Wireshark MCP Server

A Model Context Protocol (MCP) server that provides AI assistants with direct access to Wireshark network analysis capabilities. This tool enables AI-powered network troubleshooting, packet analysis, and network monitoring through a secure, standardized interface.

Features

  • Live Packet Capture: Capture network traffic in real-time from any network interface

  • PCAP File Analysis: Analyze existing packet capture files with advanced filtering

  • Protocol Statistics: Generate comprehensive protocol hierarchy and conversation statistics

  • Network Interface Management: List and interact with available network interfaces

  • Security Controls: Comprehensive input validation and privilege management

  • Async Operations: Non-blocking operations for high-performance analysis

Requirements

System Requirements

  • Python 3.9+ with pip package manager

  • Wireshark/TShark installed and accessible from command line

  • Network capture permissions (see setup instructions below)

  • Windows/Linux/macOS compatibility

Network Permissions Setup

Windows

  1. Install Wireshark and accept the Npcap (or legacy WinPcap) component when the installer offers it

  2. Run as Administrator or ensure the user has network capture permissions

Linux

    # Add user to wireshark group
    sudo usermod -aG wireshark $USER

    # Or set capabilities on dumpcap (preferred)
    sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

    # Logout and login again for group changes to take effect

macOS

    # Ensure user has admin privileges or use sudo for captures
    # Wireshark installer typically handles permissions

Installation

  1. Clone or download the project files

  2. Install Python dependencies:

    pip install -r requirements.txt

  3. Verify Wireshark installation:

    tshark --version

Configuration

Claude Desktop Integration

  1. Locate your Claude Desktop config file:

    • Windows: %APPDATA%\Claude\claude_desktop_config.json

    • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

    • Linux: ~/.config/Claude/claude_desktop_config.json

  2. Add the Wireshark MCP server configuration:

    {
      "mcpServers": {
        "wireshark": {
          "command": "python",
          "args": ["/absolute/path/to/wireshark-mcp-server.py"],
          "env": {
            "PYTHONPATH": "/absolute/path/to/project/directory",
            "MCP_LOG_LEVEL": "INFO"
          }
        }
      }
    }

  3. Restart Claude Desktop to load the new server

VS Code/Cursor Integration

For VS Code or Cursor, configure the MCP server in your IDE's MCP settings, pointing to the wireshark-mcp-server.py file.

Available Tools

get_network_interfaces()

Lists all available network interfaces for packet capture.

Usage:

Please list the available network interfaces

capture_live_packets(interface, count, capture_filter, timeout)

Captures live network packets from a specified interface.

Parameters:

  • interface: Network interface name (e.g., "eth0", "Wi-Fi") or number (e.g., "1")

  • count: Number of packets to capture (default: 50, max: 1000)

  • capture_filter: BPF capture filter expression (optional)

  • timeout: Capture timeout in seconds (default: 30, max: 60)

Usage:

Capture 100 packets from interface eth0 with filter "tcp port 80"

analyze_pcap_file(filepath, display_filter, max_packets)

Analyzes existing PCAP/PCAPNG files with optional filtering.

Parameters:

  • filepath: Path to the PCAP/PCAPNG file

  • display_filter: Wireshark display filter expression (optional)

  • max_packets: Maximum number of packets to analyze (default: 100, max: 1000)

Usage:

Analyze the file /path/to/capture.pcap and show only HTTP requests

get_protocol_statistics(filepath)

Generates protocol hierarchy and IP conversation statistics from a capture file.

Parameters:

  • filepath: Path to the PCAP/PCAPNG file

Usage:

Generate protocol statistics for /path/to/capture.pcap

get_capture_file_info(filepath)

Retrieves detailed information about a capture file (size, duration, packet count, etc.).

Parameters:

  • filepath: Path to the PCAP/PCAPNG file

Usage:

Get information about the capture file /path/to/capture.pcap
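How the tools above map onto tshark invocations, as an added example that is not the project's own code. It assumes tshark is on PATH (or at the Windows default path named under Troubleshooting), parses the output of `tshark -D` for get_network_interfaces(), and builds argv lists for the capture, analysis and statistics tools. All function names are hypothetical; the interface list in the `__main__` block is read from the live tshark binary.

```python
"""Added example (not the project's own code): how the MCP tools above map
onto tshark command lines.  Assumes tshark is on PATH or at the Windows default
path from the Troubleshooting section; every function name is hypothetical."""
import os
import re
import shutil
import subprocess
from typing import Optional

WINDOWS_DEFAULT = r"C:\Program Files\Wireshark\tshark.exe"   # from the Troubleshooting section


def find_tshark() -> Optional[str]:
    """Locate tshark the way the 'TShark not found' troubleshooting entry suggests."""
    found = shutil.which("tshark")
    if found:
        return found
    return WINDOWS_DEFAULT if os.path.isfile(WINDOWS_DEFAULT) else None


# `tshark -D` prints one interface per line, e.g. "1. eth0", "3. lo (Loopback)"
# or "1. \Device\NPF_{...} (Wi-Fi)" on Windows: index, name, optional description.
_IFACE_LINE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interfaces(tshark_d_output: str) -> list:
    """get_network_interfaces(): turn `tshark -D` output into a list of dicts."""
    interfaces = []
    for line in tshark_d_output.splitlines():
        m = _IFACE_LINE.match(line.strip())
        if m:
            interfaces.append({"index": int(m.group(1)), "name": m.group(2),
                               "description": m.group(3)})
    return interfaces


def resolve_interface(requested: str, interfaces: list) -> str:
    """Accept a tshark index ("1") or a name ("eth0") that tshark itself listed; nothing else."""
    for iface in interfaces:
        if requested == str(iface["index"]) or requested == iface["name"]:
            return iface["name"]
    raise ValueError(f"unknown interface: {requested!r}")


def build_capture_argv(interface: str, count: int = 50, capture_filter: Optional[str] = None,
                       timeout: int = 30, tshark: str = "tshark") -> list:
    """capture_live_packets(): stop after `count` packets or `timeout` seconds, whichever comes first."""
    argv = [tshark, "-i", interface, "-c", str(count), "-a", f"duration:{timeout}"]
    if capture_filter:
        argv += ["-f", capture_filter]      # BPF capture filter
    return argv


def build_analysis_argv(filepath: str, display_filter: Optional[str] = None,
                        max_packets: int = 100, tshark: str = "tshark") -> list:
    """analyze_pcap_file(): read a file, apply a display filter, cap the packets read."""
    argv = [tshark, "-r", filepath, "-c", str(max_packets)]
    if display_filter:
        argv += ["-Y", display_filter]      # Wireshark display filter
    return argv


def build_statistics_argv(filepath: str, tshark: str = "tshark") -> list:
    """get_protocol_statistics(): protocol hierarchy plus IP conversations, no packet dump (-q)."""
    return [tshark, "-r", filepath, "-q", "-z", "io,phs", "-z", "conv,ip"]


def run_tshark(argv: list, timeout: int) -> str:
    """Run tshark as an argv list (never via a shell) with a wall-clock limit as a backstop."""
    proc = subprocess.run(argv, capture_output=True, text=True, stdin=subprocess.DEVNULL,
                          timeout=timeout + 5, check=False)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or f"tshark exited with status {proc.returncode}")
    return proc.stdout


if __name__ == "__main__":
    binary = find_tshark() or "tshark"
    for iface in parse_interfaces(run_tshark([binary, "-D"], timeout=10)):
        print(iface)
```

Two choices matter for a tool that an AI assistant drives: arguments are passed as a list so that a filter or path is never interpreted by a shell, and the packet count and duration limits are enforced by tshark itself (`-c`, `-a duration:N`) with the subprocess timeout only as a backstop for a hung capture. Note that `-c` counts packets read from the file, so with a display filter fewer packets may be printed.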

Filter Examples

Capture Filters (BPF Syntax)

  • "tcp port 80" - HTTP traffic

  • "host 192.168.1.1" - Traffic to/from specific host

  • "net 10.0.0.0/8" - Traffic on specific network

  • "tcp and port 443" - HTTPS traffic

  • "icmp" - ICMP/ping traffic

Display Filters (Wireshark Syntax)

  • "http.request" - HTTP requests only

  • "tcp.flags.syn == 1" - TCP SYN packets

  • "dns.flags.response == 1" - DNS responses

  • "ip.addr == 192.168.1.1" - Traffic to/from specific IP

  • "tcp.analysis.retransmission" - TCP retransmissions

Security Features

  • Input Validation: All user inputs are validated against security patterns

  • File Path Sanitization: File paths are resolved and validated for safety

  • Resource Limits: Capture duration, packet counts, and file sizes are limited

  • Interface Validation: Only valid network interface names are accepted

  • Filter Validation: Capture and display filters are checked for dangerous patterns
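The checks that list describes, as an added example rather than the project's own validation code. The numeric defaults and maxima are the ones given in the tool parameter lists above; the allowed capture directories, the file-size cap and the character allowlists for filters and interface names are assumptions, and the function names are hypothetical.

```python
"""Added example, not the project's own code: parameter checks of the kind the
Security Features list describes.  Numeric limits are the README's; the capture
roots, file-size cap and character allowlists are assumptions."""
import re
from pathlib import Path
from typing import Optional

MAX_PACKETS = 1000                    # README: count / max_packets capped at 1000
MAX_TIMEOUT = 60                      # README: timeout capped at 60 seconds
MAX_FILTER_LEN = 512                  # assumption
MAX_FILE_BYTES = 512 * 1024 * 1024    # assumption
CAPTURE_ROOTS = ("/var/lib/wireshark-mcp/captures", "/tmp/captures")   # assumption
ALLOWED_SUFFIXES = {".pcap", ".pcapng", ".cap"}

# Allowlist for BPF capture filters and Wireshark display filters: field names,
# comparison/boolean operators, quotes, brackets, IP and CIDR notation.
# Shell metacharacters (; ` $ and newlines) are deliberately absent, so an
# expression stays inert even if it were ever passed through a shell.
_FILTER_OK = re.compile(r"^[\w \t.:/=!<>&|()\[\]\"'+\-*,]*$", re.ASCII)
# Interface names: a tshark index ("1"), a Unix name ("eth0"), a Windows
# friendly name ("Wi-Fi") or an NPF device path ("\Device\NPF_{...}").
_IFACE_OK = re.compile(r"^[\w.:\-{} \\]{1,128}$", re.ASCII)


def _reject_option_like(value: str, what: str) -> None:
    # A value beginning with '-' could be read as a tshark option if it ever
    # landed in an option position; refuse it regardless of how argv is built.
    if value.startswith("-"):
        raise ValueError(f"{what} must not start with '-'")


def validate_interface(interface: str) -> str:
    interface = str(interface).strip()
    _reject_option_like(interface, "interface")
    if not _IFACE_OK.fullmatch(interface):
        raise ValueError("interface name contains disallowed characters")
    return interface


def validate_filter(expr: Optional[str]) -> Optional[str]:
    """Empty filters mean 'no filter'; everything else must match the allowlist."""
    if expr is None or not str(expr).strip():
        return None
    expr = str(expr).strip()
    _reject_option_like(expr, "filter")
    if len(expr) > MAX_FILTER_LEN or not _FILTER_OK.fullmatch(expr):
        raise ValueError("filter is too long or contains disallowed characters")
    return expr


def clamp(value, default: int, maximum: int, what: str) -> int:
    """Apply the README's default and maximum; reject non-integers and non-positives."""
    if value is None:
        return default
    try:
        value = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{what} must be an integer") from None
    if value < 1:
        raise ValueError(f"{what} must be at least 1")
    return min(value, maximum)


def validate_capture_request(interface, count=None, capture_filter=None, timeout=None) -> dict:
    """Sanitized arguments for capture_live_packets(), or ValueError."""
    return {
        "interface": validate_interface(interface),
        "count": clamp(count, 50, MAX_PACKETS, "count"),
        "capture_filter": validate_filter(capture_filter),
        "timeout": clamp(timeout, 30, MAX_TIMEOUT, "timeout"),
    }


def validate_pcap_path(filepath: str, roots=CAPTURE_ROOTS) -> Path:
    """Resolve the path (collapsing '..' and symlinks), then confine it to the allowed roots."""
    raw = Path(str(filepath)).expanduser()
    if raw.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("only .pcap, .pcapng or .cap files may be analyzed")
    resolved = raw.resolve()
    if not any(resolved.is_relative_to(Path(r).resolve()) for r in roots):
        raise ValueError("file is outside the allowed capture directories")
    if not resolved.is_file():
        raise ValueError("file does not exist")
    if resolved.stat().st_size > MAX_FILE_BYTES:
        raise ValueError("file exceeds the size limit")
    return resolved
```

The order of the path checks is deliberate: the extension and the resolved location are tested before the file is touched, so a request for a path outside the capture roots fails without revealing whether that file exists. Counts and timeouts are clamped to the documented maxima rather than rejected, which matches the "default / max" wording of the parameter lists.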

Usage Examples

Basic Network Troubleshooting

AI Assistant: "I need to troubleshoot network connectivity issues"
User: "Capture 200 packets from the main network interface and look for any issues"

HTTP Traffic Analysis

AI Assistant: "Let me analyze your web traffic"
User: "Capture traffic on port 80 and 443 for 60 seconds and show me the top websites accessed"

Security Investigation

AI Assistant: "Analyzing suspicious network activity"
User: "Examine this PCAP file for any unusual connections or potential security threats"

Performance Analysis

AI Assistant: "Investigating network performance issues"
User: "Generate protocol statistics from this capture file to identify bandwidth usage"

Troubleshooting

Common Issues

  1. "TShark not found" error

    • Ensure Wireshark is installed and tshark is in your PATH

    • On Windows, check C:\Program Files\Wireshark\tshark.exe

  2. Permission denied for packet capture

    • Follow the network permissions setup instructions above

    • On Linux/macOS, you may need to use sudo for live captures

  3. "FastMCP not installed" error

    • Install required dependencies: pip install -r requirements.txt

  4. Interface not found

    • Use get_network_interfaces() to see available interfaces

    • Interface names vary by operating system

Debug Mode

Enable debug logging by setting the environment variable:

    export MCP_LOG_LEVEL=DEBUG
    python wireshark-mcp-server.py

Development

Testing the Server

    # Install development dependencies
    pip install -r requirements.txt

    # Test the server directly
    python wireshark-mcp-server.py

    # Run with debug logging
    MCP_LOG_LEVEL=DEBUG python wireshark-mcp-server.py

Contributing

  1. Fork the repository

  2. Create a feature branch

  3. Add tests for new functionality

  4. Submit a pull request

License

This project is provided as-is for educational and professional use. Please ensure compliance with your organization's security and network monitoring policies.

Support

For issues and questions:

  1. Check the troubleshooting section above

  2. Verify Wireshark installation and permissions

  3. Check the project logs for detailed error messages

  4. Ensure all requirements are properly installed

Acknowledgments

  • Built on the Model Context Protocol (MCP) by Anthropic

  • Utilizes the Wireshark network analysis toolkit

  • Designed for secure, AI-powered network analysis
