Wireshark MCP Server

Automated network packet analysis, protocol inspection, and traffic forensics.

Wireshark MCP Server Container

A containerized Model Context Protocol (MCP) server that provides comprehensive network packet analysis using Wireshark/tshark. Connect it to any MCP-compatible AI client for automated network security analysis, protocol inspection, and traffic forensics.

How It Works: GitHub-Based PCAP Sync

This container does not store PCAP files. Instead, it uses a GitHub repository as the source of truth for your packet captures.

┌──────────────┐       ┌───────────────────────────┐       ┌──────────────────┐
│  Your GitHub │       │  Wireshark MCP Container  │       │   AI Client      │
│  Repository  │◄─────►│                           │◄─────►│  (Cursor, etc.)  │
│              │  sync │  tshark analysis engine   │  MCP  │                  │
│  pcaps/      │       │  /tmp/wireshark_workspace │       │                  │
└──────────────┘       └───────────────────────────┘       └──────────────────┘

The workflow:

  1. Store PCAPs in GitHub -- Push .pcap / .pcapng files to any GitHub repo (public or private).
  2. Configure credentials -- Provide your GitHub username, PAT, repo URL, and optional path/branch via environment variables or HTTP headers.
  3. Sync on demand -- Use wireshark_list_pcaps to see what's available, then wireshark_sync_pcap or wireshark_sync_all_pcaps to pull files into the container's temporary workspace.
  4. Analyze -- Run any of the 19 analysis tools against synced PCAPs.
  5. Clean up -- Use wireshark_clean_project or let the automatic TTL (default 24h) purge stale workspaces.

This design means the container stays stateless and ephemeral -- PCAP data lives in your GitHub repo, and the container only pulls what it needs for the current analysis session.
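An added illustration (not the project's code) of two housekeeping checks a workspace like the one above needs: keeping a synced file name inside its project directory, and purging projects older than WIRESHARK_PROJECT_TTL. The helper names and the one-directory-per-project layout are assumptions.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

WORKSPACE = Path("/tmp/wireshark_workspace")  # workspace root from the diagram
DEFAULT_TTL = 86400                           # WIRESHARK_PROJECT_TTL default
ALLOWED_SUFFIXES = {".pcap", ".pcapng"}


def local_pcap_path(workspace: Path, project: str, name: str) -> Path:
    """Map a repo file name to its local copy, refusing non-capture files
    and names that would escape the project directory (e.g. '../x.pcap')."""
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"not a capture file: {name}")
    project_dir = (workspace / project).resolve()
    target = (project_dir / name).resolve()
    if project_dir not in target.parents:
        raise ValueError(f"path escapes workspace: {name}")
    return target


def purge_stale_projects(workspace: Path, ttl: int = DEFAULT_TTL,
                         now=None) -> list:
    """Delete project directories untouched for more than ttl seconds;
    returns the names removed (sorted for stable output)."""
    now = time.time() if now is None else now
    removed = []
    for project_dir in (workspace.iterdir() if workspace.is_dir() else []):
        if project_dir.is_dir() and now - project_dir.stat().st_mtime > ttl:
            shutil.rmtree(project_dir)
            removed.append(project_dir.name)
    return sorted(removed)


def make_demo_workspace() -> Path:
    """Constructed sample: a temporary workspace holding one fresh project
    and one whose mtime is two days old (the stale one the TTL should purge)."""
    ws = Path(tempfile.mkdtemp(prefix="wireshark_ws_"))
    (ws / "fresh_case").mkdir()
    stale = ws / "stale_case"
    stale.mkdir()
    two_days_ago = time.time() - 2 * 86400
    os.utime(stale, (two_days_ago, two_days_ago))
    return ws
```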

Quick Start

Pull from GHCR

docker pull ghcr.io/<your-org>/wireshark-mcp-container:latest

Run with Docker

docker run -d \
  -p 3020:3020 \
  -e DISABLE_JWT_AUTH=true \
  -e GITHUB_USERNAME=your-github-username \
  -e GITHUB_PAT=ghp_xxxxxxxxxxxxxxxxxxxx \
  -e GITHUB_REPO=https://github.com/your-org/your-pcap-repo \
  -e GITHUB_PATH=pcaps \
  -e GITHUB_BRANCH=main \
  --name wireshark-mcp \
  ghcr.io/<your-org>/wireshark-mcp-container:latest

Build Locally

docker build -t wireshark-mcp:latest -f dockerfile .

docker run -d \
  -p 3020:3020 \
  --env-file .env \
  --name wireshark-mcp \
  wireshark-mcp:latest

Configuration

All configuration is done through environment variables. See `.env.example` for a complete reference.

Required

Variable         Description
GITHUB_USERNAME  Your GitHub username
GITHUB_PAT       GitHub Personal Access Token (needs repo scope for private repos)
GITHUB_REPO      Full GitHub repo URL (e.g., https://github.com/org/pcap-repo)

Optional

Variable               Default          Description
GITHUB_PATH            (root)           Subdirectory in the repo where PCAPs are stored
GITHUB_BRANCH          main             Branch to sync from
PORT                   3020             Server port
HOST                   0.0.0.0          Bind address
TRANSPORT              streamable-http  MCP transport (streamable-http or stdio)
DISABLE_JWT_AUTH       true             Set to false to enable Azure AD JWT authentication
AZURE_AD_TENANT_ID     (none)           Required when JWT auth is enabled
AZURE_AD_CLIENT_ID     (none)           Optional audience validation when JWT auth is enabled
ENABLE_AUTH_LOGGING    false            Log user access to tools
WIRESHARK_PROJECT_TTL  86400            Seconds before stale project workspaces are auto-purged

Passing Credentials via HTTP Headers

Instead of environment variables, credentials can be passed per request via HTTP headers. This is useful when multiple users share a single server instance:

Header             Maps to
X-GitHub-Username  GITHUB_USERNAME
X-GitHub-PAT       GITHUB_PAT
X-GitHub-Repo      GITHUB_REPO
X-GitHub-Path      GITHUB_PATH
X-GitHub-Branch    GITHUB_BRANCH

Headers take precedence over environment variables.
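As an added illustration (not the project's code), here is how the header-over-environment precedence and the required-setting check above can be implemented; the function names are assumed, and the PAT is masked before anything is logged, since ENABLE_AUTH_LOGGING output should never carry the token itself.

```python
import os
from typing import Mapping, Optional

# Header -> setting mapping from the table above; header names are matched
# case-insensitively because HTTP header names are case-insensitive.
HEADER_MAP = {
    "x-github-username": "GITHUB_USERNAME",
    "x-github-pat": "GITHUB_PAT",
    "x-github-repo": "GITHUB_REPO",
    "x-github-path": "GITHUB_PATH",
    "x-github-branch": "GITHUB_BRANCH",
}
REQUIRED = ("GITHUB_USERNAME", "GITHUB_PAT", "GITHUB_REPO")
DEFAULTS = {"GITHUB_PATH": "", "GITHUB_BRANCH": "main"}  # (root), main


def resolve_github_config(headers: Mapping[str, str],
                          env: Optional[Mapping[str, str]] = None) -> dict:
    """Merge environment and per-request headers; headers win.
    Raises ValueError if a required setting is absent from both sources."""
    env = os.environ if env is None else env
    cfg = dict(DEFAULTS)
    for key in HEADER_MAP.values():          # environment layer first
        if env.get(key):
            cfg[key] = env[key]
    lowered = {name.lower(): value for name, value in headers.items()}
    for header, key in HEADER_MAP.items():   # headers override
        if lowered.get(header):
            cfg[key] = lowered[header]
    missing = [key for key in REQUIRED if not cfg.get(key)]
    if missing:
        raise ValueError(f"missing required GitHub settings: {missing}")
    return cfg


def redact_for_log(cfg: dict) -> dict:
    """Copy of the resolved config that is safe to write to the access log:
    only the token-type prefix of the PAT survives."""
    safe = dict(cfg)
    pat = safe.get("GITHUB_PAT", "")
    safe["GITHUB_PAT"] = (pat[:4] + "...") if len(pat) > 4 else "***"
    return safe
```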

MCP Tools

PCAP Management

Tool                      Description
wireshark_list_pcaps      List synced and available PCAPs (local + GitHub)
wireshark_sync_pcap       Download a single PCAP from GitHub
wireshark_sync_all_pcaps  Download all PCAPs from GitHub (skips already-synced)
wireshark_remove_pcap     Remove a local PCAP copy
wireshark_clean_project   Remove entire project workspace

Analysis

Tool                          Description
wireshark_pcap_triage         Automated first-pass triage (start here)
wireshark_analyze_pcap        Comprehensive packet analysis
wireshark_protocol_hierarchy  Protocol distribution breakdown
wireshark_conversations       TCP/UDP/IP conversation statistics
wireshark_display_filter      Apply Wireshark display filters
wireshark_follow_stream       Reconstruct TCP/UDP stream payloads
wireshark_top_talkers         Identify high-volume network traffic sources

Try it

List all available PCAP files in my repository.
Perform an automated triage on the latest captured traffic file.
Show me the protocol hierarchy for the network capture named 'incident_001.pcap'.
Identify the top talkers in the network traffic from the last sync.
Apply a display filter to show only HTTP traffic in the current PCAP.

Frequently Asked Questions

What are the key features of Wireshark MCP Server?

Stateless and ephemeral architecture using GitHub as a PCAP source of truth. Automated network packet analysis and protocol inspection via tshark. Support for TCP/UDP stream reconstruction and conversation statistics. Flexible configuration via environment variables or per-request HTTP headers. Automatic workspace cleanup with configurable TTL.

What can I use Wireshark MCP Server for?

Security analysts performing automated forensic triage on network captures. Network engineers auditing protocol distribution and traffic volume. Incident responders reconstructing stream payloads from captured PCAP files. DevOps teams managing network traffic logs in version-controlled repositories.

How do I install Wireshark MCP Server?

Install Wireshark MCP Server by running: docker pull ghcr.io/<your-org>/wireshark-mcp-container:latest

What MCP clients work with Wireshark MCP Server?

Wireshark MCP Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.