---
name: wireshark-mcp
category: digital-forensics
cost: free
api_key_required: no
repo: https://github.com/khuynh22/mcp-wireshark
alternate_repos:
- https://github.com/A-G-U-P-T-A/wireshark-mcp
- https://github.com/0xKoda/WireMCP
- https://github.com/kriztalz/SharkMCP
paired_skills: ["pcap-and-network-forensics"]
capabilities: ["pcap-analysis", "network-forensics", "dfir"]
---
# Wireshark MCP — PCAP analysis, tshark filters, TCP stream following
Reads .pcap files, applies tshark display filters, follows TCP/UDP streams, and exports structured JSON. The khuynh22 variant is recommended — cross-platform, typed, and tested.
## Install
```bash
pip install mcp-wireshark
```
Requires `tshark` to be installed and reachable on `PATH`, since the server shells out to it for every query:
- **Windows:** install Wireshark from wireshark.org (the installer includes tshark)
- **Linux:** `apt install tshark` (Debian/Ubuntu) or `dnf install wireshark-cli` (Fedora); reading existing .pcap files needs no capture privileges, so the non-root capture prompt can be declined
- **macOS:** `brew install wireshark` (installs tshark alongside the GUI)
## Configuration
```json
{
  "mcpServers": {
    "wireshark": {
      "command": "mcp-wireshark"
    }
  }
}
```
## What it adds
Claude reads a PCAP file and answers natural-language questions about the traffic: "what DNS queries did this host make?", "show me all HTTP POST requests", "follow the TCP stream between these two IPs", "what credentials appear in cleartext?". Each question becomes a tshark display filter, stream follow, or JSON export behind the scenes, turning packet analysis from a manual tshark/Wireshark workflow into investigative Q&A. The answers are only as good as the filters the tool ran, so for anything that goes into a report ask for the filter and the frame numbers as well, and confirm the finding in Wireshark.
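The four questions above reduce to a handful of operations on a capture: parse the file, select packets with a display filter, reassemble one TCP conversation, and emit structured fields. As an added example (not code from the wireshark-mcp project or any of the listed repos), the block below implements those operations in plain Python on a tiny libpcap capture that is constructed inline, so it runs offline without tshark; the hosts, ports and credentials in it are made up. Comments give the tshark command each function stands in for, which is what the MCP server invokes on a real capture.

```python
import json
import re
import struct

# --- constructed sample capture (hypothetical hosts and traffic, built here, not a real pcap) ---
def _qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _dns_query(name):
    # header: id, flags 0x0100 (standard query, RD set), qdcount 1; then one A/IN question
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _qname(name) + struct.pack("!HH", 1, 1)

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum left as 0

def _tcp(sport, dport, seq, flags, data):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + data

def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4      # zeroed MACs, EtherType IPv4

POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
        b"Content-Length: 23\r\n\r\nuser=alice&pass=hunter2")
RESP = b"HTTP/1.1 302 Found\r\nSet-Cookie: sid=abc\r\n\r\n"
FRAMES = [
    _frame(17, "10.0.0.5", "10.0.0.1", _udp(53123, 53, _dns_query("intranet.example"))),
    _frame(17, "10.0.0.5", "10.0.0.1", _udp(53124, 53, _dns_query("updates.example"))),
    _frame(6, "10.0.0.5", "10.0.0.20", _tcp(40000, 80, 1, 0x18, POST)),   # PSH|ACK
    _frame(6, "10.0.0.20", "10.0.0.5", _tcp(80, 40000, 1, 0x18, RESP)),
]
# libpcap global header: little-endian magic, v2.4, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for i, f in enumerate(FRAMES):
    PCAP += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f

def parse_qname(buf):
    labels, i = [], 0
    while i < len(buf) and buf[i] != 0:
        n = buf[i]
        if n & 0xC0:            # compression pointer; not expected in a question section
            break
        labels.append(buf[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def read_pcap(blob):
    """Parse a classic libpcap Ethernet capture (not pcapng, not the nanosecond magic) into
    per-packet dicts whose keys mirror tshark field names."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None or struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("expected a libpcap file with LINKTYPE_ETHERNET")
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"frame.number": len(packets) + 1, "frame.time": ts_sec + ts_usec / 1e6}
        packets.append(pkt)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4; keep it as a bare frame
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        pkt["ip.src"] = ".".join(map(str, frame[26:30]))
        pkt["ip.dst"] = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 17 and len(l4) >= 8:
            pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack("!HH", l4[:4])
            if 53 in (pkt["udp.srcport"], pkt["udp.dstport"]) and len(l4) > 20:
                pkt["dns.flags.response"] = bool(l4[10] & 0x80)   # QR bit of the DNS flags
                pkt["dns.qry.name"] = parse_qname(l4[20:])        # name in the first question
        elif proto == 6 and len(l4) >= 20:
            sport, dport, seq = struct.unpack("!HHI", l4[:8])
            data_off = (l4[12] >> 4) * 4
            pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                        "tcp.payload": l4[data_off:]})
    return packets

def dns_queries(packets, host):
    # tshark -r f.pcap -Y 'ip.src == HOST && dns.flags.response == 0' -T fields -e dns.qry.name
    return [p["dns.qry.name"] for p in packets
            if p.get("ip.src") == host and p.get("dns.flags.response") is False]

def http_posts(packets):
    # tshark -r f.pcap -Y 'http.request.method == "POST"' -T fields -e ip.src -e http.request.uri
    return [(p["ip.src"], p["tcp.payload"].split(b"\r\n", 1)[0].decode("ascii", "replace"))
            for p in packets if p.get("tcp.payload", b"").startswith(b"POST ")]

def follow_tcp_stream(packets, a, b):
    # tshark -r f.pcap -z follow,tcp,ascii,N ; here a stream is named by its two (ip, port) endpoints
    segs = [p for p in packets if "tcp.payload" in p
            and {(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])} == {a, b}]
    return b"".join(p["tcp.payload"] for p in sorted(segs, key=lambda p: p["frame.number"]))

def cleartext_credentials(packets):
    # crude sweep for password-style form fields in unencrypted TCP payloads
    # (a real review also covers Basic auth headers, FTP/POP3/IMAP logins, and so on)
    return [(p["ip.src"], p["ip.dst"], m.group(1).decode("ascii", "replace"))
            for p in packets
            for m in re.finditer(rb"(?:pass(?:word)?|pwd)=([^&\s]+)", p.get("tcp.payload", b""))]

def to_json(packets):
    # the '-T json' style export; raw payload bytes are hex-encoded so the result is valid JSON
    return json.dumps([{k: (v.hex() if isinstance(v, bytes) else v) for k, v in p.items()}
                       for p in packets])
```

On a real capture the same questions are answered by tshark's dissectors rather than the hand-rolled field extraction here, which is why the MCP can cover protocols this toy reader does not; the filter strings in the comments are the ones worth asking the agent to echo back so the result can be reproduced in Wireshark.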
## Pairs with skills
- 084 `pcap-and-network-forensics`
## Cost
Free. Requires tshark, which ships with Wireshark and is free and open source.