netops-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| NETOPS_DENY | No | Denylist of targets | |
| NETOPS_ALLOW | No | Comma/space list of allowed targets (host or CIDR) — strict mode | |
| NETOPS_MAX_PORTS | No | Cap for tcp_port_check (default 20) | |
| NETOPS_HOSTS_FILE | No | Override the hosts-file path (used by config_correlate) | |
| NETOPS_LOCAL_ONLY | No | Disable all outbound third-party calls (Globalping, egress echo) | |
| NETOPS_ENABLE_WRITE | No | Allow mutating WireGuard ops (wg_peer_add/remove); still dry-run unless confirm:true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| dns_lookupA | Resolve DNS records for a name. Supports A/AAAA/MX/TXT/NS/CNAME/SOA and an optional custom resolver. Use this when you ONLY need to check DNS resolution. For a full 'why can't I reach X' verdict that also checks ping/TCP/TLS/HTTP, use net_diagnose instead. |
| net_pingA | Reachability check. Uses ICMP ping when available, falls back to a TCP connect (works without root). Use this when you ONLY need to know if a host is alive. It does NOT check application ports or HTTP — for that use tcp_port_check or net_diagnose. |
| tcp_port_checkA | Check whether specific TCP ports on a host accept connections. This is a connectivity check of named ports — NOT a discovery scan. Capped by scope-guard. Use this when you need to verify a SPECIFIC port is open at the TCP level. It does NOT send HTTP or check TLS. Use after net_ping confirms the host is alive, or when ICMP is blocked. |
| tls_inspectA | Open a TLS connection and report certificate chain, expiry (days), SANs, protocol, cipher, handshake timing, and validation status. |
| http_probeA | GET a URL and report status, redirect chain, server header, and a timing breakdown (DNS / connect / TLS / TTFB / total). |
| tracerouteA | Trace the network path to a host hop by hop, with per-hop latency. Wraps system traceroute/tracert. |
| mtu_blackholeA | Path-MTU discovery via Don't-Fragment pings. Detects the classic MTU black hole — small packets pass, large ones vanish with no ICMP reply — the reason connections establish but then hang on big transfers over VPN/PPPoE links. |
| cert_sweepA | Check TLS certificate expiry across many domains at once. Pass an explicit list, and/or config paths (nginx/Caddy/Traefik/compose files or dirs) to auto-extract the domains. Sorts by soonest expiry and flags certs expiring within warn_days. |
| net_diagnoseA | One-shot diagnosis: resolves DNS, pings, checks TCP, inspects TLS, and probes HTTP for a target, then returns a verdict on where the failure is. |
| net_triangulateA | Runs the same reachability test from THIS machine and from Globalping's worldwide probes, then verdicts whether a failure is your side, your network/ISP, or the target. Disabled in --local-only mode. |
| diagnosis_bundleA | Runs a full battery of probes against a target and returns a clean Markdown report you can paste straight into a bug report or support ticket. Includes DNS, reachability, TLS, HTTP timing, optional global probes, and local context. |
| config_correlateA | Reads /etc/hosts and resolv.conf and cross-checks them against live DNS — surfaces the hidden config that explains weird resolution (stale /etc/hosts pin, overriding resolver). No remote service can do this. |
| tunnel_diffA | Compares egress identity and reachability from the default route vs. bound to a specific interface IP (e.g. your VPN interface). Reveals split-tunnel surprises and egress differences. Needs network access for the egress check. |
| dns_leak_checkA | Reports your public egress IP and the DNS resolvers your system is actually using, and flags whether resolvers look like a local/ISP server (potential leak) vs a tunnel resolver. Heuristic. Needs network access for egress IP. |
| wg_statusA | Reads WireGuard interfaces and peers (via |
| wg_config_generateA | Generate a fresh WireGuard keypair and a ready-to-paste client config. Read-only — it does NOT modify any interface; it just prints the config and keys for you to use. |
| wg_peer_addA | Add or update a peer on a WireGuard interface ( |
| wg_peer_removeA | Remove a peer from a WireGuard interface ( |
| net_overviewA | Snapshot of local interfaces, resolvers, and WireGuard interfaces — quick context for the assistant. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Socialpranker/netops-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server