Check if Wireshark/tshark is installed and return version info.

List all network interfaces available for packet capture.

Read and analyze packets from a .pcap or .pcapng file. Returns a preview of up to 5 packets in JSON plus the total match count.

Apply a Wireshark display filter to a pcap file and return a preview of matching packets.

Get a high-level summary of a pcap file: I/O stats, protocol hierarchy, and top IP conversations. Prefer this over read_pcap when the goal is to characterize a capture.

Generate the protocol hierarchy statistics for a pcap file.

Follow a TCP stream by index and return its ASCII payload.

Follow a UDP stream by index and return its ASCII payload.

Run tshark expert analysis on a pcap file. Returns warnings, errors, and notes grouped by severity. Useful for diagnosing protocol issues without reading individual packets.

Extract protocol-specific fields from a pcap file using tshark '-T fields'. Pass a known protocol name to use curated defaults (supported: dns, goose, http, icmp, mms, sip, sv, tls), or supply your own 'fields' list for any other protocol. Returns a tab-separated table — much smaller than full JSON. Use a 'filter' to narrow results (e.g. only request packets, only specific stNum values).

Run a tshark '-z' aggregate-statistics report on a pcap file and return its parsed output. Use this for protocol-hierarchy, conversation, endpoint, and per-protocol stat tables — much more compact than per-packet JSON. Supported (protocol, variant) pairs: conv: eth, ip, ipv6, tcp, udp; dns: tree; endpoints: eth, ip, ipv6, tcp, udp; http: stat, tree; http_req: tree; io: phs, stat; rpc: srt; sip: stat; smb: srt; smb2: srt.

Capture live network traffic from an interface. Writes to a temporary pcap that is deleted after the preview is returned.

Export packets from a pcap file to a JSON file at output_path. Creates the output file if it does not exist; overwrites if it does.