TShark MCP

MCP service for analyzing network traffic with tshark.

Installation

pip install -e .

Requirements

• Python 3.10+

• tshark (part of Wireshark)

Configuration

TShark Path

By default, the service will search for tshark in the following order:

1. TSHARK_PATH environment variable

2. macOS default: /Applications/Wireshark.app/Contents/MacOS/tshark

3. System PATH

You can set the tshark path via environment variable:

export TSHARK_PATH=/path/to/tshark

MCP Client Configuration

Add to your MCP client configuration (e.g., Claude Desktop):

{
  "mcpServers": {
    "tshark": {
      "command": "/path/to/python",
      "args": ["-m", "tshark_mcp.server"],
      "env": {
        "TSHARK_PATH": "/Applications/Wireshark.app/Contents/MacOS/tshark"
      }
    }
  }
}

Usage

Start the MCP server:

tshark-mcp

Or run directly:

python -m tshark_mcp.server

Tools

analyze_pcap_file

Analyze a pcap/pcapng file and extract all TCP streams with their application layer data.

Parameters:

• file_path (required): Path to the pcap/pcapng file

• filter (optional): BPF filter expression

Returns: All TCP streams with protocol identification and payload data.

list_tcp_streams

List all TCP streams in a pcap file with basic information.

Parameters:

• file_path (required): Path to the pcap/pcapng file

Returns: Stream list with addresses, ports, packet counts, and protocol.

extract_stream_data

Extract payload data from a specific TCP stream.

Parameters:

• file_path (required): Path to the pcap/pcapng file

• stream_index (required): TCP stream index (0-based)

• direction (optional): "client", "server", or "both" (default: "both")

Returns: Payload data for the specified direction(s).

analyze_pcap_data

Analyze base64-encoded pcap data.

Parameters:

• data (required): Base64-encoded pcap/pcapng data

• filter (optional): BPF filter expression

Returns: All TCP streams with protocol identification and payload data.