Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
NETOPS_DENYNoDenylist of targets
NETOPS_ALLOWNoComma/space list of allowed targets (host or CIDR) — strict mode
NETOPS_MAX_PORTSNoCap for tcp_port_check (default 20)
NETOPS_HOSTS_FILENoOverride the hosts-file path (used by config_correlate)
NETOPS_LOCAL_ONLYNoDisable all outbound third-party calls (Globalping, egress echo)
NETOPS_ENABLE_WRITENoAllow mutating WireGuard ops (wg_peer_add/remove); still dry-run unless confirm:true

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}

Tools

Functions exposed to the LLM to take actions

NameDescription
dns_lookupA

Resolve DNS records for a name. Supports A/AAAA/MX/TXT/NS/CNAME/SOA and an optional custom resolver. Use this when you ONLY need to check DNS resolution. For a full 'why can't I reach X' verdict that also checks ping/TCP/TLS/HTTP, use net_diagnose instead.

net_pingA

Reachability check. Uses ICMP ping when available, falls back to a TCP connect (works without root). Use this when you ONLY need to know if a host is alive. It does NOT check application ports or HTTP — for that use tcp_port_check or net_diagnose.

tcp_port_checkA

Check whether specific TCP ports on a host accept connections. This is a connectivity check of named ports — NOT a discovery scan. Capped by scope-guard. Use this when you need to verify a SPECIFIC port is open at the TCP level. It does NOT send HTTP or check TLS. Use after net_ping confirms the host is alive, or when ICMP is blocked.

tls_inspectA

Open a TLS connection and report certificate chain, expiry (days), SANs, protocol, cipher, handshake timing, and validation status.

http_probeA

GET a URL and report status, redirect chain, server header, and a timing breakdown (DNS / connect / TLS / TTFB / total).

tracerouteA

Trace the network path to a host hop by hop, with per-hop latency. Wraps system traceroute/tracert.

mtu_blackholeA

Path-MTU discovery via Don't-Fragment pings. Detects the classic MTU black hole — small packets pass, large ones vanish with no ICMP reply — the reason connections establish but then hang on big transfers over VPN/PPPoE links.

cert_sweepA

Check TLS certificate expiry across many domains at once. Pass an explicit list, and/or config paths (nginx/Caddy/Traefik/compose files or dirs) to auto-extract the domains. Sorts by soonest expiry and flags certs expiring within warn_days.

net_diagnoseA

One-shot diagnosis: resolves DNS, pings, checks TCP, inspects TLS, and probes HTTP for a target, then returns a verdict on where the failure is.

net_triangulateA

Runs the same reachability test from THIS machine and from Globalping's worldwide probes, then verdicts whether a failure is your side, your network/ISP, or the target. Disabled in --local-only mode.

diagnosis_bundleA

Runs a full battery of probes against a target and returns a clean Markdown report you can paste straight into a bug report or support ticket. Includes DNS, reachability, TLS, HTTP timing, optional global probes, and local context.

config_correlateA

Reads /etc/hosts and resolv.conf and cross-checks them against live DNS — surfaces the hidden config that explains weird resolution (stale /etc/hosts pin, overriding resolver). No remote service can do this.

tunnel_diffA

Compares egress identity and reachability from the default route vs. bound to a specific interface IP (e.g. your VPN interface). Reveals split-tunnel surprises and egress differences. Needs network access for the egress check.

dns_leak_checkA

Reports your public egress IP and the DNS resolvers your system is actually using, and flags whether resolvers look like a local/ISP server (potential leak) vs a tunnel resolver. Heuristic. Needs network access for egress IP.

wg_statusA

Reads WireGuard interfaces and peers (via wg show): handshake recency, endpoints, allowed-IPs, transfer. Read-only. Flags peers with stale handshakes.

wg_config_generateA

Generate a fresh WireGuard keypair and a ready-to-paste client config. Read-only — it does NOT modify any interface; it just prints the config and keys for you to use.

wg_peer_addA

Add or update a peer on a WireGuard interface (wg set). Mutating: requires --enable-write, and runs as a dry-run unless confirm:true. Needs privileges to apply.

wg_peer_removeA

Remove a peer from a WireGuard interface (wg set ... remove). Mutating: requires --enable-write, and runs as a dry-run unless confirm:true.

net_overviewA

Snapshot of local interfaces, resolvers, and WireGuard interfaces — quick context for the assistant.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Socialpranker/netops-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server