Wireshark MCP
The Wireshark MCP server provides comprehensive network packet analysis capabilities by integrating Wireshark/tshark tools, enabling AI assistants to analyze pcap files, capture live traffic, and perform security analysis.
Packet Analysis: View packet summaries and detailed JSON information, extract raw hex/ASCII dumps, view packets in context, reassemble and follow complete TCP/UDP/TLS/HTTP streams with pagination, and search for patterns using string, hex, or regex matching.
Data Extraction: Extract specific protocol fields as tabular data with custom filtering, retrieve HTTP requests and DNS queries, list unique IP addresses, export embedded files from HTTP/SMB/TFTP traffic, and verify TLS decryption using keylog files.
Statistics & Reporting: Generate protocol hierarchy statistics, endpoint and conversation analysis, I/O graphs for traffic volume over time, expert information for anomaly detection (retransmissions, errors, warnings), and service response time metrics for HTTP, DNS, SMB and other protocols.
File Operations & Live Capture: Get detailed metadata for pcap files, merge multiple capture files, filter and save packets, list available network interfaces, and capture live traffic with duration, packet count, BPF filters, and ring buffer support.
Security Analysis: Check captured IP addresses against URLhaus threat intelligence feeds and scan for plaintext credentials in HTTP Basic Auth, FTP, and Telnet traffic.
Utilities: Decode common encodings (Base64, Hex, URL, Gzip, Deflate, Rot13) with auto-detection and generate ASCII charts for traffic volume and protocol hierarchy trees.
Supported Protocols: Network layer (Ethernet, IP, IPv6, TCP, UDP, SCTP, WLAN) and application layer (HTTP, HTTP/2, DNS, TLS/SSL, SMB, FTP, Telnet, TFTP, DICOM).
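As an added illustration of the Security Analysis feature above (the plaintext-credential scan for HTTP Basic Auth and FTP), here is example code written for this page; it is not the project's own implementation and does not describe how wireshark-mcp does it internally. It builds the tshark field-extraction command such a scanner would run, then parses the tab-separated output to report which accounts were sent in the clear and in which frames. The tshark field names are real; the display filter, the function names and the sample output lines (hosts, usernames, frame numbers) are this example's assumptions.

```python
import base64
import shlex
import subprocess
from typing import Dict, List

# Fields a credential scanner would ask tshark for. All are real tshark field
# names; the selection and the display filter are this example's choice.
FIELDS = ["frame.number", "ip.src", "ip.dst",
          "http.authorization", "ftp.request.command", "ftp.request.arg"]
DISPLAY_FILTER = "http.authorization || ftp.request.command"


def build_tshark_command(pcap_path: str) -> List[str]:
    """argv for `tshark -r <pcap> -Y <filter> -T fields -e <field> ...`
    (tab-separated output, one packet per line)."""
    cmd = ["tshark", "-r", pcap_path, "-Y", DISPLAY_FILTER, "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def scan_plaintext_credentials(fields_output: str) -> List[Dict[str, str]]:
    """Parse `-T fields` output and report credentials sent in the clear.

    HTTP Basic Auth is Base64-encoded (not encrypted) user:password;
    FTP sends USER and PASS as separate commands, so the two are paired
    by (src, dst) flow. Passwords are deliberately not returned: the
    report only needs the frame, flow and account to triage the exposure.
    """
    findings: List[Dict[str, str]] = []
    pending_ftp_user: Dict[tuple, str] = {}  # (src, dst) -> username from USER
    for line in fields_output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate short lines
        frame, src, dst, auth, ftp_cmd, ftp_arg = parts[:len(FIELDS)]

        if auth.startswith("Basic "):
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue        # malformed header, not a usable credential
            user, sep, _password = decoded.partition(":")
            if sep:
                findings.append({"frame": frame, "protocol": "http-basic",
                                 "src": src, "dst": dst, "user": user})
        elif ftp_cmd == "USER":
            pending_ftp_user[(src, dst)] = ftp_arg
        elif ftp_cmd == "PASS" and (src, dst) in pending_ftp_user:
            user = pending_ftp_user.pop((src, dst))
            findings.append({"frame": frame, "protocol": "ftp",
                             "src": src, "dst": dst, "user": user})
        # Bearer tokens and other schemes are not plaintext credentials in the
        # sense used above and are intentionally left alone.
    return findings


def scan_pcap(pcap_path: str) -> List[Dict[str, str]]:
    """Run tshark on a real capture and scan its output (needs tshark on PATH)."""
    out = subprocess.run(build_tshark_command(pcap_path),
                         capture_output=True, text=True, check=True).stdout
    return scan_plaintext_credentials(out)


# Constructed sample of what tshark would print for the command above; the
# hosts, usernames and frame numbers are invented for this example.
SAMPLE_TSHARK_FIELDS = "\n".join([
    "12\t10.0.0.5\t10.0.0.80\tBasic YWxpY2U6czNjcjN0",  # alice:s3cr3t
    "40\t10.0.0.7\t10.0.0.21\t\tUSER\tbob",
    "41\t10.0.0.7\t10.0.0.21\t\tPASS\thunter2",
    "55\t10.0.0.5\t10.0.0.80\tBearer eyJhbGciOi...",
    "60\t10.0.0.9\t10.0.0.21\t\tRETR\tfile.txt",
])

if __name__ == "__main__":
    print(shlex.join(build_tshark_command("capture.pcap")))
    for f in scan_plaintext_credentials(SAMPLE_TSHARK_FIELDS):
        print(f"frame {f['frame']}: {f['protocol']} credential for '{f['user']}' "
              f"sent in clear from {f['src']} to {f['dst']}")
```

Running the module as-is only exercises the constructed sample; `scan_pcap("capture.pcap")` runs the same parser over a real capture. Keeping the password out of the findings is a deliberate design choice: the analyst needs to know which account and which flow leaked, and a report that re-copies the secret into a Markdown file just widens the exposure.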
Provides tools for analyzing network traffic and pcap files, including packet summarization, deep packet dissection, stream reassembly, and automated extraction of HTTP requests, DNS queries, and credentials.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Wireshark MCP analyze capture.pcap and check for any plaintext credentials"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Give your AI assistant a packet analyzer.
Drop a .pcap file, ask questions in plain English — get answers backed by real tshark data.
What is this?
An MCP server that wraps tshark (and optional Wireshark suite tools) into a structured analysis interface. Works with Claude Desktop, Claude Code, Cursor, VS Code, and 18+ other MCP clients.
You: "Find all DNS queries going to suspicious domains in this capture."
Claude: [calls wireshark_extract_dns_queries → wireshark_check_threats]
"Found 3 queries to domains flagged by URLhaus: ..."
Install
Prerequisites: Python 3.10+ and Wireshark with tshark on PATH.
pip install wireshark-mcp
wireshark-mcp install # auto-configures all detected MCP clients
Restart your AI client — done.
Run wireshark-mcp doctor if anything looks off. See docs/manual-configuration.md for manual setup or platform-specific notes.
Quick Start
Point your AI client at a .pcap file and try:
Analyze capture.pcap using the Wireshark MCP tools.
Start with wireshark_open_file, then run wireshark_security_audit.
Write findings to report.md.
Tools
40+ tools organized into categories:
Category | Highlights | Count |
Agentic Workflows | | 4 |
Packet Analysis | Packet list, details, bytes, context, stream follow, search | 7 |
Data Extraction | HTTP requests, DNS queries, TLS handshakes, field extraction | 6 |
Statistics | Protocol hierarchy, endpoints, conversations, I/O graph, expert info | 6 |
Security | Threat intel, credential scan, port scan, DNS tunnel, DoS detection | 6 |
Protocol Deep Dive | TCP health, ARP spoofing, SMTP, DHCP | 5 |
File Ops & Capture | Live capture, merge, filter-save, file info | 5 |
Suite Utilities | editcap trim/split/dedup, text2pcap import | 5 |
Decode & Visualize | Payload decode, traffic plot, protocol tree | 3 |
The server starts with only tshark required. Optional tools (capinfos, mergecap, editcap, dumpcap, text2pcap) are auto-detected and enable extra features when present.
Documentation
Platform setup (macOS/Linux/Windows)
Manual client configuration
Prompt templates
Release checklist
Contributing
Changelog
Security policy
Development
pip install -e ".[dev]"
pytest tests/ -v
ruff check src/ tests/
See CONTRIBUTING.md for the full guide.
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/bx33661/Wireshark-MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server