MCP Wireshark
An MCP server that integrates Wireshark/tshark with AI tools and IDEs. Capture live traffic, parse .pcap files, apply display filters, follow streams, and export JSON - all via Claude Desktop, VS Code, or CLI. Cross‑platform, typed, tested, and pip‑i
What is MCP Wireshark?
MCP Wireshark is a Model Context Protocol (MCP) server that lets AI assistants and IDEs such as Claude, Cursor, and VS Code drive Wireshark/tshark.
This server falls under the Monitoring & Observability and Security categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Installation
Manual Installation
npx mcp-wireshark
How to Set Up and Use MCP Wireshark
MCP Wireshark is a community-maintained MCP server that gives AI assistants direct access to Wireshark's packet analysis engine (tshark) for network traffic inspection. It exposes 13 tools covering live packet capture, PCAP file reading, display filter application, TCP/UDP stream reassembly, protocol decoding, expert analysis, and JSON export. Network engineers, security analysts, and ICS/SCADA specialists use it to ask Claude natural-language questions about network traffic without switching between tools.
Prerequisites
- Python 3.10 or higher
- Wireshark installed with tshark accessible on your system PATH (download from wireshark.org)
- An MCP-compatible client: Claude Desktop, Claude Code, VS Code, Cursor, or Windsurf
- pip or uv for package installation
- Administrator/sudo privileges may be required for live packet capture
Install Wireshark and verify tshark
Install Wireshark for your platform. On macOS, use Homebrew; on Linux, use your package manager. Verify tshark is on your PATH after installation.
# macOS
brew install --cask wireshark
# Ubuntu/Debian
sudo apt-get install tshark
# Verify
tshark --version
Install the mcp-wireshark Python package
Install via pip or uv. This places the mcp-wireshark binary on your PATH.
pip install mcp-wireshark
# or using uv:
uv pip install mcp-wireshark
Add to Claude Code (quickest path)
For Claude Code users, one command installs the server for all projects.
claude mcp add --transport stdio --scope user mcp-wireshark -- mcp-wireshark
Configure Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows).
{
  "mcpServers": {
    "wireshark": {
      "command": "mcp-wireshark"
    }
  }
}
Verify the installation
After restarting your MCP client, ask Claude to run the check_installation tool to confirm tshark is detected.
MCP Wireshark Examples
Client configuration (Claude Desktop)
Minimal Claude Desktop configuration — no environment variables or API keys required.
{
  "mcpServers": {
    "wireshark": {
      "command": "mcp-wireshark"
    }
  }
}
Prompts to try
Drop these prompts into Claude to analyze network traffic with tshark.
- "Summarize ./capture.pcap and tell me which IPs talked the most."
- "From ./traffic.pcap, show me only HTTP requests."
- "Follow TCP stream 0 in ./traffic.pcap and tell me what protocol is inside."
- "Capture 30 seconds of traffic on en0 filtered to tcp.port == 443."
- "Run expert analysis on ./traffic.pcap and group findings by severity."
- "Decode all DNS packets in ./traffic.pcap and show me the queried hostnames."
- "Export every TLS packet from ./capture.pcap to ./tls.json."
Troubleshooting MCP Wireshark
tshark not found on Windows after installing Wireshark
Add the Wireshark installation directory (usually C:\Program Files\Wireshark) to your system PATH environment variable, not just the user PATH. Restart your terminal and MCP client after making the change.
Live capture fails with 'permission denied' or 'no interfaces found'
On Linux, add your user to the wireshark group: 'sudo usermod -aG wireshark $USER' and log out/in. On macOS, run Claude with sudo or adjust tshark permissions. On Windows, ensure Npcap is installed (it comes with Wireshark) and run as Administrator.
read_pcap returns an empty result or errors on a valid .pcap file
Confirm the file path is absolute (not relative) and that the file is a valid pcap or pcapng format. Use the display_filter tool with an empty filter string first to confirm tshark can open the file. Large captures may need the max_packets parameter to avoid timeouts.
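A preflight check for the capture-file advice above (absolute path, valid pcap or pcapng), as an added example that is not part of the mcp-wireshark project. The function names and sample files are constructed for illustration; the magic numbers are those of the pcap and pcapng file formats.

```python
import os
import struct
import tempfile

# Leading magic bytes of classic pcap files (either byte order, us or ns timestamps).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond)",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
PCAPNG_BOM = (b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a")  # byte-order magic at offset 8

def preflight(path):
    """Return (ok, detail) for a capture path before handing it to the server."""
    if not os.path.isabs(path):
        return False, "path is relative; use an absolute path"
    if not os.path.isfile(path):
        return False, "not a regular file"
    with open(path, "rb") as fh:
        head = fh.read(12)
    if head[:4] in PCAP_MAGICS:
        return True, PCAP_MAGICS[head[:4]]
    if head[:4] == PCAPNG_SHB:
        if head[8:12] in PCAPNG_BOM:
            return True, "pcapng"
        return False, "pcapng block type without byte-order magic"
    return False, "unrecognised magic " + head[:4].hex()

def constructed_samples(directory):
    """Write constructed header-only sample files and return their paths."""
    # 24-byte little-endian pcap global header, version 2.4, linktype 1 (Ethernet).
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # 28-byte little-endian pcapng Section Header Block, version 1.0.
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    data = {"ok.pcap": pcap, "ok.pcapng": shb, "notes.pcap": b"GET / HTTP/1.1\r\n"}
    paths = {}
    for name, blob in data.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as fh:
            fh.write(blob)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in constructed_samples(tmp).items():
            print(name, preflight(path))
```

A file that passes this check can still be truncated or corrupt further in; it only rules out relative paths and files that are not captures at all.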
Frequently Asked Questions about MCP Wireshark
What is MCP Wireshark?
MCP Wireshark is a Model Context Protocol (MCP) server that integrates Wireshark/tshark with AI tools and IDEs. Capture live traffic, parse .pcap files, apply display filters, follow streams, and export JSON - all via Claude Desktop, VS Code, or CLI. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install MCP Wireshark?
Follow the installation instructions on the MCP Wireshark GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with MCP Wireshark?
MCP Wireshark works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is MCP Wireshark free to use?
Yes, MCP Wireshark is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
MCP Wireshark Alternatives — Similar Monitoring & Observability Servers
Looking for alternatives to MCP Wireshark? Here are other popular monitoring & observability servers you can use with Claude, Cursor, and VS Code.
Netdata
★ 78.9k Real-time infrastructure monitoring with metrics, logs, alerts, and ML-based anomaly detection.
Kubeshark
★ 11.9k eBPF-powered network observability for Kubernetes. Indexes L4/L7 traffic with full K8s context, decrypts TLS without keys. Queryable by AI agents via MCP and humans via dashboard.
Mission Control
★ 4.9k Self-hosted AI agent orchestration platform: dispatch tasks, run multi-agent workflows, monitor spend, and govern operations from one mission control dashboard.
Grafana
★ 3.0k This MCP server enables natural-language querying of Grafana logs by automatically detecting log sources and service labels. It provides read-only access to log data with intelligent caching for efficient repeat queries.
Sentrux
★ 2.4k Real-time architectural sensor that helps AI agents close the feedback loop, enabling recursive self-improvement of code quality. Pure Rust.
OpenInference
★ 986 OpenTelemetry Instrumentation for AI Observability