Wireshark MCP Server

Wireshark MCP Server

A containerized server that enables AI clients to perform automated network packet analysis, protocol inspection, and traffic forensics using Wireshark/tshark. It features a stateless design that synchronizes PCAP files directly from GitHub for secure and ephemeral analysis sessions.

Category
访问服务器

README

Wireshark MCP Server Container

A containerized Model Context Protocol (MCP) server that provides comprehensive network packet analysis using Wireshark/tshark. Connect it to any MCP-compatible AI client for automated network security analysis, protocol inspection, and traffic forensics.

How It Works: GitHub-Based PCAP Sync

This container does not store PCAP files. Instead, it uses a GitHub repository as the source of truth for your packet captures.

┌──────────────┐       ┌─────────────────────────┐       ┌──────────────────┐
│  Your GitHub │       │  Wireshark MCP Container │       │   AI Client      │
│  Repository  │◄─────►│                          │◄─────►│  (Cursor, etc.)  │
│              │  sync  │  tshark analysis engine  │  MCP  │                  │
│  pcaps/      │       │  /tmp/wireshark_workspace │       │                  │
└──────────────┘       └─────────────────────────┘       └──────────────────┘

The workflow:

  1. Store PCAPs in GitHub -- Push .pcap / .pcapng files to any GitHub repo (public or private).
  2. Configure credentials -- Provide your GitHub username, PAT, repo URL, and optional path/branch via environment variables or HTTP headers.
  3. Sync on demand -- Use wireshark_list_pcaps to see what's available, then wireshark_sync_pcap or wireshark_sync_all_pcaps to pull files into the container's temporary workspace.
  4. Analyze -- Run any of the 19 analysis tools against synced PCAPs.
  5. Clean up -- Use wireshark_clean_project or let the automatic TTL (default 24h) purge stale workspaces.

This design means the container stays stateless and ephemeral -- PCAP data lives in your GitHub repo, and the container only pulls what it needs for the current analysis session.

Quick Start

Pull from GHCR

docker pull ghcr.io/<your-org>/wireshark-mcp-container:latest

Run with Docker

docker run -d \
  -p 3020:3020 \
  -e DISABLE_JWT_AUTH=true \
  -e GITHUB_USERNAME=your-github-username \
  -e GITHUB_PAT=ghp_xxxxxxxxxxxxxxxxxxxx \
  -e GITHUB_REPO=https://github.com/your-org/your-pcap-repo \
  -e GITHUB_PATH=pcaps \
  -e GITHUB_BRANCH=main \
  --name wireshark-mcp \
  ghcr.io/<your-org>/wireshark-mcp-container:latest

Build Locally

docker build -t wireshark-mcp:latest -f dockerfile .

docker run -d \
  -p 3020:3020 \
  --env-file .env \
  --name wireshark-mcp \
  wireshark-mcp:latest

Configuration

All configuration is done through environment variables. See .env.example for a complete reference.

Required

Variable Description
GITHUB_USERNAME Your GitHub username
GITHUB_PAT GitHub Personal Access Token (needs repo scope for private repos)
GITHUB_REPO Full GitHub repo URL (e.g., https://github.com/org/pcap-repo)

Optional

Variable Default Description
GITHUB_PATH (root) Subdirectory in the repo where PCAPs are stored
GITHUB_BRANCH main Branch to sync from
PORT 3020 Server port
HOST 0.0.0.0 Bind address
TRANSPORT streamable-http MCP transport (streamable-http or stdio)
DISABLE_JWT_AUTH true Set to false to enable Azure AD JWT authentication
AZURE_AD_TENANT_ID Required when JWT auth is enabled
AZURE_AD_CLIENT_ID Optional audience validation when JWT auth is enabled
ENABLE_AUTH_LOGGING false Log user access to tools
WIRESHARK_PROJECT_TTL 86400 Seconds before stale project workspaces are auto-purged

Passing Credentials via HTTP Headers

Instead of environment variables, credentials can be passed per-request via HTTP headers. This is useful when multiple users share a single server instance:

Header Maps to
X-GitHub-Username GITHUB_USERNAME
X-GitHub-PAT GITHUB_PAT
X-GitHub-Repo GITHUB_REPO
X-GitHub-Path GITHUB_PATH
X-GitHub-Branch GITHUB_BRANCH

Headers take precedence over environment variables.

MCP Tools

PCAP Management

Tool Description
wireshark_list_pcaps List synced and available PCAPs (local + GitHub)
wireshark_sync_pcap Download a single PCAP from GitHub
wireshark_sync_all_pcaps Download all PCAPs from GitHub (skips already-synced)
wireshark_remove_pcap Remove a local PCAP copy
wireshark_clean_project Remove entire project workspace

Analysis

Tool Description
wireshark_pcap_triage Automated first-pass triage (start here)
wireshark_analyze_pcap Comprehensive packet analysis
wireshark_protocol_hierarchy Protocol distribution breakdown
wireshark_conversations TCP/UDP/IP conversation statistics
wireshark_display_filter Apply Wireshark display filters
wireshark_follow_stream Reconstruct TCP/UDP stream payloads
wireshark_top_talkers Identify highest-volume traffic sources

Protocol Deep-Dives

Tool Description
wireshark_tcp_health TCP retransmissions, dup ACKs, health scoring
wireshark_dns_analysis DNS queries, NXDOMAIN, tunneling detection
wireshark_http_summary HTTP methods, status codes, response times
wireshark_tls_analysis TLS versions, ciphers, certificate info

Security

Tool Description
wireshark_extract_credentials Extract plaintext credentials from traffic
wireshark_check_threats Check PCAP IPs against threat intelligence
wireshark_check_ip_threat Check a single IP against threat feeds

Typical Analysis Workflow

1. wireshark_list_pcaps          → See what's in your GitHub repo
2. wireshark_sync_pcap           → Pull a capture file into the container
3. wireshark_pcap_triage         → Get an overview and recommendations
4. wireshark_tcp_health          → Drill into TCP issues (if flagged)
5. wireshark_display_filter      → Filter to specific traffic patterns
6. wireshark_follow_stream       → Reconstruct an application conversation
7. wireshark_check_threats       → Check IPs against threat intelligence
8. wireshark_clean_project       → Clean up when done

GitHub Repository Setup for PCAPs

  1. Create a GitHub repository (private recommended for sensitive captures).
  2. Create a directory for your PCAP files (e.g., pcaps/).
  3. Push your .pcap or .pcapng files to that directory.
  4. Create a Personal Access Token with repo scope (for private repos) or public_repo scope (for public repos).
  5. Configure the container with your repo URL, path, and token.
# Example repo structure
your-pcap-repo/
├── pcaps/
│   ├── incident-2025-01-15.pcap
│   ├── baseline-traffic.pcapng
│   └── suspicious-dns.pcap
└── README.md

Local Development

Prerequisites

  • Python 3.11+
  • tshark / Wireshark installed
  • pip

Setup

pip install -r requirements.txt

# Copy and configure environment
cp .env.example .env
# Edit .env with your GitHub credentials

# Run the server
python server.py

Install tshark

macOS:

brew install wireshark

Ubuntu/Debian:

sudo apt-get install tshark

License

ISC

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选