Wireshark MCP Server

A Model Context Protocol (MCP) server that provides network packet analysis capabilities via Wireshark/tshark on a remote machine (e.g., Kali Linux).

This server enables AI assistants to perform sophisticated network traffic analysis, packet capture, protocol inspection, and security-focused operations through a standardized MCP interface.

Features

• Live Packet Capture - Capture network traffic on remote interfaces with BPF filters

• PCAP Analysis - Read and analyze existing pcap files

• Protocol Statistics - Generate protocol hierarchy, conversations, endpoints, and I/O statistics

• Stream Reconstruction - Follow TCP, UDP, HTTP, and TLS streams

• File Extraction - Extract files from HTTP, SMB, DICOM, IMF, and TFTP traffic

• Deep Packet Inspection - Decode packets with full protocol details

• Credential Extraction - Search for credentials in HTTP Basic Auth, FTP, Telnet, and form submissions

• HTTP Object Export - List and export HTTP objects from captures

Prerequisites

• Node.js 18+

• SSH access to a remote machine with tshark installed (e.g., Kali Linux)

• SSH key-based authentication configured (password-less)

• sudo access on the remote machine for packet capture

Installation

git clone https://github.com/schwarztim/sec-wireshark-mcp.git
cd sec-wireshark-mcp
npm install
npm run build

Configuration

Set the following environment variables:

Example Configuration

export WIRESHARK_SSH_HOST="192.168.1.100"
export WIRESHARK_SSH_USER="kali"

Or use an SSH config entry:

# ~/.ssh/config
Host kali
    HostName 192.168.1.100
    User kali
    IdentityFile ~/.ssh/id_rsa

Usage with Claude Desktop

Add to your Claude Desktop configuration (~/.claude/user-mcps.json or Claude Desktop settings):

{
  "mcpServers": {
    "wireshark": {
      "command": "node",
      "args": ["/path/to/sec-wireshark-mcp/dist/index.js"],
      "env": {
        "WIRESHARK_SSH_HOST": "kali",
        "WIRESHARK_SSH_USER": "kali"
      }
    }
  }
}

Available Tools

tshark_list_interfaces

List available network interfaces on the remote machine for packet capture.

tshark_capture

Start packet capture on a specified interface.

Parameters:

• interface (required): Network interface (e.g., eth0, wlan0)

• count: Number of packets to capture (default: 10, max: 1000)

• filter: BPF capture filter (e.g., port 80, host 192.168.1.1)

• timeout: Capture timeout in seconds (default: 10, max: 60)

• outputFile: Save capture to pcap file on remote host

tshark_read_pcap

Read and analyze a pcap file.

Parameters:

• file (required): Path to the pcap file on remote host

• filter: Wireshark display filter

• count: Maximum packets to return (default: 100, max: 1000)

• fields: Specific fields to extract (e.g., ['ip.src', 'ip.dst', 'tcp.port'])

tshark_filter

Apply a display filter to a pcap file.

Parameters:

• file (required): Path to the pcap file

• filter (required): Display filter (e.g., http.request, dns, tcp.flags.syn == 1)

• outputFormat: json, text, or fields (default: json)

• fields: Fields to extract when using fields format

tshark_stats

Generate protocol statistics from a pcap file.

Parameters:

• file (required): Path to the pcap file

• type (required): hierarchy, conversations, endpoints, io, http, or dns

• protocol: Protocol for conversations/endpoints (e.g., tcp, udp, ip)

tshark_follow_stream

Reconstruct a TCP, UDP, HTTP, or TLS stream.

Parameters:

• file (required): Path to the pcap file

• protocol (required): tcp, udp, http, or tls

• streamIndex: Stream index number (default: 0)

• format: ascii, hex, or raw (default: ascii)

tshark_extract_files

Extract files from protocol traffic.

Parameters:

• file (required): Path to the pcap file

• protocol: http, dicom, imf, smb, or tftp (default: http)

• outputDir: Directory for extracted files (default: /tmp/mcp-extracted)

tshark_decode

Deep packet inspection with full protocol details.

Parameters:

• file (required): Path to the pcap file

• packetNumber: Specific packet number to decode

• filter: Display filter to select packets

• protocols: Specific protocols to show (e.g., ['http', 'tcp', 'ip'])

• verbose: Show all protocol details (default: false)

tshark_extract_credentials

Search for potential credentials in network traffic.

Parameters:

• file (required): Path to the pcap file

Searches for HTTP Basic Auth, FTP credentials, HTTP POST form data, and Telnet data.

tshark_export_objects

List and export HTTP objects from a capture.

Parameters:

• file (required): Path to the pcap file

• listOnly: Only list objects without extracting (default: true)

• outputDir: Directory for extracted objects

Security Considerations

• This server executes commands on a remote machine via SSH

• Input sanitization is implemented to prevent command injection

• Use SSH key authentication with appropriate permissions

• Consider network segmentation for the capture machine

• The remote machine requires sudo access for live capture

• Credential extraction features should be used only for authorized security testing

Development

# Run in development mode
npm run dev

# Build for production
npm run build

# Start production server
npm start

License

MIT License - see LICENSE for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Related Projects

• Model Context Protocol - The protocol specification

• Wireshark - Network protocol analyzer

• tshark - Terminal-based Wireshark