MCP server for Wireshark/tshark integration with AI tools
Project description
MCP Wireshark
An MCP (Model Context Protocol) server that integrates Wireshark/tshark with AI tools and IDEs. Capture live network traffic, parse .pcap files, apply display filters, follow TCP streams, and export to JSON—all accessible through Claude Desktop, VS Code, or the command-line interface.
� New to this project? Start here: Getting Started Guide - Complete setup, publishing, and contribution guide!
📚 Quick Start | 📖 API Docs | 🤝 Contributing | 🚀 Publishing | 💻 Dev Setup
Features
- 🔍 List Network Interfaces: Discover all available network interfaces for packet capture
- 📡 Live Capture: Capture real-time network traffic from any interface
- 📂 Read PCAP Files: Analyze existing .pcap and .pcapng files
- 🔎 Display Filters: Apply Wireshark's powerful display filters
- 📊 Protocol Statistics: Generate detailed protocol statistics
- 🔗 Follow TCP Streams: Extract and analyze TCP stream payloads
- 💾 Export to JSON: Export packet data in JSON format for further analysis
Prerequisites
- Python 3.10 or higher
- Wireshark/tshark installed on your system
Installing Wireshark/tshark
macOS (using Homebrew):
brew install wireshark
Ubuntu/Debian:
sudo apt-get update
sudo apt-get install tshark
Windows: Download and install from Wireshark Downloads
Note: On Linux, you may need to add your user to the wireshark group to capture packets without root:
sudo usermod -aG wireshark $USER
sudo chmod +x /usr/bin/dumpcap
Installation
Install from PyPI:
pip install mcp-wireshark
Or install from source:
git clone https://github.com/khuynh22/mcp-wireshark.git
cd mcp-wireshark
pip install -e .
Usage
As an MCP Server
Claude Desktop
Add to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json
{
"mcpServers": {
"wireshark": {
"command": "mcp-wireshark",
"args": [],
"env": {}
}
}
}
VS Code
Add to your VS Code settings.json:
{
"mcp.servers": {
"wireshark": {
"command": "mcp-wireshark",
"args": [],
"env": {}
}
}
}
Command Line
Run the MCP server:
mcp-wireshark
The server will communicate using stdio (standard input/output) following the MCP protocol.
Available Tools
1. list_interfaces
List all available network interfaces for packet capture.
Example:
Use the list_interfaces tool to see available network interfaces
2. live_capture
Capture live network traffic from a specified interface.
Parameters:
interface(required): Network interface name (e.g., "eth0", "Wi-Fi")duration(optional): Capture duration in seconds (default: 10)packet_count(optional): Maximum number of packets to capturedisplay_filter(optional): Wireshark display filter to apply
Example:
Capture packets from eth0 for 30 seconds with filter "tcp.port == 80"
3. read_pcap
Read and analyze packets from a .pcap or .pcapng file.
Parameters:
file_path(required): Path to the .pcap or .pcapng filepacket_count(optional): Maximum number of packets to read (default: 100)display_filter(optional): Wireshark display filter to apply
Example:
Read the first 50 packets from capture.pcap
4. display_filter
Apply a Wireshark display filter to a pcap file.
Parameters:
file_path(required): Path to the .pcap or .pcapng filefilter(required): Wireshark display filter expressionpacket_count(optional): Maximum number of packets to return (default: 100)
Example:
Filter packets from capture.pcap where tcp.port == 443
5. stats_by_proto
Generate protocol statistics from a pcap file.
Parameters:
file_path(required): Path to the .pcap or .pcapng file
Example:
Generate protocol statistics for capture.pcap
6. follow_tcp
Follow a TCP stream and extract payload data.
Parameters:
file_path(required): Path to the .pcap or .pcapng filestream_id(optional): TCP stream ID to follow (default: 0)
Example:
Follow TCP stream 0 from capture.pcap
7. export_json
Export packets from a pcap file to JSON format.
Parameters:
file_path(required): Path to the .pcap or .pcapng fileoutput_path(required): Path to save the JSON outputpacket_count(optional): Maximum number of packets to export (default: 1000)display_filter(optional): Wireshark display filter to apply
Example:
Export first 500 HTTP packets from capture.pcap to output.json
Common Display Filters
Here are some useful Wireshark display filters:
tcp.port == 80- HTTP traffictcp.port == 443- HTTPS traffichttp- All HTTP packetsdns- DNS queries and responsesip.addr == 192.168.1.1- Traffic to/from specific IPtcp.flags.syn == 1- TCP SYN packetshttp.request.method == "GET"- HTTP GET requeststcp.stream eq 0- Packets from TCP stream 0
For more filters, see the Wireshark Display Filter Reference.
Cross-Platform Support
mcp-wireshark is designed to work across multiple platforms:
- macOS: Full support with Homebrew-installed Wireshark
- Linux: Full support with apt/yum-installed tshark
- Windows: Full support with official Wireshark installer
The tool uses dumpcap when available (recommended for non-root captures) and falls back to tshark when needed.
Development
Want to contribute? See our comprehensive guides:
- Development Setup Guide - Complete environment setup for contributors
- Publishing Guide - How to publish to PyPI
- Contributing Guide - Contribution guidelines and workflow
Quick Start for Developers
# Clone and setup
git clone https://github.com/khuynh22/mcp-wireshark.git
cd mcp-wireshark
python -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
pip install -e ".[dev]"
# Run quality checks
pytest # Run tests
black src tests # Format code
ruff check src tests # Lint
mypy src # Type check
Examples
See the examples directory for sample scripts and usage patterns.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
- Built on top of Wireshark/tshark
- Uses pyshark for Python integration
- Implements the Model Context Protocol
Support
For issues, questions, or contributions, please visit the GitHub repository.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_wireshark-0.1.0.tar.gz.
File metadata
- Download URL: mcp_wireshark-0.1.0.tar.gz
- Upload date:
- Size: 27.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
51eb940b4b99653a2fab878c54b88f20660a03099b393da3d1fbce474f0340c3
|
|
| MD5 |
3030b4ee52d0ab1d8350fc5fd48c0052
|
|
| BLAKE2b-256 |
0db5b2f63dc8edd5cc50aad648fb29217a9902c53b5c30257f0eb90f604917ad
|
File details
Details for the file mcp_wireshark-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mcp_wireshark-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b420832aed8b8d14b6bce971b015c6e3aa6db5ca88ff730cbfe3eedf54cda15
|
|
| MD5 |
6dce52565192b687e4b0f0f9515cebc2
|
|
| BLAKE2b-256 |
b1b2426cd9dd33f5163f1d2c667079466a8a38ad100c9354c432ebc3a9f57593
|
