pcap_overview
Analyze PCAP files to extract protocol hierarchy, endpoint statistics, packet counts, and capture information for network forensics and security testing.
Instructions
Get protocol hierarchy and endpoint statistics from a PCAP. Returns protocol_hierarchy, endpoints, packet_count, and capture_info. Read-only file analysis, no network access.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| pcap_path | Yes | Path to the PCAP file | |
Implementation Reference
- src/tools/pcap.ts:24-51 (handler): The `pcap_overview` tool handler implementation. It uses `tshark` and `capinfos` to extract protocol hierarchy, endpoint stats, packet counts, and capture information from a given PCAP file.
```ts
server.tool(
  "pcap_overview",
  "Get protocol hierarchy and endpoint statistics from a PCAP. Returns protocol_hierarchy, endpoints, packet_count, and capture_info. Read-only file analysis, no network access.",
  {
    pcap_path: z.string().describe("Path to the PCAP file"),
  },
  async ({ pcap_path }) => {
    requireTool("tshark");
    const pcap = validatePcap(pcap_path);
    // Protocol hierarchy statistics (tshark -z io,phs), run without a shell.
    const phs = await runCmd("tshark", ["-r", pcap, "-q", "-z", "io,phs"]);
    // Per-IP endpoint statistics, also run without a shell.
    const endpoints = await runCmd("tshark", ["-r", pcap, "-q", "-z", "endpoints,ip"]);
    // Packet count: tshark prints one line per packet. Note that `pcap` is
    // interpolated into a single-quoted shell string here and below, so this
    // relies on validatePcap rejecting single quotes and other shell metacharacters.
    const count = await runShell(`tshark -r '${pcap}' | wc -l`);
    // capinfos is optional; the `|| echo` keeps the tool usable when it is missing.
    const capinfos = await runShell(`capinfos -u '${pcap}' 2>/dev/null || echo 'capinfos not available'`);
    const countStr = count.stdout.trim();
    const packetCount = /^\d+$/.test(countStr) ? parseInt(countStr, 10) : 0;
    // Outputs are truncated so a large capture cannot flood the model context.
    const result = {
      protocol_hierarchy: phs.stdout.slice(0, 3000),
      endpoints: endpoints.stdout.slice(0, 3000),
      packet_count: packetCount,
      capture_info: capinfos.stdout.slice(0, 1000),
    };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  }
);
```
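The handler above runs two of its four commands through `runShell` with the validated path interpolated into a single-quoted command string, so its safety rests on `validatePcap` rejecting single quotes and other shell metacharacters. The following is an added example, not code from the project, of the same overview built so that no shell string is ever constructed: every invocation is an argv array handed to `execFile`, the `wc -l` step is done in-process, and the `|| echo` fallback becomes a `catch`. The names `validatePcapPath`, `buildCommands`, `countLines`, `Runner` and `pcapOverview` are assumptions for this example; the injectable `Runner` exists so the logic can be exercised without `tshark` installed.

```typescript
// Added example: a shell-free variant of the pcap_overview handler.
// All exported names are assumptions for this example, not the project's own API.
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import * as path from "node:path";

const execFileAsync = promisify(execFile);

export interface CmdResult {
  stdout: string;
  stderr: string;
}
export type Runner = (cmd: string, args: string[]) => Promise<CmdResult>;
type Cmd = [string, string[]];

// execFile passes argv straight to the program; no shell re-parses the path,
// so quotes, spaces or `;` inside a filename remain literal characters.
export const execFileRunner: Runner = async (cmd, args) => {
  const { stdout, stderr } = await execFileAsync(cmd, args, {
    maxBuffer: 64 * 1024 * 1024,
  });
  return { stdout, stderr };
};

// Validation that does not depend on shell quoting: reject control characters
// and require a capture-file extension. Existence/size checks could be added here.
export function validatePcapPath(input: string): string {
  const resolved = path.resolve(input);
  if (/[\u0000-\u001f]/.test(resolved)) {
    throw new Error("pcap_path contains control characters");
  }
  if (!/\.(pcap|pcapng|cap)$/i.test(resolved)) {
    throw new Error("pcap_path must end in .pcap, .pcapng or .cap");
  }
  return resolved;
}

// The four invocations as argv arrays, kept together so a test can confirm the
// path is passed through unchanged.
export function buildCommands(pcap: string): {
  phs: Cmd; endpoints: Cmd; frames: Cmd; capinfos: Cmd;
} {
  return {
    phs: ["tshark", ["-r", pcap, "-q", "-z", "io,phs"]],
    endpoints: ["tshark", ["-r", pcap, "-q", "-z", "endpoints,ip"]],
    // one line per packet on stdout; counted in-process instead of `| wc -l`
    frames: ["tshark", ["-r", pcap, "-T", "fields", "-e", "frame.number"]],
    capinfos: ["capinfos", ["-u", pcap]],
  };
}

// In-process equivalent of `wc -l` on tshark's one-line-per-packet output.
export function countLines(stdout: string): number {
  return stdout.split("\n").filter((l) => l.trim().length > 0).length;
}

export async function pcapOverview(pcapPath: string, run: Runner = execFileRunner) {
  const pcap = validatePcapPath(pcapPath);
  const cmds = buildCommands(pcap);
  const phs = await run(...cmds.phs);
  const endpoints = await run(...cmds.endpoints);
  const frames = await run(...cmds.frames);
  // capinfos may be absent; the original handler's `|| echo` becomes a catch.
  let captureInfo = "capinfos not available";
  try {
    captureInfo = (await run(...cmds.capinfos)).stdout;
  } catch {
    // keep the fallback text
  }
  return {
    protocol_hierarchy: phs.stdout.slice(0, 3000),
    endpoints: endpoints.stdout.slice(0, 3000),
    packet_count: countLines(frames.stdout),
    capture_info: captureInfo.slice(0, 1000),
  };
}
```

Because the path never passes through a shell, `validatePcapPath` only needs to enforce what the tool itself cares about (a capture-file extension, no control characters) rather than enumerate every shell metacharacter; a filename like `o'brien capture.pcap` is simply a valid argument.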