Install Wireshark MCP Server

Pick your client, copy the command, done.

1. Add it to Claude Code

claude mcp add -e "GITHUB_USERNAME=${GITHUB_USERNAME}" -e "GITHUB_PAT=${GITHUB_PAT}" -e "GITHUB_REPO=${GITHUB_REPO}" wireshark-mcp -- docker run -i --rm -e GITHUB_USERNAME=your-user -e GITHUB_PAT=your-pat -e GITHUB_REPO=https://github.com/org/repo ghcr.io/presidio-federal/wireshark-mcp-container:latest
Required: GITHUB_USERNAME, GITHUB_PAT, GITHUB_REPO (+ 2 optional)

Environment Variables

Set these before running Wireshark MCP Server.

| Variable | Description | Required |
|---|---|---|
| GITHUB_USERNAME | Your GitHub username | Yes |
| GITHUB_PAT | GitHub Personal Access Token | Yes |
| GITHUB_REPO | Full GitHub repo URL | Yes |
| GITHUB_PATH | Subdirectory in the repo where PCAPs are stored | No |
| GITHUB_BRANCH | Branch to sync from | No |
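
The install command above carries placeholder values in the docker arguments. As an added example (not code from this page or the project), the sketch below checks the required variables from the table and builds the docker arguments with name-only `-e` flags, which docker fills from its own environment, so the token never appears in the docker argument list. The function names and the https check on GITHUB_REPO are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. IMAGE is the name shown on this page.
IMAGE="ghcr.io/presidio-federal/wireshark-mcp-container:latest"
REQUIRED="GITHUB_USERNAME GITHUB_PAT GITHUB_REPO"
OPTIONAL="GITHUB_PATH GITHUB_BRANCH"

# Print the value of the variable whose name is $1 (names come from the fixed lists).
val_of() { eval "printf '%s' \"\${$1:-}\""; }

# Print the names of required variables that are unset or empty.
missing_vars() {
  out=""
  for name in $REQUIRED; do
    [ -n "$(val_of "$name")" ] || out="$out $name"
  done
  echo "${out# }"
}

# Build the docker command with name-only -e flags: docker copies each value
# from the environment it is started in, so no secret sits in its arguments.
docker_cmd() {
  cmd="docker run -i --rm"
  for name in $REQUIRED; do cmd="$cmd -e $name"; done
  for name in $OPTIONAL; do
    if [ -n "$(val_of "$name")" ]; then cmd="$cmd -e $name"; fi
  done
  echo "$cmd $IMAGE"
}

# Register with Claude Code. The outer -e flags (as in the page's command)
# give the values to the server process; docker then reads them by name.
register() {
  miss="$(missing_vars)"
  if [ -n "$miss" ]; then echo "unset: $miss" >&2; return 1; fi
  case "$GITHUB_REPO" in
    https://*) ;;
    *) echo "GITHUB_REPO must be a full https URL" >&2; return 1 ;;
  esac
  set --
  for name in $REQUIRED $OPTIONAL; do
    v="$(val_of "$name")"
    if [ -n "$v" ]; then set -- "$@" -e "$name=$v"; fi
  done
  claude mcp add "$@" wireshark-mcp -- $(docker_cmd)
}

if [ "${1:-}" = "--register" ]; then register; fi
```

Run the script with `--register` after setting the variables in the current shell; without that argument it only defines the functions.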

Available Tools (12)

Once configured, Wireshark MCP Server gives your AI agent access to:

| Tool | Description | Parameters |
|---|---|---|
| wireshark_list_pcaps | List synced and available PCAPs (local + GitHub) | |
| wireshark_sync_pcap | Download a single PCAP from GitHub | pcap_name |
| wireshark_sync_all_pcaps | Download all PCAPs from GitHub (skips already-synced) | |
| wireshark_remove_pcap | Remove a local PCAP copy | pcap_name |
| wireshark_clean_project | Remove entire project workspace | |
| wireshark_pcap_triage | Automated first-pass triage | pcap_name |
| wireshark_analyze_pcap | Comprehensive packet analysis | pcap_name |
| wireshark_protocol_hierarchy | Protocol distribution breakdown | pcap_name |
| wireshark_conversations | TCP/UDP/IP conversation statistics | pcap_name |
| wireshark_display_filter | Apply Wireshark display filters | pcap_name, filter |
| wireshark_follow_stream | Reconstruct TCP/UDP stream payloads | pcap_name, stream_index |
| wireshark_top_talkers | Identify high-volume network traffic sources | pcap_name |

Try It Out

After setup, try these prompts with your AI agent:

List all available PCAP files in my repository.
Perform an automated triage on the latest captured traffic file.
Show me the protocol hierarchy for the network capture named 'incident_001.pcap'.
Identify the top talkers in the network traffic from the last sync.
Apply a display filter to show only HTTP traffic in the current PCAP.

Prerequisites & system requirements

  • An MCP-compatible client (Claude Code, Cursor, Windsurf, Claude Desktop, or Codex)
  • Docker installed and running
  • GITHUB_USERNAME — Your GitHub username
  • GITHUB_PAT — GitHub Personal Access Token
  • GITHUB_REPO — Full GitHub repo URL

Alternative installation methods

Docker Run

docker run -d -p 3020:3020 -e GITHUB_USERNAME=... -e GITHUB_PAT=... -e GITHUB_REPO=... ghcr.io/<your-org>/wireshark-mcp-container:latest
