
mcpcap

Network analysis for the AI age

Installation
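Run this command in your terminal to add the MCP server to Claude Code. The quoted --env values below are placeholder descriptions; replace them with real values or drop the options you do not need.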
claude mcp add --transport stdio mcpcap-mcpcap python -m mcpcap \
  --env MCPCAP_LOG_LEVEL="Set the logging level (e.g., INFO, DEBUG) if needed" \
  --env MCPCAP_CONFIG_PATH="Optional path to a YAML/JSON config file (if supported by package)"

How to use

mcpcap is a modular Python MCP server designed to analyze network PCAP files using protocol-specific tools. It exposes analysis modules for DNS, DHCP, ICMP, TCP, and CapInfos, each capable of consuming a PCAP file via a local path or a remote URL without any file upload steps. You can start the server and connect an MCP client (e.g., Claude Desktop) to issue analysis requests and receive structured JSON results suitable for downstream reasoning and summarization. The tooling emphasizes stateless analyses and leverages Scapy under the hood for packet parsing, providing prompts focused on security, troubleshooting, and forensic analysis.

To use mcpcap, start the server with the default module set (DNS, DHCP, ICMP, TCP, and CapInfos) or specify a subset of modules. Once running, configure your MCP client to point at the mcpcap server and invoke the available analysis functions, such as analyze_dns_packets or analyze_tcp_connections, passing a path or URL to the PCAP you want to analyze. Results will be returned in a structured JSON format that is easy to feed into LLM workflows for interpretation and reporting.

How to install

Prerequisites:

  • Python 3.10 or greater
  • Network access to install Python packages

Step-by-step installation:

  1. Create a virtual environment (optional but recommended):

    python -m venv venv
    source venv/bin/activate # On Windows use: venv\Scripts\activate

  2. Install mcpcap from PyPI:

    pip install mcpcap

  3. Verify installation by listing the CLI (if available) or starting the server:

    mcpcap --help # If the executable is exposed in PATH

    Or run directly via Python module:

    python -m mcpcap --help

  4. Start the MCP server (default modules):

    mcpcap

  5. Connect your MCP client to the running server (default endpoint): Ensure your client points to the mcpcap server as shown in the README example.

Optional:

  • If you need custom environment configuration, set MCPCAP_LOG_LEVEL or MCPCAP_CONFIG_PATH before starting the server.

Additional notes

Tips and common considerations:

  • PCAP inputs: Always provide a local file path or a remote URL to the PCAP; mcpcap does not upload files.
  • Module selection: Use --modules to load only the needed analysis modules to optimize performance (e.g., mcpcap --modules dns,tcp).
  • Analysis limits: For large PCAPs, consider using --max-packets to constrain processing load (e.g., mcpcap --max-packets 1000).
  • Output: Expect JSON-structured results tailored for LLM consumption, with prompts organized by protocol (DNS, DHCP, ICMP, TCP, CapInfos).
  • Environment variables: MCPCAP_LOG_LEVEL can help with debugging; MCPCAP_CONFIG_PATH can point to a config file if supported.
  • Networking considerations: If running inside containers or restricted environments, ensure network access for fetching remote PCAPs if URLs are used.
  • Extensibility: The architecture is modular; new protocol modules can be added to extend analysis capabilities without modifying core server logic.
