Wireshark MCP Server
Provides a Python-based MCP server to analyze and visualize Wireshark captures via MCP clients.
Configuration
{
  "mcpServers": {
    "bx33661-wireshark-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/inspector",
        "uv",
        "run",
        "wireshark-mcp"
      ]
    }
  }
}

Wireshark MCP provides a simple server to enable Wireshark-based vibe packet analysis through MCP clients. It lets you dissect and inspect network captures by exposing a set of tools that analyze pcap data, extract useful information, and visualize traffic, all via MCP-enabled interfaces so you can work with your preferred client.
You use this server by launching it as an MCP stdio server and then connecting from an MCP client to run analysis tools on your packet captures. Start the server with the MCP command shown in the Development section, then configure your MCP client to point to this local server and invoke the available tools as needed. For example, you can list packets in a capture, inspect details for specific frames, follow streams, extract HTTP requests or DNS queries, and generate summaries or visualizations.
Prerequisites you need before installing this MCP server:
Install the latest version of the Wireshark MCP package or install directly from source.
pip install wireshark-mcp

To connect a client, you can also run the server directly if it is installed in your environment. The recommendation is to use the explicit MCP command shown below in the Development section to test against a real client.
Get a summary list of packets from a pcap file with optional limits and custom columns to tailor the view.
Fetch full JSON details for a specific packet frame with optional layer filtering to reduce output.
Retrieve the raw hex/ASCII dump for a given packet frame.
View surrounding packets around a specific frame to understand context.
Reassemble and view an entire TCP/HTTP stream with support for pagination and search.
Find packets by pattern with options to search in raw bytes or decoded fields (Regex supported).
Deprecated: use get_packet_details instead.
Extract specific fields from a capture into tabular data.
Convenience tool to extract HTTP method, URI, and host information.
Convenience tool to extract DNS query names and related data.
List unique IP addresses appearing in the capture (source, destination, or both).
Extract embedded files from traffic (e.g., HTTP, SMB) into a destination directory.
Verify TLS decryption using a keylog file.
Decode common payload encodings with smart auto-detection (Base64, Hex, URL, etc.).
Generate an ASCII visualization of traffic over time.
Display an ASCII tree view of the protocol hierarchy in the capture.
Produce Protocol Hierarchy Statistics from the capture.
List endpoints and their traffic statistics.
Show communication pairs and their statistics.
Provide I/O graph data for traffic over time.
Retrieve expert information including anomalies and warnings.
Compute service response time statistics for a protocol like HTTP.
Get detailed metadata about a capture file (capinfos).
Merge multiple capture files into a single output file.
List available network interfaces for live capture.
Capture live traffic from a specified interface into a file.
Filter packets from a capture and save to a new file.
Check captured IPs against threat intelligence sources.
Scan for plaintext credentials within the capture data.
Decode common payload encodings with auto-detection.