Server Configuration

Describes the environment variables required to run the server.

Columns: Name, Required, Description, Default

No arguments (this server needs no environment variables).

Capabilities

Features and capabilities supported by this server

Columns: Capability, Details

tools
{
  "listChanged": false
}

prompts
{
  "listChanged": false
}

resources
{
  "subscribe": false,
  "listChanged": false
}

experimental
{}

Tools

Functions exposed to the LLM to take actions

Columns: Name, Description

wireshark_list_interfaces

List available network interfaces for capture.

Returns: List of interfaces with index, name, and status

Example: wireshark_list_interfaces()

wireshark_capture

Capture live network traffic.

Args:
  interface: Interface index or name (from list_interfaces)
  output_file: Absolute path for output .pcap file
  duration_seconds: Capture duration (0 = unlimited)
  packet_count: Stop after N packets (0 = unlimited)
  capture_filter: BPF filter (e.g. "host 192.168.1.1 and port 80")
  ring_buffer: Ring buffer config (e.g. "filesize:1024,files:5")

Returns: Success message with file path or error JSON

Errors: ExecutionError: Capture failed

Example: wireshark_capture("eth0", "/tmp/capture.pcap", duration_seconds=30, capture_filter="port 80")

wireshark_filter_save

Filter packets from a pcap and save to a new file.

Args:
  input_file: Source pcap file
  output_file: Destination pcap file
  display_filter: Wireshark display filter (e.g. "http.request.method == POST")

Returns: Success message or error JSON

Errors:
  FileNotFound: input_file does not exist
  ExecutionError: Filter failed

Example: wireshark_filter_save("big.pcap", "http_only.pcap", "http")

wireshark_stats_protocol_hierarchy

[PHS] Get Protocol Hierarchy Statistics. Shows distribution of protocols in the capture.

Returns: Tree-structured protocol statistics or JSON error

Errors: FileNotFound: pcap_file does not exist

Example: wireshark_stats_protocol_hierarchy("traffic.pcap")

wireshark_stats_endpoints

[Endpoints] List all endpoints and their traffic stats.

Args:
  type: Protocol type - 'eth', 'ip', 'ipv6', 'tcp', 'udp', 'sctp', 'wlan'

Returns: Endpoint statistics table or JSON error

Errors:
  FileNotFound: pcap_file does not exist
  InvalidParameter: Invalid protocol type

Example: wireshark_stats_endpoints("traffic.pcap", type="tcp")

wireshark_stats_conversations

[Conversations] Show communication pairs and their stats.

Args:
  type: Protocol type - 'eth', 'ip', 'ipv6', 'tcp', 'udp', 'sctp', 'wlan'

Returns: Conversation statistics table or JSON error

Errors:
  FileNotFound: pcap_file does not exist
  InvalidParameter: Invalid protocol type

Example: wireshark_stats_conversations("traffic.pcap", type="tcp")

wireshark_stats_io_graph

[I/O Graph] Traffic volume over time.

Args: interval: Time interval in seconds (default: 1)

Returns: Time-series traffic statistics or JSON error

Errors: FileNotFound: pcap_file does not exist

Example: wireshark_stats_io_graph("traffic.pcap", interval=5)

wireshark_stats_expert_info

[Expert Info] Automatic anomaly detection. Detects: retransmissions, errors, warnings, protocol issues.

Returns: Expert analysis results or JSON error

Errors: FileNotFound: pcap_file does not exist

Example: wireshark_stats_expert_info("traffic.pcap")

wireshark_stats_service_response_time

[SRT] Service Response Time statistics.

Args: protocol: Application protocol - 'http', 'dns', 'smb', etc.

Returns: Response time statistics or JSON error

Errors: FileNotFound: pcap_file does not exist

Example: wireshark_stats_service_response_time("web.pcap", protocol="http")

wireshark_get_packet_list

[Summary] Get a summary list of packets (like Wireshark's top pane). Use this first to scan traffic before drilling down.

Args:
  pcap_file: Path to capture file
  limit: Rows to return (default: 20)
  offset: Skip first N rows
  display_filter: Wireshark display filter (e.g. "tcp.port == 80")
  custom_columns: Comma-separated list of fields (e.g. "ip.src,http.host"). If provided, replaces default columns.

Returns: Tabular list with columns: No, Time, Source, Destination, Protocol, Length, Info (Or your custom columns if specified)

Example: wireshark_get_packet_list("traffic.pcap", display_filter="http", custom_columns="ip.src,http.host,http.request.uri")

wireshark_get_packet_details

[Detail] Get full details for a SINGLE packet (like Wireshark's bottom pane).

Args:
  pcap_file: Path to capture file
  frame_number: The packet number (from wireshark_get_packet_list)
  layers: Comma-separated list of layers/protocols to include (e.g. "ip,tcp,http"). Reduces output size significantly.

Returns: Complete JSON structure of the packet

Example: wireshark_get_packet_details("traffic.pcap", frame_number=42, layers="http")

wireshark_get_packet_bytes

[Bytes] Get raw Hex/ASCII dump (like Wireshark's 'Packet Bytes' pane).

Args:
  pcap_file: Path to capture file
  frame_number: The packet number

Returns: Standard Wireshark Hex/ASCII dump.

Example: wireshark_get_packet_bytes("traffic.pcap", 42)

wireshark_get_packet_context

[Context] View packets surrounding a specific frame (before and after). Useful for understanding what led to an error or what happened immediately after.

Args:
  pcap_file: Path to capture file
  frame_number: The center packet number
  count: Number of packets to show before and after (default: 5)

Returns: Tabular packet list centering on the target frame.

wireshark_read_packets

[DEPRECATED] Read packet data in structured JSON format. WARNING: This tool can return very large, complex JSON. Retained for 1.x compatibility; new workflows should prefer wireshark_get_packet_list and wireshark_get_packet_details.

Args:
  pcap_file: Path to capture file
  limit: Maximum packets to return (default: 100)
  offset: Skip first N packets (pagination)
  display_filter: Wireshark display filter (e.g. "tcp.port == 80")

Returns:
  On success: JSON array of packets with full layer details
  On failure: JSON error object: {"success": false, "error": {...}}

Errors:
  FileNotFound: pcap_file does not exist
  ExecutionError: tshark JSON parsing failed

Example: wireshark_read_packets("traffic.pcap", limit=10, display_filter="http")

wireshark_extract_fields

[Tabular] Extract specific fields as comma/tab-separated data.

Args:
  fields: Comma-separated field names (e.g. "ip.src,tcp.port,http.host")
  display_filter: Optional filter (e.g. "http.request.method == POST")
  limit: Max rows to return (default: 100)
  offset: Skip first N rows (pagination)

Returns: Tabular text output or JSON error

Errors:
  FileNotFound: pcap_file does not exist
  ExecutionError: Field extraction failed

Example: wireshark_extract_fields("file.pcap", "ip.src,ip.dst,tcp.port", display_filter="tcp")

wireshark_list_ips

[Convenience] List all unique IP addresses in capture.

Args: type: IP type to extract - 'src', 'dst', or 'both'

Returns: Newline-separated list of unique IPs or JSON error

Example: wireshark_list_ips("traffic.pcap", type="src")

wireshark_search_packets

[Search] Find packets containing specific data.

Args:
  pcap_file: Path to capture file
  match_pattern: Pattern to search for
  search_type: Search method - 'string', 'hex', 'regex'
  limit: Maximum matches to return (default: 50)
  scope: Search scope - 'bytes' (default), 'details', or 'filter'
    - 'bytes': Searches raw packet payload (frame contains)
    - 'details': Searches decoded text layer (frame matches)
    - 'filter': Uses standard Wireshark display filter syntax (e.g. "http.response.code == 200")

Returns: List of matching packets (summary view) or JSON error

Errors: FileNotFound: pcap_file does not exist

Examples:
  wireshark_search_packets("traffic.pcap", "password", scope="bytes")
  wireshark_search_packets("traffic.pcap", "http.response.code == 200", scope="filter")

wireshark_follow_stream

[Stream] Reassemble and view complete stream content. Supports pagination to avoid token limits.

Args:
  stream_index: Stream ID from conversations/stats
  protocol: Stream protocol - 'tcp', 'udp', 'tls', 'http', 'http2'
  output_mode: Output format - 'ascii', 'hex', 'raw'
  limit_lines: Max lines to return (default: 500)
  offset_lines: Skip first N lines (for pagination)
  search_content: Optional string to grep/search within the stream

Returns: Reconstructed stream data or JSON error

Errors:
  FileNotFound: pcap_file does not exist
  InvalidParameter: Invalid protocol

Example: wireshark_follow_stream("traffic.pcap", stream_index=0, search_content="password")

wireshark_get_file_info

Get detailed metadata about a capture file. Uses capinfos to show: file type, packet count, duration, size, etc.

Returns: Detailed file metadata or JSON error

Errors:
  FileNotFound: pcap_file does not exist
  ToolNotFound: capinfos not available

Example: wireshark_get_file_info("traffic.pcap")

wireshark_merge_pcaps

Merge multiple capture files into one.

Args:
  output_file: Path for merged output file
  input_files: Comma-separated list of input file paths

Returns: Success message or JSON error

Errors:
  FileNotFound: One or more input files not found
  ToolNotFound: mergecap not available

Example: wireshark_merge_pcaps("merged.pcap", "file1.pcap,file2.pcap,file3.pcap")

wireshark_decode_payload

[Utils] Decode common encodings (Base64, Hex, URL, Gzip, etc.).

Args:
  data: The string to decode.
  encoding: Target encoding. Supported: 'base64', 'hex', 'url', 'rot13', 'gzip', 'deflate', 'html', 'unicode', 'quopri', 'ascii85'. Use 'auto' to try all and sort by readability.

Returns: Decoded string (or JSON in 'auto' mode).

wireshark_plot_traffic

[Visualization] Generate an ASCII bar chart of traffic volume (I/O Graph). Useful for identifying traffic spikes, DDoS start times, or silence patterns.

Args:
  pcap_file: Path to pcap file
  interval: Time interval bucket in seconds (default: 1)

Returns: String containing the ASCII chart

wireshark_plot_protocols

[Visualization] Generate an ASCII tree of protocol hierarchy. Shows the distribution of protocols (e.g., how much is HTTP vs DNS).

Args: pcap_file: Path to pcap file

Returns: String containing the ASCII tree

wireshark_security_audit

[Agent] One-call comprehensive security audit.

Automatically runs 8 analysis phases internally and returns a structured security report with risk scoring. No manual tool-chaining needed.

Phases: File summary → Protocol overview → Threat intelligence (URLhaus) → Credential exposure → Port scan detection → DNS anomaly detection → Cleartext protocol usage → Protocol anomalies (Expert Info)

Args: pcap_file: Path to capture file

Returns: Complete security audit report with risk level, findings, and recommendations.

Example: wireshark_security_audit("suspicious_traffic.pcap")

wireshark_quick_analysis

[Agent] One-call traffic overview and analysis.

Automatically gathers file info, protocol distribution, top talkers, conversations, hostnames, and anomalies into a single comprehensive report.

Phases: File info → Protocol distribution → Top talkers → Top conversations → Key hostnames (HTTP + DNS) → Anomaly summary (Expert Info)

Args: pcap_file: Path to capture file

Returns: Complete traffic analysis report with suggested next steps.

Example: wireshark_quick_analysis("capture.pcap")

wireshark_get_capabilities

Get the current Wireshark suite capabilities for this MCP server instance.

Returns: Structured capability map for required, recommended, and optional tools

Example: wireshark_get_capabilities()

wireshark_editcap_trim

Trim a capture file to a timestamp window using editcap.

Args:
  input_file: Source capture file
  output_file: Destination capture file
  start_time: Optional inclusive start time in editcap format
  stop_time: Optional exclusive stop time in editcap format

Returns: Success message or JSON error

wireshark_editcap_split

Split a capture into multiple files using editcap.

Args:
  input_file: Source capture file
  output_prefix: Output filename prefix or base path
  packets_per_file: Split after this many packets per file
  seconds_per_file: Split after this many seconds per file

Returns: Success message or JSON error

wireshark_editcap_time_shift

Shift packet timestamps by a relative number of seconds using editcap.

Args:
  input_file: Source capture file
  output_file: Destination capture file
  seconds: Relative time adjustment in seconds

Returns: Success message or JSON error

wireshark_editcap_deduplicate

Remove duplicate packets using editcap's duplicate window matching.

Args:
  input_file: Source capture file
  output_file: Destination capture file
  duplicate_window: Number of prior packets to compare against

Returns: Success message or JSON error

wireshark_text2pcap_import

Convert an ASCII or hex dump into a capture file using text2pcap.

Args:
  input_text_file: Source text or hexdump file
  output_file: Destination capture file
  encapsulation: Output link-layer encapsulation (default: ether)
  timestamp_format: Optional strptime-compatible timestamp format
  ascii_mode: Enable ASCII dump detection when the input includes an ASCII column

Returns: Success message or JSON error

wireshark_analyze_suspicious_traffic

[Security] Comprehensive anomaly analysis (cleartext, unusual ports, data volumes).

Args: pcap_file: Path to capture file

Returns: Comprehensive anomaly analysis or JSON error

Example: wireshark_analyze_suspicious_traffic("network.pcap")

wireshark_analyze_tcp_health

[TCP] Analyze TCP connection health (retransmissions, dup ACKs, zero window, resets).

Args: pcap_file: Path to capture file

Returns: TCP health statistics summary or JSON error

Example: wireshark_analyze_tcp_health("slow_connection.pcap")

wireshark_check_threats

[Security] Match captured URLs and hostnames against cached URLhaus threat intelligence.

Args: pcap_file: Path to capture file

Returns: Threat analysis summary or JSON error

Example: wireshark_check_threats("suspicious.pcap")

wireshark_detect_arp_spoofing

[ARP] Detect potential ARP spoofing (duplicate IP-MAC, gratuitous floods, reply storms).

Args: pcap_file: Path to capture file

Returns: ARP analysis results or JSON error

Example: wireshark_detect_arp_spoofing("lan_traffic.pcap")

wireshark_detect_dns_tunnel

[Security] Detect DNS tunneling (long queries, TXT abuse, subdomain entropy).

Args: pcap_file: Path to capture file

Returns: DNS tunnel analysis results or JSON error

Example: wireshark_detect_dns_tunnel("exfiltration.pcap")

wireshark_detect_dos_attack

[Security] Detect DoS/DDoS patterns (SYN flood, ICMP/UDP flood, DNS amplification).

Args: pcap_file: Path to capture file

Returns: DoS detection results or JSON error

Example: wireshark_detect_dos_attack("ddos.pcap")

wireshark_detect_port_scan

[Security] Detect port scanning (SYN, FIN, NULL, Xmas scans).

Args:
  pcap_file: Path to capture file
  threshold: Minimum unique destination ports to flag as scan (default: 15)

Returns: Port scan analysis results or JSON error

Example: wireshark_detect_port_scan("suspicious.pcap", threshold=10)

wireshark_export_objects

[Export] Extract embedded files from traffic (HTTP, SMB, TFTP, etc.).

Args:
  pcap_file: Path to capture file
  protocol: Protocol type - 'http', 'smb', 'tftp', 'imf', 'dicom'
  dest_dir: Destination directory for extracted files

Returns: Success message or JSON error

Example: wireshark_export_objects("traffic.pcap", "http", "/tmp/exported")

wireshark_extract_credentials

[Security] Scan for plaintext credentials (HTTP Basic Auth, FTP passwords, Telnet).

Args: pcap_file: Path to capture file

Returns: Credential findings summary or JSON error

Example: wireshark_extract_credentials("insecure.pcap")

wireshark_extract_dhcp_info

[DHCP] Extract DHCP lease information (IPs, hostnames, DNS servers, lease times).

Args: pcap_file: Path to capture file

Returns: DHCP lease information or JSON error

Example: wireshark_extract_dhcp_info("network_boot.pcap")

wireshark_extract_dns_queries

[DNS] Extract DNS query details (name, type). Pre-configured for DNS analysis.

Args:
  pcap_file: Path to capture file
  limit: Maximum queries to return (default: 100)

Returns: Tabular text with DNS queries or JSON error

Example: wireshark_extract_dns_queries("dns_traffic.pcap")

wireshark_extract_http_requests

[HTTP] Extract HTTP request details (method, URI, host). Pre-configured for HTTP analysis.

Args:
  pcap_file: Path to capture file
  limit: Maximum requests to return (default: 100)

Returns: Tabular text with HTTP request data or JSON error

Example: wireshark_extract_http_requests("web_traffic.pcap", limit=50)

wireshark_extract_smtp_emails

[SMTP] Extract SMTP email metadata (sender, recipient, subject, mail server info).

Args:
  pcap_file: Path to capture file
  limit: Maximum emails to extract (default: 50)

Returns: SMTP email metadata or JSON error

Example: wireshark_extract_smtp_emails("email_traffic.pcap")

wireshark_extract_tls_handshakes

[TLS] Extract TLS/SSL handshake information (version, cipher, SNI, cert issuer).

Args:
  pcap_file: Path to capture file
  limit: Maximum handshakes to return (default: 50)

Returns: Tabular TLS handshake data or JSON error

Example: wireshark_extract_tls_handshakes("https_traffic.pcap")

wireshark_verify_ssl_decryption

[TLS] Verify TLS decryption with keylog file.

Args:
  pcap_file: Path to capture file
  keylog_file: Path to SSL/TLS keylog file (SSLKEYLOGFILE format)

Returns: Expert info with decryption status or JSON error

Example: wireshark_verify_ssl_decryption("https.pcap", "ssl_keylog.txt")

wireshark_open_file

[Entry Point] Open a pcap file and recommend the most relevant analysis tools.

This is the recommended FIRST tool to call. It analyzes the capture file, detects what protocols are present, and points the assistant at the most relevant tools for this specific capture.

All contextual tools remain available for the full session. This opener provides capture-wide context and recommendations without mutating the MCP tool surface mid-session.

Args: pcap_file: Path to the capture file (.pcap, .pcapng, etc.)

Returns: File overview, protocol summary, and recommended next tools.

Example: wireshark_open_file("/path/to/capture.pcap")

Prompts

Interactive templates invoked by user choice

Columns: Name, Description

security_audit: Comprehensive security audit of a network capture file.
performance_analysis: Network performance analysis of a capture file.
ctf_solve: CTF challenge solver workflow for pcap analysis challenges.
incident_response: Incident response investigation workflow.
traffic_overview: Quick traffic overview and summary.

Resources

Contextual data attached and managed by the client

Columns: Name, Description

get_display_filter_reference: Wireshark display filter syntax cheatsheet with common examples.
get_protocol_field_reference: Common Wireshark protocol field names for use in filters and extraction.
get_usage_guide: Wireshark MCP usage guide with recommended analysis workflows.
get_capabilities: Machine-readable capability summary for the current Wireshark toolchain.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/bx33661/Wireshark-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.