WireMCP
Empowers LLMs with real-time network traffic analysis using tshark. Requires Wireshark's tshark to be installed.
WireMCP
WireMCP is a Model Context Protocol (MCP) server designed to empower Large Language Models (LLMs) with real-time network traffic analysis capabilities. By leveraging tools built on top of Wireshark's tshark, WireMCP captures and processes live network data, providing LLMs with structured context to assist in tasks like threat hunting, network diagnostics, and anomaly detection.
Features
WireMCP exposes the following tools to MCP clients, enhancing LLM understanding of network activity:
capture_packets: Captures live traffic and returns raw packet data as JSON, enabling LLMs to analyze packet-level details (e.g., IP addresses, ports, HTTP methods).get_summary_stats: Provides protocol hierarchy statistics, giving LLMs an overview of traffic composition (e.g., TCP vs. UDP usage).get_conversations: Delivers TCP/UDP conversation statistics, allowing LLMs to track communication flows between endpoints.check_threats: Captures IPs and checks them against the URLhaus blacklist, equipping LLMs with threat intelligence context for identifying malicious activity.check_ip_threats: Performs targeted threat intelligence lookups for specific IP addresses against multiple threat feeds, providing detailed reputation and threat data.analyze_pcap: Analyzes PCAP files to provide comprehensive packet data in JSON format, enabling detailed post-capture analysis of network traffic.extract_credentials: Scans PCAP files for potential credentials from various protocols (HTTP Basic Auth, FTP, Telnet), aiding in security audits and forensic analysis.
How It Helps LLMs
WireMCP bridges the gap between raw network data and LLM comprehension by:
- Contextualizing Traffic: Converts live packet captures into structured outputs (JSON, stats) that LLMs can parse and reason about.
- Threat Detection: Integrates IOCs (currently URLhaus) to flag suspicious IPs, enhancing LLM-driven security analysis.
- Diagnostics: Offers detailed traffic insights, enabling LLMs to assist with troubleshooting or identifying anomalies.
- Narrative Generation: LLM's can Transform complex packet captures into coherent stories, making network analysis accessible to non-technical users.
Installation
Prerequisites
- Mac / Windows / Linux
- Wireshark (with
tsharkinstalled and accessible in PATH) - Node.js (v16+ recommended)
- npm (for dependency installation)
Setup
-
Clone the repository:
git clone https://github.com/0xkoda/WireMCP.git cd WireMCP -
Install dependencies:
npm install -
Run the MCP server:
node index.js
Note: Ensure
tsharkis in your PATH. WireMCP will auto-detect it or fall back to common install locations (e.g.,/Applications/Wireshark.app/Contents/MacOS/tsharkon macOS).
Usage with MCP Clients
WireMCP works with any MCP-compliant client. Below are examples for popular clients:
Example 1: Cursor
Edit mcp.json in Cursor -> Settings -> MCP :
{
"mcpServers": {
"wiremcp": {
"command": "node",
"args": [
"/ABSOLUTE_PATH_TO/WireMCP/index.js"
]
}
}
}
Location (macOS): /Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json
Other Clients
This MCP will work well with any client. Use the command node /path/to/WireMCP/index.js in their MCP server settings.
Example Output
Running check_threats might yield:
Captured IPs:
174.67.0.227
52.196.136.253
Threat check against URLhaus blacklist:
No threats detected in URLhaus blacklist.
Running analyze_pcap on a capture file:
{
"content": [{
"type": "text",
"text": "Analyzed PCAP: ./capture.pcap\n\nUnique IPs:\n192.168.0.2\n192.168.0.1\n\nProtocols:\neth:ethertype:ip:tcp\neth:ethertype:ip:tcp:telnet\n\nPacket Data:\n[{\"layers\":{\"frame.number\":[\"1\"],\"ip.src\":[\"192.168.0.2\"],\"ip.dst\":[\"192.168.0.1\"],\"tcp.srcport\":[\"1550\"],\"tcp.dstport\":[\"23\"]}}]"
}]
}
LLMs can use these outputs to:
- Provide natural language explanations of network activity
- Identify patterns and potential security concerns
- Offer context-aware recommendations
- Generate human-readable reports
Roadmap
- Expand IOC Providers: Currently uses URLhaus for threat checks. Future updates will integrate additional sources (e.g., IPsum, Emerging Threats) for broader coverage.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
License
Acknowledgments
- Wireshark/tshark team for their excellent packet analysis tools
- Model Context Protocol community for the framework and specifications
- URLhaus for providing threat intelligence data
Похожие серверы
Alpha Vantage MCP Server
спонсорAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
LetzAI
An MCP server for image generation using the LetzAI API.
MCP Jenkins Intelligence
AI-powered Jenkins pipeline intelligence platform with natural language interface. Provides comprehensive pipeline analysis, failure prediction, optimization suggestions, and automated Jenkinsfile reconstruction using Model Context Protocol (MCP) integration.
Kestra Python MCP Server
A Python implementation of a Model Context Protocol server for interacting with Kestra.
Image Tools MCP
Retrieve image dimensions and compress images from URLs or local files using Tinify and Figma APIs.
gopls-mcp
The essential MCP server for Go language: Exposing compiler-grade semantics to AI Agents and LLM for deterministic code analysis and minimal token usage.
Octomind
Create and manage end-to-end tests using the Octomind platform.
MCP Mermaid Server
Generate and analyze Mermaid diagrams.
Headless Terminal (ht) MCP
A high-performance MCP server for the headless terminal (ht), implemented in Rust.
Arch Tools
53 production-ready AI tools via MCP with x402 USDC payments on Base L2 — web scraping, crypto data, AI generation, OCR, and more.
MCP Tool Poisoning Attacks
A Node.js project demonstrating MCP client and server interactions for tool poisoning attacks, requiring an Anthropic API key.