Give your AI assistant a packet analyzer.
Wireshark MCP
Drop a .pcap file, ask questions in plain English — get answers backed by real tshark data.
What is this?
Wireshark MCP is an MCP Server that turns tshark into a structured analysis interface, then layers in optional Wireshark suite utilities such as capinfos, mergecap, editcap, dumpcap, and text2pcap when they are available. The result is a packet-analysis server that still works with only tshark, but gets stronger automatically on hosts with more of the Wireshark toolchain installed.
You: "Find all DNS queries going to suspicious domains in this capture."
Claude: [calls wireshark_extract_dns_queries → wireshark_check_threats]
"Found 3 queries to domains flagged by URLhaus: ..."
Prerequisites
- Python 3.10+
- Wireshark installed with tshark
  - tshark is the only required Wireshark CLI dependency
  - Optional suite tools such as capinfos, mergecap, editcap, dumpcap, and text2pcap are auto-detected and enable extra MCP features when present
  - Live capture prefers dumpcap when available, but falls back to tshark so a minimal installation still works
  - tshark on your PATH is recommended, but wireshark-mcp install also records detected absolute Wireshark tool paths for GUI clients
- Any MCP-compatible client: Claude Desktop, Claude Code, Cursor, VS Code, etc.
1.0 Support Matrix
For v1.0, "stable" means the project commits to the following baseline:
| Area | v1.0 baseline |
|---|---|
| Operating systems | Windows, Linux, and macOS |
| CI validation | Test suite runs on all three platforms; packaged CLI smoke tests run on all three platforms; real tshark integration smoke runs on Linux |
| Python versions | 3.10, 3.11, 3.12, 3.13 |
| Required Wireshark dependency | tshark |
| Optional Wireshark suite tools | capinfos, mergecap, editcap, dumpcap, text2pcap auto-detected when present |
| Supported install paths | pip install wireshark-mcp, source install, and manual MCP config snippets |
| User-facing verification | wireshark-mcp doctor, wireshark-mcp clients, and wireshark-mcp config |
If one of these baseline items stops working, that is a 1.0.x bug, not a "future enhancement".
Installation
Option 1 — One-click install in Cursor (no pre-install needed)
Requires uv and Wireshark to be installed on your system.
Option 2 — pip install + auto-configure
pip install wireshark-mcp
Then auto-configure all your MCP clients in one command:
wireshark-mcp install
That's it — restart your AI client and you're ready to go. 🎉
If anything still looks off, run:
wireshark-mcp doctor
What does install do? It scans your system for known MCP client config files (Claude, Cursor, VS Code, etc.) and injects the wireshark-mcp server entry. Existing settings are preserved. See Supported Clients for the full list.
Install from source
pip install git+https://githu
Tools (2)
- wireshark_extract_dns_queries: Extracts DNS queries from a pcap file.
- wireshark_check_threats: Checks captured network traffic against threat intelligence sources.
Configuration
{"mcpServers": {"wireshark": {"command": "uvx", "args": ["wireshark-mcp"]}}}
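For the manual config path, the entry above has to be merged into a client config that may already list other servers. The sketch below is an added example, not the project's own installer code. It adds the entry without touching existing settings and reports a conflict instead of overwriting a different entry that already uses the same name, since this entry decides which command the client launches. The file name mcp.json and the function names are assumptions for illustration.

```python
import copy
import json
import os
import tempfile
from pathlib import Path

# Server entry copied from the Configuration snippet on this page.
WIRESHARK_ENTRY = {"command": "uvx", "args": ["wireshark-mcp"]}


def merge_server(config, name="wireshark", entry=WIRESHARK_ENTRY):
    """Return (new_config, status) without mutating the input.

    status is "added", "unchanged", or "conflict" (a different entry already
    uses that name; it is left untouched so a person can review it).
    """
    merged = copy.deepcopy(config)
    servers = merged.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    if name not in servers:
        servers[name] = copy.deepcopy(entry)
        return merged, "added"
    return merged, "unchanged" if servers[name] == entry else "conflict"


def update_config_file(path):
    """Merge the entry into a client config file, keeping a .bak copy."""
    path = Path(path)
    original = path.read_text(encoding="utf-8") if path.exists() else "{}"
    merged, status = merge_server(json.loads(original))
    if status != "added":
        return status  # nothing written on "unchanged" or "conflict"
    if path.exists():
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    # Write to a temp file in the same directory, then rename atomically.
    fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    os.replace(tmp, path)
    return status


if __name__ == "__main__":
    # Constructed sample: a client config that already has another server.
    demo = Path(tempfile.mkdtemp()) / "mcp.json"  # hypothetical file name
    demo.write_text('{"mcpServers": {"other": {"command": "other-server"}}, "theme": "dark"}')
    print(update_config_file(demo))
    print(demo.read_text())
```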