analyze_pcap_file

Instructions

Implementation Reference

• src/tools/analyze-pcap-file.ts:21-78 (handler)

  The main asynchronous handler function that performs PCAP file analysis, handling input arguments, loading configurations if specified, verifying file existence, calling the shared analyzePcap utility, trimming output, and returning formatted results or errors.

  export async function analyzePcapFileHandler(args: any) {
    try {
      let { filePath, displayFilter, outputFormat, customFields, sslKeylogFile, configName } = args;
  
      // If configName is provided, load and use that configuration for analysis
      if (configName) {
        const savedConfig = await loadFilterConfig(configName);
        if (!savedConfig) {
          return {
            content: [{
              type: 'text' as const,
              text: `Error: Configuration '${configName}' not found. Use manage_config with action 'list' to see available configurations.`,
            }],
            isError: true
          };
        }
        
        // Override analysis parameters with saved config (saved config takes precedence)
        if (savedConfig.displayFilter) displayFilter = savedConfig.displayFilter;
        if (savedConfig.outputFormat) outputFormat = savedConfig.outputFormat;
        if (savedConfig.customFields) customFields = savedConfig.customFields;
        
        console.error(`Using saved configuration '${configName}' for analysis: ${JSON.stringify(savedConfig)}`);
      }
  
      // Verify file exists before proceeding
      await fs.access(filePath);
  
      // Analyze the file using the reusable function
      const output = await analyzePcap(
        filePath,
        displayFilter,
        outputFormat,
        customFields,
        sslKeylogFile
      );
  
      const keylogToUse = sslKeylogFile || process.env.SSLKEYLOGFILE;
  
      // Trim output if too large
      const trimmedOutput = trimOutput(output, outputFormat);
  
      const configInfo = configName ? `\nUsing saved config: ${configName}` : '';
      
      return {
        content: [{
          type: 'text' as const,
          text: `Analysis of '${filePath}' complete!${configInfo}\nDisplay Filter: ${displayFilter || 'none'}\nOutput Format: ${outputFormat}\nSSL Decryption: ${keylogToUse ? 'Enabled' : 'Disabled'}\n\nPacket Analysis Results:\n${trimmedOutput}`,
        }],
      };
    } catch (error: any) {
      console.error(`Error analyzing PCAP file: ${error.message}`);
      return { 
        content: [{ type: 'text' as const, text: `Error: ${error.message}` }], 
        isError: true 
      };
    }
  } 

• src/tools/analyze-pcap-file.ts:8-15 (schema)

  Input schema using Zod for validating tool parameters including file path, display filter, output format, custom fields, SSL keylog file, and optional config name.

  export const analyzePcapFileSchema = {
    filePath: z.string().describe('Path to the local .pcap or .pcapng file to analyze.'),
    displayFilter: z.string().optional().describe('Wireshark display filter for analysis (e.g., "tls.handshake.type == 1")'),
    outputFormat: z.enum(['json', 'fields', 'text']).optional().default('text').describe('Output format: json (-T json), fields (custom -e), or text (default wireshark output)'),
    customFields: z.string().optional().describe('Custom tshark field list (only used with outputFormat=fields)'),
    sslKeylogFile: z.string().optional().describe('ABSOLUTE path to SSL keylog file for TLS decryption'),
    configName: z.string().optional().describe('Name of saved configuration to use for analysis parameters')
  };

• src/index.ts:39-45 (registration)

  MCP server tool registration for 'analyze_pcap_file', specifying the tool name, description, input schema, and handler function.

  // Tool 3: Analyze an existing PCAP file
  server.tool(
    'analyze_pcap_file',
    'Analyze a local pcap/pcapng file. LLMs control all analysis parameters including filters, output formats, and custom fields. Can use saved configurations.',
    analyzePcapFileSchema,
    async (args) => analyzePcapFileHandler(args)
  );