mcpacket

Overview Inspect Schema Related Servers Score Discussions

mcpacket
enhancement

CHANGELOG.md

CHANGELOG.md•9.62 kB

# TCP Analysis Enhancement Changelog ## Version: Enhancement (2025-12-22) ### 🎉 Major New Features #### TCP Analysis Module Added comprehensive TCP packet analysis capabilities, the most requested feature for network troubleshooting. ### ✨ New Tools #### 1. `analyze_tcp_connections` - **Purpose**: Track and analyze TCP connection lifecycle - **Capabilities**: - Three-way handshake tracking (SYN → SYN-ACK → ACK) - Connection state machine analysis - Flag counting (SYN, ACK, RST, FIN) - Retransmission detection - Connection close reason determination - Success/failure statistics - **Parameters**: - `pcap_file`: Local path or HTTP/HTTPS URL - `server_ip`: Optional IP filter - `server_port`: Optional port filter - `detailed`: Control output verbosity - **Use Case**: Diagnose connection establishment and termination issues #### 2. `analyze_tcp_anomalies` - **Purpose**: Intelligent automatic detection of common network problems - **Capabilities**: - Client vs server RST pattern detection - Firewall blocking identification - High retransmission rate detection - Handshake failure analysis - Root cause diagnosis with confidence scoring - Evidence-based analysis - Actionable recommendations - **Detected Patterns**: - `client_rst`: Client firewall blocks (e.g., iptables) - `server_rst`: Server connection rejection - `retransmission`: Network quality issues - `handshake_failure`: Service unreachable - `syn_flood`: Potential DoS attack - `connection_timeout`: Network path issues - **Use Case**: Automated network troubleshooting with minimal manual analysis #### 3. `analyze_tcp_retransmissions` - **Purpose**: Network quality assessment through retransmission analysis - **Capabilities**: - Sequence number-based retransmission detection - Overall and per-connection retransmission rates - Configurable threshold comparison - Worst-performing connection identification - Directional analysis (client→server, server→client, bidirectional) - **Parameters**: - `pcap_file`: Local path or HTTP/HTTPS URL - `server_ip`: Optional IP filter - `threshold`: Retransmission rate threshold (default: 2%) - **Use Case**: Identify network congestion and packet loss issues #### 4. `analyze_traffic_flow` - **Purpose**: Bidirectional traffic analysis for client/server issue determination - **Capabilities**: - Separate client→server and server→client statistics - Packet and byte counting per direction - Flag analysis per direction - RST source identification (critical for firewall diagnosis) - Traffic asymmetry calculation - Pattern interpretation - **Parameters**: - `pcap_file`: Local path or HTTP/HTTPS URL - `server_ip`: Server IP (REQUIRED) - `server_port`: Optional port filter - **Use Case**: Determine whether connection issues originate from client or server ### 📚 New Documentation #### Guides - **`TCP_ANALYSIS_GUIDE.md`**: Comprehensive user guide - Quick start instructions - Tool usage examples - Common troubleshooting scenarios - Real-world examples - Best practices - Output interpretation #### Reference - **`IMPLEMENTATION_SUMMARY.md`**: Technical implementation details - Feature overview - Return structure specifications - Real-world use case walkthrough - Comparison with original proposal - Testing information - Performance considerations #### Examples - **`tcp_analysis_demo.py`**: Interactive demonstration script - Shows all four TCP tools in action - Formatted output with emojis - Sample usage patterns ### 🔧 Infrastructure Changes #### Modified Files 1. **`/src/mcpcap/core/server.py`** - Added TCPModule import - Registered four new TCP tools - Updated module initialization 2. **`/src/mcpcap/cli.py`** - Added `tcp` to default modules list - Updated help text - Updated default module configuration 3. **`/src/mcpcap/modules/__init__.py`** - Exported TCPModule class - Added to __all__ list 4. **`/README.md`** - Added TCP analysis section - Updated tool listings - Added TCP usage examples - Updated configuration examples - Added TCP prompts documentation #### New Files 1. **`/src/mcpcap/modules/tcp.py`** (700+ lines) - Complete TCP analysis module - Four analysis functions - Helper methods for packet processing - MCP prompt definitions 2. **`/tests/test_tcp.py`** - Comprehensive test suite - Tests for all four tools - Edge case handling - Filter testing - max_packets limit testing 3. **`/enhancement/IMPLEMENTATION_SUMMARY.md`** - Technical documentation - Design decisions - Return value specifications 4. **`/enhancement/TCP_ANALYSIS_GUIDE.md`** - User guide - Tutorial and examples - Troubleshooting scenarios 5. **`/enhancement/CHANGELOG.md`** (this file) - Change history - Feature summary 6. **`/examples/tcp_analysis_demo.py`** - Interactive demonstration - Sample usage code ### 🎯 Analysis Prompts Added two specialized MCP prompts for LLM-guided analysis: 1. **`tcp_connection_troubleshooting`** - Connection establishment analysis - Connection termination patterns - Network quality assessment - Traffic pattern analysis - Diagnostic guidance 2. **`tcp_security_analysis`** - Attack detection (SYN flood, port scan) - Firewall analysis - Anomaly identification - Forensic evidence collection - Security-focused interpretation ### 🚀 Performance Features - **Efficient packet grouping**: Uses `defaultdict` for O(1) connection lookup - **Sequence tracking**: Set-based sequence number tracking for retransmission detection - **Configurable limits**: Respects `--max-packets` setting - **Top-N filtering**: Returns top results to manage output size - **Memory efficient**: Iterative packet processing ### 🔒 Security Enhancements - Input validation for all parameters - Safe handling of malformed packets - No command execution from user input - Evidence-based diagnosis (no speculation) - Clear severity ratings ### 📊 Impact This enhancement addresses the **most critical gap** identified in mcpcap: **Before:** - ❌ No TCP connection tracking - ❌ No TCP anomaly detection - ❌ No retransmission analysis - ❌ No traffic flow analysis - ❌ No IP/port filtering **After:** - ✅ Complete TCP connection lifecycle tracking - ✅ Intelligent anomaly detection with confidence scoring - ✅ Comprehensive retransmission analysis - ✅ Bidirectional traffic flow analysis - ✅ Flexible IP/port filtering on all tools - ✅ Root cause diagnosis with recommendations ### 🎓 Real-World Validation The implementation was validated against a real-world scenario from the gap analysis: - **Problem**: Client unable to connect to server on port 5574 - **Diagnosis by Tools**: Client firewall (iptables) blocking connections (85% confidence) - **Supporting Evidence**: All RST packets from client, zero from server - **Recommendation**: `sudo iptables -L OUTPUT -n -v | grep 5574` - **Result**: ✅ Correctly identified the issue ### 🔄 Backward Compatibility - All existing tools remain unchanged - TCP module is optional (can be excluded with `--modules`) - No breaking changes to existing functionality - Default behavior includes TCP module ### 📝 Configuration Changes **Old Default:** ```bash mcpcap --modules dns,dhcp,icmp,capinfos ``` **New Default:** ```bash mcpcap --modules dns,dhcp,icmp,tcp,capinfos ``` **Custom (TCP only):** ```bash mcpcap --modules tcp ``` ### 🧪 Testing Added comprehensive test suite: - Module initialization - Non-existent file handling - Basic functionality for all four tools - IP/port filtering - max_packets limit support - Error handling Run tests: ```bash pytest tests/test_tcp.py -v ``` ### 📦 Dependencies No new dependencies required. Uses existing packages: - `scapy` (already required) - `requests` (already required) - `fastmcp` (already required) ### 🎨 User Experience Improvements 1. **Structured JSON output**: Consistent format across all tools 2. **Human-readable interpretations**: Analysis includes plain English explanations 3. **Actionable recommendations**: Specific commands and next steps 4. **Evidence-based diagnosis**: All findings backed by packet evidence 5. **Confidence scoring**: Know how certain the diagnosis is 6. **Severity ratings**: Understand urgency of issues ### 🔮 Future Enhancements (Proposed) Based on gap analysis, potential future additions: - Port scan detection (`analyze_port_scan`) - HTTP/HTTPS protocol analysis - Time series analysis - Smart auto-detection tool - Enhanced filtering for existing modules ### 📄 Documentation Updates Updated all documentation to reflect new capabilities: - README.md: Added TCP tools section - Added comprehensive user guide - Added implementation summary - Added example demo script - Updated CLI help text - Added MCP prompt documentation ### 🎉 Summary This release transforms mcpcap from a protocol-specific analyzer (DNS/DHCP/ICMP) into a **comprehensive network troubleshooting platform** with full TCP analysis capabilities, intelligent diagnostics, and automated problem detection. **Key Achievement**: mcpcap can now automatically diagnose the majority of TCP connection issues, providing evidence-based root cause analysis with actionable recommendations - exactly what was needed in the real-world scenario that inspired this enhancement. --- **Contributors**: Enhancement based on gap analysis and real-world requirements **Date**: 2025-12-22 **Version**: TCP Analysis Enhancement Release

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/danohn/mcpacket'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

CHANGELOG.md•9.62 kB