bx33661/Wireshark-MCP

MCP Security & Auth

An MCP server that wraps tshark to let AI assistants analyze packet captures and answer questions about network traffic.

Track releases GitHub

Python Latest v1.2.0 · 24d ago Security brief →

Features

Provides an MCP‑compatible API around `tshark` for programmatic packet analysis.
Offers over 40 built‑in tools covering security audits, data extraction, statistics, and protocol deep dives.
Works with Claude Desktop, Cursor, VS Code and many other AI clients via the Model Context Protocol.
Auto‑detects optional Wireshark utilities (e.g., `editcap`, `mergecap`) to enable extra features when available.

Recent releases

View all 13 releases →

v1.2.0 Breaking risk 24d

Notable features

QUIC/HTTP3 analysis tool extracting version, connection IDs, SNI, and HTTP/3 frames
WebSocket analysis reporting frame types, payload lengths, and masking
MQTT analysis extracting message types, topics, QoS, client IDs with frequency stats

Full changelog

1.2.0 — 2026-05-10

Performance, token optimization, and new protocol analysis tools.

Added

QUIC/HTTP3 analysis — wireshark_analyze_quic extracts QUIC version, connection IDs, SNI, and HTTP/3 frames
WebSocket analysis — wireshark_analyze_websocket reports frame types, payload lengths, and masking
MQTT analysis — wireshark_analyze_mqtt extracts message types, topics, QoS, and client IDs with frequency stats
gRPC analysis — wireshark_analyze_grpc with HTTP/2 content-type fallback detection
Result cache — LRU cache for tshark read-only commands (file mtime + size invalidation, 5-min TTL)
Token budget test — CI guard ensuring total tool docstring size stays under 8000 chars
Concurrency tests — verify agents and TCP health run phases in parallel
Protocol tool tests — coverage for all 4 new protocol tools

Changed

Concurrent security audit — 6 independent analysis phases now run via asyncio.gather (~3x faster)
Concurrent quick analysis — 7 data fetches run in parallel
Concurrent TCP health — 8 tshark checks run via asyncio.gather instead of sequential loop
Docstring optimization — all 51 tool descriptions slimmed to 4447 chars total (~1100 tokens)
Output format — emoji replaced with text tags ([!]/[W]/[i]/[OK]), ASCII box art removed
Stats truncation — expert_info and service_response_time now auto-truncate large results
Publish workflow — added contents: read permission and Homebrew tap notification step

Fixed

Version mismatch between pyproject.toml and server.json

View release on GitHub

v1.1.5 Bug fix 1mo

Notable features

Added Void client (config at ~/.config/void/mcp_servers.json)
Added BoltAI client for macOS (config at ~/.boltai/mcp.json)
Added Kiro client for macOS, Linux, and Windows (config at ~/.kiro/settings/mcp.json)

Full changelog

修复 / Fixes

TUI 箭头键修复（macOS Terminal、iTerm2、Claude Code 终端）— 同时处理 CSI（\x1b[A/B）和 SS3（\x1bOA/B）两种转义序列，彻底解决上下键误判为 ESC 导致安装菜单立即退出的问题
BufferedReader 缓冲竞争修复 — 将 sys.stdin.buffer.read(1) 替换为 os.read(fd, 1)，绕过 Python 内部缓冲层，确保 select.select() 能正确检测转义序列后续字节
select 超时提升 — 从 50ms 提高到 100ms，兼容字节到达有轻微延迟的终端

新增客户端 / New Clients

| 客户端 | 平台 | 配置路径 |
|--------|------|----------|
| Void | macOS / Linux / Windows | ~/.config/void/mcp_servers.json |
| BoltAI | macOS | ~/.boltai/mcp.json |
| Kiro | macOS / Linux / Windows | ~/.kiro/settings/mcp.json |

Full changelog: changelog/1.1.5.md

View release on GitHub

v1.1.0 New feature 1mo

⚠ Upgrade required

`CHANGELOG.md` now serves as a version index; full release notes are located in the per‑release Markdown files under `changelog/`
Update documentation (`AGENTS.md`, `docs/manual-configuration*`) reflects the new changelog directory structure and OpenCode configuration details

Notable features

OpenCode MCP client auto‑install and manual config for macOS, Linux, and Windows
Interactive TUI installer with arrow‑key + space checkbox selection (falls back to install‑all in non‑TTY)
Explicit `wireshark-mcp update` subcommand rewrites configs only for already‑installed clients

Full changelog

[1.1.0] - 2026-04-17

English

Added

OpenCode MCP client support — Auto-install and manual config for OpenCode on macOS, Linux, and Windows. OpenCode uses a flat "mcp" key with command as an array and env under "environment"; a dedicated config generator handles this correctly.
Interactive TUI installer — wireshark-mcp install now shows an arrow-key + space checkbox menu (pure stdlib, no external dependencies) instead of installing to all detected clients at once. Already-detected clients are pre-selected. Falls back to install-all in non-TTY environments (CI, pipes).
wireshark-mcp update subcommand — Explicitly re-writes the config only for clients that already have wireshark-mcp installed. Clients without an existing entry are skipped with [SKIP] not installed. Semantically distinct from install (which writes regardless).
changelog/ directory — Per-release Markdown files (bilingual EN/ZH) replacing the single CHANGELOG.md. The root CHANGELOG.md is now an index table pointing to each release file.

Changed

CHANGELOG.md restructured as a version index; full content moved to changelog/<version>.md.
AGENTS.md now documents the changelog/ convention so agents know where to record changes.
Manual configuration docs (docs/manual-configuration.md, docs/manual-configuration_zh.md) updated with an OpenCode section.

中文

新增

OpenCode MCP 客户端支持 — 支持在 macOS、Linux、Windows 上自动安装和手动配置 OpenCode。OpenCode 使用扁平 "mcp" 键、数组格式的 command 和 "environment" 环境变量，专用配置生成器正确处理这一差异。
交互式 TUI 安装器 — wireshark-mcp install 现在显示箭头键 + 空格勾选菜单（纯 stdlib，无外部依赖），不再一次性安装所有检测到的客户端。已检测到的客户端默认预选；非 TTY 环境（CI、管道）自动回退到全部安装。
wireshark-mcp update 子命令 — 只对已安装 wireshark-mcp 的客户端重新写入配置；未安装的客户端标注 [SKIP] not installed 跳过。语义上与 install（无论是否已安装都写入）明确区分。
changelog/ 目录 — 将原单文件 CHANGELOG.md 拆分为每版本独立的双语（中英）Markdown 文件；根目录 CHANGELOG.md 改为指向各版本文件的索引表。

变更

CHANGELOG.md 重构为版本索引，详细内容迁移至 changelog/<version>.md。
AGENTS.md 新增 changelog/ 目录规范说明。
手动配置文档（docs/manual-configuration.md、docs/manual-configuration_zh.md）新增 OpenCode 章节。

View release on GitHub

v1.0.0 Breaking risk 2mo

⚠ Upgrade required

Deprecation: `wireshark_read_packets` is deprecated; new workflows should use `wireshark_get_packet_list` plus `wireshark_get_packet_details`
Pinned the runtime `mcp` dependency to the 1.x line to reduce future compatibility drift

Breaking changes

Removed unused root `requirements.txt` file

Notable features

Suite capability reporting via `wireshark_get_capabilities` and `wireshark://capabilities` resource
Optional Wireshark suite tools for editcap-based trimming, splitting, time shifting, deduplication, and text2pcap import support
Machine-readable `--format json` output for `wireshark-mcp doctor` and `wireshark-mcp clients`

Full changelog

[1.0.0] - 2026-03-16

Added

Added suite capability reporting via wireshark_get_capabilities and the wireshark://capabilities resource.
Added optional Wireshark suite tools for editcap-based trimming, splitting, time shifting, and deduplication, plus text2pcap import support.
Added regression tests for startup-wide contextual tool registration, wireshark_open_file recommendations, capinfos-free open-file fallback, and deterministic URLhaus URL/domain matching.
Added machine-readable --format json output for wireshark-mcp doctor and wireshark-mcp clients.
Added focused docs/ guides for manual configuration and prompt engineering so the main README can stay closer to a landing page.

Changed

Promoted the project to a 1.0-stable release and pinned the runtime mcp dependency to the 1.x line to reduce future compatibility drift.
The MCP server now keeps a stable tool surface for the full session: contextual tools are registered at startup, and wireshark_open_file recommends the most relevant tools for a capture instead of mutating the tool catalog mid-session.
wireshark_open_file now degrades gracefully when capinfos is unavailable, so the recommended capture-opening workflow still works on minimal tshark-only installations.
wireshark_check_threats now matches captured HTTP URLs plus DNS/TLS hostnames against cached URLhaus data, replacing the earlier IP-oriented matching semantics with a more reproducible URL/domain workflow.
wireshark_security_audit, MCP prompts, MCP resources, and both READMEs were updated to align with the stable 1.0 workflow and the new threat-intelligence semantics.
The CLI documentation, CI smoke tests, and contribution docs now use the stable subcommand-oriented interface (install, doctor, config, clients) while still documenting legacy flag compatibility.
Live capture now prefers dumpcap when available while keeping tshark as the only required Wireshark dependency.
Installer diagnostics now classify Wireshark tools as required, recommended, or optional.
Release metadata and support-policy files now agree on the 1.0 version line across packaging, registry metadata, and security documentation.

Deprecated

wireshark_read_packets remains available for 1.x compatibility, but new workflows should use wireshark_get_packet_list plus wireshark_get_packet_details.

Removed

Removed the unused root requirements.txt file to avoid implying a second, undocumented installation path alongside the packaged release flow.

View release on GitHub

v0.6.5 New feature 2mo

Notable features

Optional Wireshark suite tooling added
Cursor one-click installation instructions included in READMEs

Full changelog

What's Changed

Add optional Wireshark suite tooling by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/5
Codex/dev by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/6
feat: Add Cursor one-click installation instructions to READMEs by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/7
Release 0.6.5 by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/8