Wireshark MCP Server
Provides network capture and analysis capabilities via tshark, including live capture, protocol hierarchy, conversations, endpoints, DNS/HTTP analysis, expert info, and advanced workflow tools for reconnaissance, device identification, traffic profiling, security auditing, and capture comparison.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Wireshark MCP Serveridentify devices in the last capture"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Wireshark MCP Server
Network capture and analysis via tshark, exposed as a Model Context Protocol (MCP) server. Gives AI assistants like Claude full access to Wireshark's analysis capabilities.
20 tools (15 discrete + 5 composite workflows). Portable — runs on any host with tshark installed. Windows, Linux, macOS.
What Makes This Different
Most Wireshark MCP servers give you 4-8 basic tools (capture, read, stats). This one includes composite workflow tools that chain multiple analyses into a single call:
wireshark_recon— Full network survey: protocols, top talkers, device inventory with vendor identification, DNS stats. One call.wireshark_identify_devices— Discovers devices via MAC/OUI resolution, hostname extraction (DNS/mDNS/NBNS), and port-based role classification.wireshark_traffic_profile— Deep dive on a single IP: protocols used, top peers, bytes in/out, active ports, DNS queries, activity over time.wireshark_security_audit— Checks for cleartext credentials (HTTP basic auth, FTP, telnet), unencrypted protocols, DNS anomalies, ARP anomalies, broadcast storms. Optional threat intel via URLhaus.wireshark_compare_captures— Diff two captures: new/disappeared devices, protocol distribution changes, traffic volume deltas.
Plus a bundled OUI database (~1500 vendor prefixes) for instant MAC-to-vendor resolution without external lookups.
Related MCP server: Wireshark MCP
Quick Start
Prerequisites
Python 3.11+
Wireshark installed (tshark is included)
On Linux: capture permissions (
sudo setcap cap_net_raw+ep $(which tshark)or run as root)
Install
git clone https://github.com/wgthomas/wireshark-mcp.git
cd wireshark-mcp
pip install -r requirements.txtConfigure Claude Code / Claude Desktop
Add to your MCP config (~/.claude.json or Claude Desktop settings):
{
"mcpServers": {
"wireshark": {
"command": "python",
"args": ["/path/to/wireshark-mcp/wireshark_mcp.py"],
"env": {}
}
}
}tshark is auto-detected. If it's not on your PATH, set WIRESHARK_TSHARK_PATH:
"env": {
"WIRESHARK_TSHARK_PATH": "/usr/bin/tshark"
}Tools
Discrete Tools (15)
Tool | Description |
| Available capture interfaces |
| Verify tshark and capture privileges |
| Live capture to pcapng file |
| Saved capture files |
| Protocol distribution tree |
| Who's talking to whom (top N by bytes) |
| Unique endpoints with traffic volumes |
| DNS query types, response codes, response times |
| Traffic volume over time intervals |
| HTTP methods and response codes |
| Wireshark warnings, errors, and notes |
| Custom tshark field extraction |
| First N packets summary |
| MAC address vendor lookup |
| tshark version and path |
Workflow Tools (5)
Tool | Description |
| Full network reconnaissance |
| Device discovery and classification |
| Single IP deep dive |
| Security-focused analysis |
| Diff two capture files |
All workflow tools accept either a pcap_file path or an interface for live capture.
Configuration
All settings via environment variables with WIRESHARK_ prefix:
Variable | Default | Description |
| Auto-detected | Path to tshark binary |
|
| Where to save captures |
|
| Capture duration (seconds) |
|
| Max packets per capture |
|
| Default limit for ranked results |
Token Optimization
All tools return structured JSON, never raw tshark text. Outputs are aggregated summaries capped at ~4000 tokens. Use wireshark_extract_fields for targeted deep dives when you need specific packet data.
Security
No shell=True — All tshark commands use
subprocesswith argument listsInput sanitization — Display filters and parameters are validated against injection characters
Capture files only — The server reads/writes pcap files, never executes arbitrary commands
Testing
# Basic tests (no capture file needed)
python test_quick.py
# Full tests with a capture file
python test_quick.py path/to/capture.pcapng
# Workflow tests
python test_workflows.py path/to/capture.pcapng [target_ip]License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/wgthomas/wireshark-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server