Professional Wireshark MCP server with 18 comprehensive network analysis tools for Claude Desktop integration.
- 18 Complete Network Analysis Tools - Comprehensive packet analysis suite
- Real-time JSON Streaming - Live packet capture in multiple formats
- Advanced PCAP Operations - Split, merge, time-slice, and convert files
- Security Analysis - Threat detection and anomaly analysis
- LLM-Powered Filter Generation - Natural language to Wireshark filters
- Enterprise-Ready - Production-grade error handling and logging
# Linux (Ubuntu/Debian)
sudo apt-get install wireshark tshark tcpdump python3-pip
# macOS
brew install wireshark tcpdump python3
# Windows
choco install wireshark python3git clone https://github.com/priestlypython/wireshark-mcp.git
cd wireshark-mcp
pip install -r requirements.txt
# Configure permissions (Linux)
sudo usermod -a -G wireshark $USER
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
newgrp wiresharkAdd to your claude_desktop_config.json:
{
"mcpServers": {
"wireshark-mcp": {
"command": "python",
"args": ["/path/to/wireshark-mcp/enhanced_server.py"],
"cwd": "/path/to/wireshark-mcp",
"env": {
"PYTHONPATH": "/path/to/wireshark-mcp",
"WIRESHARK_PATH": "/usr/bin",
"TSHARK_PATH": "/usr/bin/tshark",
"TCPDUMP_PATH": "/usr/sbin/tcpdump"
}
}
}
}| Tool | Purpose | Output |
|---|---|---|
wireshark_system_info |
System info & interfaces | JSON with capabilities |
wireshark_validate_setup |
Validate installation | Dependency status |
wireshark_generate_filter |
AI filter generation | Wireshark display filter |
wireshark_live_capture |
Live packet capture | Packet array |
wireshark_analyze_pcap |
PCAP analysis | Comprehensive stats |
wireshark_realtime_json_capture |
JSON streaming | Real-time packets |
wireshark_protocol_statistics |
Protocol analysis | Hierarchy & conversations |
wireshark_analyze_pcap_enhanced |
Advanced analysis | Security & performance |
| Tool | Purpose | Output |
|---|---|---|
wireshark_pcap_time_slice |
Extract time windows | Time-sliced PCAP |
wireshark_pcap_splitter |
Split PCAP files | Multiple split files |
wireshark_pcap_merger |
Merge PCAP files | Merged PCAP file |
wireshark_hex_to_pcap |
Convert hex to PCAP | PCAP file |
wireshark_http_analyzer |
HTTP traffic analysis | Transaction details |
wireshark_dns_analyzer |
DNS query analysis | Query patterns & anomalies |
wireshark_ssl_inspector |
SSL/TLS inspection | Certificate & cipher info |
wireshark_latency_profiler |
Performance analysis | Latency metrics |
wireshark_threat_detector |
Security analysis | Threat scores & indicators |
wireshark_remote_capture |
SSH remote capture | Remote packet data |
# Check system capabilities
wireshark_system_info(info_type="all")
# β Returns interfaces, capabilities, server status# Capture HTTP traffic for 30 seconds
wireshark_live_capture(
interface="eth0",
duration=30,
filter="tcp port 80",
max_packets=1000
)
# β Returns captured packets with analysis# Comprehensive PCAP analysis
wireshark_analyze_pcap(
filepath="/path/to/capture.pcap",
analysis_type="comprehensive"
)
# β File info, protocols, security analysis# Generate filter from natural language
wireshark_generate_filter(
description="Show all HTTP traffic from 192.168.1.0/24",
complexity="intermediate"
)
# β Returns optimized Wireshark filter# Split large PCAP by time
wireshark_pcap_time_slice(
input_file="/path/to/large.pcap",
start_time="2025-01-01T10:00:00",
end_time="2025-01-01T11:00:00"
)
# β Creates time-sliced PCAP file
# Merge multiple PCAPs
wireshark_pcap_merger(
input_files=["file1.pcap", "file2.pcap"],
output_file="merged.pcap",
sort_chronologically=true
)
# β Creates chronologically sorted merged file# Threat detection
wireshark_threat_detector(
input_file="/path/to/suspicious.pcap",
detection_mode="comprehensive",
sensitivity="high"
)
# β Threat scores, anomalies, behavioral analysis
# DNS tunneling detection
wireshark_dns_analyzer(
input_file="/path/to/capture.pcap",
analysis_type="comprehensive",
detect_tunneling=true
)
# β DNS patterns, suspicious domains, entropy analysisAll tools return well-structured JSON with:
- Status indicators (β Success, β Error)
- Rich metadata (file sizes, timestamps, statistics)
- Analysis results (protocols, conversations, threats)
- Recommendations (filter suggestions, security insights)
PCAP manipulation tools create properly formatted files:
- Time-sliced captures with precise timestamps
- Split files with organized naming conventions
- Merged files with chronological packet ordering
- Converted files maintaining packet integrity
Advanced analysis provides:
- Threat scores (0-100 risk assessment)
- Anomaly detection (statistical analysis)
- Pattern recognition (attack signatures)
- Behavioral analysis (network health indicators)
# Linux: Set capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
sudo usermod -a -G wireshark $USER
# macOS: Run Wireshark as admin once
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
# Windows: Run as Administrator- Ensure Wireshark is installed and in PATH
- Check
wireshark_validate_setuptool for missing dependencies - Verify configuration paths in Claude Desktop config
- Check interface permissions with
wireshark_system_info - Verify network traffic exists on selected interface
- Try different interface (eth0, wlan0, any)
- Processing Rate: 10,000+ packets/second
- File Support: Multi-GB PCAP files with streaming
- Memory Efficient: Chunked processing for large files
- Real-time: Sub-second response times
- Concurrent: Multiple analysis operations supported
- Secure Permissions: Linux capabilities instead of root
- Process Isolation: Sandboxed subprocess execution
- Automatic Cleanup: Temporary files removed after use
- Audit Logging: Comprehensive operation logging
- Error Handling: Graceful failure with informative messages
MIT License - see LICENSE for details.
π¦ Professional network analysis powered by AI. Built for enterprise, designed for developers.