stop_capture_session
Terminate an active capture session, analyze packets, and customize results using display filters and output formats. Supports saved configurations and TLS decryption via SSL keylog files.
Instructions
Stop a running capture session and analyze packets. LLMs control all analysis parameters including display filters and output formats. Can use saved configurations.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| configName | No | Name of saved configuration to use for analysis parameters | |
| customFields | No | Custom tshark field list (only used with outputFormat=fields) | |
| displayFilter | No | Wireshark display filter for analysis (e.g., "tls.handshake.type == 1") | |
| outputFormat | No | Output format: json (-T json), fields (custom -e), or text (default wireshark output) | text |
| sessionId | Yes | Session ID returned from start_capture_session | |
| sslKeylogFile | No | ABSOLUTE path to SSL keylog file for TLS decryption |
Input Schema (JSON Schema)
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"configName": {
"description": "Name of saved configuration to use for analysis parameters",
"type": "string"
},
"customFields": {
"description": "Custom tshark field list (only used with outputFormat=fields)",
"type": "string"
},
"displayFilter": {
"description": "Wireshark display filter for analysis (e.g., \"tls.handshake.type == 1\")",
"type": "string"
},
"outputFormat": {
"default": "text",
"description": "Output format: json (-T json), fields (custom -e), or text (default wireshark output)",
"enum": [
"json",
"fields",
"text"
],
"type": "string"
},
"sessionId": {
"description": "Session ID returned from start_capture_session",
"type": "string"
},
"sslKeylogFile": {
"description": "ABSOLUTE path to SSL keylog file for TLS decryption",
"type": "string"
}
},
"required": [
"sessionId"
],
"type": "object"
}