WireMCP

Features

• `capture_packets`: Captures live traffic and returns raw packet data as JSON, enabling LLMs to analyze packet-level details (e.g., IP addresses, ports, HTTP methods).

• `get_summary_stats`: Provides protocol hierarchy statistics, giving LLMs an overview of traffic composition (e.g., TCP vs. UDP usage).

• `get_conversations`: Delivers TCP/UDP conversation statistics, allowing LLMs to track communication flows between endpoints.

• `check_threats`: Captures IPs and checks them against the URLhaus blacklist, equipping LLMs with threat intelligence context for identifying malicious activity.

• `check_ip_threats`: Performs targeted threat intelligence lookups for specific IP addresses against multiple threat feeds, providing detailed reputation and threat data.

• `analyze_pcap`: Analyzes PCAP files to provide comprehensive packet data in JSON format, enabling detailed post-capture analysis of network traffic.

• `extract_credentials`: Scans PCAP files for potential credentials from various protocols (HTTP Basic Auth, FTP, Telnet), aiding in security audits and forensic analysis.

How It Helps LLMs

• Contextualizing Traffic: Converts live packet captures into structured outputs (JSON, stats) that LLMs can parse and reason about.

• Threat Detection: Integrates IOCs (currently URLhaus) to flag suspicious IPs, enhancing LLM-driven security analysis.

• Diagnostics: Offers detailed traffic insights, enabling LLMs to assist with troubleshooting or identifying anomalies.

• Narrative Generation: LLM's can Transform complex packet captures into coherent stories, making network analysis accessible to non-technical users.

Installation

Prerequisites

• Mac / Windows / Linux

• Wireshark (with tshark installed and accessible in PATH)

• Node.js (v16+ recommended)

• npm (for dependency installation)

Setup

1. Clone the repository:

2. Install dependencies:

3. Run the MCP server:

Note: Ensure tshark is in your PATH. WireMCP will auto-detect it or fall back to common install locations (e.g., /Applications/Wireshark.app/Contents/MacOS/tshark on macOS).

Usage with MCP Clients

Example 1: Cursor

Other Clients

Example Output

• Provide natural language explanations of network activity

• Identify patterns and potential security concerns

• Offer context-aware recommendations

• Generate human-readable reports

Roadmap

• Expand IOC Providers: Currently uses URLhaus for threat checks. Future updates will integrate additional sources (e.g., IPsum, Emerging Threats) for broader coverage.

Contributing

License

Acknowledgments

• Wireshark/tshark team for their excellent packet analysis tools

• Model Context Protocol community for the framework and specifications

• URLhaus for providing threat intelligence data

WireMCP

Features

• `capture_packets`: Captures live traffic and returns raw packet data as JSON, enabling LLMs to analyze packet-level details (e.g., IP addresses, ports, HTTP methods).

• `get_summary_stats`: Provides protocol hierarchy statistics, giving LLMs an overview of traffic composition (e.g., TCP vs. UDP usage).

• `get_conversations`: Delivers TCP/UDP conversation statistics, allowing LLMs to track communication flows between endpoints.

• `check_threats`: Captures IPs and checks them against the URLhaus blacklist, equipping LLMs with threat intelligence context for identifying malicious activity.

• `check_ip_threats`: Performs targeted threat intelligence lookups for specific IP addresses against multiple threat feeds, providing detailed reputation and threat data.

• `analyze_pcap`: Analyzes PCAP files to provide comprehensive packet data in JSON format, enabling detailed post-capture analysis of network traffic.

• `extract_credentials`: Scans PCAP files for potential credentials from various protocols (HTTP Basic Auth, FTP, Telnet), aiding in security audits and forensic analysis.

How It Helps LLMs

• Contextualizing Traffic: Converts live packet captures into structured outputs (JSON, stats) that LLMs can parse and reason about.

• Threat Detection: Integrates IOCs (currently URLhaus) to flag suspicious IPs, enhancing LLM-driven security analysis.

• Diagnostics: Offers detailed traffic insights, enabling LLMs to assist with troubleshooting or identifying anomalies.

• Narrative Generation: LLM's can Transform complex packet captures into coherent stories, making network analysis accessible to non-technical users.

Installation

Prerequisites

• Mac / Windows / Linux

• Wireshark (with tshark installed and accessible in PATH)

• Node.js (v16+ recommended)

• npm (for dependency installation)

Setup

1. Clone the repository:

2. Install dependencies:

3. Run the MCP server:

Note: Ensure tshark is in your PATH. WireMCP will auto-detect it or fall back to common install locations (e.g., /Applications/Wireshark.app/Contents/MacOS/tshark on macOS).

Usage with MCP Clients

Example 1: Cursor

Other Clients

Example Output

• Provide natural language explanations of network activity

• Identify patterns and potential security concerns

• Offer context-aware recommendations

• Generate human-readable reports

Roadmap

• Expand IOC Providers: Currently uses URLhaus for threat checks. Future updates will integrate additional sources (e.g., IPsum, Emerging Threats) for broader coverage.

Contributing

License

Acknowledgments

• Wireshark/tshark team for their excellent packet analysis tools

• Model Context Protocol community for the framework and specifications

• URLhaus for providing threat intelligence data