NetMCP

Professional-grade network analysis MCP server: Wireshark/TShark + Nmap + Threat Intelligence

NetMCP bridges the gap between raw network data and AI comprehension. It gives Claude, Cursor, and any MCP-compliant client the ability to capture packets, scan networks, detect threats, and extract credentials, all through natural language.


Quick Start

# Install system dependencies
sudo apt-get install -y tshark nmap        # Ubuntu/Debian
# brew install wireshark nmap              # macOS

# Install NetMCP
pip install netmcp

# Run
netmcp

That's it. The server starts on stdio transport by default, ready for any MCP client.


Features

  • Packet Capture: Live capture, BPF filtering, targeted traffic, quick capture mode
  • Deep Analysis: PCAP parsing, protocol statistics, HTTP traffic analysis, DNS analysis, expert info, GeoIP enrichment
  • Stream Reconstruction: Follow TCP/UDP conversations, enumerate streams
  • Flexible Export: JSON, CSV, pcap/pcapng format conversion
  • Nmap Integration: Port scan, service detection, OS fingerprinting, vulnerability scan
  • Threat Intelligence: URLhaus + AbuseIPDB IP reputation checks, PCAP-wide threat scan
  • Credential Extraction: HTTP Basic, FTP, Telnet, Kerberos (hashcat-ready)
  • GeoIP Mapping: MaxMind GeoLite2 IP geolocation for traffic analysis
  • 5-Layer Security: Input validation, shell=False, rate limiting, path traversal protection, audit logging
  • Guided Workflows: Security audit, incident response, troubleshooting, traffic analysis, network baseline prompts

Advanced Features

  • PCAP Diff/Merge/Slice: Compare captures, combine files via mergecap, extract packet ranges via editcap
  • Flow Visualization: ASCII art and Mermaid sequence diagrams of network conversations
  • TLS Decryption: Decrypt HTTPS traffic using SSLKEYLOGFILE (NSS Key Log Format)
  • Wireshark Profiles: List profiles, apply profile settings, parse color filters, capture with profile
  • DNS Tunneling Detection: Analyze DNS traffic and flag suspiciously long subdomain names
  • Packet Decode: Detailed single-packet analysis with full protocol layer dissection
  • Expert Information: Extract Wireshark's expert warnings, errors, and protocol violation notes


Tool Categories

NetMCP provides 48 tools across 9 categories, plus 3 resources and 5 prompts:

| Category | Tools | Description |
|---|---|---|
| Capture & Analysis | 5 | get_network_interfaces · capture_live_packets · quick_capture · save_capture_to_file · analyze_large_pcap |
| Protocol Analysis | 10 | analyze_pcap_file · get_protocol_statistics · get_capture_file_info · capture_targeted_traffic · analyze_http_traffic · detect_network_protocols · analyze_http_headers · geoip_lookup · analyze_dns_traffic · get_expert_info |
| Network Flows | 2 | visualize_network_flows (ASCII + Mermaid) · decrypt_tls_traffic |
| PCAP Tools | 4 | diff_pcap_files · merge_pcap_files · slice_pcap · decode_packet |
| Streams | 3 | follow_tcp_stream · follow_udp_stream · list_tcp_streams |
| Export | 3 | export_packets_json · export_packets_csv · convert_pcap_format |
| Nmap | 6 | nmap_port_scan · nmap_service_detection · nmap_os_detection · nmap_vulnerability_scan · nmap_quick_scan · nmap_comprehensive_scan |
| Security | 3 | extract_credentials · check_ip_threat_intel · scan_capture_for_threats |
| Wireshark Profiles | 4 | list_wireshark_profiles · apply_profile_capture · get_color_filters · capture_with_profile |

Full API reference with parameters and examples: docs/API.md


Transport Options

NetMCP supports all MCP transport protocols:

| Transport | Command | Use Case |
|---|---|---|
| stdio (default) | netmcp | Claude Desktop, Cursor, local clients |
| SSE | netmcp --transport sse | Web-based clients, remote access |
| Streamable HTTP | netmcp --transport streamable-http | Modern HTTP clients |


Configuration

Claude Desktop

Edit your config file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

  • Windows: %APPDATA%\Claude\claude_desktop_config.json

  • Linux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "netmcp": {
      "command": "netmcp",
      "env": {
        "ABUSEIPDB_API_KEY": "your_api_key_here"
      }
    }
  }
}

Cursor

Edit .cursor/mcp.json in your project root:

{
  "mcpServers": {
    "netmcp": {
      "command": "netmcp"
    }
  }
}

Windsurf / VS Code

Edit .vscode/mcp.json:

{
  "servers": {
    "netmcp": {
      "command": "netmcp",
      "env": {
        "ABUSEIPDB_API_KEY": "your_api_key_here"
      }
    }
  }
}

Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| ABUSEIPDB_API_KEY | No | - | AbuseIPDB API key for threat intelligence (free key available) |
| NETMCP_TSHARK_PATH | No | Auto-detect | Custom path to tshark binary |
| NETMCP_MAX_PACKETS | No | 10000 | Maximum packets per capture operation |
| NETMCP_MAX_FILE_SIZE | No | 104857600 | Maximum PCAP file size in bytes (100 MB) |


Requirements

| Dependency | Required | Install |
|---|---|---|
| Python | 3.11+ | sudo apt install python3.11 |
| TShark | Yes | sudo apt install tshark |
| Nmap | Optional | sudo apt install nmap |

macOS

brew install wireshark nmap

Linux Permissions

# Option 1: Set capabilities (recommended)
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

# Option 2: Add user to wireshark group
sudo usermod -aG wireshark $USER && newgrp wireshark

Security Model

NetMCP implements 5 layers of defense in depth:

| Layer | Mechanism | Prevents |
|---|---|---|
| 1. Input Validation | Regex, ipaddress module, Pydantic | Malformed input, injection payloads |
| 2. Command Construction | List args, shell=False everywhere | Command injection, shell expansion |
| 3. Subprocess Execution | Timeouts, captured output only | Runaway processes, resource exhaustion |
| 4. File System | Path.resolve(), extension allowlist, size limits | Path traversal, symlink attacks |
| 5. Rate Limiting | Sliding window, per-operation tracking | Abuse, DoS attacks |

Additional protections:

  • Never auto-escalates privileges
  • All operations audit-logged with timestamps
  • Dangerous nmap flags rejected (--script-args, --interactive, etc.)
  • Clear error messages for permission issues
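
The sketch below is an added example, not NetMCP's own code: it shows how layers 1, 2 and 4 and the nmap flag rejection described above can fit together, including the case shell=False alone does not cover (a target that starts with "-" and is parsed as an option). The function names, the base-directory confinement, the extension set and the hostname pattern are assumptions.

```python
import ipaddress
import re
from pathlib import Path

# Assumed policy constants for this sketch (only the size default is from the page).
ALLOWED_EXTENSIONS = {".pcap", ".pcapng"}
MAX_FILE_SIZE = 104857600  # NETMCP_MAX_FILE_SIZE default
BLOCKED_NMAP_FLAGS = ("--script-args", "--interactive")  # the two flags the page names
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")


def validate_target(target: str) -> str:
    """Layer 1: accept only an IP address, a CIDR network or a hostname."""
    try:
        if "/" in target:
            return str(ipaddress.ip_network(target, strict=False))
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    # shell=False does not stop option injection: "-oX" must fail here.
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"invalid scan target: {target!r}")


def build_nmap_argv(target: str, extra_flags: list[str]) -> list[str]:
    """Layer 2: argv list for subprocess.run(argv, shell=False, timeout=...)."""
    for flag in extra_flags:
        if flag.startswith(BLOCKED_NMAP_FLAGS):
            raise ValueError(f"rejected nmap flag: {flag}")
    return ["nmap", *extra_flags, validate_target(target)]


def validate_capture_path(user_path: str, base_dir: Path) -> Path:
    """Layer 4: resolve symlinks and '..' first, then check the result."""
    base = base_dir.resolve()
    resolved = (base / user_path).resolve()
    if not resolved.is_relative_to(base):
        raise ValueError("path escapes the capture directory")
    if resolved.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    if not resolved.is_file() or resolved.stat().st_size > MAX_FILE_SIZE:
        raise ValueError("not a regular file, or over the size limit")
    return resolved
```

A denylist only catches the flags it names; an allowlist of permitted flags is the stricter form of the same check.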


Usage Examples

Live Packet Capture

You: Capture 100 packets from eth0 and analyze the protocols.

Claude: [capture_live_packets(interface="eth0", packet_count=100)]
       [get_protocol_statistics(filepath="capture.pcap")]
       Found 8 protocols: TCP (62%), UDP (24%), DNS (8%), HTTP (4%)...

Security Audit

You: Perform a security audit on suspicious.pcap

Claude: 1. [get_protocol_statistics] → traffic breakdown
        2. [extract_credentials] → found HTTP Basic Auth credentials
        3. [scan_capture_for_threats] → 2 malicious IPs detected
        4. Generated full security report with IOCs

Nmap Vulnerability Scan

You: Scan 192.168.1.100 for vulnerabilities

Claude: [nmap_quick_scan("192.168.1.100")] → ports 22, 80, 443 open
        [nmap_service_detection("192.168.1.100")] → nginx 1.18.0, OpenSSH 8.2
        [nmap_vulnerability_scan("192.168.1.100")] → no critical CVEs found

MCP Resources & Prompts

Resources

| URI | Description |
|---|---|
| netmcp://interfaces | Dynamic list of available network interfaces |
| netmcp://captures | Available PCAP files in common directories |
| netmcp://system/info | System capabilities: tool versions, features |

Prompts (Guided Workflows)

| Prompt | Description |
|---|---|
| security_audit | Comprehensive PCAP security analysis with IOC extraction |
| network_troubleshooting | Step-by-step network diagnostics |
| incident_response | Security incident investigation workflow |
| traffic_analysis | Deep traffic analysis with GeoIP mapping |
| network_baseline | Establish normal traffic patterns |


Development

# Clone and setup
git clone https://github.com/cortexc0de/netmcp.git
cd netmcp
python -m venv .venv
source .venv/bin/activate

# Install with dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Run with coverage
pytest tests/ --cov=netmcp --cov-report=html

# Linting
ruff check src/netmcp/ tests/
ruff format --check src/netmcp/
mypy src/netmcp/

Project Structure

src/netmcp/
├── server.py                # FastMCP server entry point
├── core/
│   ├── security.py          # 5-layer input validation + rate limiting
│   └── formatter.py         # MCP response formatting
├── interfaces/
│   ├── tshark.py            # TShark async CLI wrapper
│   ├── nmap.py              # python-nmap wrapper
│   └── threat_intel.py      # URLhaus + AbuseIPDB clients
├── tools/                   # 48 MCP tools across 11 modules
├── resources/               # 3 MCP resources
└── prompts/                 # 5 MCP prompts

Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

  1. Fork the repository

  2. Create a feature branch (git checkout -b feat/amazing-feature)

  3. Run tests (pytest tests/ -v)

  4. Submit a Pull Request


License

MIT License; see LICENSE for details.


Acknowledgments


Transform your network analysis with AI-powered packet capture, scanning, and threat intelligence.
