Release history

bx33661/Wireshark-MCP releases

Wireshark network packet analysis MCP Server with capture, protocol stats, field extraction, and security analysis capabilities.

All releases

v1.2.0 Breaking risk
Notable features
  • QUIC/HTTP3 analysis tool extracting version, connection IDs, SNI, and HTTP/3 frames
  • WebSocket analysis reporting frame types, payload lengths, and masking
  • MQTT analysis extracting message types, topics, QoS, client IDs with frequency stats
Full changelog

1.2.0 — 2026-05-10

Performance, token optimization, and new protocol analysis tools.

Added

  • QUIC/HTTP3 analysis — wireshark_analyze_quic extracts QUIC version, connection IDs, SNI, and HTTP/3 frames
  • WebSocket analysis — wireshark_analyze_websocket reports frame types, payload lengths, and masking
  • MQTT analysis — wireshark_analyze_mqtt extracts message types, topics, QoS, and client IDs with frequency stats
  • gRPC analysis — wireshark_analyze_grpc with HTTP/2 content-type fallback detection
  • Result cache — LRU cache for tshark read-only commands (file mtime + size invalidation, 5-min TTL)
  • Token budget test — CI guard ensuring total tool docstring size stays under 8000 chars
  • Concurrency tests — verify agents and TCP health run phases in parallel
  • Protocol tool tests — coverage for all 4 new protocol tools

Changed

  • Concurrent security audit — 6 independent analysis phases now run via asyncio.gather (~3x faster)
  • Concurrent quick analysis — 7 data fetches run in parallel
  • Concurrent TCP health — 8 tshark checks run via asyncio.gather instead of sequential loop
  • Docstring optimization — all 51 tool descriptions slimmed to 4447 chars total (~1100 tokens)
  • Output format — emoji replaced with text tags ([!]/[W]/[i]/[OK]), ASCII box art removed
  • Stats truncation — expert_info and service_response_time now auto-truncate large results
  • Publish workflow — added contents: read permission and Homebrew tap notification step

Fixed

  • Version mismatch between pyproject.toml and server.json
v1.1.5 Bug fix
Notable features
  • Added Void client (config at ~/.config/void/mcp_servers.json)
  • Added BoltAI client for macOS (config at ~/.boltai/mcp.json)
  • Added Kiro client for macOS, Linux, and Windows (config at ~/.kiro/settings/mcp.json)
Full changelog

Fixes

  • TUI arrow-key fix (macOS Terminal, iTerm2, Claude Code terminal) — handles both the CSI (\x1b[A/B) and SS3 (\x1bOA/B) escape sequences, fully resolving the problem where Up/Down keys were misread as ESC and the install menu exited immediately
  • BufferedReader buffering race fix — replaced sys.stdin.buffer.read(1) with os.read(fd, 1), bypassing Python's internal buffering layer so that select.select() correctly detects the bytes that follow an escape sequence
  • select timeout increased — raised from 50ms to 100ms to accommodate terminals where bytes arrive with a slight delay
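The three fixes above describe one decoding problem: a bare ESC must be told apart from the first byte of a CSI or SS3 arrow sequence, and the follow-up bytes must actually be visible to select(). The following is an added example, not the project's code; decode_key, stdin_source and decode_stream are hypothetical names, and the timeout value mirrors the 100ms from the notes.

```python
import os
import select
import sys
from typing import Callable, List

# Byte sequences terminals emit for Up/Down. Most terminals send the CSI
# form (ESC [ A); terminals in application-cursor mode send SS3 (ESC O A).
# Constructed lookup table for this example.
_ARROWS = {b"\x1b[A": "UP", b"\x1b[B": "DOWN",
           b"\x1bOA": "UP", b"\x1bOB": "DOWN"}
_SINGLE = {b" ": "SPACE", b"\r": "ENTER", b"\n": "ENTER"}


def decode_key(read_byte: Callable[[], bytes], pending: Callable[[], bool]) -> str:
    """Decode one key press from a raw byte source.

    read_byte() returns exactly one byte; pending() reports whether another
    byte is already waiting (the select() check). A lone ESC with nothing
    waiting is a real ESC; ESC + '[' or 'O' + a final letter is an arrow key.
    """
    first = read_byte()
    if first != b"\x1b":
        return _SINGLE.get(first, first.decode("latin-1"))
    if not pending():
        return "ESC"            # bare ESC: nothing followed within the timeout
    second = read_byte()
    if second not in (b"[", b"O") or not pending():
        return "ESC"            # ESC + unrelated byte; that byte is dropped
    third = read_byte()
    return _ARROWS.get(first + second + third, "UNKNOWN")


def stdin_source(timeout: float = 0.1):
    """Byte source over a raw-mode terminal (hypothetical helper).

    os.read() on the descriptor is used instead of sys.stdin.buffer.read(1):
    the BufferedReader may already have pulled the '[' 'A' bytes into its own
    buffer, where select() cannot see them, so the key would look like a bare ESC.
    """
    fd = sys.stdin.fileno()

    def read_byte() -> bytes:
        return os.read(fd, 1)

    def pending() -> bool:
        return bool(select.select([fd], [], [], timeout)[0])

    return read_byte, pending


def decode_stream(data: bytes) -> List[str]:
    """Decode an in-memory byte stream (for testing without a terminal)."""
    buf = bytearray(data)
    keys: List[str] = []
    while buf:
        keys.append(decode_key(lambda: bytes([buf.pop(0)]), lambda: len(buf) > 0))
    return keys
```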

New Clients

| Client | Platform | Config path |
|--------|----------|-------------|
| Void | macOS / Linux / Windows | ~/.config/void/mcp_servers.json |
| BoltAI | macOS | ~/.boltai/mcp.json |
| Kiro | macOS / Linux / Windows | ~/.kiro/settings/mcp.json |


Full changelog: changelog/1.1.5.md

v1.1.0 New feature
⚠ Upgrade required
  • `CHANGELOG.md` now serves as a version index; full release notes are located in the per‑release Markdown files under `changelog/`
  • Updated documentation (`AGENTS.md`, `docs/manual-configuration*`) to reflect the new changelog directory structure and OpenCode configuration details
Notable features
  • OpenCode MCP client auto‑install and manual config for macOS, Linux, and Windows
  • Interactive TUI installer with arrow‑key + space checkbox selection (falls back to install‑all in non‑TTY)
  • Explicit `wireshark-mcp update` subcommand rewrites configs only for already‑installed clients
Full changelog

[1.1.0] - 2026-04-17


English

Added

  • OpenCode MCP client support — Auto-install and manual config for OpenCode on macOS, Linux, and Windows. OpenCode uses a flat "mcp" key with command as an array and env under "environment"; a dedicated config generator handles this correctly.
  • Interactive TUI installer — wireshark-mcp install now shows an arrow-key + space checkbox menu (pure stdlib, no external dependencies) instead of installing to all detected clients at once. Already-detected clients are pre-selected. Falls back to install-all in non-TTY environments (CI, pipes).
  • wireshark-mcp update subcommand — Explicitly re-writes the config only for clients that already have wireshark-mcp installed. Clients without an existing entry are skipped with [SKIP] not installed. Semantically distinct from install (which writes regardless).
  • changelog/ directory — Per-release Markdown files (bilingual EN/ZH) replacing the single CHANGELOG.md. The root CHANGELOG.md is now an index table pointing to each release file.

Changed

  • CHANGELOG.md restructured as a version index; full content moved to changelog/<version>.md.
  • AGENTS.md now documents the changelog/ convention so agents know where to record changes.
  • Manual configuration docs (docs/manual-configuration.md, docs/manual-configuration_zh.md) updated with an OpenCode section.
v1.0.0 Breaking risk
⚠ Upgrade required
  • Deprecation: `wireshark_read_packets` is deprecated; new workflows should use `wireshark_get_packet_list` plus `wireshark_get_packet_details`
  • Pinned the runtime `mcp` dependency to the 1.x line to reduce future compatibility drift
Breaking changes
  • Removed unused root `requirements.txt` file
Notable features
  • Suite capability reporting via `wireshark_get_capabilities` and `wireshark://capabilities` resource
  • Optional Wireshark suite tools for editcap-based trimming, splitting, time shifting, deduplication, and text2pcap import support
  • Machine-readable `--format json` output for `wireshark-mcp doctor` and `wireshark-mcp clients`
Full changelog

[1.0.0] - 2026-03-16

Added

  • Added suite capability reporting via wireshark_get_capabilities and the wireshark://capabilities resource.
  • Added optional Wireshark suite tools for editcap-based trimming, splitting, time shifting, and deduplication, plus text2pcap import support.
  • Added regression tests for startup-wide contextual tool registration, wireshark_open_file recommendations, capinfos-free open-file fallback, and deterministic URLhaus URL/domain matching.
  • Added machine-readable --format json output for wireshark-mcp doctor and wireshark-mcp clients.
  • Added focused docs/ guides for manual configuration and prompt engineering so the main README can stay closer to a landing page.

Changed

  • Promoted the project to a 1.0-stable release and pinned the runtime mcp dependency to the 1.x line to reduce future compatibility drift.
  • The MCP server now keeps a stable tool surface for the full session: contextual tools are registered at startup, and wireshark_open_file recommends the most relevant tools for a capture instead of mutating the tool catalog mid-session.
  • wireshark_open_file now degrades gracefully when capinfos is unavailable, so the recommended capture-opening workflow still works on minimal tshark-only installations.
  • wireshark_check_threats now matches captured HTTP URLs plus DNS/TLS hostnames against cached URLhaus data, replacing the earlier IP-oriented matching semantics with a more reproducible URL/domain workflow.
  • wireshark_security_audit, MCP prompts, MCP resources, and both READMEs were updated to align with the stable 1.0 workflow and the new threat-intelligence semantics.
  • The CLI documentation, CI smoke tests, and contribution docs now use the stable subcommand-oriented interface (install, doctor, config, clients) while still documenting legacy flag compatibility.
  • Live capture now prefers dumpcap when available while keeping tshark as the only required Wireshark dependency.
  • Installer diagnostics now classify Wireshark tools as required, recommended, or optional.
  • Release metadata and support-policy files now agree on the 1.0 version line across packaging, registry metadata, and security documentation.

Deprecated

  • wireshark_read_packets remains available for 1.x compatibility, but new workflows should use wireshark_get_packet_list plus wireshark_get_packet_details.

Removed

  • Removed the unused root requirements.txt file to avoid implying a second, undocumented installation path alongside the packaged release flow.
v0.6.5 New feature
Notable features
  • Optional Wireshark suite tooling added
  • Cursor one-click installation instructions included in READMEs
Full changelog

What's Changed

  • Add optional Wireshark suite tooling by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/5
  • Codex/dev by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/6
  • feat: Add Cursor one-click installation instructions to READMEs by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/7
  • Release 0.6.5 by @bx33661 in https://github.com/bx33661/Wireshark-MCP/pull/8

New Contributors

  • @bx33661 made their first contribution in https://github.com/bx33661/Wireshark-MCP/pull/5

Full Changelog: https://github.com/bx33661/Wireshark-MCP/compare/v0.6.4...v0.6.5

v0.6.4 Bugfix

Fixed lint issue in the new skill distribution test.

Full changelog

Highlights

  • Follow-up patch release to keep the new cross-client skill discovery work aligned with a green CI state.
  • Fixed the lint issue in the new skill distribution test.

Verification

  • uv run ruff check .
  • uv run pytest -q
  • uv run python -m build
v0.6.3 New feature
Notable features
  • Expanded Wireshark traffic-analysis skill documentation across AGENTS.md, CLAUDE.md, GEMINI.md, and GitHub Copilot instructions
  • Added machine-readable skill catalog with a sync script to mirror canonical skills into app-specific locations
Full changelog

Highlights

  • Expanded the Wireshark traffic-analysis skill for broader AI-client discovery with AGENTS.md, CLAUDE.md, GEMINI.md, GitHub Copilot instructions, and mirrored skill folders.
  • Added a machine-readable skill catalog plus a sync script so canonical skills can be mirrored into app-specific locations without drift.
  • Tightened the reporting style to be more professional, with clearer confidence, severity, and reproducibility guidance.

Verification

  • Skill validation passed.
  • uv run pytest -q
  • uv run python -m build
v0.6.2 New feature
Notable features
  • Bundled Codex skill for Wireshark traffic analysis with triage, security, incident-response, troubleshooting, and CTF playbooks
  • Skill grounded in official Wireshark documentation covering protocol hierarchy, endpoints, conversations, expert info, display filters, and follow‑stream behavior
  • Updated wheel packaging to ship the bundled skill inside release artifacts under wireshark_mcp/skills
Full changelog

Highlights

  • Added a bundled Codex skill for Wireshark traffic analysis with triage, security, incident-response, troubleshooting, and CTF playbooks.
  • Grounded the skill in official Wireshark documentation for protocol hierarchy, endpoints, conversations, expert info, display filters, and follow-stream behavior.
  • Updated wheel packaging so the bundled skill ships inside release artifacts under wireshark_mcp/skills.

Verification

  • Skill validation passed.
  • uv run pytest -q
  • uv run python -m build
v0.6.1 Bug fix
Notable features
  • Added `wireshark-mcp --doctor` diagnostic subcommand
Full changelog

Fixed

  • Auto-install now works more reliably across macOS, Linux, and Windows by using platform-correct client config paths and a stable Python module entrypoint.
  • GUI MCP clients now receive forwarded runtime environment variables plus detected absolute Wireshark tool paths, reducing failures caused by missing PATH state.
  • Added wireshark-mcp --doctor to diagnose Python resolution, Wireshark CLI discovery, and detected MCP client configs.
  • TShark command validation now accepts Windows-style executable paths consistently.

Changed

  • GitHub Actions CI now uses current actions/checkout and actions/setup-python major versions.
  • The CI type-check step now runs with a package-based mypy invocation that works with the repository's src/ layout.
  • The CI test job installs tshark non-interactively and no longer assumes a pre-existing wireshark Unix group on GitHub-hosted runners.
v0.6.0 New feature
Notable features
  • `wireshark_security_audit`: one‑call comprehensive security audit with risk scoring
  • `wireshark_quick_analysis`: one‑call traffic overview (file info, protocol distribution, top talkers, conversations, hostnames, anomaly summary)
  • Dynamic `ToolRegistry` system activates protocol‑specific tools on demand via configurable `PROTOCOL_TOOL_MAP`
Full changelog

Added

🚀 Agentic Workflows — Server-side Orchestrated Analysis

  • wireshark_security_audit: One-call comprehensive security audit (8 analysis phases, risk scoring 0-100, structured report with findings and recommendations)
  • wireshark_quick_analysis: One-call traffic overview (file info, protocol distribution, top talkers, conversations, hostnames, anomaly summary)

🔍 Progressive Discovery — Dynamic Tool Registration

  • wireshark_open_file: New entry-point tool that analyzes pcap content and dynamically activates protocol-specific tools
  • ToolRegistry system: Server starts with ~17 core tools; protocol-specific tools activate on demand when matching protocols are detected
  • PROTOCOL_TOOL_MAP: Configurable mapping from protocols (HTTP, DNS, TLS, etc.) to relevant tool sets

Changed

  • Security tools (wireshark_check_threats, wireshark_extract_credentials) are now contextual — activated via wireshark_open_file
  • Protocol tools (wireshark_extract_tls_handshakes, wireshark_analyze_tcp_health, wireshark_detect_arp_spoofing, wireshark_extract_smtp_emails, wireshark_extract_dhcp_info) are now contextual
  • Threat detection tools (wireshark_detect_port_scan, wireshark_detect_dns_tunnel, wireshark_detect_dos_attack, wireshark_analyze_suspicious_traffic) are now contextual
  • Extract tools (wireshark_extract_http_requests, wireshark_extract_dns_queries, wireshark_export_objects, wireshark_verify_ssl_decryption) are now contextual
v0.5.0 New feature
Notable features
  • Three new MCP resources: display‑filter cheatsheet, protocol‑field reference, and usage guide
  • Five new MCP prompts covering security audit, performance analysis, CTF solving, incident response, and traffic overview
  • Ten deep protocol analysis tools for TLS handshakes, TCP health, ARP spoofing, SMTP email extraction, DHCP info, port scan detection, DNS tunnel detection, DoS/DDoS pattern detection, and suspicious‑traffic anomaly analysis
Full changelog

🚀 What's New in v0.5.0

MCP Resources (3) — First Wireshark MCP to implement

  • wireshark://reference/display-filters — Display filter cheatsheet
  • wireshark://reference/protocol-fields — Protocol field reference
  • wireshark://guide/usage — Analysis workflow guide

MCP Prompts (5) — First Wireshark MCP to implement

  • security_audit — Full security audit workflow
  • performance_analysis — Network performance analysis
  • ctf_solve — CTF challenge solver
  • incident_response — Incident response workflow
  • traffic_overview — Quick traffic summary

Deep Protocol Analysis (5 new tools)

  • wireshark_extract_tls_handshakes — TLS version/cipher/SNI
  • wireshark_analyze_tcp_health — Retransmissions/resets/zero window
  • wireshark_detect_arp_spoofing — IP-MAC conflict detection
  • wireshark_extract_smtp_emails — SMTP metadata extraction
  • wireshark_extract_dhcp_info — DHCP lease information

Advanced Security Suite (4 new tools)

  • wireshark_detect_port_scan — SYN/FIN/NULL/Xmas scan detection
  • wireshark_detect_dns_tunnel — DNS tunneling detection
  • wireshark_detect_dos_attack — DoS/DDoS pattern detection
  • wireshark_analyze_suspicious_traffic — Comprehensive anomaly analysis

Engineering Quality

  • Path sandbox (WIRESHARK_MCP_ALLOWED_DIRS)
  • Binary execution whitelist
  • Structured logging
  • CLI: --version, --transport sse, --port, --log-level
  • Docker support (Dockerfile + docker-compose)
  • 91 tests (up from 15)
  • CI: ruff + mypy + coverage + Python 3.10-3.13 matrix

Full Changelog: https://github.com/bx33661/Wireshark-MCP/compare/v0.4.0...v0.5.0

v0.4.0 New feature
Notable features
  • Unified Search Interface (`wireshark_search_packets`) supporting raw payload, decoded field, and native Wireshark filter scopes
  • Packet Context feature (`wireshark_get_packet_context`) to view preceding and following packets
  • Hex View feature (`wireshark_get_packet_bytes`) for raw packet data in Hex + ASCII
Full changelog

🚀 Major Features

  • Unified Search Interface (wireshark_search_packets):

    • One tool to rule them all! Support for:
      • scope="bytes": Raw payload search (grep-style).
      • scope="details": Decoded field search (regex supported).
      • scope="filter": Native Wireshark display filter syntax (e.g., http.response.code == 200).
  • Packet Context (wireshark_get_packet_context):

    • View the "before and after" of any packet. Perfect for understanding the sequence of events leading up to an error.
  • Hex View (wireshark_get_packet_bytes):

    • Inspect raw packet data in standard Hex + ASCII format, completing the "Three Pane" Wireshark experience (List, Details, Bytes).

✨ Improvements

  • Performance: Optimized wireshark_get_packet_details with layer filtering (-j) to significantly reduce token usage.
  • Documentation: Added CLAUDE.md for developer guidance and updated README.md / README_zh.md.
  • Stability: Fixed connection issues and verified with a comprehensive test suite (27 tests passed).

Beta — feedback welcome: [email protected]