WiresharkMCP
The WiresharkMCP project is an MCP server designed to analyze pcap files using tshark, enabling AI-driven dynamic network queries.
Status

Thesis Project: An MCP server that analyzes pcap files using tshark, allowing an AI to dynamically define analysis fields for smart network queries.

This is an active thesis project, and its functionality is currently under development. The goal is to create a robust and intelligent network analysis tool.

💡 Project Motivation

This thesis began by evaluating existing tools, such as WireMCP, which provide a solid foundation for MCP-based pcap analysis.

While tools like WireMCP are effective for basic 5-tuple analysis (e.g., ip.src, ip.dst, tcp.srcport), the Wireshark Labs by Jim Kurose are more demanding: they require querying a wide variety of protocol-specific fields (e.g., http.host, dns.cname, tcp.flags.syn).

This project was created to bridge that gap. It implements an MCP tool that is not limited to a fixed set of fields. Instead, it empowers the AI client to dynamically define the exact display filters and fields required for any given query.

✨ Our Solution

This server implements an "AI-driven" workflow:

  1. An AI model receives a high-level question (e.g., "Find all CNAMEs for www.mit.edu").
  2. The AI determines it needs the dns.cname field with a dns.qry.name == "www.mit.edu" filter.
  3. The AI (via an MCP client) calls the analyze_pcap_details tool with these specific parameters.
  4. The server runs a lightweight, highly targeted tshark command.
  5. Only the precise data requested is returned to the AI for its final answer.

🌟 Features

  • Dynamic Field Selection: The client can specify any tshark display filter (-Y) and any set of fields to extract (-e).
  • Flexible Tshark Path: The client can optionally supply the path to the tshark executable, making the server portable across machines. Because this parameter selects the binary the server launches, and the filter and field list become tshark arguments, the server should only be exposed to MCP clients you trust.
  • Optimized Data Transfer: Returns only the requested fields as JSON, minimizing the data sent back to the model.

🛠️ Setup & Installation

  1. Prerequisites:

    • Node.js (v18.x or newer recommended)
    • tshark (must be installed; the server finds it in PATH or accepts a direct path at runtime).
  2. Clone the Repository:

    git clone https://github.com/ADourou/WiresharkMCP.git
    
  3. Install Dependencies:

    npm install
    

🚀 Usage

  1. Run the MCP Server:

    node server.js
    
  2. Example Client Request: The server listens for MCP tool calls. A client (e.g., your AI script) sends a JSON request like the following over stdio. Only tool_name and pcap_file are required; display_filter, fields and tsharkpath are optional (the original listing marked them with a comment, which is not valid JSON):

    {
      "tool_name": "analyze_pcap_details",
      "pcap_file": "path/to/dns-ethereal-lab-1.pcap",
      "display_filter": "dns.qry.name == \"www.mit.edu\"",
      "fields": ["frame.number", "dns.qry.name", "dns.cname"],
      "tsharkpath": "C:\\Program Files\\Wireshark\\tshark.exe"
    }
    

🎓 Academic Info

  • Institution: University of Crete
  • Department: Computer Science Department
  • Author: Anastasia Dourou
  • Supervisor: Xenofontas Dimitropoulos