tshark-mcp
Allows AI agents to perform network packet analysis using Wireshark's TShark tool, including PCAP analysis, live capture, TLS decryption, and telecom/SS7 signaling protocol analysis.
TShark MCP Server
An MCP (Model Context Protocol) server that exposes TShark as tools for AI-assisted network packet analysis. Supports PCAP analysis, live capture, TLS decryption, and telecom / SS7 signaling protocols.
Requirements
Python 3.10+
Wireshark / TShark installed on the system
mergecap (bundled with Wireshark, required for merge_pcap_files)
Installation
```shell
# Recommended — installs into an isolated env and puts the
# tshark-mcp / tshark-mcp-http commands on your PATH.
uv tool install tshark-mcp

# With Windows service support (Windows only).
uv tool install "tshark-mcp[windows-service]"

# Or into a project venv:
uv pip install tshark-mcp
```

From a local source build (in the project root):

```shell
uv build
uv tool install --reinstall ".\dist\tshark_mcp-1.0.0-py3-none-any.whl[windows-service]"
```

Verify the commands are on PATH:

```powershell
Get-Command tshark-mcp, tshark-mcp-http, tshark-mcp-win-service | Select-Object Name, Source
```

Uninstall the system installation (after removing the Windows service if any — see below):

```shell
uv tool uninstall tshark-mcp
```

After install you have three console scripts:
| Command | Default | What it does |
|---|---|---|
| `tshark-mcp` | stdio | Run via MCP client (Claude Code / VS Code) — client manages the process |
| `tshark-mcp-http` | HTTP on 127.0.0.1:8100 | Standalone HTTP server (WSL, remote, shared) |
| `tshark-mcp-win-service` | Windows service | Register as a Windows service (auto-start at boot) |
Running modes
STDIO — managed by your MCP client
The MCP client launches tshark-mcp as a child process. You don't run anything manually. Just configure the client.
Claude Code — .mcp.json (project) or ~/.claude.json (user):
```json
{
  "mcpServers": {
    "tshark-mcp": {
      "type": "stdio",
      "command": "tshark-mcp"
    }
  }
}
```

Or via CLI:

```shell
claude mcp add tshark-mcp -- tshark-mcp
```

VS Code — .vscode/mcp.json (project) or your user mcp.json:

```json
{
  "servers": {
    "tshark-mcp": {
      "type": "stdio",
      "command": "tshark-mcp"
    }
  }
}
```

If tshark-mcp is not on PATH (you installed via `uv pip install` instead of `uv tool install`), replace `"command": "tshark-mcp"` with `"command": "uv", "args": ["tool", "run", "tshark-mcp"]`.
HTTP — standalone server
You start the server yourself; clients connect to its URL. Stays running across client restarts and can be shared by multiple clients.
```shell
# Default 127.0.0.1:8100, endpoint /mcp
tshark-mcp-http

# Custom host/port
tshark-mcp-http --host 0.0.0.0 --port 9000

# Use a config file (see Configuration below)
tshark-mcp-http --config /path/to/config.toml
```

The endpoint URL is http://<host>:<port>/mcp. Binding to 0.0.0.0 exposes every tool, including raw tshark execution and live capture, to any host that can reach the port, so keep the default loopback binding unless the network is trusted.

Claude Code:

```json
{
  "mcpServers": {
    "tshark-mcp": {
      "type": "http",
      "url": "http://127.0.0.1:8100/mcp"
    }
  }
}
```

Or via CLI:

```shell
claude mcp add --transport http tshark-mcp http://127.0.0.1:8100/mcp
```

VS Code:

```json
{
  "servers": {
    "tshark-mcp": {
      "type": "http",
      "url": "http://127.0.0.1:8100/mcp"
    }
  }
}
```

WSL: run the HTTP server inside WSL and point Windows-side Claude Code / VS Code at http://127.0.0.1:8100/mcp — WSL2 forwards localhost automatically.
Windows service — auto-start at boot
Register tshark-mcp-http as a Windows service. Survives reboots, runs in the background under LocalSystem. All commands below need an elevated PowerShell (admin).
pywin32 expects options BEFORE the verb (install/start/stop/remove). `tshark-mcp-win-service install --startup auto` is wrong — it must be `--startup auto install`.
Install + start:
```powershell
tshark-mcp-win-service --startup auto install
tshark-mcp-win-service --wait 15 start
```

Verify it's running:

```powershell
Get-Service TsharkMcp                                # Status should be Running
Get-NetTCPConnection -LocalPort 8100 -State Listen   # 127.0.0.1:8100 listening
```

Manage:

```powershell
tshark-mcp-win-service stop
tshark-mcp-win-service restart   # reload after editing config.toml
```

Uninstall the service only:

```powershell
tshark-mcp-win-service stop
tshark-mcp-win-service remove
```

Full cleanup (service + uv tool + leftover pywin32 DLLs):

```powershell
# 1. Remove the service (admin PS)
tshark-mcp-win-service stop
tshark-mcp-win-service remove

# 2. Uninstall the uv tool venv (admin not required)
uv tool uninstall tshark-mcp

# 3. Optional — pywin32 leaves two DLLs in the uv-managed Python dir.
#    Only remove these if no other pywin32-using uv tool is installed.
$pyDir = "$env:APPDATA\uv\python\cpython-3.13-windows-x86_64-none"
Remove-Item -Force -ErrorAction SilentlyContinue `
    "$pyDir\pywintypes313.dll", "$pyDir\pythoncom313.dll"
```

Because Windows services don't receive command-line arguments, configure the service via:

- Config file at `%PROGRAMDATA%\tshark-mcp\config.toml` (recommended) — restart the service after editing
- System-wide environment variables (`TSHARK_MCP_HOST`, `TSHARK_MCP_PORT`, `TSHARK_PATH`, …)
Once running, point your MCP client at http://127.0.0.1:8100/mcp exactly as in the HTTP section above.
Configuration
Configuration is layered — later sources override earlier ones:
```
built-in defaults < config file (TOML) < environment variables < CLI arguments
```

Config file (TOML)

Search order (first match wins):

1. `--config <path>` CLI argument
2. `TSHARK_MCP_CONFIG` environment variable
3. Windows: `%APPDATA%\tshark-mcp\config.toml`, then `%PROGRAMDATA%\tshark-mcp\config.toml`
4. Linux/macOS: `$XDG_CONFIG_HOME/tshark-mcp/config.toml` (or `~/.config/tshark-mcp/config.toml`), then `/etc/tshark-mcp/config.toml`
Full schema (also see config.example.toml):
```toml
[server]
# stdio | http | streamable-http | sse
# "http" is an alias for "streamable-http" (the current MCP HTTP transport).
# "sse" is the deprecated MCP HTTP+SSE transport; kept for legacy clients.
transport = "http"
host = "127.0.0.1"
port = 8100

# Optional endpoint paths (default to FastMCP defaults)
# mount_path = "/"
# streamable_http_path = "/mcp"
# sse_path = "/sse"
# message_path = "/messages"

[tshark]
# Override tshark binary location (otherwise auto-detected).
# path = "C:\\Program Files\\Wireshark\\tshark.exe"
```

Environment variables

| Variable | Maps to |
|---|---|
| `TSHARK_MCP_CONFIG` | Path to TOML config file |
| `TSHARK_MCP_HOST` | `[server] host` |
| `TSHARK_MCP_PORT` | `[server] port` |
| `TSHARK_PATH` | `[tshark] path` |
CLI arguments
tshark-mcp and tshark-mcp-http accept the same flags:
```
--config PATH                  TOML config file (overrides search paths)
--transport {stdio,http,streamable-http,sse}
--host HOST
--port PORT
--mount-path PATH
--streamable-http-path PATH    default '/mcp'
--sse-path PATH
--message-path PATH
--tshark-path PATH             tshark binary (overrides TSHARK_PATH env)
```

The two scripts differ only in their starting defaults — tshark-mcp starts from stdio defaults, tshark-mcp-http starts from transport=http, host=127.0.0.1, port=8100. Either way, file → env → CLI all layer on top.
TShark binary auto-detection
If [tshark] path, TSHARK_PATH, and --tshark-path are all unset, the server probes:
- Windows: `C:\Program Files\Wireshark\tshark.exe`, `C:\Program Files (x86)\Wireshark\tshark.exe`
- macOS: `/usr/local/bin/tshark`, `/opt/homebrew/bin/tshark`
- Linux: `/usr/bin/tshark`, `/usr/sbin/tshark`, `/usr/local/bin/tshark`
Then falls back to PATH lookup.
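Worked example of the two rules above (the layering order and the binary probe order), written for this README and not taken from the project's code: `resolve_settings` applies defaults < parsed TOML < environment < CLI, including the `http` alias from the schema comment, and `detect_tshark` walks the platform probe list before a PATH lookup. The settings keys, the `ENV_MAP` pairing and both function names are assumptions; the TOML file is passed in already parsed.

```python
import os
import shutil
import sys

# Env var -> settings key (variable names from the README; keys are assumptions)
ENV_MAP = {"TSHARK_MCP_HOST": "host", "TSHARK_MCP_PORT": "port",
           "TSHARK_PATH": "tshark_path"}
# Starting defaults of the two console scripts as the README states them
STDIO_DEFAULTS = {"transport": "stdio", "host": "127.0.0.1", "port": 8100,
                  "tshark_path": None}
HTTP_DEFAULTS = dict(STDIO_DEFAULTS, transport="http")
# Probe locations from the "TShark binary auto-detection" section
PROBE_PATHS = {
    "win32": [r"C:\Program Files\Wireshark\tshark.exe",
              r"C:\Program Files (x86)\Wireshark\tshark.exe"],
    "darwin": ["/usr/local/bin/tshark", "/opt/homebrew/bin/tshark"],
    "linux": ["/usr/bin/tshark", "/usr/sbin/tshark", "/usr/local/bin/tshark"],
}


def resolve_settings(defaults, file_cfg, env, cli):
    """Layer: built-in defaults < TOML file (parsed dict) < env vars < CLI."""
    s = dict(defaults)
    server = file_cfg.get("server", {})
    for key in ("transport", "host", "port"):
        if key in server:
            s[key] = server[key]
    if "path" in file_cfg.get("tshark", {}):
        s["tshark_path"] = file_cfg["tshark"]["path"]
    for var, key in ENV_MAP.items():
        if var in env:
            s[key] = env[var]
    for key, val in cli.items():            # None means the flag was not given
        if val is not None:
            s[key] = val
    s["port"] = int(s["port"])              # env/CLI values arrive as strings
    if s["transport"] == "http":            # alias documented in the TOML schema
        s["transport"] = "streamable-http"
    return s


def detect_tshark(configured, platform=sys.platform, exists=os.path.isfile,
                  which=shutil.which):
    """Explicit setting wins; else probe the platform paths; else PATH lookup."""
    if configured:
        return configured
    for candidate in PROBE_PATHS.get(platform, []):
        if exists(candidate):
            return candidate
    return which("tshark")
```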
Tools (25 total)
Basic Analysis
| Tool | Key Parameters | Description |
|---|---|---|
| `analyze_pcap_file` | `file_path`, `display_filter` | Packet summaries with optional display filter and TLS decryption |
| `get_packet_statistics` | — | Protocol hierarchy statistics |
| `extract_packet_details` | `file_path`, `packet_number` | Full verbose detail for a specific packet (1-based index) |
| `extract_fields` | `file_path`, `fields`, `display_filter`, `keylog_file` | Extract any tshark field as tab-separated values |
| | | Export packets as JSON for structured analysis |
| | | Run any raw tshark command |
Traffic Aggregation & Statistics
| Tool | Key Parameters | Description |
|---|---|---|
| `get_conversations` | `file_path`, `protocol` | Conversation statistics for the given protocol (e.g. `sctp`) |
| `get_flow_matrix` | `file_path` | Host-pair communication matrix (ip.src × ip.dst), ranked by bytes |
| `get_traffic_timeseries` | `file_path`, `interval_seconds`, `display_filter` | Packets and bytes per time bucket — identifies bursts and periodic patterns |
| `aggregate_flows` | `file_path`, `group_by`, `display_filter` | Group packets by any field combination (e.g. `ip.src,ip.dst,tcp.dstport`) |
Protocol-Specific Analysis
| Tool | Key Parameters | Description |
|---|---|---|
| `analyze_dns` | `file_path`, `display_filter` | DNS query patterns, NXDOMAIN detection, response time statistics |
| `get_tcp_performance` | `file_path`, `display_filter` | RTT, retransmissions, window size — diagnose network quality issues |
| `follow_stream` | `file_path`, `protocol`, `stream_index` | Reconstruct a TCP / UDP / SCTP stream as ASCII text |
Telecom / SS7 Signaling
These tools handle the telecom core network signaling stack: SCTP → M3UA → SCCP → TCAP → MAP
| Tool | Key Parameters | Description |
|---|---|---|
| `reconstruct_tcap_dialogue` | `file_path` | Group TCAP messages (Begin/Continue/End/Abort) by transaction ID (OTID/DTID) |
| `analyze_map_operations` | `file_path` | MAP operation frequency table + per-IMSI activity summary |
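An added example, not the project's implementation, of the OTID/DTID chaining that `reconstruct_tcap_dialogue` performs: a Begin carries only the originator's OTID, the peer's Continue carries its own OTID plus the originator's OTID as DTID, and End/Abort carry only a DTID, so each message is looked up by DTID and then contributes its OTID to the dialogue. The TSV sample (the shape `extract_fields` would return for `frame.number,tcap.MessageType,tcap.otid,tcap.dtid`) is constructed and the function names are assumptions.

```python
# Constructed TCAP rows: frame, tcap.MessageType, tcap.otid, tcap.dtid
# (tab-separated). Two interleaved dialogues; the second is aborted.
SAMPLE_TSV = """\
1\tBegin\t0000a1\t
2\tBegin\t0000b2\t
3\tContinue\t0000c3\t0000a1
4\tAbort\t\t0000b2
5\tContinue\t0000a1\t0000c3
6\tEnd\t\t0000a1
"""


def parse_rows(tsv):
    rows = []
    for line in tsv.splitlines():
        frame, mtype, otid, dtid = line.split("\t")
        rows.append((int(frame), mtype, otid or None, dtid or None))
    return rows


def reconstruct_dialogues(rows):
    """Chain TCAP messages into dialogues; returns (dialogues, orphans).

    Lookup is by DTID (the peer's transaction ID); the message's own OTID is
    then registered so that both sides' IDs resolve to the same dialogue.
    """
    dialogues = []      # {"tids": set, "msgs": [(frame, type)], "state": str}
    open_by_tid = {}    # tid -> index into dialogues, open dialogues only
    orphans = []        # non-Begin messages whose DTID matches nothing
    for frame, mtype, otid, dtid in rows:
        idx = open_by_tid.get(dtid) if dtid else None
        if idx is None:
            if mtype != "Begin":
                orphans.append((frame, mtype))
                continue
            idx = len(dialogues)
            dialogues.append({"tids": set(), "msgs": [], "state": "open"})
        d = dialogues[idx]
        d["msgs"].append((frame, mtype))
        if otid:
            d["tids"].add(otid)
            open_by_tid[otid] = idx
        if mtype in ("End", "Abort"):
            d["state"] = "ended" if mtype == "End" else "aborted"
            for tid in d["tids"]:       # release IDs so later reuse starts fresh
                open_by_tid.pop(tid, None)
    return dialogues, orphans
```

In real captures a TID is only unique per signalling point, so a production version should key on (point code, TID) rather than the bare TID to avoid merging unrelated dialogues.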
TLS Decryption
Requires a TLS key log file generated by the target application.
| Tool | Description |
|---|---|
| `follow_tls_stream` | Reconstruct a decrypted TLS stream as plaintext from a PCAP + key log file |
| `capture_and_decrypt` | Capture live traffic and immediately show decrypted TLS content |
| `tshark_reading_manual` | Read this first — full TLS decryption workflow including debugger-based key extraction |
Live Capture
| Tool | Key Parameters | Description |
|---|---|---|
| `list_interfaces` | — | List available network interfaces for live capture |
| `capture_live` | | Capture live packets (max 500 packets / 60 s) |
| `capture_process` | `pid`, `interface`, `output_pcap`, `duration`, `keylog_file` | Capture traffic for a specific process by PID |
File Operations
| Tool | Key Parameters | Description |
|---|---|---|
| `filter_and_save` | | Filter packets from a PCAP and save to a new PCAP file |
| `export_objects` | `file_path`, `protocol`, `output_dir` | Extract files transferred over HTTP / SMB / TFTP / IMF / DICOM |
| `merge_pcap_files` | `input_files`, `output_file`, `display_filter` | Merge multiple PCAPs in timestamp order (uses `mergecap`) |
Process Management
| Tool | Description |
|---|---|
| `list_processes` | List running processes with PIDs (filter by name) |
Examples
General PCAP Analysis
```python
# Protocol hierarchy — confirm what layers are in the capture
get_packet_statistics("/captures/traffic.pcap")

# First 100 packets, HTTP only
analyze_pcap_file("/captures/traffic.pcap", display_filter="http")

# Extract source IPs, methods, and URIs from HTTP requests
extract_fields(
    file_path="/captures/traffic.pcap",
    fields="ip.src,http.request.method,http.request.uri",
    display_filter="http.request"
)

# Full detail for packet 42
extract_packet_details("/captures/traffic.pcap", packet_number=42)
```

Traffic Aggregation

```python
# Which hosts talk to each other most? (top 20 by bytes)
get_flow_matrix("/captures/traffic.pcap")

# Traffic volume over time — 5-second buckets
get_traffic_timeseries("/captures/traffic.pcap", interval_seconds=5.0)

# TCP traffic only, 1-second buckets
get_traffic_timeseries("/captures/traffic.pcap", interval_seconds=1.0, display_filter="tcp")

# Per-service breakdown: which src IP hits which dst port most?
aggregate_flows(
    file_path="/captures/traffic.pcap",
    group_by="ip.src,ip.dst,tcp.dstport",
    display_filter="tcp"
)

# SCTP conversation statistics
get_conversations("/captures/ss7.pcap", protocol="sctp")
```

DNS Analysis

```python
# Top queried domains, NXDOMAIN failures, response times
analyze_dns("/captures/traffic.pcap")

# DNS from a specific client only
analyze_dns("/captures/traffic.pcap", display_filter="ip.src == 192.168.1.10")
```

TCP Performance Diagnosis

```python
# RTT, retransmission rate, window size — is the network healthy?
get_tcp_performance("/captures/traffic.pcap")

# Performance for a specific server
get_tcp_performance("/captures/traffic.pcap", display_filter="ip.addr == 10.0.0.1")
```

Stream Reconstruction

```python
# Follow the first TCP stream
follow_stream("/captures/traffic.pcap", protocol="tcp", stream_index=0)

# Follow an SCTP stream
follow_stream("/captures/ss7.pcap", protocol="sctp", stream_index=0)

# Follow a TELNET session (TELNET runs over TCP port 23)
follow_stream("/captures/traffic.pcap", protocol="tcp", stream_index=0)
```

Telecom / SS7 Signaling Analysis

The typical protocol stack is: SCTP → M3UA → SCCP → TCAP → MAP

```python
# Step 1 — confirm SS7 layers are present
get_packet_statistics("/captures/ss7.pcap")
# Expected output includes: sctp, m3ua, mtp3, sccp, tcap, gsm_map

# Step 2 — reconstruct TCAP dialogues (Begin→Continue→End chains)
reconstruct_tcap_dialogue("/captures/ss7.pcap")

# Step 3 — MAP operation frequency + IMSI tracking
analyze_map_operations("/captures/ss7.pcap")

# Step 4 — raw MAP field extraction
extract_fields(
    file_path="/captures/ss7.pcap",
    fields="gsm_map.opr.code,gsm_map.imsi,gsm_map.msisdn.digits",
    display_filter="gsm_map"
)

# SCCP routing analysis — who calls whom?
aggregate_flows(
    file_path="/captures/ss7.pcap",
    group_by="sccp.calling_party,sccp.called_party",
    display_filter="sccp"
)

# Filter to a specific TCAP dialogue by OTID
extract_fields(
    file_path="/captures/ss7.pcap",
    fields="frame.time_relative,tcap.MessageType,tcap.otid,tcap.dtid,gsm_map.opr.code",
    display_filter="tcap.otid == aabbccdd"
)
```

File Extraction (Forensics)

```python
# Extract files transferred over HTTP in a capture
export_objects(
    file_path="/captures/traffic.pcap",
    protocol="http",
    output_dir="/tmp/extracted/"
)

# Extract SMB file transfers
export_objects(
    file_path="/captures/traffic.pcap",
    protocol="smb",
    output_dir="/tmp/smb_files/"
)
```

Multi-PCAP Correlation

```python
# Merge two captures from different taps, analyze combined
merge_pcap_files(
    input_files="/captures/tap1.pcap,/captures/tap2.pcap",
    output_file="/captures/merged.pcap"
)

# With a display filter on the merged result
merge_pcap_files(
    input_files="/captures/tap1.pcap,/captures/tap2.pcap",
    output_file="/captures/merged.pcap",
    display_filter="tcp"
)
```

TLS Decryption

```python
# Decrypt and reconstruct HTTPS stream
follow_tls_stream(
    file_path="/captures/traffic.pcap",
    keylog_file="C:/captures/keys.log",
    stream_index=0
)

# Extract HTTP fields from decrypted traffic
extract_fields(
    file_path="/captures/traffic.pcap",
    fields="ip.src,http.request.method,http.request.uri",
    display_filter="http.request",
    keylog_file="C:/captures/keys.log"
)

# Live capture + real-time TLS decryption
capture_and_decrypt(
    interface=r"\Device\NPF_{...}",
    keylog_file="C:/captures/keys.log",
    output_pcap="C:/captures/session.pcap",
    duration=30
)
```

Process-Specific Capture

```python
# Find process PID
list_processes("chrome")
# → chrome.exe PID 4812

# Capture traffic for that process
capture_process(
    pid=4812,
    interface=r"\Device\NPF_{...}",  # from list_interfaces()
    output_pcap="C:/captures/chrome.pcap",
    duration=30
)

# Capture + decrypt TLS in one step
capture_process(
    pid=4812,
    interface=r"\Device\NPF_{...}",
    output_pcap="C:/captures/chrome.pcap",
    duration=30,
    keylog_file="C:/captures/keys.log"  # set SSLKEYLOGFILE before launching Chrome
)
```

Protocol Support Reference
| Protocol | Filter | Relevant Fields | Best Tool |
|---|---|---|---|
| TCP | `tcp` | `tcp.dstport` | `get_tcp_performance`, `follow_stream` |
| UDP | `udp` | | `follow_stream` |
| SCTP | `sctp` | | `get_conversations`, `follow_stream` |
| HTTP | `http`, `http.request` | `http.request.method`, `http.request.uri` | `extract_fields`, `export_objects` |
| TLS/HTTPS | `tls` | | `follow_tls_stream` |
| DNS | `dns` | | `analyze_dns` |
| TELNET | `telnet` | | `follow_stream` (follow TCP stream) |
| M3UA | `m3ua` | | |
| SCCP | `sccp` | `sccp.calling_party`, `sccp.called_party` | `aggregate_flows` |
| TCAP | `tcap` | `tcap.MessageType`, `tcap.otid`, `tcap.dtid` | `reconstruct_tcap_dialogue` |
| MAP | `gsm_map` | `gsm_map.opr.code`, `gsm_map.imsi`, `gsm_map.msisdn.digits` | `analyze_map_operations` |
TLS Decryption Setup
TShark can decrypt TLS traffic when given the session keys written by the application. Set the SSLKEYLOGFILE environment variable before launching the target application:
```shell
# Windows
set SSLKEYLOGFILE=C:\captures\keys.log
start chrome

# Linux / macOS
export SSLKEYLOGFILE=/tmp/keys.log
google-chrome &
```

Supported runtimes: Chrome, Edge, Firefox, curl, Python (requests / httpx / aiohttp), Go crypto/tls (with SSLKEYLOGFILE patch), Node.js (--tls-keylog).
For applications that do not support SSLKEYLOGFILE (compiled binaries, custom TLS stacks), keys must be extracted from process memory using a debugger. Call tshark_reading_manual for the complete step-by-step workflow including x64dbg-based key extraction.
Process-Specific Capture — How It Works
1. `list_processes` — find the PID of the target process.
2. `capture_process` — snapshots the process's open connections at capture start, builds a BPF filter from its local ports, then runs a timed capture saving to a PCAP file.
Because the filter is derived at capture start, connections opened later still get captured if they share a port already in the filter. For long-running captures or applications with many short-lived connections, re-run capture_process as needed, or use capture_live without a filter and post-filter with filter_and_save.
| Platform | Tool used internally | Notes |
|---|---|---|
| Windows | | No extra installation needed |
| macOS | | No extra installation needed |
| Linux | | Usually pre-installed |
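An added example, not the project's code, of the port-snapshot approach `capture_process` uses, including the gap the paragraph above describes: sockets the process opens after the snapshot are only captured if they reuse an already-filtered port. `Conn`, both snapshots and the function names are constructed for this example; the real tool reads the snapshot from the platform's socket-listing utility.

```python
from collections import namedtuple

# One row of the connection snapshot (constructed shape; the real tool
# parses the output of the platform's socket-listing utility).
Conn = namedtuple("Conn", "pid proto local_port")

SNAPSHOT_AT_START = [                 # constructed sample data
    Conn(4812, "tcp", 52031), Conn(4812, "tcp", 52032),
    Conn(4812, "udp", 60000), Conn(1200, "tcp", 445),
]
SNAPSHOT_LATER = SNAPSHOT_AT_START + [Conn(4812, "tcp", 52099)]


def local_ports_for_pid(snapshot, pid):
    """Distinct (proto, local_port) pairs the process owns in the snapshot."""
    return sorted({(c.proto, c.local_port) for c in snapshot if c.pid == pid})


def build_bpf_filter(pairs):
    """BPF capture filter such as 'tcp port 52031 or udp port 60000'.
    Returns None when the process has no sockets: an empty filter would
    silently record every host's traffic, so the caller should refuse."""
    if not pairs:
        return None
    return " or ".join(f"{proto} port {port}" for proto, port in pairs)


def ports_not_covered(filter_pairs, later_snapshot, pid):
    """Sockets opened after the filter was built that the running capture is
    missing; a non-empty result is the cue to re-run capture_process."""
    covered = set(filter_pairs)
    return [p for p in local_ports_for_pid(later_snapshot, pid) if p not in covered]
```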
Development
```powershell
git clone <repository-url>
cd tshark-mcp
uv sync

# Run during development
uv run server.py                                  # stdio
uv run server.py --transport http --port 8100     # HTTP
uv run tshark-mcp-http                            # HTTP (entry-point alias)

# Tests (no TShark installation required — subprocess is mocked)
uv run python -m pytest test_server.py -v

# Build a local wheel and install it as a uv tool (Windows service ready)
uv build
uv tool install --reinstall ".\dist\tshark_mcp-1.0.0-py3-none-any.whl[windows-service]"

# Clean build artifacts
Remove-Item -Recurse -Force -ErrorAction SilentlyContinue dist, build, *.egg-info
```

Project Policies
License: see LICENSE
Contributing: see CONTRIBUTING.md
Code of conduct: see CODE_OF_CONDUCT.md
Security: see SECURITY.md
Release
Automated via .github/workflows/release.yml. Pushing a v* tag builds the wheel and publishes to PyPI using the PYPI_API_TOKEN repo secret:
```shell
git tag v1.2.3
git push origin v1.2.3
```

Pre-release check:

```shell
uv run python scripts/release_check.py
```

Full release process + one-time PYPI_API_TOKEN setup: see RELEASE.md