mcp-wireshark

Community-maintained MCP server for Wireshark / tshark. Not affiliated with Wireshark or Anthropic. Give your AI assistant direct access to packet captures. Ask Claude to summarize a .pcap, follow a TCP stream, filter for a specific protocol, or capture live traffic — all without leaving the chat.

Quick start with Claude Code

pip install mcp-wireshark
claude mcp add --transport stdio --scope user mcp-wireshark -- mcp-wireshark

That's it. Open Claude Code and try:

"Summarize ./capture.pcap and tell me which IPs talked the most."

--scope user makes the server available across every Claude Code project. Drop the flag to install it for the current project only. See claude mcp docs for more.

Verify the install

claude mcp list

You should see mcp-wireshark listed. Inside Claude Code, ask:

"Run check_installation."

If tshark is on your PATH, it returns the version. If not, see troubleshooting.

Tools

The server exposes 13 tools, split cleanly between read tools (safe, no side effects) and write tools (capture traffic or write files). Both groups are annotated with the standard MCP readOnlyHint so any compliant client can surface the distinction.

Read tools

Safe to call freely — they only inspect state.

Write tools

These create files or capture live traffic. Compliant clients may prompt before invoking.

See it in action

These clips run the real tools against demo/demo.pcapng — a short home-network capture. Regenerate them with python demo/render_gif.py <scene>.

summarize_pcap — characterize an unknown capture at a glance

decode_protocol — filter to a protocol and get a compact table (here: TLS SNI and DNS-over-HTTPS lookups)

expert_info — let tshark surface the warnings and anomalies for you

Example prompts

Drop these into Claude Code as-is:

List my network interfaces.
Summarize ./traffic.pcap.
From ./traffic.pcap, show me only HTTP requests.
Follow TCP stream 0 in ./traffic.pcap and tell me what protocol is in it.
Capture 30 seconds of traffic on Wi-Fi filtered to tcp.port == 443.
Export every DNS packet from ./traffic.pcap to ./dns.json.
Decode the GOOSE messages in ./substation.pcapng — only stNum >= 1.
Run expert analysis on ./traffic.pcap and group findings by severity.
Show me the IP conversations in ./traffic.pcap.

Useful display filters

For substation engineers analyzing IEC 61850 traffic:

Other clients

Anything that speaks MCP works. The package installs an mcp-wireshark binary on PATH.

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
    "mcpServers": {
        "wireshark": {
            "command": "mcp-wireshark"
        }
    }
}

Create .vscode/mcp.json in your workspace:

{
    "servers": {
        "wireshark": {
            "command": "mcp-wireshark"
        }
    }
}

Use the same stdio invocation: command: mcp-wireshark. No transport flags.

Prerequisites

• Python 3.10+

• Wireshark installed; tshark reachable on PATH

Install with pip or uv:

pip install mcp-wireshark
# or
uvx mcp-wireshark

Troubleshooting

Add Wireshark to your system PATH:

1. Press Win+R → run sysdm.cpl → Advanced → Environment Variables

2. Edit Path → add C:\Program Files\Wireshark

3. Restart your terminal and Claude Code, then re-run check_installation

(Avoid passing PATH through claude mcp add --env — values are taken literally, no %PATH% expansion.)

Add yourself to the wireshark group, then log out and back in:

sudo usermod -aG wireshark $USER

• Confirm the interface name from list_interfaces (Wireshark uses different names than ifconfig/ip)

• On macOS, you may need to install ChmodBPF (ships with the Wireshark .dmg)

• Check that no display filter is excluding everything

Development

git clone https://github.com/khuynh22/mcp-wireshark.git
cd mcp-wireshark
python -m venv venv && source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e ".[dev]"

pytest                   # tests
black src tests          # format
ruff check src tests     # lint
mypy src                 # type check

The codebase is organized so new tools land in one of two clearly-scoped files:

• src/mcp_wireshark/read_tools.py — anything that just inspects state

• src/mcp_wireshark/write_tools.py — anything that captures traffic or writes files

server.py only contains routing. See CLAUDE.md and CONTRIBUTING.md.

Security

Every file path is validated (.. rejected, extension allow-listed). Every display filter is checked for shell metacharacters. tshark is always invoked via asyncio.create_subprocess_exec, never shell=True. Hard caps: 10k packets per call, 5 min per live capture. See SECURITY.md.

License

MIT — see LICENSE.