The Wireshark MCP server provides comprehensive network packet analysis capabilities by integrating Wireshark/tshark tools, enabling AI assistants to analyze pcap files, capture live traffic, and perform security analysis.
Packet Analysis: View packet summaries and detailed JSON information, extract raw hex/ASCII dumps, view packets in context, reassemble and follow complete TCP/UDP/TLS/HTTP streams with pagination, and search for patterns using string, hex, or regex matching.
Data Extraction: Extract specific protocol fields as tabular data with custom filtering, retrieve HTTP requests and DNS queries, list unique IP addresses, export embedded files from HTTP/SMB/TFTP traffic, and verify TLS decryption using keylog files.
Statistics & Reporting: Generate protocol hierarchy statistics, endpoint and conversation analysis, I/O graphs for traffic volume over time, expert information for anomaly detection (retransmissions, errors, warnings), and service response time metrics for HTTP, DNS, SMB and other protocols.
File Operations & Live Capture: Get detailed metadata for pcap files, merge multiple capture files, filter and save packets, list available network interfaces, and capture live traffic with duration, packet count, BPF filters, and ring buffer support.
Security Analysis: Check captured IP addresses against URLhaus threat intelligence feeds and scan for plaintext credentials in HTTP Basic Auth, FTP, and Telnet traffic.
Utilities: Decode common encodings (Base64, Hex, URL, Gzip, Deflate, Rot13) with auto-detection and generate ASCII charts for traffic volume and protocol hierarchy trees.
Supported Protocols: Network layer (Ethernet, IP, IPv6, TCP, UDP, SCTP, WLAN) and application layer (HTTP, HTTP/2, DNS, TLS/SSL, SMB, FTP, Telnet, TFTP, DICOM).
Provides tools for analyzing network traffic and pcap files, including packet summarization, deep packet dissection, stream reassembly, and automated extraction of HTTP requests, DNS queries, and credentials.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type "@" followed by the MCP server name and your instructions, e.g., "@Wireshark MCP analyze capture.pcap and check for any plaintext credentials".
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
What is this?
Wireshark MCP is an MCP Server that wraps tshark into structured tools, letting AI assistants like Claude or Cursor perform deep packet analysis without you touching the command line.
Prerequisites
Python 3.10+
Wireshark installed with tshark available in your PATH
Any MCP-compatible client: Claude Desktop, Claude Code, Cursor, VS Code, etc.
Installation
Configuration
Edit claude_desktop_config.json:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Or edit ~/.claude/claude_desktop_config.json with the same JSON format above.
Go to Settings → Features → MCP Servers → Add new MCP server:
Name: wireshark
Type: command
Command: uv tool run wireshark-mcp
Or edit .cursor/mcp.json in your project root:
Or edit ~/.codex/config.toml:
Go to Settings → MCP → Add MCP Server → Manual, then paste:
Or edit .trae/mcp.json in your project root.
Docker / SSE mode:
Run docker compose up -d, then point your client to http://localhost:8080/sse
Quick Start
Paste this into your AI client after pointing it at a pcap file:
Tools
| Tool | Description |
|------|-------------|
| security_audit | One-call security audit: 8-phase analysis (threat intel, credential scan, port scan, DNS tunnel, cleartext, anomalies) with risk scoring (0-100) and recommendations |
| quick_analysis | One-call traffic overview: file info, protocol distribution, top talkers, conversations, hostnames, anomaly summary, suggested next steps |
| wireshark_open_file | Smart file opener: analyzes pcap content and dynamically activates protocol-specific tools (Progressive Discovery) |
💡 These tools replace the need to manually chain 5-10 tool calls. Just call one and get a complete report.
| Tool | Description |
|------|-------------|
| | Paginated packet list with display filter and custom column support |
| | Full JSON dissection of a single frame, with optional layer filtering to cut token usage |
| | Raw Hex + ASCII dump (Wireshark's "Packet Bytes" pane) |
| | View N packets before and after a frame for contextual debugging |
| | Reassemble a full TCP / UDP / HTTP stream with pagination and search |
| | Pattern search across raw bytes or decoded fields (Regex supported) |
| Tool | Description |
|------|-------------|
| | Extract any tshark fields as a table |
| | HTTP method, URI, and host for every request |
| | All DNS queries in the capture |
| | All unique source, destination, or both IP addresses |
| | Extract embedded files (HTTP, SMB, TFTP, etc.) |
| | Confirm TLS decryption using a keylog file |
| Tool | Description |
|------|-------------|
| | Protocol Hierarchy Statistics — see what protocols dominate |
| | All endpoints sorted by traffic volume |
| | Communication pairs with byte/packet counts |
| | Traffic volume over time (spot DDoS, scans, bursts) |
| | Wireshark's expert analysis: errors, warnings, notes |
| | SRT stats for HTTP, DNS, and other protocols |
| Tool | Description |
|------|-------------|
| | File metadata via |
| | Merge multiple captures into one file |
| | Apply a display filter and save matching packets to a new file |
| | List available network interfaces |
| | Start a live capture (duration, packet count, BPF filter, ring buffer) |
| Tool | Description |
|------|-------------|
| | Cross-reference captured IPs against URLhaus threat intelligence |
| | Detect plaintext credentials in HTTP Basic Auth, FTP, and Telnet |
| | Detect SYN, FIN, NULL, and Xmas port scans with configurable threshold |
| | Detect DNS tunneling (long queries, TXT abuse, subdomain entropy) |
| | Detect DoS/DDoS patterns (SYN flood, ICMP/UDP flood, DNS amplification) |
| | Comprehensive anomaly analysis: cleartext protocols, unusual ports, expert warnings |
| Tool | Description |
|------|-------------|
| | TLS version, cipher suite, SNI, and certificate info from Client/Server Hello |
| | TCP retransmissions, duplicate ACKs, zero window, resets, out-of-order analysis |
| | ARP spoofing detection: IP-MAC conflicts, gratuitous ARP floods |
| | SMTP email metadata: sender, recipient, mail server info |
| | DHCP lease information: assigned IPs, hostnames, DNS servers |
| Tool | Description |
|------|-------------|
| | Auto-detect and decode Base64, Hex, URL encoding, Gzip, Deflate, Rot13, and more |
| | ASCII bar chart of traffic over time — spot DDoS or scan patterns instantly |
| | ASCII protocol tree — visual overview of what's in the capture |
Note: Security, Protocol, and Threat tools are contextual — they activate automatically when you call wireshark_open_file. The Agentic tools (security_audit, quick_analysis) are always available.
MCP Resources
| Resource URI | Description |
|--------------|-------------|
| | Complete display filter syntax cheatsheet with common examples |
| | Protocol field name reference for filters and extraction |
| | Recommended analysis workflows and tips |
MCP Prompts
| Prompt | Description |
|--------|-------------|
| | Full security audit workflow: threat intel, credential scan, attack detection |
| | Network performance analysis: TCP health, response times, bottlenecks |
| | CTF challenge solver: flag search, stream analysis, steganography checks |
| | IR workflow: triage, IOC extraction, attack timeline, containment |
| | Quick traffic summary with protocol breakdown and visualization |
Development
Install dev dependencies:
Test with the MCP Inspector (opens a local web UI to call tools interactively):
Run the test suite:
Lint & type check:
Docker:
CLI options:
See CONTRIBUTING.md for the full development setup guide.