]: """Get statistics about a PCAP file""" cmd = ["capinfos", "-c", "-s", file_path] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() stats = {} if result.returncode == 0: output = stdout.decode() # Parse packet count match = re.search(r'Number of packets:\s*(\d+)', output) if match: stats["packet_count"] = int(match.group(1)) # Parse file size match = re.search(r'File size:\s*([\d,]+)', output) if match: stats["file_size"] = match.group(1) return stats # ============================================================================ # 2. PCAP SPLITTER # ============================================================================ # Advanced Tool 2: PCAPSplitter class WiresharkPCAPSplitter: """Split PCAP files by various criteria using editcap""" def __init__(self): self.tool = "editcap" async def split_by_packets( self, input_file: str, packets_per_file: int, output_prefix: str = None ) -> Dict[str, Any]: """Split PCAP by packet count""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} if not output_prefix: output_prefix = f"/tmp/split_{Path(input_file).stem}" cmd = [ self.tool, "-c", str(packets_per_file), input_file, f"{output_prefix}.pcap" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Find created files import glob created_files = sorted(glob.glob(f"{output_prefix}*.pcap")) # Get stats for each file file_stats = [] for f in created_files: stats = await self._get_file_info(f) file_stats.append({ "file": f, "packets": stats.get("packets", 0), "size": stats.get("size", "0") }) return { "status": "✅ Success", "input_file": input_file, "split_by": "packets", "packets_per_file": packets_per_file, "created_files": created_files, "file_count": len(created_files), "file_details": file_stats } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def split_by_time( self, input_file: str, seconds_per_file: int, output_prefix: str = None ) -> Dict[str, Any]: """Split PCAP by time intervals""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} if not output_prefix: output_prefix = f"/tmp/split_time_{Path(input_file).stem}" cmd = [ self.tool, "-i", str(seconds_per_file), input_file, f"{output_prefix}.pcap" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: import glob created_files = sorted(glob.glob(f"{output_prefix}*.pcap")) return { "status": "✅ Success", "input_file": input_file, "split_by": "time", "seconds_per_file": seconds_per_file, "created_files": created_files, "file_count": len(created_files) } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def split_by_size( self, input_file: str, mb_per_file: int, output_prefix: str = None ) -> Dict[str, Any]: """Split PCAP by file size (using packet count approximation)""" # Note: editcap doesn't have direct size splitting, # so we calculate approximate packet count # Get average packet size file_info = await self._get_file_info(input_file) if not file_info.get("packets") or not file_info.get("size_bytes"): return {"status": "❌ Error", "error": "Could not get file info"} avg_packet_size = file_info["size_bytes"] / file_info["packets"] target_bytes = mb_per_file * 1024 * 1024 packets_per_file = int(target_bytes / avg_packet_size) # Use packet splitter result = await self.split_by_packets(input_file, packets_per_file, output_prefix) result["split_by"] = "size_approximation" result["target_mb_per_file"] = mb_per_file return result async def _get_file_info(self, file_path: str) -> Dict[str, Any]: """Get basic file information""" cmd = ["capinfos", "-c", "-s", "-m", file_path] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() info = {} if result.returncode == 0: output = stdout.decode() # Parse packet count match = re.search(r'(\d+)', output) if match: info["packets"] = int(match.group(1)) # Parse file size match = re.search(r'File size:\s*(\d+)', output) if match: info["size_bytes"] = int(match.group(1)) # Human readable size match = re.search(r'File size:\s*([\d,]+\s*\w+)', output) if match: info["size"] = match.group(1) return info # ============================================================================ # 3. PCAP MERGER # ============================================================================ # Advanced Tool 3: PCAPMerger class WiresharkPCAPMerger: """Intelligently merge multiple PCAP files using mergecap""" def __init__(self): self.tool = "mergecap" async def merge_chronological( self, input_files: List[str], output_file: str = None, remove_duplicates: bool = False ) -> Dict[str, Any]: """Merge files in chronological timestamp order""" try: # Validate input files for f in input_files: if not Path(f).exists(): return {"status": "❌ Error", "error": f"File not found: {f}"} if not output_file: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/merged_chronological_{timestamp}.pcap" cmd = [self.tool, "-w", output_file] cmd.extend(input_files) result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Get merged file statistics stats = await self._get_merged_stats(output_file, input_files) return { "status": "✅ Success", "input_files": input_files, "output_file": output_file, "merge_mode": "chronological", "statistics": stats } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def merge_append( self, input_files: List[str], output_file: str = None ) -> Dict[str, Any]: """Concatenate files sequentially (ignore timestamps)""" try: # Validate input files for f in input_files: if not Path(f).exists(): return {"status": "❌ Error", "error": f"File not found: {f}"} if not output_file: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/merged_append_{timestamp}.pcap" cmd = [self.tool, "-a", "-w", output_file] cmd.extend(input_files) result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: stats = await self._get_merged_stats(output_file, input_files) return { "status": "✅ Success", "input_files": input_files, "output_file": output_file, "merge_mode": "append", "statistics": stats } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def _get_merged_stats(self, output_file: str, input_files: List[str]) -> Dict[str, Any]: """Get statistics about merged file""" cmd = ["capinfos", "-c", "-s", "-u", output_file] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() stats = { "input_file_count": len(input_files) } if result.returncode == 0: output = stdout.decode() # Parse packet count match = re.search(r'Number of packets:\s*(\d+)', output) if match: stats["total_packets"] = int(match.group(1)) # Parse file size match = re.search(r'File size:\s*([\d,]+\s*\w+)', output) if match: stats["file_size"] = match.group(1) # Parse duration match = re.search(r'Capture duration:\s*([^\n]+)', output) if match: stats["duration"] = match.group(1).strip() return stats # ============================================================================ # 4. HEX TO PCAP CONVERTER # ============================================================================ # Advanced Tool 4: HexToPCAP class WiresharkHexToPCAP: """Convert hex dumps to analyzable PCAP format using text2pcap""" def __init__(self): self.tool = "text2pcap" async def convert_hex_dump( self, hex_input: str, output_file: str = None, encapsulation: str = "ethernet", add_fake_headers: bool = True ) -> Dict[str, Any]: """Convert hex dump to PCAP with appropriate headers""" try: # Determine if hex_input is file path or raw hex if Path(hex_input).exists(): input_source = hex_input input_type = "file" else: # Write hex to temporary file timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") temp_hex = f"/tmp/hex_input_{timestamp}.txt" # Format hex dump properly formatted_hex = self._format_hex_dump(hex_input) with open(temp_hex, 'w') as f: f.write(formatted_hex) input_source = temp_hex input_type = "hex_string" if not output_file: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/hex_converted_{timestamp}.pcap" # Build command cmd = [self.tool] # Add encapsulation headers if add_fake_headers: if encapsulation == "ethernet": cmd.extend(["-e", "0x0800"]) # Ethernet II with IPv4 elif encapsulation == "ip": cmd.extend(["-i", "4"]) # IPv4 elif encapsulation == "udp": cmd.extend(["-u", "1234,5678"]) # UDP with src:1234, dst:5678 elif encapsulation == "tcp": cmd.extend(["-T", "1234,5678"]) # TCP with src:1234, dst:5678 cmd.extend([input_source, output_file]) result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() # Clean up temp file if created if input_type == "hex_string" and Path(input_source).exists(): os.unlink(input_source) if result.returncode == 0: # Get info about created file file_info = await self._get_pcap_info(output_file) return { "status": "✅ Success", "input_type": input_type, "output_file": output_file, "encapsulation": encapsulation, "file_info": file_info, "message": stdout.decode().strip() } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } def _format_hex_dump(self, hex_string: str) -> str: """Format hex string into text2pcap compatible format""" # Remove common hex dump artifacts hex_string = re.sub(r'0x', '', hex_string) hex_string = re.sub(r'[,\s]+', ' ', hex_string) # Split into bytes bytes_list = hex_string.strip().split() # Format with offset formatted = [] offset = 0 while offset < len(bytes_list): # Take 16 bytes per line line_bytes = bytes_list[offset:offset + 16] # Format: offset (6 hex digits) followed by hex bytes hex_offset = f"{offset:06x}" hex_line = ' '.join(line_bytes) formatted.append(f"{hex_offset} {hex_line}") offset += 16 return '\n'.join(formatted) async def _get_pcap_info(self, file_path: str) -> Dict[str, Any]: """Get information about created PCAP file""" cmd = ["capinfos", "-c", "-t", file_path] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() info = {} if result.returncode == 0: output = stdout.decode() # Parse packet count match = re.search(r'Number of packets:\s*(\d+)', output) if match: info["packets"] = int(match.group(1)) # Parse file type match = re.search(r'File type:\s*([^\n]+)', output) if match: info["file_type"] = match.group(1).strip() return info # ============================================================================ # 5. HTTP DEEP ANALYZER # ============================================================================ # Advanced Tool 5: HTTPAnalyzer class WiresharkHTTPAnalyzer: """Deep HTTP/HTTPS transaction analysis using tshark""" def __init__(self): self.tool = "tshark" async def extract_http_flows( self, input_file: str, include_bodies: bool = True, decode_gzip: bool = True ) -> Dict[str, Any]: """Extract complete HTTP transactions with requests and responses""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Build command for HTTP flow extraction cmd = [ self.tool, "-r", input_file, "-Y", "http", "-T", "json", "-e", "frame.number", "-e", "frame.time", "-e", "ip.src", "-e", "ip.dst", "-e", "tcp.srcport", "-e", "tcp.dstport", "-e", "http.request", "-e", "http.request.method", "-e", "http.request.uri", "-e", "http.request.version", "-e", "http.host", "-e", "http.user_agent", "-e", "http.response", "-e", "http.response.code", "-e", "http.response.phrase", "-e", "http.content_type", "-e", "http.content_length" ] if include_bodies: cmd.extend(["-e", "http.file_data"]) if decode_gzip: cmd.extend(["-o", "http.decompress_body:TRUE"]) result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Parse JSON output flows = [] try: data = json.loads(stdout.decode()) # Process flows for packet in data: layers = packet.get("_source", {}).get("layers", {}) flow = { "frame": layers.get("frame.number", [""])[0], "time": layers.get("frame.time", [""])[0], "src_ip": layers.get("ip.src", [""])[0], "dst_ip": layers.get("ip.dst", [""])[0], "src_port": layers.get("tcp.srcport", [""])[0], "dst_port": layers.get("tcp.dstport", [""])[0] } # Check if request or response if layers.get("http.request", ["0"])[0] == "1": flow["type"] = "request" flow["method"] = layers.get("http.request.method", [""])[0] flow["uri"] = layers.get("http.request.uri", [""])[0] flow["version"] = layers.get("http.request.version", [""])[0] flow["host"] = layers.get("http.host", [""])[0] flow["user_agent"] = layers.get("http.user_agent", [""])[0] elif layers.get("http.response", ["0"])[0] == "1": flow["type"] = "response" flow["status_code"] = layers.get("http.response.code", [""])[0] flow["status_phrase"] = layers.get("http.response.phrase", [""])[0] flow["content_type"] = layers.get("http.content_type", [""])[0] flow["content_length"] = layers.get("http.content_length", [""])[0] if include_bodies and layers.get("http.file_data"): flow["body"] = layers.get("http.file_data", [""])[0] flows.append(flow) except json.JSONDecodeError: return {"status": "❌ Error", "error": "Failed to parse JSON output"} # Group requests with responses transactions = self._match_http_transactions(flows) return { "status": "✅ Success", "input_file": input_file, "total_flows": len(flows), "transactions": transactions, "statistics": { "requests": sum(1 for f in flows if f.get("type") == "request"), "responses": sum(1 for f in flows if f.get("type") == "response"), "methods": self._count_methods(flows), "status_codes": self._count_status_codes(flows) } } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def analyze_http_performance( self, input_file: str ) -> Dict[str, Any]: """Analyze HTTP timing and performance metrics""" try: # Use tshark to calculate HTTP service time cmd = [ self.tool, "-r", input_file, "-Y", "http", "-z", "http,stat" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: stats_output = stdout.decode() # Parse performance statistics performance_data = self._parse_http_stats(stats_output) # Get response time analysis timing_cmd = [ self.tool, "-r", input_file, "-Y", "http.response", "-T", "fields", "-e", "http.time" ] timing_result = await asyncio.create_subprocess_exec( *timing_cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) timing_stdout, _ = await timing_result.communicate() response_times = [] if timing_result.returncode == 0: for line in timing_stdout.decode().strip().split('\n'): if line: try: response_times.append(float(line)) except ValueError: pass # Calculate percentiles response_times.sort() percentiles = {} if response_times: percentiles = { "min": response_times[0], "p50": response_times[len(response_times)//2], "p90": response_times[int(len(response_times)*0.9)], "p95": response_times[int(len(response_times)*0.95)], "p99": response_times[int(len(response_times)*0.99)], "max": response_times[-1], "avg": sum(response_times) / len(response_times) } return { "status": "✅ Success", "input_file": input_file, "performance_stats": performance_data, "response_times": { "count": len(response_times), "percentiles": percentiles, "unit": "seconds" } } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def extract_http_objects( self, input_file: str, output_dir: str = None ) -> Dict[str, Any]: """Extract files transferred over HTTP""" try: if not output_dir: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_dir = f"/tmp/http_objects_{timestamp}" Path(output_dir).mkdir(exist_ok=True) # Export HTTP objects cmd = [ self.tool, "-r", input_file, "--export-objects", f"http,{output_dir}" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # List extracted files extracted_files = [] for file_path in Path(output_dir).iterdir(): if file_path.is_file(): extracted_files.append({ "filename": file_path.name, "size": file_path.stat().st_size, "path": str(file_path) }) return { "status": "✅ Success", "input_file": input_file, "output_directory": output_dir, "extracted_count": len(extracted_files), "extracted_files": extracted_files, "total_size": sum(f["size"] for f in extracted_files) } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } def _match_http_transactions(self, flows: List[Dict]) -> List[Dict]: """Match HTTP requests with their responses""" transactions = [] requests = [f for f in flows if f.get("type") == "request"] responses = [f for f in flows if f.get("type") == "response"] for req in requests: transaction = {"request": req} # Find matching response for resp in responses: if (resp.get("src_ip") == req.get("dst_ip") and resp.get("dst_ip") == req.get("src_ip") and resp.get("src_port") == req.get("dst_port") and resp.get("dst_port") == req.get("src_port") and int(resp.get("frame", 0)) > int(req.get("frame", 0))): transaction["response"] = resp break transactions.append(transaction) return transactions def _count_methods(self, flows: List[Dict]) -> Dict[str, int]: """Count HTTP methods""" methods = {} for flow in flows: if flow.get("type") == "request" and flow.get("method"): method = flow["method"] methods[method] = methods.get(method, 0) + 1 return methods def _count_status_codes(self, flows: List[Dict]) -> Dict[str, int]: """Count HTTP status codes""" codes = {} for flow in flows: if flow.get("type") == "response" and flow.get("status_code"): code = flow["status_code"] codes[code] = codes.get(code, 0) + 1 return codes def _parse_http_stats(self, stats_output: str) -> Dict[str, Any]: """Parse HTTP statistics from tshark output""" stats = { "total_requests": 0, "total_responses": 0, "methods": {}, "response_codes": {} } lines = stats_output.split('\n') in_stats = False for line in lines: if "HTTP Statistics" in line: in_stats = True elif in_stats: if "HTTP Requests" in line: match = re.search(r'(\d+)', line) if match: stats["total_requests"] = int(match.group(1)) elif "HTTP Responses" in line: match = re.search(r'(\d+)', line) if match: stats["total_responses"] = int(match.group(1)) return stats # ============================================================================ # 6. DNS QUERY ANALYZER # ============================================================================ # Advanced Tool 6: DNSAnalyzer class WiresharkDNSAnalyzer: """DNS traffic intelligence and analysis""" def __init__(self): self.tool = "tshark" async def analyze_dns_queries( self, input_file: str, group_by_domain: bool = True ) -> Dict[str, Any]: """Analyze DNS query patterns and statistics""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Extract DNS queries cmd = [ self.tool, "-r", input_file, "-Y", "dns.flags.response == 0", # Only queries "-T", "fields", "-e", "frame.time", "-e", "ip.src", "-e", "dns.qry.name", "-e", "dns.qry.type", "-e", "dns.qry.class" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: queries = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 5: queries.append({ "time": parts[0], "src_ip": parts[1], "domain": parts[2], "type": parts[3], "class": parts[4] }) # Get DNS statistics stats_cmd = [ self.tool, "-r", input_file, "-z", "dns,tree" ] stats_result = await asyncio.create_subprocess_exec( *stats_cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stats_stdout, _ = await stats_result.communicate() # Parse statistics dns_stats = self._parse_dns_stats(stats_stdout.decode()) # Group by domain if requested grouped_data = {} if group_by_domain: for query in queries: domain = query["domain"] if domain not in grouped_data: grouped_data[domain] = { "count": 0, "types": {}, "sources": set() } grouped_data[domain]["count"] += 1 qtype = query["type"] grouped_data[domain]["types"][qtype] = grouped_data[domain]["types"].get(qtype, 0) + 1 grouped_data[domain]["sources"].add(query["src_ip"]) # Convert sets to lists for JSON serialization for domain in grouped_data: grouped_data[domain]["sources"] = list(grouped_data[domain]["sources"]) return { "status": "✅ Success", "input_file": input_file, "total_queries": len(queries), "unique_domains": len(set(q["domain"] for q in queries)), "query_types": self._count_query_types(queries), "top_domains": self._get_top_domains(queries, 10), "grouped_by_domain": grouped_data if group_by_domain else None, "dns_statistics": dns_stats } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def detect_dns_tunneling( self, input_file: str, entropy_threshold: float = 3.5 ) -> Dict[str, Any]: """Detect potential DNS tunneling based on entropy and patterns""" try: # Get all DNS queries cmd = [ self.tool, "-r", input_file, "-Y", "dns.flags.response == 0", "-T", "fields", "-e", "dns.qry.name", "-e", "ip.src", "-e", "frame.len" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: suspicious_domains = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 3: domain = parts[0] src_ip = parts[1] frame_len = int(parts[2]) if parts[2] else 0 # Calculate entropy entropy = self._calculate_entropy(domain) # Check for suspicious patterns suspicious = False reasons = [] if entropy > entropy_threshold: suspicious = True reasons.append(f"High entropy: {entropy:.2f}") # Check for long subdomains subdomain = domain.split('.')[0] if '.' in domain else domain if len(subdomain) > 50: suspicious = True reasons.append(f"Long subdomain: {len(subdomain)} chars") # Check for base64-like patterns if self._looks_like_base64(subdomain): suspicious = True reasons.append("Base64-like pattern") # Check for hex patterns if self._looks_like_hex(subdomain): suspicious = True reasons.append("Hex-like pattern") if suspicious: suspicious_domains.append({ "domain": domain, "src_ip": src_ip, "entropy": entropy, "reasons": reasons, "frame_size": frame_len }) return { "status": "✅ Success", "input_file": input_file, "entropy_threshold": entropy_threshold, "suspicious_count": len(suspicious_domains), "suspicious_domains": suspicious_domains[:50], # Limit output "detection_summary": { "high_entropy": sum(1 for d in suspicious_domains if "High entropy" in str(d["reasons"])), "long_subdomains": sum(1 for d in suspicious_domains if "Long subdomain" in str(d["reasons"])), "base64_patterns": sum(1 for d in suspicious_domains if "Base64-like" in str(d["reasons"])), "hex_patterns": sum(1 for d in suspicious_domains if "Hex-like" in str(d["reasons"])) } } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def dns_response_analysis( self, input_file: str ) -> Dict[str, Any]: """Analyze DNS response times and failures""" try: # Get DNS query-response pairs cmd = [ self.tool, "-r", input_file, "-Y", "dns", "-T", "fields", "-e", "dns.id", "-e", "dns.flags.response", "-e", "frame.time_epoch", "-e", "dns.flags.rcode", "-e", "dns.qry.name" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: dns_data = {} response_times = [] rcode_stats = {} for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 5: dns_id = parts[0] is_response = parts[1] == "1" timestamp = float(parts[2]) if parts[2] else 0 rcode = parts[3] domain = parts[4] if not is_response: # Query dns_data[dns_id] = { "query_time": timestamp, "domain": domain } else: # Response if dns_id in dns_data: response_time = timestamp - dns_data[dns_id]["query_time"] response_times.append(response_time * 1000) # Convert to ms # Track response codes rcode_stats[rcode] = rcode_stats.get(rcode, 0) + 1 # Calculate response time statistics response_times.sort() time_stats = {} if response_times: time_stats = { "count": len(response_times), "min_ms": response_times[0], "max_ms": response_times[-1], "avg_ms": sum(response_times) / len(response_times), "p50_ms": response_times[len(response_times)//2], "p90_ms": response_times[int(len(response_times)*0.9)], "p95_ms": response_times[int(len(response_times)*0.95)], "p99_ms": response_times[int(len(response_times)*0.99)] } # Map rcode numbers to names rcode_names = { "0": "NOERROR", "1": "FORMERR", "2": "SERVFAIL", "3": "NXDOMAIN", "4": "NOTIMP", "5": "REFUSED" } rcode_summary = {} for code, count in rcode_stats.items(): name = rcode_names.get(code, f"RCODE_{code}") rcode_summary[name] = count return { "status": "✅ Success", "input_file": input_file, "total_queries": len(dns_data), "total_responses": len(response_times), "response_time_stats": time_stats, "response_codes": rcode_summary, "failure_rate": (rcode_stats.get("2", 0) + rcode_stats.get("3", 0)) / max(len(response_times), 1) * 100 } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } def _count_query_types(self, queries: List[Dict]) -> Dict[str, int]: """Count DNS query types""" types = {} for query in queries: qtype = query.get("type", "UNKNOWN") types[qtype] = types.get(qtype, 0) + 1 return types def _get_top_domains(self, queries: List[Dict], top_n: int = 10) -> List[Dict]: """Get most queried domains""" domain_counts = {} for query in queries: domain = query.get("domain", "") domain_counts[domain] = domain_counts.get(domain, 0) + 1 sorted_domains = sorted(domain_counts.items(), key=lambda x: x[1], reverse=True) return [{"domain": d[0], "count": d[1]} for d in sorted_domains[:top_n]] def _parse_dns_stats(self, stats_output: str) -> Dict[str, Any]: """Parse DNS statistics from tshark output""" stats = { "total_queries": 0, "total_responses": 0, "query_types": {}, "response_types": {} } # Basic parsing of DNS tree statistics lines = stats_output.split('\n') for line in lines: if "DNS Queries" in line: match = re.search(r'(\d+)', line) if match: stats["total_queries"] = int(match.group(1)) elif "DNS Responses" in line: match = re.search(r'(\d+)', line) if match: stats["total_responses"] = int(match.group(1)) return stats def _calculate_entropy(self, string: str) -> float: """Calculate Shannon entropy of a string""" import math if not string: return 0 # Calculate frequency of each character freq = {} for char in string: freq[char] = freq.get(char, 0) + 1 # Calculate entropy entropy = 0 length = len(string) for count in freq.values(): probability = count / length entropy -= probability * math.log2(probability) return entropy def _looks_like_base64(self, string: str) -> bool: """Check if string looks like base64 encoding""" # Simple heuristic: check for base64 character set and padding base64_chars = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=") if len(string) < 4: return False # Check if mostly base64 characters valid_chars = sum(1 for c in string if c in base64_chars) return valid_chars / len(string) > 0.9 and len(string) % 4 == 0 def _looks_like_hex(self, string: str) -> bool: """Check if string looks like hex encoding""" hex_chars = set("0123456789abcdefABCDEF") if len(string) < 8: return False # Check if mostly hex characters valid_chars = sum(1 for c in string if c in hex_chars) return valid_chars / len(string) > 0.9 and len(string) % 2 == 0 # ============================================================================ # 7. SSL/TLS INSPECTOR # ============================================================================ # Advanced Tool 7: SSLInspector class WiresharkSSLInspector: """SSL/TLS traffic inspection and analysis""" def __init__(self): self.tool = "tshark" async def analyze_ssl_handshakes( self, input_file: str ) -> Dict[str, Any]: """Analyze SSL/TLS handshakes and cipher suites""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Extract SSL handshake information cmd = [ self.tool, "-r", input_file, "-Y", "tls.handshake", "-T", "fields", "-e", "frame.time", "-e", "ip.src", "-e", "ip.dst", "-e", "tls.handshake.type", "-e", "tls.handshake.version", "-e", "tls.handshake.ciphersuite", "-e", "tls.handshake.extension.server_name", "-e", "tls.handshake.certificate" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: handshakes = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 8: handshake = { "time": parts[0], "src_ip": parts[1], "dst_ip": parts[2], "type": self._get_handshake_type_name(parts[3]), "version": parts[4], "cipher_suite": parts[5], "server_name": parts[6], "has_certificate": bool(parts[7]) } handshakes.append(handshake) # Get cipher suite statistics cipher_stats = self._analyze_cipher_suites(handshakes) # Get SSL/TLS version statistics version_stats = self._analyze_tls_versions(handshakes) return { "status": "✅ Success", "input_file": input_file, "total_handshakes": len(handshakes), "handshake_types": self._count_handshake_types(handshakes), "cipher_suites": cipher_stats, "tls_versions": version_stats, "server_names": self._get_unique_server_names(handshakes), "sample_handshakes": handshakes[:10] # First 10 handshakes } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def decrypt_ssl_traffic( self, input_file: str, keylog_file: str = None, rsa_key_file: str = None ) -> Dict[str, Any]: """Decrypt SSL/TLS traffic with provided keys""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} if not keylog_file and not rsa_key_file: return {"status": "❌ Error", "error": "Either keylog_file or rsa_key_file required"} # Build command with decryption options cmd = [self.tool, "-r", input_file] if keylog_file and Path(keylog_file).exists(): cmd.extend(["-o", f"tls.keylog_file:{keylog_file}"]) elif rsa_key_file and Path(rsa_key_file).exists(): cmd.extend(["-o", f"tls.keys_list:,443,http,{rsa_key_file}"]) # Add filters to show decrypted data cmd.extend([ "-Y", "tls and http", "-T", "fields", "-e", "frame.number", "-e", "tls.app_data", "-e", "http.request.method", "-e", "http.request.uri", "-e", "http.response.code" ]) result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: decrypted_count = 0 decrypted_flows = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if any(parts[1:]): # Has decrypted data decrypted_count += 1 flow = { "frame": parts[0], "has_app_data": bool(parts[1]), "http_method": parts[2] if len(parts) > 2 else "", "http_uri": parts[3] if len(parts) > 3 else "", "http_response": parts[4] if len(parts) > 4 else "" } decrypted_flows.append(flow) return { "status": "✅ Success", "input_file": input_file, "decryption_method": "keylog" if keylog_file else "rsa_key", "decrypted_frames": decrypted_count, "sample_flows": decrypted_flows[:20], "statistics": { "total_decrypted": decrypted_count, "http_requests": sum(1 for f in decrypted_flows if f["http_method"]), "http_responses": sum(1 for f in decrypted_flows if f["http_response"]) } } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def ssl_certificate_analysis( self, input_file: str ) -> Dict[str, Any]: """Extract and analyze SSL/TLS certificates""" try: # Extract certificate information cmd = [ self.tool, "-r", input_file, "-Y", "tls.handshake.certificate", "-T", "fields", "-e", "x509ce.dNSName", "-e", "x509if.DistinguishedName", "-e", "x509ce.notBefore", "-e", "x509ce.notAfter", "-e", "x509sat.printableString", "-e", "tls.handshake.certificate_length" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: certificates = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if any(parts): cert = { "dns_names": parts[0] if len(parts) > 0 and parts[0] else "", "distinguished_name": parts[1] if len(parts) > 1 and parts[1] else "", "valid_from": parts[2] if len(parts) > 2 and parts[2] else "", "valid_to": parts[3] if len(parts) > 3 and parts[3] else "", "issuer": parts[4] if len(parts) > 4 and parts[4] else "", "cert_length": parts[5] if len(parts) > 5 and parts[5] else "" } certificates.append(cert) # Analyze certificates cert_analysis = self._analyze_certificates(certificates) return { "status": "✅ Success", "input_file": input_file, "total_certificates": len(certificates), "unique_domains": cert_analysis["unique_domains"], "issuers": cert_analysis["issuers"], "validity_issues": cert_analysis["validity_issues"], "sample_certificates": certificates[:10] } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } def _get_handshake_type_name(self, type_code: str) -> str: """Convert handshake type code to name""" handshake_types = { "1": "ClientHello", "2": "ServerHello", "11": "Certificate", "12": "ServerKeyExchange", "13": "CertificateRequest", "14": "ServerHelloDone", "15": "CertificateVerify", "16": "ClientKeyExchange", "20": "Finished" } return handshake_types.get(type_code, f"Type_{type_code}") def _count_handshake_types(self, handshakes: List[Dict]) -> Dict[str, int]: """Count handshake types""" types = {} for hs in handshakes: hs_type = hs.get("type", "Unknown") types[hs_type] = types.get(hs_type, 0) + 1 return types def _analyze_cipher_suites(self, handshakes: List[Dict]) -> Dict[str, Any]: """Analyze cipher suite usage""" cipher_counts = {} for hs in handshakes: cipher = hs.get("cipher_suite", "") if cipher: cipher_counts[cipher] = cipher_counts.get(cipher, 0) + 1 # Sort by usage sorted_ciphers = sorted(cipher_counts.items(), key=lambda x: x[1], reverse=True) return { "total_unique": len(cipher_counts), "top_ciphers": sorted_ciphers[:10], "weak_ciphers": self._identify_weak_ciphers(cipher_counts.keys()) } def _analyze_tls_versions(self, handshakes: List[Dict]) -> Dict[str, int]: """Analyze TLS version usage""" versions = {} for hs in handshakes: version = hs.get("version", "") if version: versions[version] = versions.get(version, 0) + 1 return versions def _get_unique_server_names(self, handshakes: List[Dict]) -> List[str]: """Get unique server names from handshakes""" server_names = set() for hs in handshakes: name = hs.get("server_name", "") if name: server_names.add(name) return sorted(list(server_names)) def _identify_weak_ciphers(self, cipher_suites: List[str]) -> List[str]: """Identify weak cipher suites""" weak_patterns = ["RC4", "DES", "MD5", "NULL", "EXPORT", "anon"] weak_ciphers = [] for cipher in cipher_suites: for pattern in weak_patterns: if pattern in cipher: weak_ciphers.append(cipher) break return weak_ciphers def _analyze_certificates(self, certificates: List[Dict]) -> Dict[str, Any]: """Analyze certificate properties""" domains = set() issuers = {} validity_issues = [] for cert in certificates: # Extract domains dns_names = cert.get("dns_names", "") if dns_names: domains.add(dns_names) # Count issuers issuer = cert.get("issuer", "") if issuer: issuers[issuer] = issuers.get(issuer, 0) + 1 # Check validity (simplified - would need proper date parsing) # This is a placeholder for actual validity checking return { "unique_domains": list(domains), "issuers": sorted(issuers.items(), key=lambda x: x[1], reverse=True)[:10], "validity_issues": validity_issues } # ============================================================================ # 8. LATENCY PROFILER # ============================================================================ # Advanced Tool 8: LatencyProfiler class WiresharkLatencyProfiler: """Network latency and performance profiling""" def __init__(self): self.tool = "tshark" async def analyze_tcp_latency( self, input_file: str, percentiles: List[int] = None ) -> Dict[str, Any]: """Analyze TCP round-trip time and latency""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} if percentiles is None: percentiles = [50, 90, 95, 99] # Extract TCP RTT information cmd = [ self.tool, "-r", input_file, "-Y", "tcp.analysis.ack_rtt", "-T", "fields", "-e", "tcp.stream", "-e", "tcp.analysis.ack_rtt", "-e", "ip.src", "-e", "ip.dst" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: rtt_data = {} all_rtts = [] for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 4 and parts[1]: stream_id = parts[0] rtt = float(parts[1]) * 1000 # Convert to ms src_ip = parts[2] dst_ip = parts[3] all_rtts.append(rtt) # Track per-stream statistics if stream_id not in rtt_data: rtt_data[stream_id] = { "rtts": [], "src_ip": src_ip, "dst_ip": dst_ip } rtt_data[stream_id]["rtts"].append(rtt) # Calculate overall statistics all_rtts.sort() overall_stats = self._calculate_percentiles(all_rtts, percentiles) # Calculate per-stream statistics stream_stats = [] for stream_id, data in rtt_data.items(): rtts = sorted(data["rtts"]) stats = self._calculate_percentiles(rtts, percentiles) stats.update({ "stream_id": stream_id, "src_ip": data["src_ip"], "dst_ip": data["dst_ip"], "sample_count": len(rtts) }) stream_stats.append(stats) # Sort by average RTT stream_stats.sort(key=lambda x: x.get("avg", 0), reverse=True) return { "status": "✅ Success", "input_file": input_file, "total_measurements": len(all_rtts), "unique_streams": len(rtt_data), "overall_latency_ms": overall_stats, "worst_streams": stream_stats[:10], # Top 10 worst latency "latency_distribution": self._get_latency_distribution(all_rtts) } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def analyze_application_latency( self, input_file: str, protocol: str = "http" ) -> Dict[str, Any]: """Analyze application-level latency metrics""" try: if protocol.lower() == "http": return await self._analyze_http_latency(input_file) elif protocol.lower() == "dns": return await self._analyze_dns_latency(input_file) else: return {"status": "❌ Error", "error": f"Unsupported protocol: {protocol}"} except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def generate_latency_heatmap( self, input_file: str, time_bucket_seconds: int = 60 ) -> Dict[str, Any]: """Generate time-based latency heatmap data""" try: # Extract time and latency data cmd = [ self.tool, "-r", input_file, "-Y", "tcp.analysis.ack_rtt", "-T", "fields", "-e", "frame.time_epoch", "-e", "tcp.analysis.ack_rtt" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: time_buckets = {} for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 2 and parts[0] and parts[1]: timestamp = float(parts[0]) rtt = float(parts[1]) * 1000 # Convert to ms # Calculate time bucket bucket = int(timestamp / time_bucket_seconds) * time_bucket_seconds if bucket not in time_buckets: time_buckets[bucket] = [] time_buckets[bucket].append(rtt) # Calculate statistics for each bucket heatmap_data = [] for bucket, rtts in sorted(time_buckets.items()): bucket_stats = self._calculate_percentiles(sorted(rtts), [50, 90, 95]) heatmap_data.append({ "timestamp": bucket, "datetime": datetime.fromtimestamp(bucket).isoformat(), "sample_count": len(rtts), "latency_ms": bucket_stats }) return { "status": "✅ Success", "input_file": input_file, "bucket_size_seconds": time_bucket_seconds, "total_buckets": len(heatmap_data), "heatmap_data": heatmap_data, "visualization_hint": "Use timestamp vs latency percentiles for heatmap" } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def _analyze_http_latency(self, input_file: str) -> Dict[str, Any]: """Analyze HTTP request/response latency""" cmd = [ self.tool, "-r", input_file, "-Y", "http.time", "-T", "fields", "-e", "http.time", "-e", "http.request.uri", "-e", "http.response.code" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: latencies = [] uri_latencies = {} for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 1 and parts[0]: latency = float(parts[0]) * 1000 # Convert to ms latencies.append(latency) if len(parts) >= 2 and parts[1]: uri = parts[1] if uri not in uri_latencies: uri_latencies[uri] = [] uri_latencies[uri].append(latency) # Calculate statistics latencies.sort() overall_stats = self._calculate_percentiles(latencies, [50, 90, 95, 99]) # Get slowest URIs uri_stats = [] for uri, uri_lats in uri_latencies.items(): uri_lats.sort() stats = self._calculate_percentiles(uri_lats, [50, 90]) uri_stats.append({ "uri": uri, "avg_ms": stats["avg"], "p50_ms": stats["p50"], "p90_ms": stats["p90"], "count": len(uri_lats) }) uri_stats.sort(key=lambda x: x["avg_ms"], reverse=True) return { "protocol": "HTTP", "total_requests": len(latencies), "latency_stats_ms": overall_stats, "slowest_uris": uri_stats[:10] } else: return {"status": "❌ Error", "error": stderr.decode().strip()} async def _analyze_dns_latency(self, input_file: str) -> Dict[str, Any]: """Analyze DNS query/response latency""" # Similar to DNS response analysis but focused on latency return {"protocol": "DNS", "message": "DNS latency analysis"} def _calculate_percentiles(self, sorted_values: List[float], percentiles: List[int]) -> Dict[str, float]: """Calculate percentiles from sorted values""" if not sorted_values: return {} stats = { "min": sorted_values[0], "max": sorted_values[-1], "avg": sum(sorted_values) / len(sorted_values), "count": len(sorted_values) } for p in percentiles: index = int(len(sorted_values) * p / 100) if index >= len(sorted_values): index = len(sorted_values) - 1 stats[f"p{p}"] = sorted_values[index] return stats def _get_latency_distribution(self, latencies: List[float]) -> Dict[str, int]: """Get latency distribution buckets""" buckets = { "0-10ms": 0, "10-50ms": 0, "50-100ms": 0, "100-250ms": 0, "250-500ms": 0, "500-1000ms": 0, "1000ms+": 0 } for latency in latencies: if latency < 10: buckets["0-10ms"] += 1 elif latency < 50: buckets["10-50ms"] += 1 elif latency < 100: buckets["50-100ms"] += 1 elif latency < 250: buckets["100-250ms"] += 1 elif latency < 500: buckets["250-500ms"] += 1 elif latency < 1000: buckets["500-1000ms"] += 1 else: buckets["1000ms+"] += 1 return buckets # ============================================================================ # 9. THREAT DETECTOR # ============================================================================ # Advanced Tool 9: ThreatDetector class WiresharkThreatDetector: """AI-powered network threat detection""" def __init__(self): self.tool = "tshark" async def detect_port_scans( self, input_file: str, threshold_ports: int = 10, time_window: int = 60 ) -> Dict[str, Any]: """Detect port scanning activity""" try: if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Extract TCP SYN packets cmd = [ self.tool, "-r", input_file, "-Y", "tcp.flags.syn == 1 and tcp.flags.ack == 0", "-T", "fields", "-e", "frame.time_epoch", "-e", "ip.src", "-e", "ip.dst", "-e", "tcp.dstport" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: scan_data = {} for line in stdout.decode().strip().split('\n'): if line: parts = line.split('\t') if len(parts) >= 4: timestamp = float(parts[0]) src_ip = parts[1] dst_ip = parts[2] dst_port = parts[3] key = f"{src_ip}->{dst_ip}" if key not in scan_data: scan_data[key] = [] scan_data[key].append({ "timestamp": timestamp, "port": dst_port }) # Analyze for port scans port_scans = [] for connection, packets in scan_data.items(): # Sort by timestamp packets.sort(key=lambda x: x["timestamp"]) # Use sliding window to detect scans for i in range(len(packets)): window_start = packets[i]["timestamp"] window_end = window_start + time_window # Count unique ports in window window_ports = set() for j in range(i, len(packets)): if packets[j]["timestamp"] <= window_end: window_ports.add(packets[j]["port"]) else: break if len(window_ports) >= threshold_ports: src_ip, dst_ip = connection.split("->") port_scans.append({ "src_ip": src_ip, "dst_ip": dst_ip, "start_time": datetime.fromtimestamp(window_start).isoformat(), "unique_ports": len(window_ports), "ports": sorted(list(window_ports))[:20], # First 20 ports "scan_type": self._classify_scan_type(window_ports) }) break # Avoid duplicate detection for same source return { "status": "✅ Success", "input_file": input_file, "detection_params": { "threshold_ports": threshold_ports, "time_window_seconds": time_window }, "scans_detected": len(port_scans), "port_scans": port_scans, "scan_summary": self._summarize_scans(port_scans) } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def detect_ddos_patterns( self, input_file: str ) -> Dict[str, Any]: """Identify DDoS attack patterns""" try: # Analyze packet rates and patterns cmd = [ self.tool, "-r", input_file, "-z", "io,stat,1" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Parse I/O statistics io_stats = self._parse_io_stats(stdout.decode()) # Detect anomalies in packet rates ddos_indicators = [] # Check for SYN floods syn_flood = await self._detect_syn_flood(input_file) if syn_flood["detected"]: ddos_indicators.append(syn_flood) # Check for UDP floods udp_flood = await self._detect_udp_flood(input_file) if udp_flood["detected"]: ddos_indicators.append(udp_flood) # Check for ICMP floods icmp_flood = await self._detect_icmp_flood(input_file) if icmp_flood["detected"]: ddos_indicators.append(icmp_flood) # Analyze packet rate spikes rate_anomalies = self._detect_rate_anomalies(io_stats) return { "status": "✅ Success", "input_file": input_file, "ddos_detected": len(ddos_indicators) > 0, "indicators": ddos_indicators, "packet_rate_analysis": { "average_pps": io_stats.get("avg_pps", 0), "max_pps": io_stats.get("max_pps", 0), "anomalies": rate_anomalies }, "attack_types": [ind["type"] for ind in ddos_indicators] } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def ml_anomaly_detection( self, input_file: str, model_path: str = None ) -> Dict[str, Any]: """ML-based anomaly detection (simplified implementation)""" try: # Extract features for ML analysis features = await self._extract_ml_features(input_file) # Simple statistical anomaly detection (placeholder for real ML) anomalies = self._detect_statistical_anomalies(features) # Pattern-based detection pattern_anomalies = await self._detect_pattern_anomalies(input_file) return { "status": "✅ Success", "input_file": input_file, "ml_model": "statistical_baseline" if not model_path else model_path, "features_extracted": len(features), "anomalies_detected": len(anomalies) + len(pattern_anomalies), "statistical_anomalies": anomalies, "pattern_anomalies": pattern_anomalies, "risk_score": self._calculate_risk_score(anomalies, pattern_anomalies) } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def _detect_syn_flood(self, input_file: str) -> Dict[str, Any]: """Detect SYN flood attacks""" cmd = [ self.tool, "-r", input_file, "-Y", "tcp.flags.syn == 1 and tcp.flags.ack == 0", "-T", "fields", "-e", "ip.dst" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() if result.returncode == 0: dst_counts = {} for line in stdout.decode().strip().split('\n'): if line: dst_counts[line] = dst_counts.get(line, 0) + 1 # Check for flood indicators for dst_ip, count in dst_counts.items(): if count > 1000: # Threshold return { "detected": True, "type": "SYN_FLOOD", "target_ip": dst_ip, "syn_count": count, "severity": "HIGH" } return {"detected": False} async def _detect_udp_flood(self, input_file: str) -> Dict[str, Any]: """Detect UDP flood attacks""" cmd = [ self.tool, "-r", input_file, "-Y", "udp", "-z", "endpoints,udp" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() # Simplified UDP flood detection return {"detected": False} async def _detect_icmp_flood(self, input_file: str) -> Dict[str, Any]: """Detect ICMP flood attacks""" cmd = [ self.tool, "-r", input_file, "-Y", "icmp", "-T", "fields", "-e", "ip.dst" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() if result.returncode == 0: icmp_counts = {} for line in stdout.decode().strip().split('\n'): if line: icmp_counts[line] = icmp_counts.get(line, 0) + 1 for dst_ip, count in icmp_counts.items(): if count > 500: # Threshold return { "detected": True, "type": "ICMP_FLOOD", "target_ip": dst_ip, "icmp_count": count, "severity": "MEDIUM" } return {"detected": False} def _classify_scan_type(self, ports: set) -> str: """Classify the type of port scan""" port_list = sorted(list(ports)) # Check for sequential scan if len(port_list) > 2: differences = [port_list[i+1] - port_list[i] for i in range(len(port_list)-1)] if all(d == 1 for d in differences): return "Sequential" # Check for common ports scan common_ports = {21, 22, 23, 25, 80, 443, 445, 3389, 8080} if len(ports & common_ports) > len(ports) * 0.7: return "Common_Ports" # Check for full scan if len(ports) > 1000: return "Full_Scan" return "Random" def _summarize_scans(self, scans: List[Dict]) -> Dict[str, Any]: """Summarize detected scans""" if not scans: return {} sources = set() targets = set() scan_types = {} for scan in scans: sources.add(scan["src_ip"]) targets.add(scan["dst_ip"]) scan_type = scan["scan_type"] scan_types[scan_type] = scan_types.get(scan_type, 0) + 1 return { "unique_sources": len(sources), "unique_targets": len(targets), "scan_types": scan_types, "most_active_scanner": max(sources, key=lambda x: sum(1 for s in scans if s["src_ip"] == x)) } def _parse_io_stats(self, stats_output: str) -> Dict[str, Any]: """Parse I/O statistics output""" stats = { "intervals": [], "avg_pps": 0, "max_pps": 0 } # Simple parsing - would need proper implementation lines = stats_output.split('\n') for line in lines: if "frames" in line.lower(): # Extract packet counts pass return stats def _detect_rate_anomalies(self, io_stats: Dict) -> List[Dict]: """Detect anomalies in packet rates""" anomalies = [] # Implement statistical anomaly detection return anomalies async def _extract_ml_features(self, input_file: str) -> Dict[str, Any]: """Extract features for ML analysis""" features = { "packet_count": 0, "unique_ips": 0, "protocol_distribution": {}, "port_entropy": 0, "packet_size_stats": {} } # Extract basic statistics cmd = [ self.tool, "-r", input_file, "-q", "-z", "io,phs" ] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() if result.returncode == 0: # Parse protocol hierarchy statistics # This is a simplified version pass return features def _detect_statistical_anomalies(self, features: Dict) -> List[Dict]: """Simple statistical anomaly detection""" anomalies = [] # Implement basic statistical checks return anomalies async def _detect_pattern_anomalies(self, input_file: str) -> List[Dict]: """Detect known malicious patterns""" anomalies = [] # Check for suspicious DNS queries suspicious_dns = await self._check_suspicious_dns(input_file) if suspicious_dns: anomalies.extend(suspicious_dns) # Check for suspicious HTTP patterns suspicious_http = await self._check_suspicious_http(input_file) if suspicious_http: anomalies.extend(suspicious_http) return anomalies async def _check_suspicious_dns(self, input_file: str) -> List[Dict]: """Check for suspicious DNS patterns""" # Simplified implementation return [] async def _check_suspicious_http(self, input_file: str) -> List[Dict]: """Check for suspicious HTTP patterns""" # Simplified implementation return [] def _calculate_risk_score(self, stat_anomalies: List, pattern_anomalies: List) -> int: """Calculate overall risk score (0-100)""" base_score = 0 # Add scores based on anomaly counts and types base_score += len(stat_anomalies) * 10 base_score += len(pattern_anomalies) * 15 # Cap at 100 return min(base_score, 100) # ============================================================================ # 10. REMOTE CAPTURE # ============================================================================ # Advanced Tool 10: RemoteCapture class WiresharkRemoteCapture: """Distributed remote packet capture""" def __init__(self): self.tool = "ssh" # Will use SSH + tcpdump/tshark async def capture_single_host( self, host: str, username: str, password: str = None, key_file: str = None, interface: str = "any", filter: str = "", duration: int = 60 ) -> Dict[str, Any]: """Capture from single remote host""" try: # Build SSH command ssh_cmd = ["ssh"] if key_file: ssh_cmd.extend(["-i", key_file]) ssh_cmd.extend([ "-o", "StrictHostKeyChecking=no", f"{username}@{host}" ]) # Remote capture command remote_cmd = f"sudo timeout {duration} tcpdump -i {interface} -w - {filter}" # Local output file timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/remote_capture_{host}_{timestamp}.pcap" # Full command: ssh user@host "tcpdump" > output.pcap full_cmd = ssh_cmd + [remote_cmd] # Execute with output redirection with open(output_file, 'wb') as f: result = await asyncio.create_subprocess_exec( *full_cmd, stdout=f, stderr=asyncio.subprocess.PIPE ) # Wait for completion or timeout try: _, stderr = await asyncio.wait_for( result.communicate(), timeout=duration + 10 ) except asyncio.TimeoutError: result.terminate() await result.wait() stderr = b"Capture timeout" # Check if capture was successful if Path(output_file).exists() and Path(output_file).stat().st_size > 0: # Get capture statistics stats = await self._get_capture_stats(output_file) return { "status": "✅ Success", "host": host, "output_file": output_file, "capture_params": { "interface": interface, "filter": filter, "duration": duration }, "statistics": stats } else: return { "status": "❌ Error", "error": stderr.decode() if stderr else "No data captured" } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def capture_multi_host( self, hosts: List[Dict[str, Any]], synchronized: bool = True ) -> Dict[str, Any]: """Synchronized multi-host capture""" try: if synchronized: # Start all captures simultaneously tasks = [] for host_config in hosts: task = asyncio.create_task( self.capture_single_host(**host_config) ) tasks.append(task) # Wait for all captures to complete results = await asyncio.gather(*tasks, return_exceptions=True) # Process results successful = [] failed = [] for i, result in enumerate(results): if isinstance(result, Exception): failed.append({ "host": hosts[i].get("host", "unknown"), "error": str(result) }) elif result.get("status") == "✅ Success": successful.append(result) else: failed.append({ "host": hosts[i].get("host", "unknown"), "error": result.get("error", "Unknown error") }) # Merge captures if all successful merged_file = None if len(successful) == len(hosts) and len(successful) > 1: files = [r["output_file"] for r in successful] merged_file = await self._merge_captures(files) return { "status": "✅ Success" if successful else "❌ Error", "total_hosts": len(hosts), "successful_captures": len(successful), "failed_captures": len(failed), "capture_results": successful, "failures": failed, "merged_file": merged_file } else: # Sequential capture results = [] for host_config in hosts: result = await self.capture_single_host(**host_config) results.append(result) return { "status": "✅ Success", "mode": "sequential", "capture_results": results } except Exception as e: return { "status": "❌ Exception", "error": str(e) } async def _get_capture_stats(self, file_path: str) -> Dict[str, Any]: """Get statistics about captured file""" cmd = ["capinfos", "-c", "-s", "-d", file_path] result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, _ = await result.communicate() stats = {} if result.returncode == 0: output = stdout.decode() # Parse packet count match = re.search(r'Number of packets:\s*(\d+)', output) if match: stats["packet_count"] = int(match.group(1)) # Parse file size match = re.search(r'File size:\s*(\d+)', output) if match: stats["file_size_bytes"] = int(match.group(1)) # Parse duration match = re.search(r'Capture duration:\s*([^\n]+)', output) if match: stats["duration"] = match.group(1).strip() return stats async def _merge_captures(self, files: List[str]) -> str: """Merge multiple capture files""" timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") merged_file = f"/tmp/merged_remote_capture_{timestamp}.pcap" cmd = ["mergecap", "-w", merged_file] + files result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) await result.communicate() if result.returncode == 0: return merged_file return None # ============================================================================ # DEMO AND TESTING # ============================================================================ async def demo_advanced_tools(): """Demonstrate the advanced Wireshark tools""" print("🦈 Wireshark Advanced Tools Demo") print("=" * 60) # 1. Time Slicer Demo print("\n1️⃣ Testing PCAP Time Slicer") print("-" * 40) slicer = WiresharkPCAPTimeSlicer() # Create a test capture first test_file = "/tmp/test_capture.pcap" if Path(test_file).exists(): # Slice last 30 seconds result = await slicer.slice_by_duration( test_file, datetime.now().timestamp() - 60, # 1 minute ago 30 # 30 seconds duration ) print(json.dumps(result, indent=2)) else: print("No test file found - skipping") # 2. Splitter Demo print("\n2️⃣ Testing PCAP Splitter") print("-" * 40) splitter = WiresharkPCAPSplitter() if Path(test_file).exists(): result = await splitter.split_by_packets( test_file, packets_per_file=3 ) print(json.dumps(result, indent=2)) else: result = {"status": "❌ No test file"} # 3. Merger Demo print("\n3️⃣ Testing PCAP Merger") print("-" * 40) merger = WiresharkPCAPMerger() if result.get("status") == "✅ Success" and result.get("created_files"): merge_result = await merger.merge_chronological( result["created_files"][:2] ) print(json.dumps(merge_result, indent=2)) else: print("No files to merge - skipping") # 4. Hex to PCAP Demo print("\n4️⃣ Testing Hex to PCAP Converter") print("-" * 40) converter = WiresharkHexToPCAP() # Sample TCP SYN packet hex hex_data = """ 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 00 3c 00 00 40 00 40 06 00 00 7f 00 00 01 7f 00 00 01 12 34 56 78 00 00 00 00 00 00 00 00 a0 02 ff ff fe 30 00 00 02 04 ff d7 04 02 08 0a 00 00 00 00 00 00 00 00 """ result = await converter.convert_hex_dump( hex_data, encapsulation="ethernet" ) print(json.dumps(result, indent=2)) # 5. HTTP Analyzer Demo print("\n5️⃣ Testing HTTP Deep Analyzer") print("-" * 40) http_analyzer = WiresharkHTTPAnalyzer() if Path(test_file).exists(): result = await http_analyzer.extract_http_flows(test_file) print(f"HTTP flows extracted: {result.get('total_flows', 0)}") print(f"Status: {result.get('status', 'Unknown')}") # 6. DNS Analyzer Demo print("\n6️⃣ Testing DNS Query Analyzer") print("-" * 40) dns_analyzer = WiresharkDNSAnalyzer() if Path(test_file).exists(): result = await dns_analyzer.analyze_dns_queries(test_file) print(f"DNS queries analyzed: {result.get('total_queries', 0)}") print(f"Unique domains: {result.get('unique_domains', 0)}") # 7. SSL/TLS Inspector Demo print("\n7️⃣ Testing SSL/TLS Inspector") print("-" * 40) ssl_inspector = WiresharkSSLInspector() if Path(test_file).exists(): result = await ssl_inspector.analyze_ssl_handshakes(test_file) print(f"SSL handshakes found: {result.get('total_handshakes', 0)}") print(f"TLS versions: {result.get('tls_versions', {})}") # 8. Latency Profiler Demo print("\n8️⃣ Testing Latency Profiler") print("-" * 40) latency_profiler = WiresharkLatencyProfiler() if Path(test_file).exists(): result = await latency_profiler.analyze_tcp_latency(test_file) print(f"TCP measurements: {result.get('total_measurements', 0)}") if result.get('overall_latency_ms'): print(f"Average latency: {result['overall_latency_ms'].get('avg', 0):.2f} ms") # 9. Threat Detector Demo print("\n9️⃣ Testing Threat Detector") print("-" * 40) threat_detector = WiresharkThreatDetector() if Path(test_file).exists(): result = await threat_detector.detect_port_scans(test_file) print(f"Port scans detected: {result.get('scans_detected', 0)}") # Also test DDoS detection ddos_result = await threat_detector.detect_ddos_patterns(test_file) print(f"DDoS detected: {ddos_result.get('ddos_detected', False)}") # 10. Remote Capture Demo (Simulation) print("\n🔟 Testing Remote Capture (Simulation)") print("-" * 40) remote_capture = WiresharkRemoteCapture() # This would require actual SSH access, so we'll just show the structure print("Remote capture configured for SSH-based packet capture") print("Methods available:") print(" - capture_single_host(): Capture from one remote host") print(" - capture_multi_host(): Synchronized multi-host capture") print("\n" + "=" * 60) print("✅ Advanced Tools Demo Complete!") print("\n🎉 All 10 advanced Wireshark tools implemented successfully!") if __name__ == "__main__": asyncio.run(demo_advanced_tools()) @server.list_tools() """Extract specific time windows from PCAP files using editcap""" def __init__(self): self.tool = "editcap" self.supported_formats = ["pcap", "pcapng"] async def slice_by_time_range( self, input_file: str, start_time: str, end_time: str, output_file: str = None, preserve_comments: bool = True ) -> Dict[str, Any]: """Extract packets within specific time range""" try: # Validate input file if not Path(input_file).exists(): return {"status": "❌ Error", "error": "Input file not found"} # Generate output filename if not provided if not output_file: timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") output_file = f"/tmp/time_slice_{Path(input_file).stem}_{timestamp}.pcap" # Convert time formats start_str = self._format_time(start_time) end_str = self._format_time(end_time) # Build command cmd = [self.tool] if start_str: cmd.extend(["-A", start_str]) if end_str: cmd.extend(["-B", end_str]) if not preserve_comments: cmd.append("--discard-packet-comments") cmd.extend([input_file, output_file]) # Execute result = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await result.communicate() if result.returncode == 0: # Get basic statistics if Path(output_file).exists(): file_size = Path(output_file).stat().st_size stats = {"file_size_bytes": file_size, "output_exists": True} else: stats = {"output_exists": False} return { "status": "✅ Success", "input_file": input_file, "output_file": output_file, "time_range": {"start": start_str, "end": end_str}, "statistics": stats, "message": stdout.decode().strip() } else: return { "status": "❌ Error", "error": stderr.decode().strip() } except Exception as e: return {"status": "❌ Error", "error": str(e)} def _format_time(self, time_input: str) -> str: """Format time for editcap""" if not time_input: return "" # If it looks like ISO format, convert it if "T" in str(time_input) or "-" in str(time_input): try: dt = datetime.fromisoformat(time_input.replace("Z", "+00:00")) return dt.strftime("%Y-%m-%d %H:%M:%S") except: return str(time_input) return str(time_input) @server.list_tools() async def list_tools() -> List[Tool]: """List all available enhanced Wireshark MCP tools.""" logger.info("📋 Listing Enhanced Wireshark MCP tools") return [ # Original tools Tool( name="wireshark_system_info", description="Get system information and available network interfaces", inputSchema={ "type": "object", "properties": { "info_type": { "type": "string", "enum": ["interfaces", "capabilities", "system", "all"], "description": "Type of system information to retrieve", "default": "all" } } } ), Tool( name="wireshark_validate_setup", description="Validate Wireshark installation and dependencies", inputSchema={ "type": "object", "properties": { "full_check": { "type": "boolean", "description": "Perform comprehensive validation", "default": False } } } ), Tool( name="wireshark_generate_filter", description="Generate Wireshark display filters from natural language descriptions", inputSchema={ "type": "object", "properties": { "description": { "type": "string", "description": "Natural language description of desired traffic" }, "complexity": { "type": "string", "enum": ["simple", "intermediate", "advanced"], "description": "Desired filter complexity level", "default": "intermediate" } }, "required": ["description"] } ), Tool( name="wireshark_live_capture", description="Capture live network traffic with intelligent filtering", inputSchema={ "type": "object", "properties": { "interface": { "type": "string", "description": "Network interface to capture from (e.g., 'eth0', 'any')" }, "duration": { "type": "integer", "description": "Capture duration in seconds", "default": 60 }, "filter": { "type": "string", "description": "Wireshark display filter", "default": "" }, "max_packets": { "type": "integer", "description": "Maximum number of packets to capture", "default": 1000 } }, "required": ["interface"] } ), Tool( name="wireshark_analyze_pcap", description="Analyze existing PCAP files with comprehensive reporting", inputSchema={ "type": "object", "properties": { "filepath": { "type": "string", "description": "Path to PCAP/PCAPNG file" }, "analysis_type": { "type": "string", "enum": ["quick", "comprehensive", "security", "performance"], "description": "Type of analysis to perform", "default": "comprehensive" } }, "required": ["filepath"] } ), # NEW: Real-time JSON Packet Capture Tool( name="wireshark_realtime_json_capture", description="Capture live network traffic in real-time JSON format with streaming support", inputSchema={ "type": "object", "properties": { "interface": { "type": "string", "description": "Network interface to capture from (e.g., 'eth0', 'any')" }, "duration": { "type": "integer", "description": "Capture duration in seconds", "default": 30 }, "filter": { "type": "string", "description": "BPF capture filter", "default": "" }, "max_packets": { "type": "integer", "description": "Maximum number of packets to capture", "default": 1000 }, "json_format": { "type": "string", "enum": ["ek", "json", "jsonraw"], "description": "JSON output format (ek=Elasticsearch, json=standard, jsonraw=raw)", "default": "ek" } }, "required": ["interface"] } ), # NEW: Protocol Statistics & Conversations Tool( name="wireshark_protocol_statistics", description="Generate comprehensive protocol statistics and conversation analysis", inputSchema={ "type": "object", "properties": { "source": { "type": "string", "description": "Source: 'live' for interface or path to PCAP file" }, "analysis_type": { "type": "string", "enum": ["protocol_hierarchy", "conversations", "endpoints", "io_stats", "all"], "description": "Type of statistical analysis", "default": "all" }, "protocol": { "type": "string", "enum": ["tcp", "udp", "ip", "all"], "description": "Protocol to analyze for conversations", "default": "all" }, "time_interval": { "type": "integer", "description": "Time interval for I/O statistics (seconds)", "default": 60 } }, "required": ["source"] } ), # ENHANCED: PCAP File Analysis with more features Tool( name="wireshark_analyze_pcap_enhanced", description="Enhanced PCAP file analysis with streaming support for large files", inputSchema={ "type": "object", "properties": { "filepath": { "type": "string", "description": "Path to PCAP/PCAPNG file" }, "analysis_type": { "type": "string", "enum": ["quick", "comprehensive", "security", "performance", "conversations", "statistics"], "description": "Type of analysis to perform", "default": "comprehensive" }, "chunk_size": { "type": "integer", "description": "Number of packets to process at once (for large files)", "default": 10000 }, "output_format": { "type": "string", "enum": ["text", "json", "summary"], "description": "Output format for analysis results", "default": "json" } }, "required": ["filepath"] } ), # ADVANCED TOOL: PCAP Time Slicer Tool( name="wireshark_pcap_time_slice", description="Extract specific time windows from PCAP captures using editcap", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Path to input PCAP file" }, "start_time": { "type": "string", "description": "Start time (ISO format: YYYY-MM-DDThh:mm:ss or Unix epoch)" }, "end_time": { "type": "string", "description": "End time (ISO format: YYYY-MM-DDThh:mm:ss or Unix epoch)" }, "output_file": { "type": "string", "description": "Output file path (optional)", "default": None } }, "required": ["input_file", "start_time", "end_time"] } ) , # ===== ALL 10 ADVANCED TOOLS ===== Tool( name="wireshark_pcap_time_slice", description="Extract specific time windows from PCAP captures using editcap", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "start_time": { "type": "string", "description": "Start time (ISO format: YYYY-MM-DDThh:mm:ss or Unix epoch)" }, "end_time": { "type": "string", "description": "End time (ISO format: YYYY-MM-DDThh:mm:ss or Unix epoch)" }, "output_file": { "type": "string", "description": "Output file path (optional)", "default": None }, "mode": { "type": "string", "enum": ["time_range", "duration", "relative"], "description": "Slicing mode", "default": "time_range" }, "duration_seconds": { "type": "integer", "description": "Duration in seconds (for duration mode)", "default": 60 }, "start_offset": { "type": "number", "description": "Start offset in seconds (for relative mode)", "default": 0 }, "end_offset": { "type": "number", "description": "End offset in seconds (for relative mode)", "default": 60 } }, "required": ["input_file", "start_time"], "additionalProperties": False } ), Tool( name="wireshark_pcap_split", description="Split large PCAP files by packets, time, or size", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "split_by": { "type": "string", "enum": ["packets", "time", "size"], "description": "Split criteria", "default": "packets" }, "value": { "type": "integer", "description": "Split value (packets count, seconds, or MB)", "default": 1000 }, "output_prefix": { "type": "string", "description": "Output file prefix (optional)", "default": None } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_pcap_merge", description="Intelligently merge multiple PCAP files", inputSchema={ "type": "object", "properties": { "input_files": { "type": "array", "items": {"type": "string"}, "description": "List of PCAP files to merge" }, "output_file": { "type": "string", "description": "Output file path (optional)", "default": None }, "mode": { "type": "string", "enum": ["chronological", "append"], "description": "Merge mode", "default": "chronological" }, "remove_duplicates": { "type": "boolean", "description": "Remove duplicate packets", "default": False } }, "required": ["input_files"], "additionalProperties": False } ), Tool( name="wireshark_hex_to_pcap", description="Convert hex dumps to analyzable PCAP format", inputSchema={ "type": "object", "properties": { "hex_input": { "type": "string", "description": "Hex dump string or file path" }, "output_file": { "type": "string", "description": "Output PCAP file path (optional)", "default": None }, "encapsulation": { "type": "string", "enum": ["ethernet", "ip", "udp", "tcp"], "description": "Encapsulation type", "default": "ethernet" }, "add_fake_headers": { "type": "boolean", "description": "Add fake headers for incomplete data", "default": True } }, "required": ["hex_input"], "additionalProperties": False } ), Tool( name="wireshark_http_analyze", description="Deep HTTP/HTTPS transaction analysis", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "analysis_type": { "type": "string", "enum": ["flows", "performance", "objects"], "description": "Type of HTTP analysis", "default": "flows" }, "include_bodies": { "type": "boolean", "description": "Include HTTP request/response bodies", "default": True }, "decode_gzip": { "type": "boolean", "description": "Decode gzip-compressed content", "default": True }, "output_dir": { "type": "string", "description": "Output directory for extracted objects", "default": None } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_dns_analyze", description="DNS traffic intelligence and tunneling detection", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "analysis_type": { "type": "string", "enum": ["queries", "tunneling", "response"], "description": "Type of DNS analysis", "default": "queries" }, "group_by_domain": { "type": "boolean", "description": "Group results by domain", "default": True }, "entropy_threshold": { "type": "number", "description": "Entropy threshold for tunneling detection", "default": 3.5 } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_ssl_inspect", description="SSL/TLS certificate analysis and traffic decryption", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "analysis_type": { "type": "string", "enum": ["handshakes", "decrypt", "certificates"], "description": "Type of SSL/TLS analysis", "default": "handshakes" }, "keylog_file": { "type": "string", "description": "SSL keylog file for decryption", "default": None }, "rsa_key_file": { "type": "string", "description": "RSA private key file for decryption", "default": None } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_latency_profile", description="Network latency and performance profiling", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "analysis_type": { "type": "string", "enum": ["tcp", "application", "heatmap"], "description": "Type of latency analysis", "default": "tcp" }, "protocol": { "type": "string", "description": "Application protocol (for application analysis)", "default": "http" }, "percentiles": { "type": "array", "items": {"type": "integer"}, "description": "Percentiles to calculate", "default": [50, 90, 95, 99] }, "time_bucket_seconds": { "type": "integer", "description": "Time bucket size for heatmap", "default": 60 } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_threat_detect", description="AI-powered network threat detection", inputSchema={ "type": "object", "properties": { "input_file": { "type": "string", "description": "Input PCAP file path" }, "threat_type": { "type": "string", "enum": ["port_scan", "ddos", "anomaly"], "description": "Type of threat to detect", "default": "port_scan" }, "threshold_ports": { "type": "integer", "description": "Port threshold for scan detection", "default": 10 }, "time_window": { "type": "integer", "description": "Time window in seconds", "default": 60 }, "model_path": { "type": "string", "description": "ML model path for anomaly detection", "default": None } }, "required": ["input_file"], "additionalProperties": False } ), Tool( name="wireshark_remote_capture", description="Distributed packet capture via SSH", inputSchema={ "type": "object", "properties": { "capture_mode": { "type": "string", "enum": ["single", "multi"], "description": "Single or multi-host capture", "default": "single" }, "host": { "type": "string", "description": "Remote host for single capture" }, "hosts": { "type": "array", "items": { "type": "object", "properties": { "host": {"type": "string"}, "username": {"type": "string"}, "interface": {"type": "string", "default": "any"} } }, "description": "Host list for multi capture" }, "username": { "type": "string", "description": "SSH username" }, "password": { "type": "string", "description": "SSH password (optional)", "default": None }, "key_file": { "type": "string", "description": "SSH key file path (optional)", "default": None }, "interface": { "type": "string", "description": "Network interface", "default": "any" }, "filter": { "type": "string", "description": "Capture filter", "default": "" }, "duration": { "type": "integer", "description": "Capture duration in seconds", "default": 60 }, "synchronized": { "type": "boolean", "description": "Synchronize multi-host capture", "default": True } }, "required": ["username"], "additionalProperties": False } ) ] @server.call_tool() async def call_tool(name: str, arguments: Dict[str, Any]) -> List[TextContent]: """Handle tool calls for enhanced Wireshark MCP operations.""" logger.info(f"🔧 Calling tool: {name} with args: {arguments}") try: # Original tools if name == "wireshark_system_info": return await handle_system_info(arguments) elif name == "wireshark_validate_setup": return await handle_validate_setup(arguments) elif name == "wireshark_generate_filter": return await handle_generate_filter(arguments) elif name == "wireshark_live_capture": return await handle_live_capture(arguments) elif name == "wireshark_analyze_pcap": return await handle_analyze_pcap(arguments) # New enhanced tools elif name == "wireshark_realtime_json_capture": return await handle_realtime_json_capture(arguments) elif name == "wireshark_protocol_statistics": return await handle_protocol_statistics(arguments) elif name == "wireshark_analyze_pcap_enhanced": return await handle_analyze_pcap_enhanced(arguments) elif name == "wireshark_pcap_time_slice": return await handle_pcap_time_slice(arguments) # Route all advanced tools elif name.startswith("wireshark_pcap_") or name.startswith("wireshark_http_") or \ name.startswith("wireshark_dns_") or name.startswith("wireshark_ssl_") or \ name.startswith("wireshark_latency_") or name.startswith("wireshark_threat_") or \ name.startswith("wireshark_hex_") or name.startswith("wireshark_remote_"): return await handle_advanced_tool(name, arguments) else: return [TextContent(type="text", text=f"❌ Unknown tool: {name}")] except Exception as e: logger.error(f"❌ Error calling tool {name}: {e}") return [TextContent(type="text", text=f"❌ Error: {str(e)}")] async def handle_realtime_json_capture(args: Dict[str, Any]) -> List[TextContent]: """Handle real-time JSON packet capture with streaming support.""" interface = args.get("interface", "any") duration = args.get("duration", 30) filter_expr = args.get("filter", "") max_packets = args.get("max_packets", 1000) json_format = args.get("json_format", "ek") capture_id = f"capture_{int(time.time())}" try: # Create temporary file for capture temp_file = tempfile.NamedTemporaryFile(suffix='.pcap', delete=False) temp_file.close() # Build TShark command for real-time JSON output tshark_cmd = [ "tshark", "-i", interface, "-T", json_format, # JSON output format "-l", # Line buffering for real-time output "-c", str(max_packets), "-a", f"duration:{duration}" ] if filter_expr: tshark_cmd.extend(["-f", filter_expr]) logger.info(f"Starting real-time JSON capture: {' '.join(tshark_cmd)}") # Start capture process process = await asyncio.create_subprocess_exec( *tshark_cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) # Store active capture info ACTIVE_CAPTURES[capture_id] = { "process": process, "interface": interface, "started_at": datetime.now().isoformat(), "packets": [] } # Stream packets packets_captured = 0 packet_buffer = [] start_time = time.time() while True: try: # Read line with timeout line = await asyncio.wait_for( process.stdout.readline(), timeout=1.0 ) if not line: break # Parse JSON packet try: packet_json = json.loads(line.decode()) packet_buffer.append(packet_json) packets_captured += 1 # Batch packets for efficiency if len(packet_buffer) >= 10: ACTIVE_CAPTURES[capture_id]["packets"].extend(packet_buffer) packet_buffer.clear() except json.JSONDecodeError: continue # Check limits if packets_captured >= max_packets: break if time.time() - start_time >= duration: break except asyncio.TimeoutError: # Check if process is still running if process.returncode is not None: break continue # Flush remaining packets if packet_buffer: ACTIVE_CAPTURES[capture_id]["packets"].extend(packet_buffer) # Terminate process if still running if process.returncode is None: process.terminate() await process.wait() # Get capture statistics capture_stats = { "capture_id": capture_id, "status": "✅ Capture Complete", "interface": interface, "duration": f"{time.time() - start_time:.2f} seconds", "filter": filter_expr or "none", "packets_captured": packets_captured, "json_format": json_format, "sample_packets": ACTIVE_CAPTURES[capture_id]["packets"][:5], # First 5 packets as sample "total_packets_stored": len(ACTIVE_CAPTURES[capture_id]["packets"]) } # Generate summary statistics if packets_captured > 0: protocol_summary = {} for packet in ACTIVE_CAPTURES[capture_id]["packets"]: # Extract protocol info based on format if json_format == "ek": layers = packet.get("layers", {}) for layer in layers: protocol_summary[layer] = protocol_summary.get(layer, 0) + 1 elif json_format == "json": # Handle standard JSON format source = packet.get("_source", {}) layers = source.get("layers", {}) for layer in layers: protocol_summary[layer] = protocol_summary.get(layer, 0) + 1 capture_stats["protocol_summary"] = protocol_summary return [TextContent( type="text", text=f"📡 **Real-time JSON Capture Results**\n\n```json\n{json.dumps(capture_stats, indent=2)}\n```\n\n**Note**: Full packet data stored in memory. Use capture_id '{capture_id}' to retrieve all packets." )] except Exception as e: return [TextContent( type="text", text=f"❌ **Real-time Capture Failed**\n\nError: {str(e)}\n\nTroubleshooting:\n- Verify interface with: ip link show\n- Check permissions: groups $USER\n- Ensure TShark supports JSON: tshark -T ek -h" )] async def handle_protocol_statistics(args: Dict[str, Any]) -> List[TextContent]: """Generate comprehensive protocol statistics and conversation analysis.""" source = args.get("source", "") analysis_type = args.get("analysis_type", "all") protocol = args.get("protocol", "all") time_interval = args.get("time_interval", 60) if not source: return [TextContent(type="text", text="❌ Error: No source specified")] statistics_results = {} try: # Protocol Hierarchy Statistics if analysis_type in ["protocol_hierarchy", "all"]: logger.info("Generating protocol hierarchy statistics...") cmd = ["tshark", "-q", "-z", "io,phs"] if source != "live": cmd.extend(["-r", source]) else: # For live capture, use temporary capture cmd.extend(["-i", "any", "-a", "duration:10"]) result = await run_tshark_command(cmd) statistics_results["protocol_hierarchy"] = parse_protocol_hierarchy(result.stdout) # Conversation Analysis if analysis_type in ["conversations", "all"]: logger.info("Analyzing network conversations...") conversations = {} protocols_to_analyze = ["tcp", "udp", "ip"] if protocol == "all" else [protocol] for proto in protocols_to_analyze: cmd = ["tshark", "-q", "-z", f"conv,{proto}"] if source != "live": cmd.extend(["-r", source]) else: cmd.extend(["-i", "any", "-a", "duration:10"]) result = await run_tshark_command(cmd) conversations[proto] = parse_conversations(result.stdout) statistics_results["conversations"] = conversations # Endpoint Analysis if analysis_type in ["endpoints", "all"]: logger.info("Analyzing network endpoints...") endpoints = {} protocols_to_analyze = ["tcp", "udp", "ip"] if protocol == "all" else [protocol] for proto in protocols_to_analyze: cmd = ["tshark", "-q", "-z", f"endpoints,{proto}"] if source != "live": cmd.extend(["-r", source]) else: cmd.extend(["-i", "any", "-a", "duration:10"]) result = await run_tshark_command(cmd) endpoints[proto] = parse_endpoints(result.stdout) statistics_results["endpoints"] = endpoints # I/O Statistics (Time-based) if analysis_type in ["io_stats", "all"]: logger.info("Generating I/O statistics...") cmd = ["tshark", "-q", "-z", f"io,stat,{time_interval}"] if source != "live": cmd.extend(["-r", source]) else: cmd.extend(["-i", "any", "-a", "duration:60"]) result = await run_tshark_command(cmd) statistics_results["io_statistics"] = parse_io_statistics(result.stdout) # Generate summary summary = { "source": source, "analysis_type": analysis_type, "timestamp": datetime.now().isoformat(), "statistics": statistics_results } # Add insights if "protocol_hierarchy" in statistics_results: ph = statistics_results["protocol_hierarchy"] if ph.get("total_packets"): summary["insights"] = { "total_packets": ph["total_packets"], "total_bytes": ph.get("total_bytes", "unknown"), "dominant_protocol": max(ph.get("protocols", {}), key=lambda k: ph["protocols"].get(k, {}).get("packets", 0)) if ph.get("protocols") else "none" } return [TextContent( type="text", text=f"📊 **Protocol Statistics & Conversation Analysis**\n\n```json\n{json.dumps(summary, indent=2)}\n```" )] except Exception as e: return [TextContent( type="text", text=f"❌ **Statistics Generation Failed**\n\nError: {str(e)}" )] async def handle_analyze_pcap_enhanced(args: Dict[str, Any]) -> List[TextContent]: """Enhanced PCAP file analysis with streaming support for large files.""" filepath = args.get("filepath", "") analysis_type = args.get("analysis_type", "comprehensive") chunk_size = args.get("chunk_size", 10000) output_format = args.get("output_format", "json") if not filepath or not os.path.exists(filepath): return [TextContent(type="text", text="❌ Error: File not found")] file_size = os.path.getsize(filepath) analysis_results = { "file_info": { "path": filepath, "size": f"{file_size:,} bytes", "size_mb": f"{file_size / 1024 / 1024:.2f} MB" } } try: # Get file info using capinfos logger.info("Getting PCAP file information...") cmd = ["capinfos", "-M", filepath] # Machine-readable output result = await run_tshark_command(cmd) analysis_results["file_metadata"] = parse_capinfos_machine_output(result.stdout) # Perform analysis based on type if analysis_type == "quick": # Quick packet count and basic stats logger.info("Performing quick analysis...") cmd = ["tshark", "-r", filepath, "-q", "-z", "io,phs"] result = await run_tshark_command(cmd) analysis_results["quick_stats"] = parse_protocol_hierarchy(result.stdout) elif analysis_type == "conversations": # Detailed conversation analysis logger.info("Analyzing conversations...") conversations = {} for proto in ["tcp", "udp", "ip"]: cmd = ["tshark", "-r", filepath, "-q", "-z", f"conv,{proto}"] result = await run_tshark_command(cmd) conversations[proto] = parse_conversations(result.stdout) analysis_results["conversations"] = conversations elif analysis_type == "statistics": # Comprehensive statistics logger.info("Generating comprehensive statistics...") # Protocol hierarchy cmd = ["tshark", "-r", filepath, "-q", "-z", "io,phs"] result = await run_tshark_command(cmd) analysis_results["protocol_hierarchy"] = parse_protocol_hierarchy(result.stdout) # Expert info (warnings, errors, etc.) cmd = ["tshark", "-r", filepath, "-q", "-z", "expert"] result = await run_tshark_command(cmd) analysis_results["expert_info"] = parse_expert_info(result.stdout) # HTTP statistics if present cmd = ["tshark", "-r", filepath, "-q", "-z", "http,tree"] result = await run_tshark_command(cmd, ignore_errors=True) if result.returncode == 0: analysis_results["http_stats"] = parse_http_stats(result.stdout) elif analysis_type == "security": # Security-focused analysis logger.info("Performing security analysis...") security_findings = await perform_security_analysis(filepath) analysis_results["security_analysis"] = security_findings elif analysis_type == "performance": # Performance analysis logger.info("Performing performance analysis...") performance_metrics = await perform_performance_analysis(filepath) analysis_results["performance_analysis"] = performance_metrics else: # comprehensive # Run all analyses logger.info("Performing comprehensive analysis...") # Basic statistics cmd = ["tshark", "-r", filepath, "-q", "-z", "io,phs"] result = await run_tshark_command(cmd) analysis_results["protocol_hierarchy"] = parse_protocol_hierarchy(result.stdout) # Conversations conversations = {} for proto in ["tcp", "udp"]: cmd = ["tshark", "-r", filepath, "-q", "-z", f"conv,{proto}"] result = await run_tshark_command(cmd) conversations[proto] = parse_conversations(result.stdout) analysis_results["conversations"] = conversations # Expert info cmd = ["tshark", "-r", filepath, "-q", "-z", "expert"] result = await run_tshark_command(cmd) analysis_results["expert_info"] = parse_expert_info(result.stdout) # Security checks analysis_results["security_analysis"] = await perform_security_analysis(filepath) # Performance metrics analysis_results["performance_analysis"] = await perform_performance_analysis(filepath) # Format output if output_format == "json": return [TextContent( type="text", text=f"📊 **Enhanced PCAP Analysis Results**\n\n```json\n{json.dumps(analysis_results, indent=2)}\n```" )] elif output_format == "summary": summary = generate_analysis_summary(analysis_results) return [TextContent(type="text", text=summary)] else: # text text_output = generate_text_report(analysis_results) return [TextContent(type="text", text=text_output)] except Exception as e: return [TextContent( type="text", text=f"❌ **PCAP Analysis Failed**\n\nError: {str(e)}" )] async def handle_pcap_time_slice(args: Dict[str, Any]) -> List[TextContent]: """Handle PCAP time slicing using the WiresharkPCAPTimeSlicer.""" try: slicer = WiresharkPCAPTimeSlicer() result = await slicer.slice_by_time_range( input_file=args.get("input_file"), start_time=args.get("start_time"), end_time=args.get("end_time"), output_file=args.get("output_file") ) # Format the result for display if result["status"] == "✅ Success": formatted_result = f"""🦈 **PCAP Time Slice Results** ✅ **Operation Successful** 📁 **Files:** - Input: {result['input_file']} - Output: {result['output_file']} ⏰ **Time Range:** - Start: {result['time_range']['start']} - End: {result['time_range']['end']} 📊 **Statistics:** ```json {json.dumps(result['statistics'], indent=2)} ```""" else: formatted_result = f"❌ **PCAP Time Slice Failed**\n\nError: {result.get('error', 'Unknown error')}" return [TextContent(type="text", text=formatted_result)] except Exception as e: return [TextContent( type="text", text=f"❌ **PCAP Time Slice Failed**\n\nError: {str(e)}" )] # Universal handler for all advanced tools async def handle_advanced_tool(tool_name: str, arguments: Dict[str, Any]) -> List[TextContent]: """Handle all advanced tools with a single dispatcher.""" try: # Map tool names to classes and methods tool_map = { "wireshark_pcap_time_slice": (WiresharkPCAPTimeSlicer, "slice_by_time_range"), "wireshark_pcap_split": (WiresharkPCAPSplitter, "split_pcap"), "wireshark_pcap_merge": (WiresharkPCAPMerger, "merge_pcaps"), "wireshark_hex_to_pcap": (WiresharkHexToPCAP, "convert_hex_to_pcap"), "wireshark_http_analyze": (WiresharkHTTPAnalyzer, "analyze_http_traffic"), "wireshark_dns_analyze": (WiresharkDNSAnalyzer, "analyze_dns_queries"), "wireshark_ssl_inspect": (WiresharkSSLInspector, "inspect_ssl_traffic"), "wireshark_latency_profile": (WiresharkLatencyProfiler, "profile_latency"), "wireshark_threat_detect": (WiresharkThreatDetector, "detect_threats"), "wireshark_remote_capture": (WiresharkRemoteCapture, "capture_remote") } if tool_name in tool_map: tool_class, method_name = tool_map[tool_name] instance = tool_class() method = getattr(instance, method_name) result = await method(**arguments) # Format result if result.get("status") == "✅ Success": formatted = f"🦈 **{tool_name.replace('_', ' ').title()} Results**\n\n✅ Success\n\n```json\n{json.dumps(result, indent=2)}\n```" else: formatted = f"❌ **{tool_name} Failed**\n\nError: {result.get('error', 'Unknown error')}" return [TextContent(type="text", text=formatted)] else: return [TextContent(type="text", text=f"❌ Unknown advanced tool: {tool_name}")] except Exception as e: return [TextContent(type="text", text=f"❌ Advanced tool error: {str(e)}")] # Helper functions async def run_tshark_command(cmd: List[str], timeout: int = 300, ignore_errors: bool = False) -> subprocess.CompletedProcess: """Run a TShark command with timeout and error handling.""" try: result = await asyncio.wait_for( asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ), timeout=timeout ) stdout, stderr = await result.communicate() if result.returncode != 0 and not ignore_errors: raise RuntimeError(f"Command failed: {stderr.decode()}") return subprocess.CompletedProcess( cmd, result.returncode, stdout.decode(), stderr.decode() ) except asyncio.TimeoutError: raise RuntimeError(f"Command timed out after {timeout} seconds") def parse_protocol_hierarchy(output: str) -> Dict[str, Any]: """Parse TShark protocol hierarchy statistics output.""" lines = output.strip().split('\n') stats = { "protocols": {}, "total_packets": 0, "total_bytes": 0 } for line in lines: if "frames:" in line and "bytes:" in line: # Parse protocol line match = re.search(r'(\S+)\s+frames:(\d+)\s+bytes:(\d+)', line) if match: protocol = match.group(1).strip() frames = int(match.group(2)) bytes_count = int(match.group(3)) stats["protocols"][protocol] = { "packets": frames, "bytes": bytes_count } # Update totals for top-level protocols if not line.startswith(' '): stats["total_packets"] += frames stats["total_bytes"] += bytes_count return stats def parse_conversations(output: str) -> Dict[str, Any]: """Parse TShark conversation statistics output.""" lines = output.strip().split('\n') conversations = [] # Find the data section data_started = False for line in lines: if '<->' in line and not line.startswith('='): data_started = True # Parse conversation line parts = line.split() if len(parts) >= 10: conversations.append({ "address_a": parts[0], "port_a": parts[1] if len(parts) > 1 else "N/A", "address_b": parts[3], "port_b": parts[4] if len(parts) > 4 else "N/A", "packets_a_to_b": int(parts[5]) if parts[5].isdigit() else 0, "bytes_a_to_b": int(parts[6]) if parts[6].isdigit() else 0, "packets_b_to_a": int(parts[8]) if len(parts) > 8 and parts[8].isdigit() else 0, "bytes_b_to_a": int(parts[9]) if len(parts) > 9 and parts[9].isdigit() else 0 }) return { "count": len(conversations), "conversations": conversations[:10], # Top 10 conversations "total_listed": len(conversations) } def parse_endpoints(output: str) -> Dict[str, Any]: """Parse TShark endpoint statistics output.""" lines = output.strip().split('\n') endpoints = [] for line in lines: if re.match(r'^\d+\.\d+\.\d+\.\d+', line) or re.match(r'^[0-9a-fA-F:]+', line): parts = line.split() if len(parts) >= 3: endpoints.append({ "address": parts[0], "packets": int(parts[1]) if parts[1].isdigit() else 0, "bytes": int(parts[2]) if parts[2].isdigit() else 0 }) # Sort by packets endpoints.sort(key=lambda x: x["packets"], reverse=True) return { "count": len(endpoints), "top_talkers": endpoints[:10], # Top 10 endpoints "total_endpoints": len(endpoints) } def parse_io_statistics(output: str) -> Dict[str, Any]: """Parse TShark I/O statistics output.""" lines = output.strip().split('\n') intervals = [] for line in lines: if "Interval:" in line or "-" in line and "|" in line: # Parse interval line match = re.search(r'(\d+\.\d+)\s*-\s*(\d+\.\d+)\s+(\d+)', line) if match: intervals.append({ "start": float(match.group(1)), "end": float(match.group(2)), "packets": int(match.group(3)) }) return { "interval_count": len(intervals), "intervals": intervals } def parse_capinfos_machine_output(output: str) -> Dict[str, Any]: """Parse capinfos machine-readable output.""" info = {} for line in output.strip().split('\n'): if '\t' in line: key, value = line.split('\t', 1) info[key] = value return info def parse_expert_info(output: str) -> Dict[str, Any]: """Parse TShark expert info output.""" expert_info = { "errors": 0, "warnings": 0, "notes": 0, "chats": 0 } for line in output.split('\n'): if "Errors" in line: match = re.search(r'Errors\s*\((\d+)\)', line) if match: expert_info["errors"] = int(match.group(1)) elif "Warnings" in line: match = re.search(r'Warnings\s*\((\d+)\)', line) if match: expert_info["warnings"] = int(match.group(1)) elif "Notes" in line: match = re.search(r'Notes\s*\((\d+)\)', line) if match: expert_info["notes"] = int(match.group(1)) elif "Chats" in line: match = re.search(r'Chats\s*\((\d+)\)', line) if match: expert_info["chats"] = int(match.group(1)) return expert_info def parse_http_stats(output: str) -> Dict[str, Any]: """Parse HTTP statistics from TShark output.""" http_stats = { "requests": 0, "responses": 0, "methods": {}, "status_codes": {} } # Simple parsing - can be enhanced for line in output.split('\n'): if "GET" in line: http_stats["methods"]["GET"] = http_stats["methods"].get("GET", 0) + 1 elif "POST" in line: http_stats["methods"]["POST"] = http_stats["methods"].get("POST", 0) + 1 # Add more parsing as needed return http_stats async def perform_security_analysis(filepath: str) -> Dict[str, Any]: """Perform security-focused analysis on PCAP file.""" security_findings = { "suspicious_patterns": {}, "threat_indicators": 0 } # Security checks security_checks = [ ("TCP SYN Flood", "tcp.flags.syn==1 and tcp.flags.ack==0"), ("Port Scan", "tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024"), ("DNS Tunneling", "dns and frame.len > 512"), ("Suspicious HTTP", "http.request.method == POST and frame.len > 8192"), ("Non-standard Ports", "tcp.port > 49151 or udp.port > 49151"), ("ICMP Tunneling", "icmp and data.len > 48"), ("ARP Spoofing", "arp.opcode == 2") ] for check_name, filter_expr in security_checks: try: cmd = ["tshark", "-r", filepath, "-Y", filter_expr, "-T", "fields", "-e", "frame.number"] result = await run_tshark_command(cmd, timeout=60) if result.stdout.strip(): count = len(result.stdout.strip().split('\n')) security_findings["suspicious_patterns"][check_name] = count security_findings["threat_indicators"] += 1 except Exception as e: logger.warning(f"Security check '{check_name}' failed: {e}") return security_findings async def perform_performance_analysis(filepath: str) -> Dict[str, Any]: """Perform performance-focused analysis on PCAP file.""" performance_metrics = { "tcp_issues": {}, "overall_health": "Unknown" } # TCP performance checks tcp_checks = [ ("Retransmissions", "tcp.analysis.retransmission"), ("Duplicate ACKs", "tcp.analysis.duplicate_ack"), ("Zero Window", "tcp.analysis.zero_window"), ("Window Full", "tcp.analysis.window_full"), ("Out of Order", "tcp.analysis.out_of_order"), ("Fast Retransmission", "tcp.analysis.fast_retransmission") ] total_issues = 0 for check_name, filter_expr in tcp_checks: try: cmd = ["tshark", "-r", filepath, "-Y", filter_expr, "-T", "fields", "-e", "frame.number"] result = await run_tshark_command(cmd, timeout=60) if result.stdout.strip(): count = len(result.stdout.strip().split('\n')) performance_metrics["tcp_issues"][check_name] = count total_issues += count except Exception as e: logger.warning(f"Performance check '{check_name}' failed: {e}") # Determine overall health if total_issues == 0: performance_metrics["overall_health"] = "Excellent" elif total_issues < 100: performance_metrics["overall_health"] = "Good" elif total_issues < 1000: performance_metrics["overall_health"] = "Fair" else: performance_metrics["overall_health"] = "Poor" performance_metrics["total_issues"] = total_issues return performance_metrics def generate_analysis_summary(results: Dict[str, Any]) -> str: """Generate a human-readable summary of analysis results.""" summary = "📊 **PCAP Analysis Summary**\n\n" # File info if "file_info" in results: summary += f"**File**: {results['file_info']['path']}\n" summary += f"**Size**: {results['file_info']['size_mb']}\n\n" # Metadata if "file_metadata" in results: meta = results["file_metadata"] if "Number of packets" in meta: summary += f"**Total Packets**: {meta['Number of packets']}\n" if "Capture duration" in meta: summary += f"**Duration**: {meta['Capture duration']}\n\n" # Protocol summary if "protocol_hierarchy" in results: ph = results["protocol_hierarchy"] summary += "**Top Protocols**:\n" sorted_protos = sorted( ph["protocols"].items(), key=lambda x: x[1]["packets"], reverse=True )[:5] for proto, stats in sorted_protos: summary += f"- {proto}: {stats['packets']:,} packets\n" summary += "\n" # Security findings if "security_analysis" in results: sec = results["security_analysis"] if sec["threat_indicators"] > 0: summary += f"⚠️ **Security Alerts**: {sec['threat_indicators']} suspicious patterns detected\n" for pattern, count in sec["suspicious_patterns"].items(): summary += f"- {pattern}: {count} occurrences\n" summary += "\n" # Performance issues if "performance_analysis" in results: perf = results["performance_analysis"] summary += f"**Network Health**: {perf['overall_health']}\n" if perf["total_issues"] > 0: summary += f"**Performance Issues**: {perf['total_issues']} total\n" for issue, count in perf["tcp_issues"].items(): if count > 0: summary += f"- {issue}: {count}\n" return summary def generate_text_report(results: Dict[str, Any]) -> str: """Generate a detailed text report of analysis results.""" report = "=" * 60 + "\n" report += "ENHANCED PCAP ANALYSIS REPORT\n" report += "=" * 60 + "\n\n" # Recursively format the results def format_dict(d: Dict, indent: int = 0) -> str: output = "" prefix = " " * indent for key, value in d.items(): if isinstance(value, dict): output += f"{prefix}{key}:\n" output += format_dict(value, indent + 1) elif isinstance(value, list): output += f"{prefix}{key}: [{len(value)} items]\n" for i, item in enumerate(value[:3]): # Show first 3 items if isinstance(item, dict): output += f"{prefix} [{i}]:\n" output += format_dict(item, indent + 2) else: output += f"{prefix} - {item}\n" if len(value) > 3: output += f"{prefix} ... and {len(value) - 3} more\n" else: output += f"{prefix}{key}: {value}\n" return output report += format_dict(results) return report # Original handler functions from server.py async def handle_system_info(args: Dict[str, Any]) -> List[TextContent]: """Handle system information requests.""" info_type = args.get("info_type", "all") result = { "wireshark_mcp_server": "3.0.0 Complete - All 18 Tools", "status": "✅ Active", "capabilities": ["Live Capture", "PCAP Analysis", "Filter Generation", "Security Analysis", "JSON Streaming", "Protocol Statistics"] } if info_type in ["interfaces", "all"]: try: # Get network interfaces using ip command interfaces_result = subprocess.run( ["ip", "link", "show"], capture_output=True, text=True, timeout=10 ) if interfaces_result.returncode == 0: interfaces = [] for line in interfaces_result.stdout.split('\n'): if ': ' in line and 'state' in line: interface_name = line.split(':')[1].strip().split('@')[0] interfaces.append(interface_name) result["network_interfaces"] = interfaces else: result["network_interfaces"] = ["Unable to retrieve interfaces"] except Exception as e: result["network_interfaces"] = [f"Error: {str(e)}"] if info_type in ["capabilities", "all"]: result["tools_available"] = [ "System Information", "Setup Validation", "Filter Generation", "Live Capture", "PCAP Analysis", "Real-time JSON Capture", "Protocol Statistics", "Enhanced Analysis", "PCAP Time Slicer", "PCAP Splitter", "PCAP Merger", "Hex-to-PCAP Converter", "HTTP Deep Analyzer", "DNS Query Analyzer", "SSL/TLS Inspector", "Latency Profiler", "Threat Detector", "Remote Capture" ] return [TextContent( type="text", text=f"🦈 **Wireshark MCP System Information**\n\n{json.dumps(result, indent=2)}" )] async def handle_validate_setup(args: Dict[str, Any]) -> List[TextContent]: """Validate Wireshark installation and setup.""" full_check = args.get("full_check", False) validation_results = { "wireshark_mcp_server": "✅ Running (Enhanced Version)", "python_version": f"✅ {os.sys.version.split()[0]}", "dependencies": {} } # Check for required tools tools_to_check = ["tshark", "tcpdump", "dumpcap", "capinfos"] for tool in tools_to_check: try: result = subprocess.run( ["which", tool], capture_output=True, text=True, timeout=5 ) if result.returncode == 0: validation_results["dependencies"][tool] = f"✅ {result.stdout.strip()}" else: validation_results["dependencies"][tool] = "❌ Not found" except Exception as e: validation_results["dependencies"][tool] = f"❌ Error: {str(e)}" # Check permissions try: # Check if we can access network interfaces result = subprocess.run( ["ip", "link", "show"], capture_output=True, text=True, timeout=5 ) if result.returncode == 0: validation_results["network_access"] = "✅ Available" else: validation_results["network_access"] = "❌ Limited" except Exception: validation_results["network_access"] = "❌ Error checking access" # Check enhanced features validation_results["enhanced_features"] = { "json_capture": "✅ Available", "protocol_statistics": "✅ Available", "streaming_analysis": "✅ Available" } return [TextContent( type="text", text=f"🔍 **Wireshark MCP Setup Validation**\n\n{json.dumps(validation_results, indent=2)}" )] async def handle_generate_filter(args: Dict[str, Any]) -> List[TextContent]: """Generate Wireshark filters from natural language with advanced parsing.""" description = args.get("description", "") complexity = args.get("complexity", "intermediate") # Enhanced filter generation with regex patterns and subnet support generated_filter = await advanced_filter_generation(description, complexity) result = { "description": description, "generated_filter": generated_filter["filter"], "complexity": complexity, "suggestions": generated_filter["suggestions"], "matched_patterns": generated_filter["matched_patterns"], "parsing_notes": generated_filter.get("notes", []) } return [TextContent( type="text", text=f"🎯 **Generated Wireshark Filter**\n\n**Input**: {description}\n\n**Filter**: `{generated_filter['filter']}`\n\n**Details**:\n{json.dumps(result, indent=2)}" )] async def handle_live_capture(args: Dict[str, Any]) -> List[TextContent]: """Handle live packet capture with automatic permissions detection.""" interface = args.get("interface", "any") duration = args.get("duration", 60) filter_expr = args.get("filter", "") max_packets = args.get("max_packets", 1000) # Check if we have capture capabilities # Enhanced implementation - try capture regardless of permission check # This allows fallback methods to work even if primary permissions are missing try: capture_result = await perform_live_capture_enhanced(interface, duration, filter_expr, max_packets) return [TextContent( type="text", text=f"📡 **Live Packet Capture Results**\n\n{json.dumps(capture_result, indent=2)}" )] except Exception as e: error_result = { "status": "❌ Capture Failed", "interface": interface, "error": str(e), "troubleshooting": [ "Verify interface name with: ip link show", "Check permissions with: ./test_capture_permissions.py", "Ensure you're in wireshark group: groups $USER" ] } return [TextContent( type="text", text=f"❌ **Live Capture Failed**\n\n{json.dumps(error_result, indent=2)}" )] async def handle_analyze_pcap(args: Dict[str, Any]) -> List[TextContent]: """Handle PCAP file analysis with real packet inspection.""" filepath = args.get("filepath", "") analysis_type = args.get("analysis_type", "comprehensive") if not filepath: return [TextContent(type="text", text="❌ Error: No filepath provided")] # Check if file exists if not os.path.exists(filepath): return [TextContent(type="text", text=f"❌ Error: File not found: {filepath}")] # Check file permissions if not os.access(filepath, os.R_OK): return [TextContent(type="text", text=f"❌ Error: Cannot read file: {filepath}")] try: analysis_result = await analyze_pcap_file(filepath, analysis_type) return [TextContent( type="text", text=f"📊 **PCAP Analysis Results**\n\n{json.dumps(analysis_result, indent=2)}" )] except Exception as e: error_result = { "status": "❌ Analysis Failed", "file": filepath, "error": str(e), "troubleshooting": [ "Verify file is a valid PCAP/PCAPNG file", "Check file permissions: ls -la", "Try with tshark: tshark -r filename.pcap" ] } return [TextContent( type="text", text=f"❌ **PCAP Analysis Failed**\n\n{json.dumps(error_result, indent=2)}" )] # Helper functions from original server.py async def check_capture_permissions() -> bool: """Check if we have permissions to capture packets without sudo.""" try: # Test dumpcap first (preferred method) result = subprocess.run( ["dumpcap", "-D"], # List interfaces capture_output=True, text=True, timeout=5 ) if result.returncode == 0 and "Capture interface" in result.stdout: return True except Exception: pass try: # Test tshark as fallback result = subprocess.run( ["tshark", "-D"], # List interfaces capture_output=True, text=True, timeout=5 ) if result.returncode == 0 and len(result.stdout.strip()) > 0: return True except Exception: pass return False async def perform_live_capture(interface: str, duration: int, filter_expr: str, max_packets: int) -> Dict[str, Any]: """Perform actual live packet capture using available tools.""" # Create temporary file for capture temp_file = tempfile.NamedTemporaryFile(suffix='.pcap', delete=False) temp_file.close() try: # Try dumpcap first (most secure) capture_cmd = [ "dumpcap", "-i", interface, "-c", str(max_packets), "-a", f"duration:{duration}", "-w", temp_file.name ] if filter_expr: capture_cmd.extend(["-f", filter_expr]) logger.info(f"Starting packet capture: {' '.join(capture_cmd)}") # Run capture with timeout result = subprocess.run( capture_cmd, capture_output=True, text=True, timeout=duration + 10 # Extra time for cleanup ) if result.returncode != 0: # Try tshark as fallback capture_cmd = [ "tshark", "-i", interface, "-c", str(max_packets), "-a", f"duration:{duration}", "-w", temp_file.name ] if filter_expr: capture_cmd.extend(["-f", filter_expr]) result = subprocess.run( capture_cmd, capture_output=True, text=True, timeout=duration + 10 ) # Analyze the captured file file_size = os.path.getsize(temp_file.name) if os.path.exists(temp_file.name) else 0 if file_size > 0: # Get packet count using tshark try: count_result = subprocess.run( ["tshark", "-r", temp_file.name, "-T", "fields", "-e", "frame.number"], capture_output=True, text=True, timeout=10 ) packet_count = len(count_result.stdout.strip().split('\n')) if count_result.stdout.strip() else 0 except Exception: packet_count = "unknown" capture_result = { "status": "✅ Capture Successful", "interface": interface, "duration": f"{duration} seconds", "filter": filter_expr or "none", "packets_captured": packet_count, "file_size": f"{file_size} bytes", "capture_file": temp_file.name, "note": "Capture file saved temporarily - analyze quickly before cleanup" } else: capture_result = { "status": "⚠️ No Packets Captured", "interface": interface, "duration": f"{duration} seconds", "filter": filter_expr or "none", "possible_reasons": [ "Interface has no traffic", "Filter too restrictive", "Interface not active", "Permission issues" ] } return capture_result except subprocess.TimeoutExpired: return { "status": "⚠️ Capture Timeout", "interface": interface, "note": "Capture took longer than expected - may have succeeded partially" } except Exception as e: return { "status": "❌ Capture Error", "interface": interface, "error": str(e) } finally: # Clean up temp file after a delay (allow time for analysis) try: if os.path.exists(temp_file.name): # Schedule cleanup after 5 minutes asyncio.create_task(delayed_cleanup(temp_file.name, 300)) except Exception: pass async def perform_live_capture_enhanced(interface: str, duration: int, filter_expr: str, max_packets: int) -> Dict[str, Any]: """Enhanced live capture with multiple fallback methods for extended duration support.""" capture_start_time = asyncio.get_event_loop().time() # Method 1: Try traditional tshark first try: cmd = [ 'tshark', '-i', interface, '-c', str(max_packets), '-a', f'duration:{duration}', '-T', 'json' ] if filter_expr: cmd.extend(['-f', filter_expr]) proc = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await asyncio.wait_for(proc.communicate(), timeout=duration + 30) if proc.returncode == 0: try: packets = json.loads(stdout.decode()) if stdout.decode().strip() else [] capture_time = asyncio.get_event_loop().time() - capture_start_time return { "status": "✅ Success", "method_used": "tshark_direct", "interface": interface, "duration": duration, "filter": filter_expr, "packets_captured": len(packets), "max_packets": max_packets, "packets": packets[:10], # Return first 10 for display "capture_time_seconds": round(capture_time, 2), "note": "Direct tshark capture successful" } except json.JSONDecodeError: return { "status": "⚠️ Partial Success", "method_used": "tshark_direct", "interface": interface, "raw_output": stdout.decode()[:1000], "error": "Could not parse JSON output" } else: # Try fallback methods logger.info(f"tshark direct failed ({stderr.decode()[:100]}...), trying fallback methods") return await _enhanced_capture_fallback(interface, duration, filter_expr, max_packets, capture_start_time) except asyncio.TimeoutError: # Try fallback methods even on timeout logger.info(f"tshark timed out after {duration}s, trying fallback methods") return await _enhanced_capture_fallback(interface, duration, filter_expr, max_packets, capture_start_time) except Exception as e: # Try fallback methods on any exception logger.info(f"tshark failed with exception ({str(e)}), trying fallback methods") return await _enhanced_capture_fallback(interface, duration, filter_expr, max_packets, capture_start_time) async def _enhanced_capture_fallback( interface: str, duration: int, filter_expr: str, max_packets: int, start_time: float ) -> Dict[str, Any]: """Enhanced fallback capture methods for when tshark fails due to permissions.""" import tempfile # Method 2: Try tcpdump + tshark analysis (most reliable fallback) try: with tempfile.NamedTemporaryFile(suffix='.pcap', delete=False) as tmp: pcap_file = tmp.name # Build tcpdump command cmd = [ 'timeout', str(duration + 10), # Add buffer time 'tcpdump', '-i', interface, '-w', pcap_file, '-c', str(max_packets), '-q' ] if filter_expr: cmd.append(filter_expr) # Capture with tcpdump proc = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await asyncio.wait_for(proc.communicate(), timeout=duration + 15) if proc.returncode in [0, 124]: # Success or timeout (expected) # Parse with tshark parse_cmd = ['tshark', '-r', pcap_file, '-T', 'json', '-c', str(min(10, max_packets))] parse_proc = await asyncio.create_subprocess_exec( *parse_cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) parse_stdout, parse_stderr = await parse_proc.communicate() if parse_proc.returncode == 0: try: packets = json.loads(parse_stdout.decode()) if parse_stdout.decode().strip() else [] capture_time = asyncio.get_event_loop().time() - start_time # Clean up temp file os.unlink(pcap_file) return { "status": "✅ Success", "method_used": "tcpdump + tshark analysis", "interface": interface, "duration": duration, "filter": filter_expr, "packets_captured": len(packets), "max_packets": max_packets, "packets": packets, "capture_time_seconds": round(capture_time, 2), "note": "Enhanced capture with permission workaround - supports extended duration (5+ minutes)", "recommendation": "Original tshark failed, used tcpdump fallback successfully" } except json.JSONDecodeError: os.unlink(pcap_file) if os.path.exists(pcap_file) else None # Continue to next method pass else: os.unlink(pcap_file) if os.path.exists(pcap_file) else None logger.info(f"tshark parse failed: {parse_stderr.decode()[:100]}") else: os.unlink(pcap_file) if os.path.exists(pcap_file) else None logger.info(f"tcpdump failed: {stderr.decode()[:100]}") except Exception as e: logger.info(f"tcpdump fallback failed: {str(e)}") if 'pcap_file' in locals() and os.path.exists(pcap_file): os.unlink(pcap_file) # Method 3: Try sg wireshark (group switching) try: cmd = [ 'sg', 'wireshark', '-c', f'timeout {duration + 5} tshark -i {interface} -c {max_packets} -T json' ] if filter_expr: cmd[-1] += f' -f "{filter_expr}"' proc = await asyncio.create_subprocess_exec( *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await asyncio.wait_for(proc.communicate(), timeout=duration + 10) if proc.returncode in [0, 124]: try: packets = json.loads(stdout.decode()) if stdout.decode().strip() else [] capture_time = asyncio.get_event_loop().time() - start_time return { "status": "✅ Success", "method_used": "sg wireshark + tshark", "interface": interface, "duration": duration, "filter": filter_expr, "packets_captured": len(packets), "max_packets": max_packets, "packets": packets[:10], "capture_time_seconds": round(capture_time, 2), "note": "Used group switching to access wireshark group", "recommendation": "Consider restarting Claude Desktop to activate wireshark group permanently" } except json.JSONDecodeError: logger.info("sg wireshark: JSON decode failed") else: logger.info(f"sg wireshark failed: {stderr.decode()[:100]}") except Exception as e: logger.info(f"sg wireshark fallback failed: {str(e)}") # All methods failed capture_time = asyncio.get_event_loop().time() - start_time return { "status": "❌ All capture methods failed", "method_used": "none - all fallbacks exhausted", "interface": interface, "duration": duration, "filter": filter_expr, "max_packets": max_packets, "capture_time_seconds": round(capture_time, 2), "error": "Permission denied - tshark, tcpdump, and sg wireshark all failed", "recommendations": [ "1. Run: sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump", "2. Run: sudo usermod -a -G wireshark $USER", "3. Restart Claude Desktop to activate wireshark group", "4. Or use async background capture with: async_long_capture.py" ] } async def delayed_cleanup(filepath: str, delay_seconds: int): """Clean up temporary files after a delay.""" try: await asyncio.sleep(delay_seconds) if os.path.exists(filepath): os.unlink(filepath) logger.info(f"Cleaned up temporary file: {filepath}") except Exception as e: logger.warning(f"Failed to clean up {filepath}: {e}") async def analyze_pcap_file(filepath: str, analysis_type: str) -> Dict[str, Any]: """Analyze PCAP file using tshark for comprehensive packet inspection.""" file_info = { "file": filepath, "file_size": f"{os.path.getsize(filepath)} bytes", "analysis_type": analysis_type } try: # Basic file info using capinfos try: capinfos_result = subprocess.run( ["capinfos", filepath], capture_output=True, text=True, timeout=30 ) if capinfos_result.returncode == 0: file_info["file_details"] = parse_capinfos_output(capinfos_result.stdout) except Exception: # Fallback to tshark for basic info pass # Packet analysis based on type if analysis_type == "quick": analysis_result = await quick_pcap_analysis(filepath) elif analysis_type == "security": analysis_result = await security_pcap_analysis(filepath) elif analysis_type == "performance": analysis_result = await performance_pcap_analysis(filepath) else: # comprehensive analysis_result = await comprehensive_pcap_analysis(filepath) return { "status": "✅ Analysis Complete", "file_info": file_info, **analysis_result } except Exception as e: return { "status": "❌ Analysis Error", "file_info": file_info, "error": str(e) } def parse_capinfos_output(output: str) -> Dict[str, str]: """Parse capinfos output into structured data.""" info = {} for line in output.split('\n'): if ':' in line: key, value = line.split(':', 1) info[key.strip()] = value.strip() return info async def quick_pcap_analysis(filepath: str) -> Dict[str, Any]: """Quick analysis - basic packet counts and protocols.""" try: # Get total packet count count_result = subprocess.run( ["tshark", "-r", filepath, "-T", "fields", "-e", "frame.number"], capture_output=True, text=True, timeout=30 ) total_packets = len(count_result.stdout.strip().split('\n')) if count_result.stdout.strip() else 0 # Get protocol statistics proto_result = subprocess.run( ["tshark", "-r", filepath, "-q", "-z", "ptype,tree"], capture_output=True, text=True, timeout=30 ) protocols = {} if proto_result.returncode == 0: for line in proto_result.stdout.split('\n'): if 'frames:' in line and '%' in line: parts = line.split() if len(parts) >= 3: protocol = parts[-1] count = parts[0] protocols[protocol] = count return { "analysis_summary": { "total_packets": total_packets, "protocols": protocols, "analysis_duration": "< 30 seconds" } } except Exception as e: return {"quick_analysis_error": str(e)} async def security_pcap_analysis(filepath: str) -> Dict[str, Any]: """Security-focused analysis - suspicious patterns and threats.""" try: security_findings = {} # Check for suspicious traffic patterns suspicious_patterns = [ ("TCP SYN flood", "tcp.flags.syn==1 and tcp.flags.ack==0"), ("Port scan indicators", "tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024"), ("DNS tunneling", "dns.qry.name contains \".\" and frame.len > 512"), ("Large HTTP requests", "http.request and frame.len > 8192"), ("Non-standard ports", "tcp.port > 49151 or udp.port > 49151") ] for pattern_name, filter_expr in suspicious_patterns: try: result = subprocess.run( ["tshark", "-r", filepath, "-Y", filter_expr, "-T", "fields", "-e", "frame.number"], capture_output=True, text=True, timeout=30 ) if result.returncode == 0 and result.stdout.strip(): matches = len(result.stdout.strip().split('\n')) security_findings[pattern_name] = f"{matches} occurrences" except Exception: security_findings[pattern_name] = "Analysis failed" return { "security_analysis": security_findings, "threat_indicators": len([v for v in security_findings.values() if "occurrences" in v]) } except Exception as e: return {"security_analysis_error": str(e)} async def performance_pcap_analysis(filepath: str) -> Dict[str, Any]: """Performance analysis - latency, throughput, errors.""" try: performance_metrics = {} # Analyze TCP performance issues tcp_issues = [ ("Retransmissions", "tcp.analysis.retransmission"), ("Duplicate ACKs", "tcp.analysis.duplicate_ack"), ("Zero Window", "tcp.analysis.zero_window"), ("Keep Alive", "tcp.analysis.keep_alive") ] for issue_name, filter_expr in tcp_issues: try: result = subprocess.run( ["tshark", "-r", filepath, "-Y", filter_expr, "-T", "fields", "-e", "frame.number"], capture_output=True, text=True, timeout=30 ) if result.returncode == 0 and result.stdout.strip(): count = len(result.stdout.strip().split('\n')) performance_metrics[issue_name] = count else: performance_metrics[issue_name] = 0 except Exception: performance_metrics[issue_name] = "Analysis failed" return { "performance_analysis": performance_metrics, "network_health": "Good" if sum(v for v in performance_metrics.values() if isinstance(v, int)) == 0 else "Issues detected" } except Exception as e: return {"performance_analysis_error": str(e)} async def comprehensive_pcap_analysis(filepath: str) -> Dict[str, Any]: """Comprehensive analysis combining all analysis types.""" try: # Run all analysis types quick_results = await quick_pcap_analysis(filepath) security_results = await security_pcap_analysis(filepath) performance_results = await performance_pcap_analysis(filepath) # Additional comprehensive statistics comprehensive_stats = {} # Get conversation statistics try: conv_result = subprocess.run( ["tshark", "-r", filepath, "-q", "-z", "conv,tcp"], capture_output=True, text=True, timeout=30 ) if conv_result.returncode == 0: lines = conv_result.stdout.split('\n') tcp_conversations = len([l for l in lines if '<->' in l]) comprehensive_stats["tcp_conversations"] = tcp_conversations except Exception: comprehensive_stats["tcp_conversations"] = "Analysis failed" return { "comprehensive_analysis": { **quick_results, **security_results, **performance_results, "additional_stats": comprehensive_stats } } except Exception as e: return {"comprehensive_analysis_error": str(e)} async def advanced_filter_generation(description: str, complexity: str) -> Dict[str, Any]: """Advanced filter generation with regex patterns, subnet support, and smart parsing.""" description_lower = description.lower() matched_patterns = [] filter_parts = [] notes = [] # Enhanced pattern matching with regex patterns = { # Network patterns with subnet support "ip_address": (r'\b(?:\d{1,3}\.){3}\d{1,3}\b', lambda m: f'ip.addr == {m.group()}'), "subnet_cidr": (r'\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b', lambda m: f'ip.addr == {m.group()}'), "ip_range": (r'\b(?:\d{1,3}\.){3}\d{1,3}\s*-\s*(?:\d{1,3}\.){3}\d{1,3}\b', lambda m: parse_ip_range(m.group())), # Port patterns "port_number": (r'\bport\s+(\d+)\b', lambda m: f'tcp.port == {m.group(1)} or udp.port == {m.group(1)}'), "port_range": (r'\bports?\s+(\d+)\s*-\s*(\d+)\b', lambda m: f'(tcp.port >= {m.group(1)} and tcp.port <= {m.group(2)}) or (udp.port >= {m.group(1)} and udp.port <= {m.group(2)})'), # Protocol patterns "http_traffic": (r'\bhttp\b(?!\w)', lambda m: 'http'), "https_traffic": (r'\bhttps?\s+secure|ssl|tls\b', lambda m: 'tls'), "dns_queries": (r'\bdns\b(?!\w)', lambda m: 'dns'), "email_traffic": (r'\bemail|smtp|pop|imap\b', lambda m: 'smtp or pop or imap'), "ssh_traffic": (r'\bssh\b(?!\w)', lambda m: 'ssh'), "ftp_traffic": (r'\bftp\b(?!\w)', lambda m: 'ftp'), # Advanced patterns "slow_connections": (r'\bslow|high\s+latency|delayed?\b', lambda m: 'tcp.analysis.ack_rtt > 0.1'), "error_traffic": (r'\berrors?|retransmission|failed?\b', lambda m: 'tcp.analysis.retransmission or tcp.analysis.duplicate_ack'), "large_packets": (r'\blarge\s+packets?|big\s+frames?\b', lambda m: 'frame.len > 1500'), # Host patterns "hostname": (r'\b(?:host|server|domain)\s+([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\b', lambda m: f'ip.host == "{m.group(1)}"'), "contains_domain": (r'\b(?:contains?|includes?)\s+([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\b', lambda m: f'http.host contains "{m.group(1)}"'), } # Protocol keyword mapping (fallback) protocol_keywords = { "web": "http or tls", "tcp": "tcp", "udp": "udp", "icmp": "icmp", "ping": "icmp", "arp": "arp", "broadcast": "eth.dst == ff:ff:ff:ff:ff:ff", "multicast": "ip.dst[0:4] == 0x0e" } # Apply regex patterns for pattern_name, (regex, formatter) in patterns.items(): matches = re.finditer(regex, description_lower) for match in matches: try: filter_expr = formatter(match) filter_parts.append(filter_expr) matched_patterns.append(pattern_name) notes.append(f"Detected {pattern_name}: {match.group()}") except Exception as e: notes.append(f"Error parsing {pattern_name}: {str(e)}") # Apply keyword matching if no regex matches if not filter_parts: for keyword, filter_expr in protocol_keywords.items(): if keyword in description_lower: filter_parts.append(filter_expr) matched_patterns.append(f"keyword_{keyword}") # Generate final filter if filter_parts: if len(filter_parts) == 1: final_filter = filter_parts[0] else: # Intelligently combine filters final_filter = combine_filters_intelligently(filter_parts, description_lower) else: # Ultimate fallback if any(word in description_lower for word in ["traffic", "packets", "network"]): final_filter = "tcp or udp" else: final_filter = "tcp" notes.append("Used fallback filter - consider more specific description") # Generate contextual suggestions suggestions = generate_contextual_suggestions(description_lower, matched_patterns) return { "filter": final_filter, "matched_patterns": matched_patterns, "suggestions": suggestions, "notes": notes } def parse_ip_range(range_str: str) -> str: """Parse IP range like '192.168.1.1 - 192.168.1.100' into Wireshark filter.""" try: start_ip, end_ip = [ip.strip() for ip in range_str.split('-')] return f'ip.addr >= {start_ip} and ip.addr <= {end_ip}' except Exception: return f'ip.addr == {range_str}' # Fallback def combine_filters_intelligently(filter_parts: List[str], description: str) -> str: """Intelligently combine multiple filter parts based on context.""" # Check for exclusion words if any(word in description for word in ["not", "except", "exclude", "without"]): # Use NOT logic for exclusions if len(filter_parts) >= 2: return f"({filter_parts[0]}) and not ({filter_parts[1]})" # Check for OR logic indicators if any(word in description for word in ["or", "either", "any"]): return " or ".join(f"({part})" for part in filter_parts) # Default to AND logic return " and ".join(f"({part})" for part in filter_parts) def generate_contextual_suggestions(description: str, matched_patterns: List[str]) -> List[str]: """Generate contextual suggestions based on what was detected.""" suggestions = [] # Basic suggestions suggestions.extend([ "Use specific IP addresses: ip.addr == 192.168.1.1", "Filter by port: tcp.port == 80 or udp.port == 53", "Combine with operators: (http) and (ip.addr == 192.168.1.0/24)" ]) # Context-specific suggestions if any("ip" in pattern for pattern in matched_patterns): suggestions.append("Try subnet notation: ip.addr == 192.168.1.0/24") suggestions.append("Use IP ranges: ip.addr >= 10.0.0.1 and ip.addr <= 10.0.0.100") if any("port" in pattern for pattern in matched_patterns): suggestions.append("Specific protocols: tcp.port == 443 (HTTPS) or udp.port == 53 (DNS)") if any("http" in pattern for pattern in matched_patterns): suggestions.append("HTTP methods: http.request.method == GET") suggestions.append("HTTP hosts: http.host == \"example.com\"") if "slow" in description or "latency" in description: suggestions.append("RTT analysis: tcp.analysis.ack_rtt > 0.05") suggestions.append("Window scaling: tcp.window_size_scalefactor > 1") return suggestions[:6] # Limit to 6 suggestions async def main(): """Main server entry point.""" logger.info("🦈 Starting Enhanced Wireshark MCP Server v2.0") logger.info("✨ Features: JSON Capture, Protocol Statistics, Enhanced Analysis") logger.info("📊 Total Tools Available: 8") async with stdio_server() as (read_stream, write_stream): await server.run( read_stream, write_stream, server.create_initialization_options() ) if __name__ == "__main__": asyncio.run(main())