Skip to main content
Glama
deenesjakoruzh
weirdmachine64

SharkMCP

by weirdmachine64
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

SharkMCP

An MCP server that exposes sharkd — Wireshark's programmatic interface — as a set of tools for LLMs. Load PCAP/PCAPNG files and analyse them with natural language.

Requirements

  • Python 3.10+

  • Wireshark (provides sharkd)

Installation

git clone https://github.com/weirdmachine64/sharkmcp.git
cd sharkmcp
pip install -e .

Or run directly from the repo without installing:

uvx --from git+https://github.com/weirdmachine64/sharkmcp sharkmcp

Configuration

Add to your .mcp.json:

{
  "mcpServers": {
    "sharkmcp": {
      "command": "uvx",
      "args": ["--from", "git+https://github.com/weirdmachine64/sharkmcp", "sharkmcp"],
      "env": {
        "SHARKMCP_TIMEOUT": "300"
      }
    }
  }
}

Env var

Default

Description

SHARKMCP_SHARKD_BIN

sharkd

Path to sharkd binary

SHARKMCP_TIMEOUT

300

Per-request timeout in seconds

Tools

Each loaded PCAP gets a dedicated sharkd subprocess. Results from expensive scans (conversations, expert info, export objects) are cached in memory so paginated follow-up calls are served without re-scanning.

Session

Tool

Description

load_pcap(path, alias?)

Load a PCAP/PCAPNG file

list_pcaps()

List all loaded PCAPs

unload_pcap(alias)

Terminate session and free memory

Overview

Tool

Description

pcap_summary(alias)

Frame count, duration, file size, protocols seen

server_info(alias)

All available tap types, follow protocols, field types

Packet Inspection

Tool

Description

list_packets(alias, filter?, columns?, refs?)

Paginated frame list with display filter

packet_detail(alias, frame, include_bytes?, include_hidden?)

Full protocol tree for one frame

extract_fields(alias, fields, filter?)

Extract arbitrary fields per packet as a table

Utilities

Tool

Description

validate(alias, filter?, field?)

Validate a display filter and/or field name

complete(alias, field?, pref?)

Autocomplete field or preference names by prefix

get_preference(alias, preference?)

Read dissector preferences

set_preference(alias, name, value)

Set a dissector preference for this session

set_frame_comment(alias, frame, comment)

Annotate a frame (session-scoped)

Traffic Structure

Tool

Description

protocol_hierarchy(alias, filter?)

Nested protocol tree with frame/byte counts

io_stats(alias, interval_ms?, filter?)

Per-interval frame and byte counts

iograph(alias, graphs, interval_ms?, filters?)

Multi-line traffic graph; supports packets, bytes, bits, sum:<field>, avg:<field>, min:<field>, max:<field>, load:<field>, frames:<field>

follow_stream(alias, protocol, filter)

Reassemble a stream (tcp, udp, tls, http, http2, quic, sip, dccp, websocket)

Conversations & Topology

Tool

Description

conversations(alias, type?, sort_by?)

Conversation table — bytes/frames per peer pair

endpoints(alias, type?, sort_by?)

Endpoint table — tx/rx per host

Supported layer types for both: tcp, udp, ip, ipv6, eth, sctp, dccp, mptcp, wifi, bluetooth, zigbee, fc, fddi, usb, and more.

Protocol Statistics

Tool

Description

expert_info(alias, filter?)

Per-frame anomaly detection — errors, warnings, notes, chats

protocol_stats(alias, protocol)

Aggregate stats for dns, http, http_requests, http_server, sip, dhcp, h225, http2, rtsp

service_response_time(alias, protocol)

Request/response latency for smb, smb2, snmp, ldap, diameter, rpc, gtp, and more

response_time_delay(alias, protocol)

Round-trip delay for radius, h225_ras, megaco, mgcp

sequence_diagram(alias, type?)

Flow diagram data for tcp, icmp, icmpv6, any

Media & VoIP

Tool

Description

voip_calls(alias, filter?)

SIP/H.323 call list with state and participants

rtp_streams(alias, stream_spec?)

RTP stream inventory; pass stream_spec for per-stream jitter/loss

multicast_streams(alias, filter?)

UDP multicast stream statistics

Export & Objects

Tool

Description

export_objects(alias, type?)

List extractable objects (http, imf, smb, tftp, dicom, ftp-data)

download_object(alias, token)

Download an object, TLS session keys (ssl-secrets), or RTP audio (rtp:<spec>) as base64

Escape Hatch

Tool

Description

tap(alias, specs, filter?, skip?, limit?)

Run any sharkd tap directly — up to 16 specs in one PCAP scan. Use server_info to discover valid identifiers.

Example

> load_pcap("/captures/traffic.pcap", alias="traffic")
> protocol_hierarchy("traffic")
> expert_info("traffic", limit=20)
> conversations("traffic", type="tcp", sort_by="bytes")
> extract_fields("traffic", ["dns.qry.name", "dns.a"], filter="dns")
> follow_stream("traffic", "http", "tcp.stream eq 0")
> export_objects("traffic", type="http")
> download_object("traffic", "eo:http_0")

Architecture

    LLM
     │  MCP (stdio)
     ▼
 SharkMCP server
     │  JSON-RPC 2.0 (stdin/stdout)
     ├─ sharkd [pcap-1]
     ├─ sharkd [pcap-2]
     └─ sharkd [pcap-N]

One sharkd subprocess per loaded PCAP. Sessions are isolated — concurrent queries on different aliases never block each other.

Install Server
A
license - permissive license
B
quality
C
maintenance

How are these scores calculated?

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

View all tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/weirdmachine64/SharkMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server