Enables packet capture and analysis through Wireshark/tshark integration, allowing the agent to start recording network traffic, analyze packet contents, apply filters, decrypt SSL/TLS traffic, and troubleshoot network issues
A Model Context Protocol (MCP) server that provides network packet capture and analysis capabilities through Wireshark/tshark integration. Designed for AI assistants to perform network security analysis, troubleshooting, and packet inspection.
This server was thought for situations where you want your agent to debug a program that sends requests and verify the packet traffic, allowing the following workflow:
Start recording packets
Run tool or perform request
Stop recording and analyze results
SharkMCP provides a simple, local development-focused architecture:
Async Packet Capture: Start background capture sessions with configurable filters and timeouts.
PCAP File Analysis: Analyze existing packet capture files
Flexible Output Formats: JSON, custom fields, or traditional text output
SSL/TLS Decryption: Support for SSL keylog files to decrypt HTTPS traffic
Reusable Configurations: Save and reuse capture/analysis configurations
/!\ Packet information can be very extensive. Make sure to use a scoped display filter not to overload the context of your conversation.
Wireshark/tshark: Must be installed and accessible
Node.js: Version 18+
pnpm: Package manager (recommended)
macOS (using Homebrew):
Ubuntu/Debian:
Windows: Download from wireshark.org
Clone the repository:
Install dependencies:
Build the project:
Run the server:
SharkMCP includes comprehensive integration tests that verify packet capture functionality.
To decrypt HTTPS traffic, export the SSLKEYLOGFILE environment variable:
Then configure your applications to log SSL keys to this file. Many applications support this automatically when the environment variable is set.
Then pass the log file pathname to the MCP server in the stop_capture_session tool.
start_capture_session: Start background packet capture
stop_capture_session: Stop capture and analyze results
analyze_pcap_file: Analyze existing PCAP files
manage_config: Save/load reusable configurations
Start a capture session:
Analyze captured traffic:
Save a configuration:
Network Permissions: Packet capture requires elevated privileges
File Access: Temporary files are created in /tmp/
Docker Security: Container runs as non-root user
SSL Keylog: Sensitive SSL keys should be handled securely
"tshark not found":
Ensure Wireshark is installed and tshark is in PATH
Check installation with: tshark -v
Permission denied for packet capture:
On Linux: Add user to wireshark group or run with sudo
On macOS: Grant Terminal network access in System Preferences
On Windows: Run as Administrator
No packets captured:
Verify network interface name (ip link on Linux, ifconfig on macOS)
Check capture filter syntax
Ensure traffic is present on the interface
Fork the repository
Create a feature branch
Make your changes following the existing code style
Add tests for new functionality
Submit a pull request
MIT License
Feel free to open an issue with any question or suggestion you may have.
local-only server
The server can only run on the client's local machine because it depends on local resources.
A Model Context Protocol server that provides network packet capture and analysis capabilities through Wireshark/tshark integration, enabling AI assistants to perform network security analysis and troubleshooting.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/kriztalz/SharkMCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server