-
securityA
license-
qualityA comprehensive code analysis and management tool that integrates with Claude Desktop to analyze code at project and file levels, helping adapt changes to projects intelligently.
Last updated -
39
MIT License
Built on Python with specific compatibility requirements (3.9+) for the server implementation
Incorporates VirusTotal's threat intelligence for malware detection and security analysis of network traffic
Provides comprehensive tools for Wireshark-based packet capture, analysis, and security monitoring with AI-enhanced capabilities
🦈 Wireshark MCP Server - Production Ready
Professional Wireshark MCP server with 18 comprehensive network analysis tools for Claude Desktop integration.
🚀 Features
18 Complete Network Analysis Tools - Comprehensive packet analysis suite
Real-time JSON Streaming - Live packet capture in multiple formats
Advanced PCAP Operations - Split, merge, time-slice, and convert files
Security Analysis - Threat detection and anomaly analysis
LLM-Powered Filter Generation - Natural language to Wireshark filters
Enterprise-Ready - Production-grade error handling and logging
📦 Quick Setup
Prerequisites
# Linux (Ubuntu/Debian)
sudo apt-get install wireshark tshark tcpdump python3-pip
# macOS
brew install wireshark tcpdump python3
# Windows
choco install wireshark python3
Installation
git clone https://github.com/priestlypython/wireshark-mcp.git
cd wireshark-mcp
pip install -r requirements.txt
# Configure permissions (Linux)
sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
newgrp wireshark
Claude Desktop Configuration
Add to your claude_desktop_config.json:
{
"mcpServers": {
"wireshark-mcp": {
"command": "python",
"args": ["/path/to/wireshark-mcp/enhanced_server.py"],
"cwd": "/path/to/wireshark-mcp",
"env": {
"PYTHONPATH": "/path/to/wireshark-mcp",
"WIRESHARK_PATH": "/usr/bin",
"TSHARK_PATH": "/usr/bin/tshark",
"TCPDUMP_PATH": "/usr/sbin/tcpdump"
}
}
}
}
🛠️ All 18 Tools
Core Analysis Tools (8)
Tool | Purpose | Output |
| System info & interfaces | JSON with capabilities |
| Validate installation | Dependency status |
| AI filter generation | Wireshark display filter |
| Live packet capture | Packet array |
| PCAP analysis | Comprehensive stats |
| JSON streaming | Real-time packets |
| Protocol analysis | Hierarchy & conversations |
| Advanced analysis | Security & performance |
Advanced Tools (10)
Tool | Purpose | Output |
| Extract time windows | Time-sliced PCAP |
| Split PCAP files | Multiple split files |
| Merge PCAP files | Merged PCAP file |
| Convert hex to PCAP | PCAP file |
| HTTP traffic analysis | Transaction details |
| DNS query analysis | Query patterns & anomalies |
| SSL/TLS inspection | Certificate & cipher info |
| Performance analysis | Latency metrics |
| Security analysis | Threat scores & indicators |
| SSH remote capture | Remote packet data |
💡 Usage Examples
System Information
# Check system capabilities
wireshark_system_info(info_type="all")
# → Returns interfaces, capabilities, server status
Live Packet Capture
# Capture HTTP traffic for 30 seconds
wireshark_live_capture(
interface="eth0",
duration=30,
filter="tcp port 80",
max_packets=1000
)
# → Returns captured packets with analysis
PCAP Analysis
# Comprehensive PCAP analysis
wireshark_analyze_pcap(
filepath="/path/to/capture.pcap",
analysis_type="comprehensive"
)
# → File info, protocols, security analysis
Filter Generation
# Generate filter from natural language
wireshark_generate_filter(
description="Show all HTTP traffic from 192.168.1.0/24",
complexity="intermediate"
)
# → Returns optimized Wireshark filter
PCAP Operations
# Split large PCAP by time
wireshark_pcap_time_slice(
input_file="/path/to/large.pcap",
start_time="2025-01-01T10:00:00",
end_time="2025-01-01T11:00:00"
)
# → Creates time-sliced PCAP file
# Merge multiple PCAPs
wireshark_pcap_merger(
input_files=["file1.pcap", "file2.pcap"],
output_file="merged.pcap",
sort_chronologically=true
)
# → Creates chronologically sorted merged file
Security Analysis
# Threat detection
wireshark_threat_detector(
input_file="/path/to/suspicious.pcap",
detection_mode="comprehensive",
sensitivity="high"
)
# → Threat scores, anomalies, behavioral analysis
# DNS tunneling detection
wireshark_dns_analyzer(
input_file="/path/to/capture.pcap",
analysis_type="comprehensive",
detect_tunneling=true
)
# → DNS patterns, suspicious domains, entropy analysis
🔧 Expected Outputs
Structured JSON Results
All tools return well-structured JSON with:
Status indicators (✅ Success, ❌ Error)
Rich metadata (file sizes, timestamps, statistics)
Analysis results (protocols, conversations, threats)
Recommendations (filter suggestions, security insights)
File Operations
PCAP manipulation tools create properly formatted files:
Time-sliced captures with precise timestamps
Split files with organized naming conventions
Merged files with chronological packet ordering
Converted files maintaining packet integrity
Security Intelligence
Advanced analysis provides:
Threat scores (0-100 risk assessment)
Anomaly detection (statistical analysis)
Pattern recognition (attack signatures)
Behavioral analysis (network health indicators)
🚨 Troubleshooting
Permission Issues (Common)
# Linux: Set capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
sudo usermod -a -G wireshark $USER
# macOS: Run Wireshark as admin once
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
# Windows: Run as Administrator
Tool Not Found
Ensure Wireshark is installed and in PATH
Check
wireshark_validate_setuptool for missing dependenciesVerify configuration paths in Claude Desktop config
No Packets Captured
Check interface permissions with
wireshark_system_infoVerify network traffic exists on selected interface
Try different interface (eth0, wlan0, any)
✅ Test Results
Latest Test Date: 2025-08-20
Success Rate: 94.4% (17/18 tools fully operational)
Category | Tools | Status |
Core System Tools | 3/3 | ✅ 100% |
Capture Tools | 2/2 | ✅ 100% |
Analysis Tools | 4/4 | ✅ 100% |
PCAP Manipulation | 4/4 | ✅ 100% |
Protocol Analyzers | 4/4 | ✅ 100% |
Remote Capture | 0/1 | ⚠️ Requires SSH |
See WIRESHARK_MCP_TEST_REPORT.md for detailed test results.
📊 Performance
Processing Rate: 10,000+ packets/second
File Support: Multi-GB PCAP files with streaming
Memory Efficient: Chunked processing for large files
Real-time: Sub-second response times
Concurrent: Multiple analysis operations supported
Average Response: ~300ms per operation
🛡️ Security
Secure Permissions: Linux capabilities instead of root
Process Isolation: Sandboxed subprocess execution
Automatic Cleanup: Temporary files removed after use
Audit Logging: Comprehensive operation logging
Error Handling: Graceful failure with informative messages
📄 License
MIT License - see LICENSE for details.
🦈 Professional network analysis powered by AI. Built for enterprise, designed for developers.
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
Enterprise network analysis platform that enables AI-powered packet analysis, threat detection, and network security capabilities through Claude Desktop integration.
Related MCP Servers
- AsecurityFlicenseAqualityA comprehensive toolkit for Ethereum blockchain analysis within Claude AI, enabling contract auditing, wallet analysis, profitability tracking, and on-chain data retrieval.Last updated -1171811
- -securityAlicense-qualityProvides Claude with real-time system monitoring capabilities, including CPU, memory, disk, network, battery, and internet speed metrics.Last updated -1MIT License
- -securityAlicense-qualityA Model Context Protocol server that provides network analysis tools for security professionals, enabling AI models like Claude to perform tasks such as ASN lookups, DNS analysis, WHOIS retrieval, and IP geolocation for security investigations.Last updated -1Apache 2.0