README.md
May 21, 2026
# Wireshark MCP
Give your AI assistant a packet analyzer.
Drop a .pcap file, ask questions in plain English — get answers backed by real tshark data.
English • 中文 • Changelog • Contributing
## What is this?
An MCP server that wraps tshark (and optional Wireshark suite tools) into a structured analysis interface. Works with Claude Desktop, Claude Code, Cursor, VS Code, and 18+ other MCP clients.
You: "Find all DNS queries going to suspicious domains in this capture."
Claude: [calls wireshark_extract_dns_queries → wireshark_check_threats]
"Found 3 queries to domains flagged by URLhaus: ..."
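The extract-then-check flow above (`wireshark_extract_dns_queries` feeding `wireshark_check_threats`) boils down to two steps: ask tshark for a few DNS fields in tab-separated form, then match the queried names against a threat list. The following is an added example, not code from the wireshark-mcp project: it builds the tshark argument list but does not execute it, parses a constructed sample of `tshark -T fields` output, and matches names (and their parent domains) against a constructed blocklist in place of a real URLhaus feed. Tool names, field names and sample values beyond the tshark CLI itself are assumptions.

```python
"""Added example (not part of wireshark-mcp): extract DNS queries from
`tshark -T fields` output and check them against a blocklist."""
from dataclasses import dataclass

# Fields requested from tshark; order matters because output is positional.
DNS_FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "dns.qry.name", "dns.qry.type"]


def build_tshark_dns_command(pcap_path: str) -> list[str]:
    """Argument list for dumping DNS *queries* (response flag clear) as TSV.
    The list is returned, not run, so this example works without tshark."""
    argv = ["tshark", "-r", pcap_path, "-Y", "dns.flags.response == 0",
            "-T", "fields", "-E", "separator=/t"]
    for field in DNS_FIELDS:
        argv += ["-e", field]
    return argv


@dataclass(frozen=True)
class DnsQuery:
    ts: float
    src: str
    dst: str
    name: str   # normalised: lower-case, no trailing dot
    qtype: str  # numeric RR type as tshark prints it (1 = A, 28 = AAAA)


# Constructed sample of what the command above would print; not real capture data.
SAMPLE_TSHARK_OUTPUT = (
    "1716300000.101\t10.0.0.5\t10.0.0.1\twww.example.com\t1\n"
    "1716300000.204\t10.0.0.5\t10.0.0.1\tupdate.bad-domain.example\t1\n"
    "1716300001.001\t10.0.0.7\t10.0.0.1\tmail.example.org\t28\n"
    "1716300001.550\t10.0.0.5\t10.0.0.1\tUPDATE.BAD-DOMAIN.EXAMPLE.\t1\n"
    "garbled line without tabs\n"
)


def parse_dns_queries(text: str) -> list[DnsQuery]:
    """Parse TSV lines into DnsQuery records, skipping malformed lines.
    Empty columns (e.g. ip.src on a non-IPv4 packet) are kept as ''."""
    queries: list[DnsQuery] = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(DNS_FIELDS):
            continue  # not a full record; do not guess at missing columns
        ts, src, dst, name, qtype = parts
        queries.append(DnsQuery(float(ts), src, dst, name.rstrip(".").lower(), qtype))
    return queries


# Constructed blocklist standing in for a threat feed such as URLhaus.
BLOCKLIST = {"bad-domain.example", "c2.example.net"}


def check_threats(queries: list[DnsQuery], blocklist: set[str]) -> list[tuple[DnsQuery, str]]:
    """Flag a query if its name or any parent domain is on the blocklist.
    Returns (query, matched_entry) pairs so a report can cite the indicator."""
    hits = []
    for q in queries:
        labels = q.name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in blocklist:
                hits.append((q, candidate))
                break
    return hits


def summarise(hits: list[tuple[DnsQuery, str]]) -> dict[str, list[str]]:
    """Group matched indicators by querying host, the shape a findings report wants."""
    by_host: dict[str, list[str]] = {}
    for q, indicator in hits:
        by_host.setdefault(q.src, []).append(f"{q.name} -> {indicator}")
    return by_host


if __name__ == "__main__":
    print(" ".join(build_tshark_dns_command("capture.pcap")))
    found = check_threats(parse_dns_queries(SAMPLE_TSHARK_OUTPUT), BLOCKLIST)
    for host, entries in summarise(found).items():
        print(host, entries)
```

Two details matter in practice: names are normalised (case folded, trailing dot stripped) before matching, because the same domain can appear in either form across a capture, and the blocklist is checked against every parent suffix so that `update.bad-domain.example` matches an entry for `bad-domain.example`.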
## Install
Prerequisites: Python 3.10+ and Wireshark with tshark on PATH.
```bash
pip install wireshark-mcp
wireshark-mcp install # auto-configures all detected MCP clients
```
Restart your AI client — done.
Run `wireshark-mcp doctor` if anything looks off. See `docs/manual-configuration.md` for manual setup or platform-specific notes.
## Quick Start
Point your AI client at a .pcap file and try:
```text
Analyze capture.pcap using the Wireshark MCP tools.
Start with wireshark_open_file, then run wireshark_security_audit.
Write findings to report.md.
```
## Tools
40+ tools organized into categories:
| Category | Highlights | Count |
|---|---|---|
| Agentic Workflows | wireshark_security_audit, wireshark_quick_analysis, wireshark_open_file | 4 |
| Packet Analysis | Packet list, details, bytes, context, stream follow, search | 7 |
| Data Extraction | HTTP requests, DNS queries, TLS handshakes, field extraction | 6 |
| Statistics | Protocol hierarchy, endpoints, conversations, I/O graph, expert info | 6 |
| Security | Threat intel, credential scan, port scan, DNS tunnel, DoS detection | 6 |
| Protocol Deep Dive | TCP health, ARP spoofing, SMTP, DHCP | 5 |
| File Ops & Capture | Live capture, merge, filter-save, file info | 5 |
| Suite Utilities | editcap trim/split/dedup, text2pcap import | 5 |
| Decode & Visualize | Payload decode, traffic plot, protocol tree | 3 |
The server needs only tshark to start. The optional suite tools (capinfos, mergecap, editcap, dumpcap, text2pcap) are auto-detected and enable extra features when present.
## Documentation
| Topic | Link |
|---|---|
| Platform setup (macOS/Linux/Windows) | docs/platform-validation.md |
| Manual client configuration | docs/manual-configuration.md |
| Prompt templates | docs/prompt-engineering.md |
| Release checklist | docs/release-checklist.md |
| Contributing | CONTRIBUTING.md |
| Changelog | CHANGELOG.md |
| Security policy | SECURITY.md |
## Development
```bash
pip install -e ".[dev]"
pytest tests/ -v
ruff check src/ tests/
```
See CONTRIBUTING.md for the full guide.