
WireMCP

An MCP for Wireshark (tshark). Empower LLMs with real-time network traffic analysis capability.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio 0xkoda-wiremcp node index.js

How to use

WireMCP exposes several tools to MCP clients that bridge live network data with LLM reasoning. Key tools include:

  • capture_packets: returns raw packet data as JSON for packet-level analysis.
  • get_summary_stats: provides protocol hierarchy stats to show traffic composition (e.g., TCP vs UDP).
  • get_conversations: delivers TCP/UDP conversation statistics to track endpoint communications.
  • check_threats: cross-references captured IPs against the URLhaus blacklist to surface potential threats.
  • check_ip_threats: performs targeted threat intelligence lookups for specific IPs against multiple feeds to provide reputation data.
  • analyze_pcap: processes PCAP files to yield detailed JSON representations of traffic.
  • extract_credentials: scans PCAPs for potential credentials from protocols like HTTP Basic Auth, FTP, and Telnet.

These tools convert raw network data into structured outputs that LLMs can reason about, enabling threat detection, diagnostics, and narrative generation about network activity. To use them, run WireMCP through Node.js and invoke the desired tool via the MCP client, which will relay requests to index.js and return structured results for incorporation into prompts and analyses.

How to install

Prerequisites:

  • Mac / Windows / Linux
  • Wireshark with tshark installed and accessible in PATH
  • Node.js v16+ (recommended)
  • npm (for dependency installation)

Setup steps:

  1. Clone the repository:

    git clone https://github.com/0xkoda/WireMCP.git
    cd WireMCP
    
  2. Install dependencies:

    npm install
    
  3. Run the MCP server:

    node index.js
    

Note: Ensure tshark is in your PATH. WireMCP will auto-detect tshark or fall back to common install locations (e.g., /Applications/Wireshark.app/Contents/MacOS/tshark on macOS).

Additional notes

Tips and common considerations:

  • Tshark availability: WireMCP relies on tshark for live packet capture. Ensure tshark is installed and reachable from the environment running Node.js.
  • Permissions: On some systems, capturing live traffic may require elevated permissions. Run with appropriate privileges or configure permissions as needed.
  • Environment variables: If you need to customize the tshark path, you can modify PATH or set the tshark path in a startup script that exports the correct environment before starting WireMCP.
  • MCP compatibility: WireMCP is designed to work with any MCP-compliant client. In configurations, reference the server as node index.js and provide the absolute path when necessary.
  • Performance: Live captures can be resource-intensive. For long captures or high-traffic networks, consider running captures in chunks and using analyze_pcap for post-capture analysis.
  • Output formats: Outputs are structured JSON suitable for immediate ingestion by LLMs and downstream tooling.
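
A preflight check for the prerequisites and tips above, added here as an example and not part of WireMCP: it resolves tshark from PATH and then from fallback locations, confirms Node.js is v16 or newer, and tests whether the current account can enumerate capture interfaces. The function names and the two Linux fallback paths are assumptions; the macOS path is the one quoted in the note.

```shell
#!/bin/sh
# Preflight for a host that will run WireMCP (added example; helper names are hypothetical).

# Tried in order when tshark is not on PATH. The first entry is the macOS path
# from the page; the other two are assumed common Linux install locations.
TSHARK_FALLBACKS="/Applications/Wireshark.app/Contents/MacOS/tshark
/usr/bin/tshark
/usr/local/bin/tshark"

# Print the resolved tshark path; return 1 if no executable is found.
find_tshark() {
  if command -v tshark >/dev/null 2>&1; then
    command -v tshark
    return 0
  fi
  for candidate in $TSHARK_FALLBACKS; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Succeed if a version string such as "v18.17.0" has a major version of 16 or higher.
node_version_ok() {
  major=${1#v}
  major=${major%%.*}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -ge 16 ]
}

# Report each prerequisite; return non-zero if a hard requirement is missing.
preflight() {
  rc=0
  if tshark_bin=$(find_tshark); then
    echo "ok: tshark at $tshark_bin"
    # -D lists capture interfaces. An error or an empty list is a rough signal
    # that this account lacks capture rights, so it is a warning, not a failure.
    if [ -n "$("$tshark_bin" -D 2>/dev/null)" ]; then
      echo "ok: capture interfaces are visible to this user"
    else
      echo "warn: no capture interfaces listed; check capture permissions"
    fi
  else
    echo "fail: tshark not found on PATH or in fallback locations"; rc=1
  fi
  if command -v node >/dev/null 2>&1 && node_version_ok "$(node --version)"; then
    echo "ok: node $(node --version)"
  else
    echo "fail: Node.js v16+ not found"; rc=1
  fi
  return $rc
}

preflight || echo "preflight: resolve the failures above before starting WireMCP" >&2
```

Run it as the same user, and in the same environment, that the MCP client uses to launch node index.js, since PATH and capture rights can differ between an interactive shell and a client-spawned process.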
