Wireshark
FreeNot checkedEnables AI assistants to analyze, filter, and capture network traffic using Wireshark/tshark, allowing natural language interaction with packet captures.
About
Enables AI assistants to analyze, filter, and capture network traffic using Wireshark/tshark, allowing natural language interaction with packet captures.
README
Community-maintained MCP server for Wireshark /
tshark. Not affiliated with Wireshark or Anthropic. Give your AI assistant direct access to packet captures. Ask Claude to summarize a.pcap, follow a TCP stream, filter for a specific protocol, or capture live traffic — all without leaving the chat.

PyPI version CI License: MIT Python 3.10+
Quick start with Claude Code
pip install mcp-wireshark
claude mcp add --transport stdio --scope user mcp-wireshark -- mcp-wireshark
That's it. Open Claude Code and try:
"Summarize ./capture.pcap and tell me which IPs talked the most."
--scope user makes the server available across every Claude Code project. Drop the flag to install it for the current project only. See claude mcp docs for more.
Verify the install
claude mcp list
You should see mcp-wireshark listed. Inside Claude Code, ask:
"Run check_installation."
If tshark is on your PATH, it returns the version. If not, see troubleshooting.
Tools
The server exposes 14 tools, split cleanly between read tools (safe, no side effects) and write tools (capture traffic or write files). Both groups are annotated with the standard MCP readOnlyHint so any compliant client can surface the distinction.
Read tools
Safe to call freely — they only inspect state.
| Tool | What it does |
|---|---|
check_installation |
Verify tshark is installed and show version |
list_interfaces |
List network interfaces available to capture from |
read_pcap |
Read packets from a .pcap / .pcapng file (preview + total count) |
display_filter |
Apply a Wireshark display filter to a pcap |
summarize_pcap |
High-level summary: I/O stats, protocol hierarchy, top talkers |
stats_by_proto |
Protocol hierarchy statistics |
follow_tcp |
Reassemble a TCP stream and return its payload |
follow_udp |
Reassemble a UDP stream and return its payload |
expert_info |
tshark expert analysis: warnings, errors, and notes grouped by severity |
decode_protocol |
Extract protocol fields as a TSV table. Curated defaults for HTTP, DNS, TLS, GOOSE, MMS, SV, SIP, ICMP; arbitrary fields for any other protocol |
protocol_stats |
Aggregate -z reports (protocol hierarchy, conversations, endpoints, HTTP/DNS/SMB stats) |
analyze_iec61850 |
Health triage for GOOSE/SV/MMS captures: per-source OK/WARN/FAIL with sqNum/stNum gaps, TTL violations, smpCnt discontinuities, lost sync, and MMS errors |
Write tools
These create files or capture live traffic. Compliant clients may prompt before invoking.
| Tool | What it does |
|---|---|
live_capture |
Capture live traffic from an interface (capped at 5 minutes / 10k packets) |
export_json |
Export packets from a pcap to a JSON file at a path you choose |
See it in action
These clips run the real tools against demo/demo.pcapng — a
short home-network capture. Regenerate them with python demo/render_gif.py <scene>.
summarize_pcap — characterize an unknown capture at a glance

decode_protocol — filter to a protocol and get a compact table (here: TLS SNI and DNS-over-HTTPS lookups)

expert_info — let tshark surface the warnings and anomalies for you

Example prompts
Drop these into Claude Code as-is:
List my network interfaces.
Summarize ./traffic.pcap.
From ./traffic.pcap, show me only HTTP requests.
Follow TCP stream 0 in ./traffic.pcap and tell me what protocol is in it.
Capture 30 seconds of traffic on Wi-Fi filtered to tcp.port == 443.
Export every DNS packet from ./traffic.pcap to ./dns.json.
Decode the GOOSE messages in ./substation.pcapng — only stNum >= 1.
Run expert analysis on ./traffic.pcap and group findings by severity.
Show me the IP conversations in ./traffic.pcap.
Useful display filters
| Filter | Matches |
|---|---|
tcp.port == 80 |
HTTP |
tcp.port == 443 |
HTTPS |
dns |
All DNS |
http.request |
HTTP requests only |
ip.addr == 10.0.0.1 |
Traffic to/from a specific host |
tcp.flags.syn == 1 && tcp.flags.ack == 0 |
TCP SYN packets only |
For substation engineers analyzing IEC 61850 traffic:
| Filter | Matches |
|---|---|
goose |
All GOOSE messages |
goose.stNum > 0 |
GOOSE messages with state changes |
mms |
All MMS traffic |
sv |
Sampled Values |
Other clients
Anything that speaks MCP works. The package installs an mcp-wireshark binary on PATH.
Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"wireshark": {
"command": "mcp-wireshark"
}
}
}
VS Code (Copilot / GitHub Copilot Chat)
Create .vscode/mcp.json in your workspace:
{
"servers": {
"wireshark": {
"command": "mcp-wireshark"
}
}
}
Cursor / Windsurf / others
Use the same stdio invocation: command: mcp-wireshark. No transport flags.
Prerequisites
- Python 3.10+
- Wireshark installed;
tsharkreachable onPATH
Install with pip or uv:
pip install mcp-wireshark
# or
uvx mcp-wireshark
Troubleshooting
tshark not found on Windows
Add Wireshark to your system PATH:
- Press
Win+R→ runsysdm.cpl→ Advanced → Environment Variables - Edit
Path→ addC:\Program Files\Wireshark - Restart your terminal and Claude Code, then re-run
check_installation
(Avoid passing PATH through claude mcp add --env — values are taken literally, no %PATH% expansion.)
Permission denied capturing on Linux
Add yourself to the wireshark group, then log out and back in:
sudo usermod -aG wireshark $USER
"No packets captured" from live_capture
- Confirm the interface name from
list_interfaces(Wireshark uses different names thanifconfig/ip) - On macOS, you may need to install ChmodBPF (ships with the Wireshark
.dmg) - Check that no display filter is excluding everything
Development
git clone https://github.com/khuynh22/mcp-wireshark.git
cd mcp-wireshark
python -m venv venv && source venv/bin/activate # Windows: venv\Scripts\activate
pip install -e ".[dev]"
pytest # tests
black src tests # format
ruff check src tests # lint
mypy src # type check
The codebase is organized so new tools land in one of two clearly-scoped files:
src/mcp_wireshark/read_tools.py— anything that just inspects statesrc/mcp_wireshark/write_tools.py— anything that captures traffic or writes files
server.py only contains routing. See CLAUDE.md and CONTRIBUTING.md.
Security
Every file path is validated (.. rejected, extension allow-listed). Every display filter is checked for shell metacharacters. tshark is always invoked via asyncio.create_subprocess_exec, never shell=True. Hard caps: 10k packets per call, 5 min per live capture. See SECURITY.md.
License
MIT — see LICENSE.
Install Wireshark in Claude Desktop, Claude Code & Cursor
unyly install mcp-wiresharkInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add mcp-wireshark -- uvx mcp-wiresharkFAQ
Is Wireshark MCP free?
Yes, Wireshark MCP is free — one-click install via Unyly at no cost.
Does Wireshark need an API key?
No, Wireshark runs without API keys or environment variables.
Is Wireshark hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Wireshark in Claude Desktop, Claude Code or Cursor?
Open Wireshark on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Wireshark with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
