What can you do with this server?

The mcpcap server is a Model Context Protocol (MCP) interface that enables LLMs to analyze network packet capture (PCAP) files through specialized protocol analysis tools. **Protocol Analysis Capabilities:** * **DNS Analysis**: Extract queries/responses, identify domains/subdomains, analyze query types (A, AAAA, MX, CNAME), track frequency, and detect security issues * **DHCP Analysis**: Track transactions (DISCOVER, OFFER, REQUEST, ACK), identify clients/servers, monitor IP assignments and lease information, analyze DHCP options, and detect anomalies * **ICMP Analysis**: Analyze ping requests/replies with response times, identify connectivity issues, track TTL values and routing paths, detect ICMP error messages, and monitor for attacks * **TCP Analysis**: Track three-way handshakes and connection lifecycles, analyze successful/failed connections, filter by server IP/port, detect anomalies (RST patterns, retransmissions, handshake failures), measure retransmission rates, and perform bidirectional traffic flow analysis * **PCAP Metadata (CapInfos)**: Extract file information (size, name, encapsulation), packet statistics (count, data size, average packet size), temporal analysis (duration, timestamps, rates), and throughput metrics **Key Features:** * **Remote & Local File Support**: Analyze PCAP files from HTTP/HTTPS URLs or absolute local file paths (supports `.pcap`, `.pcapng`, `.cap` formats) * **No Upload Required**: Stateless operation with no file upload support—files accessed via paths/URLs only * **Modular Architecture**: Use protocol modules independently or combined, easily extensible for new protocols * **Structured Output**: JSON-formatted results optimized for LLM consumption * **Specialized Prompts**: Guidance for security, network troubleshooting, and forensic investigations across protocols

Which integrations are available for this server?

Provides network packet capture analysis capabilities similar to [Wireshark](/mcp/servers/integrations/wireshark)'s capinfos utility, enabling analysis of PCAP files for DNS, DHCP, ICMP, and TCP protocols with metadata extraction and packet statistics.

How do I use mcpacket?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type `@` followed by the MCP server name and your instructions, e.g., "`@mcpacket` analyze DNS traffic in /home/user/network_capture.pcap" That's it! The server will respond to your query, and you can continue using it as needed. Here is a [step-by-step guide with screenshots](https://glama.ai/blog/2025-07-08-how-to-install-and-use-mcp-servers).

mcpcap

A modular Python MCP (Model Context Protocol) Server for analyzing PCAP files. mcpcap enables LLMs to read and analyze network packet captures with protocol-specific analysis tools that accept local file paths or remote URLs as parameters (no file uploads - provide the path or URL to your PCAP file).

Overview

mcpcap uses a modular architecture to analyze different network protocols found in PCAP files. Each module provides specialized analysis tools that can be called independently with any PCAP file, making it perfect for integration with Claude Desktop and other MCP clients.

Key Features

Stateless MCP Tools: Each analysis accepts PCAP file paths or URLs as parameters (no file uploads)
Modular Architecture: DNS, DHCP, ICMP, TCP, and CapInfos modules with easy extensibility for new protocols
Advanced TCP Analysis: Connection tracking, anomaly detection, retransmission analysis, and traffic flow inspection
Local & Remote PCAP Support: Analyze files from local storage or HTTP URLs
Scapy Integration: Leverages scapy's comprehensive packet parsing capabilities
Specialized Analysis Prompts: Security, networking, and forensic analysis guidance
JSON Responses: Structured data format optimized for LLM consumption

Installation

mcpcap requires Python 3.10 or greater.

Using pip

pip install mcpcap

Using uv

uv add mcpcap

Using uvx (for one-time usage)

uvx mcpcap

Quick Start

1. Start the MCP Server

Start mcpcap as a stateless MCP server:

# Default: Start with DNS, DHCP, ICMP, TCP, and CapInfos modules mcpcap # Start with specific modules only mcpcap --modules dns,tcp # With packet analysis limits mcpcap --max-packets 1000

2. Connect Your MCP Client

Configure your MCP client (like Claude Desktop) to connect to the mcpcap server:

{ "mcpServers": { "mcpcap": { "command": "mcpcap", "args": [] } } }

3. Analyze PCAP Files

Use the analysis tools with any PCAP file by providing the file path or URL (not file uploads):

DNS Analysis:

analyze_dns_packets("/path/to/dns.pcap") analyze_dns_packets("https://example.com/remote.pcap")

DHCP Analysis:

analyze_dhcp_packets("/path/to/dhcp.pcap") analyze_dhcp_packets("https://example.com/dhcp-capture.pcap")

ICMP Analysis:

analyze_icmp_packets("/path/to/icmp.pcap") analyze_icmp_packets("https://example.com/ping-capture.pcap")

TCP Connection Analysis:

analyze_tcp_connections("/path/to/capture.pcap") analyze_tcp_connections("/path/to/capture.pcap", server_ip="192.168.1.1", server_port=80)

TCP Anomaly Detection:

analyze_tcp_anomalies("/path/to/capture.pcap", server_ip="10.0.0.1")

TCP Retransmission Analysis:

analyze_tcp_retransmissions("/path/to/capture.pcap")

Traffic Flow Analysis:

analyze_traffic_flow("/path/to/capture.pcap", server_ip="192.168.1.100")

CapInfos Analysis:

analyze_capinfos("/path/to/any.pcap") analyze_capinfos("https://example.com/capture.pcap")

Available Tools

DNS Analysis Tools

analyze_dns_packets(pcap_file): Complete DNS traffic analysis
- Extract DNS queries and responses
- Identify queried domains and subdomains
- Analyze query types (A, AAAA, MX, CNAME, etc.)
- Track query frequency and patterns
- Detect potential security issues

DHCP Analysis Tools

analyze_dhcp_packets(pcap_file): Complete DHCP traffic analysis
- Track DHCP transactions (DISCOVER, OFFER, REQUEST, ACK)
- Identify DHCP clients and servers
- Monitor IP address assignments and lease information
- Analyze DHCP options and configurations
- Detect DHCP anomalies and security issues

ICMP Analysis Tools

analyze_icmp_packets(pcap_file): Complete ICMP traffic analysis
- Analyze ping requests and replies with response times
- Identify network connectivity and reachability issues
- Track TTL values and routing paths (traceroute data)
- Detect ICMP error messages (unreachable, time exceeded)
- Monitor for potential ICMP-based attacks or reconnaissance

TCP Analysis Tools

analyze_tcp_connections(pcap_file, server_ip=None, server_port=None, detailed=False): TCP connection state analysis
- Track TCP three-way handshake (SYN, SYN-ACK, ACK)
- Analyze connection lifecycle and termination (FIN, RST)
- Identify successful vs failed connections
- Filter by server IP and/or port
- Detect connection issues and abnormal closures
analyze_tcp_anomalies(pcap_file, server_ip=None, server_port=None): Intelligent TCP anomaly detection
- Automatically detect common network problems
- Identify client vs server-initiated RST patterns (firewall blocks)
- Detect high retransmission rates (network quality issues)
- Diagnose handshake failures
- Root cause analysis with confidence scoring
- Actionable recommendations
analyze_tcp_retransmissions(pcap_file, server_ip=None, threshold=0.02): TCP retransmission analysis
- Measure overall and per-connection retransmission rates
- Identify connections with quality issues
- Compare against configurable thresholds
- Detect network congestion and packet loss
analyze_traffic_flow(pcap_file, server_ip, server_port=None): Bidirectional traffic flow analysis
- Analyze client-to-server vs server-to-client traffic
- Identify traffic asymmetry
- Determine RST packet sources
- Interpret connection patterns and behaviors

CapInfos Analysis Tools

analyze_capinfos(pcap_file): PCAP file metadata and statistics
- File information (size, name, link layer encapsulation)
- Packet statistics (count, data size, average packet size)
- Temporal analysis (duration, timestamps, packet rates)
- Data throughput metrics (bytes/second, bits/second)
- Similar to Wireshark's capinfos(1) utility

Analysis Prompts

mcpcap provides specialized analysis prompts to guide LLM analysis:

DNS Prompts

security_analysis - Focus on threat detection, DGA domains, DNS tunneling
network_troubleshooting - Identify DNS performance and configuration issues
forensic_investigation - Timeline reconstruction and evidence collection

DHCP Prompts

dhcp_network_analysis - Network administration and IP management
dhcp_security_analysis - Security threats and rogue DHCP detection
dhcp_forensic_investigation - Forensic analysis of DHCP transactions

ICMP Prompts

icmp_network_diagnostics - Network connectivity and path analysis
icmp_security_analysis - ICMP-based attacks and reconnaissance detection
icmp_forensic_investigation - Timeline reconstruction and network mapping

TCP Prompts

tcp_connection_troubleshooting - Connection issues, handshake analysis, termination patterns
tcp_security_analysis - Attack detection, firewall analysis, anomaly identification

Configuration Options

Module Selection

# Load specific modules mcpcap --modules dns # DNS analysis only mcpcap --modules tcp # TCP analysis only mcpcap --modules dhcp # DHCP analysis only mcpcap --modules icmp # ICMP analysis only mcpcap --modules dns,tcp # DNS and TCP analysis mcpcap --modules dns,dhcp,icmp,tcp,capinfos # All modules (default)

Analysis Limits

# Limit packet analysis for large files mcpcap --max-packets 1000

Complete Configuration Example

mcpcap --modules dns,dhcp,icmp,tcp,capinfos --max-packets 500

CLI Reference

mcpcap [--modules MODULES] [--max-packets N]

Options:

--modules MODULES: Comma-separated modules to load (default: dns,dhcp,icmp,tcp,capinfos)
- Available modules: dns, dhcp, icmp, tcp, capinfos
--max-packets N: Maximum packets to analyze per file (default: unlimited)

Examples:

# Start with all modules mcpcap # DNS and TCP analysis only mcpcap --modules dns,tcp # TCP analysis for troubleshooting connections mcpcap --modules tcp # With packet limits for large files mcpcap --max-packets 1000

Examples

Example PCAP files are included in the examples/ directory:

dns.pcap - DNS traffic for testing DNS analysis
dhcp.pcap - DHCP 4-way handshake capture
icmp.pcap - ICMP ping and traceroute traffic

Using with MCP Inspector

npm install -g @modelcontextprotocol/inspector npx @modelcontextprotocol/inspector mcpcap

Then test the tools:

// In the MCP Inspector web interface analyze_dns_packets("./examples/dns.pcap") analyze_dhcp_packets("./examples/dhcp.pcap") analyze_icmp_packets("./examples/icmp.pcap") analyze_capinfos("./examples/dns.pcap")

Architecture

mcpcap's modular design supports easy extension:

Core Components

BaseModule: Shared file handling, validation, and remote download
Protocol Modules: DNS, DHCP, ICMP, and TCP analysis implementations
MCP Interface: Tool registration and prompt management
FastMCP Framework: MCP server implementation

Tool Flow

MCP Client Request → analyze_*_packets(pcap_file) → BaseModule.analyze_packets() → Module._analyze_protocol_file() → Structured JSON Response

Adding New Modules

Create new protocol modules by:

Inheriting from BaseModule
Implementing _analyze_protocol_file(pcap_file)
Registering analysis tools with the MCP server
Adding specialized analysis prompts

Future modules might include:

HTTP/HTTPS traffic analysis
UDP connection analysis
BGP routing analysis
SSL/TLS certificate analysis
Network forensics tools
Port scan detection

Remote File Support

Both analysis tools accept remote PCAP files via HTTP/HTTPS URLs:

# Examples of remote analysis analyze_dns_packets("https://wiki.wireshark.org/uploads/dns.cap") analyze_dhcp_packets("https://example.com/network-capture.pcap") analyze_icmp_packets("https://example.com/ping-test.pcap") analyze_capinfos("https://example.com/network-metadata.pcap")

Features:

Automatic temporary download and cleanup
Support for .pcap, .pcapng, and .cap files
HTTP/HTTPS protocols supported

Security Considerations

When analyzing PCAP files:

Files may contain sensitive network information
Remote downloads are performed over HTTPS when possible
Temporary files are cleaned up automatically
Consider the source and trustworthiness of remote files

Contributing

Contributions welcome! Areas for contribution:

New Protocol Modules: Add support for HTTP, BGP, TCP, etc.
Enhanced Analysis: Improve existing DNS/DHCP analysis
Security Features: Add more threat detection capabilities
Performance: Optimize analysis for large PCAP files

License

MIT

Requirements

Python 3.10+
scapy (packet parsing and analysis)
requests (remote file access)
fastmcp (MCP server framework)

Documentation

GitHub: github.com/mcpcap/mcpcap
Documentation: docs.mcpcap.ai
Website: mcpcap.ai

Support

For questions, issues, or feature requests, please open an issue on GitHub.

Install Server

security – no known vulnerabilities

license - permissive license

quality - confirmed to work

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Report Issue

Related Servers