NetMCP
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| ABUSEIPDB_API_KEY | No | AbuseIPDB API key for threat intelligence. Get a free key at https://www.abuseipdb.com/ | |
| NETMCP_MAX_PACKETS | No | Maximum packets per capture operation | 10000 |
| NETMCP_TSHARK_PATH | No | Custom path to tshark binary (auto-detected if not set) | |
| NETMCP_MAX_FILE_SIZE | No | Maximum PCAP file size in bytes (100 MB) | 104857600 |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": false } |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| get_network_interfaces | List all available network interfaces for packet capture. |
| capture_live_packets | Capture live network packets from a specified interface. Args: interface: Network interface name (e.g., eth0, en0, Wi-Fi); duration: Maximum capture duration in seconds; packet_count: Maximum number of packets to capture; bpf_filter: BPF capture filter (e.g., 'tcp port 80') |
| quick_capture | Perform a quick packet capture (3 seconds, default interface). A fast way to see what's happening on the network without configuration. Args: interface: Network interface name (default: eth0); packet_count: Maximum packets to capture (default: 10) |
| save_capture_to_file | Capture network traffic and save to a PCAP file. Useful when you want to keep a capture for later analysis. Args: interface: Network interface name; output_file: Path where to save the PCAP file; duration: Max capture duration in seconds; packet_count: Max packets to capture; bpf_filter: BPF capture filter (optional) |
| analyze_pcap_file | Analyze a PCAP file with optional display filters. Args: filepath: Path to PCAP/PCAPNG file; display_filter: Wireshark display filter (e.g., 'http', 'ip.addr == 10.0.0.1'); max_packets: Maximum number of packets to analyze |
| get_protocol_statistics | Get protocol hierarchy statistics from a PCAP file. Args: filepath: Path to PCAP/PCAPNG file |
| get_capture_file_info | Get metadata about a PCAP capture file. Args: filepath: Path to PCAP/PCAPNG file |
| capture_targeted_traffic | Capture traffic targeted to specific host, port, or protocol. Args: interface: Network interface name; target_host: Filter by host IP (optional); target_port: Filter by port number (optional); protocol: Filter by protocol (tcp, udp, icmp, http); duration: Max capture duration in seconds; packet_limit: Maximum packets to capture; ctx: Optional MCP context for progress reporting |
| analyze_http_traffic | Analyze HTTP traffic from a PCAP file. Extracts HTTP methods, hosts, URIs, user agents, and response codes. Args: filepath: Path to PCAP/PCAPNG file |
| detect_network_protocols | Detect and report network protocols in use. Args: filepath: Path to existing PCAP file (optional); interface: Network interface for live capture (if no file); duration: Duration in seconds for live capture |
| analyze_http_headers | Analyze HTTP headers from a PCAP file — tokens, cookies, auth headers. Extracts: Args: filepath: Path to PCAP/PCAPNG file; include_cookies: Whether to include cookie analysis |
| geoip_lookup | Look up geographic information for IP addresses. Can check specific IPs or extract all from a PCAP file. Args: ip_addresses: Comma-separated IP addresses (e.g., '1.1.1.1,8.8.8.8'); filepath: PCAP file to extract IPs from (optional, overrides ip_addresses if provided) |
| analyze_dns_traffic | Analyze DNS queries and responses from a PCAP file. Extracts DNS query names, types, response codes, and identifies potential DNS tunneling or suspicious patterns. Args: filepath: Path to PCAP/PCAPNG file; max_queries: Maximum number of DNS rows to process |
| get_expert_info | Extract Wireshark expert information from a PCAP file. Returns warnings, errors, and notes from Wireshark's expert system. Useful for identifying protocol violations, malformed packets, etc. Args: filepath: Path to PCAP/PCAPNG file |
| deep_packet_analysis | Deep packet analysis with protocol breakdown, layer details, and markdown tables. Args: file_path: Path to PCAP/PCAPNG file; count: Maximum number of packets to analyze; display_filter: Optional Wireshark display filter |
| follow_tcp_stream | Reconstruct a TCP conversation from a PCAP file. Args: filepath: Path to PCAP/PCAPNG file; stream_index: Index of the TCP stream to follow (0-based); format: Output format: ascii, hex, or raw |
| follow_udp_stream | Reconstruct a UDP conversation from a PCAP file. Args: filepath: Path to PCAP/PCAPNG file; stream_index: Index of the UDP stream to follow (0-based); output_format: Output format: ascii, hex, or raw |
| list_tcp_streams | List all TCP conversations found in a PCAP file. Args: filepath: Path to PCAP/PCAPNG file |
| export_packets_json | Export packets from a PCAP file as structured JSON. Args: filepath: Path to PCAP/PCAPNG file; display_filter: Wireshark display filter; max_packets: Maximum packets to export |
| export_packets_csv | Export packet fields from a PCAP as CSV with proper headers using tshark -E flags. Args: filepath: Path to PCAP/PCAPNG file; fields: Comma-separated field names (default: standard fields including column fields); display_filter: Wireshark display filter; separator: CSV field separator character (default: comma) |
| get_packet_summary | Get a quick packet summary similar to Wireshark's packet list view. Uses column fields (_ws.col.*) for human-readable output. Args: file_path: Path to PCAP/PCAPNG file; count: Maximum number of packets to show (default: 20); display_filter: Optional Wireshark display filter |
| convert_pcap_format | Convert a PCAP file between pcap and pcapng formats. Args: filepath: Path to source PCAP file; output_format: Target format: pcap or pcapng |
| extract_credentials | Extract potential credentials from a PCAP file. Scans for: Args: filepath: Path to PCAP/PCAPNG file |
| check_ip_threat_intel | Check an IP address against threat intelligence feeds. Args: ip_address: IP address to check; providers: Comma-separated providers (urlhaus, abuseipdb) |
| scan_capture_for_threats | Extract all IPs from a PCAP file and check against threat feeds. Args: filepath: Path to PCAP/PCAPNG file; providers: Comma-separated providers (urlhaus, abuseipdb) |
| analyze_large_pcap | Analyze a large PCAP file in chunks for memory efficiency. Processes packets in batches, accumulating statistics. Args: filepath: Path to PCAP/PCAPNG file; chunk_size: Number of packets per processing chunk; display_filter: Optional Wireshark display filter; ctx: Optional MCP context for progress reporting |
| list_wireshark_profiles | List available Wireshark profiles and their configuration files. |
| apply_profile_capture | Analyze a PCAP file using a specific Wireshark profile. Args: filepath: Path to PCAP/PCAPNG file; profile_name: Wireshark profile name to apply; display_filter: Optional Wireshark display filter; max_packets: Maximum packets to return |
| get_color_filters | Read Wireshark color filter rules from a profile or the default config. Args: profile_name: Profile name (empty string uses default config) |
| capture_with_profile | Live capture using a Wireshark profile's configuration. Args: interface: Network interface name (e.g., eth0, en0); profile_name: Wireshark profile name to apply; duration: Capture duration in seconds; packet_count: Maximum number of packets |
| diff_pcap_files | Compare two PCAP files and report differences. Args: filepath1: Path to first PCAP file; filepath2: Path to second PCAP file; display_filter: Optional Wireshark display filter applied to both |
| merge_pcap_files | Merge multiple PCAP files into one using mergecap. Args: filepaths: List of PCAP file paths to merge; output_file: Output file path (.pcap or .pcapng); chronological: Merge by timestamp (True) or append in order (False) |
| slice_pcap | Slice or filter a PCAP file using editcap. Args: filepath: Path to input PCAP file; output_file: Output file path (.pcap or .pcapng); start_packet: First packet number to keep (1-based); end_packet: Last packet number to keep; start_time: Keep packets after this time (editcap -A format); end_time: Keep packets before this time (editcap -B format); remove_duplicates: Remove duplicate packets |
| decode_packet | Decode a single packet in full detail. Args: filepath: Path to PCAP file; packet_number: Packet number to decode (1-based); verbose: If True, return verbose text decode; if False, return JSON layers; hex_dump: If True, include hex and ASCII dump of raw packet bytes (-x flag) |
| visualize_network_flows | Generate visual diagrams of network flows from a PCAP file. Produces ASCII art or Mermaid sequence diagrams showing packet exchanges between endpoints. Args: filepath: Path to PCAP/PCAPNG file; flow_type: Protocol type: tcp or udp; max_flows: Maximum number of packet arrows to include (1-200); output_format: Diagram format: text or mermaid |
| decrypt_tls_traffic | Decrypt TLS/HTTPS traffic using an SSLKEYLOGFILE. Requires a TLS key log file (NSS Key Log Format) captured alongside the traffic. Set SSLKEYLOGFILE env var or pass keylog_file explicitly. Args: filepath: Path to PCAP/PCAPNG file containing TLS traffic; keylog_file: Path to TLS key log file (NSS format); output_file: Optional path to write decrypted pcapng |
| extract_objects | Extract files from HTTP/SMB/DICOM/IMF/TFTP streams using tshark. Args: file_path: Path to PCAP/PCAPNG file; protocol: Protocol to extract objects from (http, smb, dicom, imf, tftp); output_dir: Directory to write extracted files (created if empty) |
| get_io_statistics | Time-binned I/O statistics from a PCAP file. Args: file_path: Path to PCAP/PCAPNG file; interval: Time interval in seconds for binning (positive number); display_filter: Optional Wireshark display filter |
| get_conversation_stats | IP/TCP/UDP/Ethernet conversation statistics from a PCAP file. Args: file_path: Path to PCAP/PCAPNG file; conv_type: Conversation type (eth, ip, ipv6, tcp, udp); display_filter: Optional Wireshark display filter |
| generate_report | Generate a comprehensive analysis report in markdown or HTML. Args: file_path: Path to PCAP/PCAPNG file; report_format: Output format — 'markdown' or 'html'; sections: Comma-separated list of sections to include |
| get_capture_info | Get detailed capture file information using capinfos. Args: file_path: Path to PCAP/PCAPNG file |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| security_audit | Comprehensive network security audit workflow. |
| network_troubleshooting | Network troubleshooting workflow. |
| incident_response | Incident response investigation workflow. |
| traffic_analysis | General traffic analysis workflow. |
| credential_analysis | Credential exposure analysis workflow. |
| network_baseline | Establish a network baseline to understand normal traffic patterns. Guided workflow: 1. Quick capture to see immediate activity 2. Extended capture for baseline 3. Protocol distribution analysis 4. Conversation analysis |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| get_interfaces | Dynamic list of available network interfaces. |
| get_captures | List available PCAP files in common directories. |
| get_system_info | System capabilities and tool availability. |
| get_analysis_history | Recent analysis history. |
| get_help | Comprehensive help and usage guide. |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cortexc0de/netmcp'