Glama

pcap_extract_credentials

Extract credentials from PCAP files by analyzing FTP, HTTP, and SMTP network traffic for security auditing and forensic investigations.

Instructions

Extract credentials from FTP, HTTP, and SMTP traffic. Returns ftp_credentials, http_authorization_headers, http_post_data, and smtp_data. Read-only, may contain sensitive credentials.

Input Schema

Name        Required   Description                             Default
pcap_path   Yes        Path to the PCAP file
protocol    No         Protocol to extract credentials from    all

Implementation Reference

The implementation of the pcap_extract_credentials tool, which drives tshark to pull credential-bearing fields out of FTP, HTTP, and SMTP traffic:

server.tool(
  "pcap_extract_credentials",
  "Extract credentials from FTP, HTTP, and SMTP traffic. Returns ftp_credentials, http_authorization_headers, http_post_data, and smtp_data. Read-only, may contain sensitive credentials.",
  {
    pcap_path: z.string().describe("Path to the PCAP file"),
    protocol: z
      .enum(["ftp", "http", "smtp", "all"])
      .describe("Protocol to extract credentials from")
      .default("all"),
  },
  async ({ pcap_path, protocol }) => {
    requireTool("tshark");
    const pcap = validatePcap(pcap_path);

    // Each key is a result bucket; each value is one tab-separated line per matching packet.
    const results: Record<string, string[]> = {};

    if (protocol === "ftp" || protocol === "all") {
      // USER and PASS commands only; no tcp.stream field is emitted, so pairing a
      // PASS with its USER relies on line order and can interleave across sessions.
      const ftpRes = await runCmd("tshark", [
        "-r", pcap,
        "-Y", "ftp.request.command == USER || ftp.request.command == PASS",
        "-T", "fields",
        "-e", "ftp.request.command",
        "-e", "ftp.request.arg",
      ]);
      results["ftp_credentials"] = parseLines(ftpRes.stdout);
    }

    if (protocol === "http" || protocol === "all") {
      // Any request carrying an Authorization header (Basic, Bearer, Digest, ...).
      const httpAuth = await runCmd("tshark", [
        "-r", pcap,
        "-Y", "http.authorization",
        "-T", "fields",
        "-e", "ip.src",
        "-e", "http.request.uri",
        "-e", "http.authorization",
      ]);
      // POST bodies, where form logins usually live.
      const httpPost = await runCmd("tshark", [
        "-r", pcap,
        "-Y", "http.request.method == POST",
        "-T", "fields",
        "-e", "ip.src",
        "-e", "http.request.uri",
        "-e", "http.file_data",
      ]);
      // Output is capped at 50 lines per bucket; anything beyond that is silently dropped.
      results["http_authorization_headers"] = parseLines(httpAuth.stdout).slice(0, 50);
      results["http_post_data"] = parseLines(httpPost.stdout).slice(0, 50);
    }

    if (protocol === "smtp" || protocol === "all") {
      // NOTE: unlike the branches above, pcap is spliced into a shell string here.
      // That is only safe if validatePcap rejects single quotes and other shell
      // metacharacters; passing an argv array to runCmd would avoid the question.
      const smtpRes = await runShell(
        `tshark -r '${pcap}' -Y 'smtp' -T fields -e smtp.req.parameter 2>/dev/null | head -50`
      );
      results["smtp_data"] = parseLines(smtpRes.stdout);
    }

    return { content: [{ type: "text", text: JSON.stringify(results, null, 2) }] };
  }
);
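The http_authorization_headers bucket above is raw tshark field output: one line per request, fields tab-separated in -e order (ip.src, http.request.uri, http.authorization). As an added example, not code from the operant-mcp project, here is a post-processor that turns those lines into findings an auditor can report: it decodes each Basic header to name the account exposed in cleartext while keeping the password itself out of the output. The sample lines are constructed.

```typescript
// Added example (not part of operant-mcp). Parses the tab-separated lines that
// `tshark -T fields -e ip.src -e http.request.uri -e http.authorization` emits.

interface BasicAuthFinding {
  src: string;
  uri: string;
  scheme: string;        // "Basic", "Bearer", "Digest", ...
  user: string | null;   // decoded from Basic credentials, else null
  passwordLen: number;   // length only; the secret is never returned
}

// One tshark field line -> one finding (null for empty/unparseable lines).
function parseAuthLine(line: string): BasicAuthFinding | null {
  const [src, uri, auth] = line.split("\t");
  if (!src || !auth) return null;
  const [scheme, ...rest] = auth.trim().split(/\s+/);
  const finding: BasicAuthFinding = { src, uri: uri ?? "", scheme, user: null, passwordLen: 0 };
  if (scheme.toLowerCase() !== "basic" || rest.length === 0) return finding;
  // Basic credentials are base64("user:password"); Buffer decodes leniently.
  const decoded = Buffer.from(rest[0], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return finding; // malformed: no user:password separator
  finding.user = decoded.slice(0, sep);
  finding.passwordLen = decoded.length - sep - 1;
  return finding;
}

// Whole tshark stdout -> list of findings, skipping blank lines.
function summarizeBasicAuth(stdout: string): BasicAuthFinding[] {
  return stdout
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l.length > 0)
    .map(parseAuthLine)
    .filter((f): f is BasicAuthFinding => f !== null);
}

// Constructed sample: a valid Basic header, a Bearer token, and a malformed Basic value.
const SAMPLE_STDOUT = [
  "10.0.0.5\t/admin\tBasic YWxpY2U6czNjcjN0", // alice:s3cr3t
  "10.0.0.7\t/api/v1\tBearer eyJhbGciOi...",   // not Basic; reported by scheme only
  "10.0.0.9\t/\tBasic bm9jb2xvbg==",           // decodes to "nocolon"
].join("\n");

console.log(JSON.stringify(summarizeBasicAuth(SAMPLE_STDOUT), null, 2));
```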

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/operantlabs/operant-mcp'
