Wireshark MCP
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| WIRESHARK_MCP_SHARKD | No | Path to sharkd executable. | |
| WIRESHARK_MCP_TSHARK | No | Path to tshark executable. | |
| WIRESHARK_MCP_BIN_DIR | No | Directory containing Wireshark command-line tools (tshark, dumpcap, etc.). | |
| WIRESHARK_MCP_DUMPCAP | No | Path to dumpcap executable. | |
| WIRESHARK_MCP_EDITCAP | No | Path to editcap executable. | |
| WIRESHARK_MCP_RANDPKT | No | Path to randpkt executable. | |
| WIRESHARK_MCP_WORKDIR | No | Working directory for captures and metadata. | |
| WIRESHARK_MCP_CAPINFOS | No | Path to capinfos executable. | |
| WIRESHARK_MCP_MERGECAP | No | Path to mergecap executable. | |
| WIRESHARK_MCP_TEX2PCAP | No | Path to text2pcap executable. | |
| WIRESHARK_MCP_RING_FILE_COUNT | No | Number of ring-buffer files. | |
| WIRESHARK_MCP_MAX_OUTPUT_BYTES | No | Maximum bytes of output returned by MCP tools. | |
| WIRESHARK_MCP_DEFAULT_INTERFACE | No | Default network interface for live capture. | |
| WIRESHARK_MCP_RING_FILE_SIZE_MIB | No | Size of each ring-buffer file in MiB. | |
| WIRESHARK_MCP_MAX_CAPTURE_SECONDS | No | Maximum duration for single-file capture in seconds. | |
| WIRESHARK_MCP_LONG_CAPTURE_SECONDS | No | Duration threshold for ring-buffer capture in seconds. | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": false } |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| diagnostics_check_install | Report detected Wireshark binaries and versions. |
| diagnostics_supported_features | Return registry counts that summarize local Wireshark dissection support. |
| capture_list_interfaces | List live capture interfaces. |
| capture_list_linktypes | List link-layer types supported by an interface. |
| capture_list | List managed live or previous capture sessions and artifact summaries. |
| capture_sample | Capture a short bounded sample to a pcapng artifact. |
| capture_start | Start a bounded live capture. Long captures use ring-buffer rotation by default. |
| capture_status | Return process and artifact status for a running or previous capture. |
| capture_checkpoint | Persist and return metadata for a capture without stopping it. |
| capture_stop | Stop a managed capture. |
| capture_delete | Delete or mark a managed capture session after optionally stopping it. |
| capture_ring_buffer | Start a long ring-buffer capture using configured file count and size limits. |
| capture_tail_summary | Summarize the newest pcapng file in a managed capture directory. |
| file_info | Return capinfos metadata for a capture file. |
| file_type | Return capture file type. |
| file_verify_readable | Verify that tshark can read at least one packet from a capture. |
| packets_summary | Return LLM-sized packet list rows. |
| packets_json | Return bounded tshark JSON packet output. |
| packets_fields | Extract selected tshark display fields. |
| packets_filter | Apply a display filter and return matching summaries. |
| packets_range | Return packet summaries for a frame range. |
| packets_hexdump | Return packet hexdumps for bounded packets. |
| filter_validate | Validate a display filter against a capture. |
| stats_protocol_hierarchy | Return protocol hierarchy statistics. |
| stats_conversations | Return conversation statistics for a protocol. |
| stats_endpoints | Return endpoint statistics for a protocol. |
| stats_io | Return IO statistics. |
| stats_expert | Return Wireshark expert information. |
| stats_http | Return HTTP request/response fields. |
| stats_dns | Return DNS query/response fields. |
| stats_tls | Return TLS handshake and SNI-oriented fields. |
| stats_tcp | Return notable TCP stream fields. |
| registry_protocols | Search the local Wireshark protocol registry. |
| registry_fields | Search the local Wireshark display field registry. |
| registry_field_detail | Return registry lines matching a field abbreviation. |
| registry_preferences | Search current Wireshark preferences. |
| registry_dissector_tables | Search dissector tables. |
| registry_taps | List tshark statistics taps. |
| registry_output_formats | List capture output formats for a Wireshark utility. |
| decode_as | Analyze a capture with a tshark decode-as rule. |
| protocol_enable_disable | Analyze with selected protocols enabled or disabled. |
| heuristic_enable_disable | Analyze with selected heuristic dissectors enabled or disabled. |
| profile_analyze | Analyze with a Wireshark configuration profile. |
| transform_trim | Trim a capture by time or packet range. |
| transform_deduplicate | Remove duplicate packets with editcap. |
| transform_merge | Merge multiple capture files. |
| transform_reorder | Reorder a capture by timestamp. |
| transform_convert_format | Convert capture file format. |
| generate_from_hexdump | Generate a capture from a text hex dump. |
| generate_random_capture | Generate a local random or malformed packet capture with randpkt. |
| rawshark_fields | Run rawshark over raw pcap records with explicit encapsulation and fields. |
| sharkd_open | Open a capture in a local console-mode sharkd session. |
| sharkd_sessions | List managed sharkd sessions. |
| sharkd_request | Send a bounded generic JSON-RPC request to a managed sharkd session. |
| sharkd_status | Get sharkd status for a loaded capture. |
| sharkd_frames | Return sharkd packet-list frames for a bounded range or display filter. |
| sharkd_frame | Return sharkd details for one frame, optionally with protocol tree and bytes. |
| sharkd_follow | Follow a stream in sharkd using a protocol name and display filter. |
| sharkd_close | Close a managed sharkd session. |
| llm_capture_brief | Return a compact capture brief with metadata, top protocols, talkers, and notable packets. |
| llm_top_talkers | Return ranked source-to-destination talkers from a bounded packet sample. |
| llm_protocol_findings | Return notable protocol findings such as resets, retransmissions, failures, and alerts. |
| llm_timeline | Return a protocol-count timeline using bounded packet summaries. |
| llm_ioc_candidates | Return candidate IPs, domains, HTTP hosts, URIs, user agents, and TLS SNI values. |
| llm_follow_stream_hint | Rank TCP streams worth following based on packet counts and examples. |
| llm_dns_summary | Return DNS query, answer, and response-code summary for LLM triage. |
| llm_http_summary | Return HTTP host, method, status, error, and slow-response summary. |
| llm_tls_summary | Return TLS SNI, handshake type, and alert summary. |
| llm_tcp_health | Return TCP stream health markers such as retransmissions, resets, and zero-window events. |
| llm_investigate | Run a compact investigation recipe set and return next-tool hints. |
| llm_protocol_inventory | Inventory observed protocols, expert rows, suggested filters, and next tools. |
| llm_protocol_summary | Summarize one protocol using curated fields or Wireshark registry discovery. |
| llm_investigate_all | Run inventory and bounded summaries for the top observed protocols. |
| llm_profile_catalog | Return curated protocol analysis profiles and fallback behavior. |
| open_in_wireshark | Open a capture in the Wireshark GUI. |
| wireshark_cli | Expert escape hatch for allowlisted Wireshark binaries only. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/andsopwn/wireshark-mcp'