Wireshark Network Analysis MCP server

Integrates with Wireshark's tshark tool to capture and analyze network packets with configurable filters, SSL decryption support, and multiple output formats for network troubleshooting and security analysis.
Provider: kriztalz
Release date: Jun 14, 2025
Language: Python
Stats: 17 stars

SharkMCP is a Model Context Protocol (MCP) server that enables network packet capture and analysis through Wireshark/tshark integration. It allows AI assistants to perform network security analysis, troubleshooting, and packet inspection by starting packet recording, executing requests, then stopping and analyzing the captured traffic.

Prerequisites

System Requirements

  • Wireshark/tshark: Must be installed and accessible
  • Node.js: Version 18+
  • pnpm: Package manager (recommended)

Installing Wireshark/tshark

macOS (using Homebrew):

brew install wireshark

Ubuntu/Debian:

sudo apt update
sudo apt install tshark wireshark-common

Windows: Download from wireshark.org

Installation

  1. Clone the repository:
     git clone https://github.com/kriztalz/SharkMCP.git
     cd SharkMCP
  2. Install dependencies:
     pnpm install
  3. Build the project:
     pnpm run build
  4. Run the server:
     pnpm start

Configuration

MCP Client Setup

{
  "mcpServers": {
    "sharkmcp": {
      "command": "node",
      "args": ["/path/to/SharkMCP/dist/index.js"]
    }
  }
}

SSL/TLS Decryption (Optional)

To decrypt HTTPS traffic, export the SSLKEYLOGFILE environment variable:

export SSLKEYLOGFILE=/path/to/sslkeylog.log

Next, configure your applications to log their TLS session keys to this file; many applications do so automatically when the environment variable is set.

Finally, pass the path of the log file to the MCP server when calling the stop_capture_session tool.
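
To confirm that an application actually wrote usable secrets before the path is handed to stop_capture_session, the following added example (not part of SharkMCP) parses a key log file in the NSS key log format and reports the labels seen, the number of distinct sessions, malformed lines, and whether the file mode lets other users read the secrets. The function name audit_keylog and the SAMPLE data are constructed for illustration.

```python
import os
import re
import stat
from collections import Counter

# Labels from the NSS key log format; the legacy "RSA" label is not handled here.
TLS12 = {"CLIENT_RANDOM"}
TLS13 = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
         "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
         "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
# <label> <32-byte client random as hex> <secret as hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

# Constructed sample, not real key material; line 5 is a truncated entry.
SAMPLE = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 10,
]) + "\n"

def audit_keylog(path):
    """Summarise a key log file: labels seen, sessions, bad lines, file exposure."""
    labels, sessions, malformed = Counter(), set(), []
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments are allowed
            m = LINE.match(line)
            # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
            if (not m or m.group(1) not in TLS12 | TLS13
                    or (m.group(1) in TLS12 and len(m.group(3)) != 96)):
                malformed.append(lineno)
                continue
            labels[m.group(1)] += 1
            sessions.add(m.group(2).lower())
    # POSIX mode bits: can group or other users read the secrets?
    exposed = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"labels": dict(labels), "sessions": len(sessions),
            "malformed": malformed, "readable_by_others": exposed}

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o600)
    print(audit_keylog(tmp.name))
```

A report with zero sessions means the application did not honor SSLKEYLOGFILE, and readable_by_others being true means the file should be restricted to its owner, since its contents are enough to decrypt the matching capture.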

Usage

Available Tools

  1. start_capture_session: Start background packet capture
  2. stop_capture_session: Stop capture and analyze results
  3. analyze_pcap_file: Analyze existing PCAP files
  4. manage_config: Save/load reusable configurations

Basic Examples

Start a capture session:

Interface: en0
Capture Filter: port 443
Timeout: 30 seconds

Analyze captured traffic:

Display Filter: tls.handshake.type == 1
Output Format: json

Save a configuration:

{
  "name": "https-monitoring",
  "description": "Monitor HTTPS traffic",
  "captureFilter": "port 443",
  "displayFilter": "tls.handshake.type == 1",
  "outputFormat": "json",
  "timeout": 60,
  "interface": "en0"
}

Troubleshooting

Common Issues

"tshark not found":

  • Ensure Wireshark is installed and tshark is in PATH
  • Check installation with: tshark -v

Permission denied for packet capture:

  • On Linux: Add user to wireshark group or run with sudo
  • On macOS: Grant Terminal network access in System Preferences
  • On Windows: Run as Administrator

No packets captured:

  • Verify network interface name (ip link on Linux, ifconfig on macOS)
  • Check capture filter syntax
  • Ensure traffic is present on the interface

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server, go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button, the ~/.cursor/mcp.json file will open and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what the function does.
