### WireMCP Installation Steps Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Provides the necessary commands to clone the WireMCP repository and install its dependencies using npm. ```bash git clone https://github.com/0xkoda/WireMCP.git cd WireMCP npm install ``` -------------------------------- ### Verification Commands for WireMCP Setup Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Commands to verify the installation and versions of Node.js, npm, and tshark. Also includes commands to list network interfaces and test basic packet capture. ```bash # Check Node.js node --version # Check npm npm --version # Check tshark tshark -v # List network interfaces tshark -D # Test packet capture tshark -i en0 -c 10 # Capture 10 packets on en0 ``` -------------------------------- ### Consult Quick Reference Guide Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/00_START_HERE.md Use the QUICK_REFERENCE.md file for fast answers and common commands. ```bash cat QUICK_REFERENCE.md ``` -------------------------------- ### Run WireMCP Server Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Start the WireMCP MCP server using Node.js. ```bash node index.js ``` -------------------------------- ### Install Dependencies Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Install the necessary Node.js dependencies for WireMCP. ```bash npm install ``` -------------------------------- ### Server Startup with Custom Node Options Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Starts the WireMCP server with increased memory allocation for the Node.js process. ```bash node --max-old-space-size=4096 index.js ``` -------------------------------- ### Install wireshark-cli on RedHat/CentOS Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Installs the wireshark-cli package using yum and verifies the installation. ```bash sudo yum install wireshark-cli # Verify installation which tshark ``` -------------------------------- ### Enabling and Starting WireMCP Systemd Service Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Commands to enable the WireMCP service to start on boot and to start it immediately. ```bash sudo systemctl enable wiremcp sudo systemctl start wiremcp ``` -------------------------------- ### Development Server Startup with Debug Logging Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Starts the WireMCP server in development mode, enabling debug logging for all modules. ```bash DEBUG=* node index.js ``` -------------------------------- ### Install Wireshark via Homebrew and Link tshark Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Installs Wireshark using Homebrew and creates a symbolic link for tshark in the PATH. ```bash # Install Wireshark via Homebrew brew install wireshark # Link tshark to PATH sudo ln -s /usr/local/bin/tshark /usr/local/bin/tshark ``` -------------------------------- ### MCP Configuration Example for Claude/Cursor Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md An example JSON configuration for integrating WireMCP with MCP servers, specifically for use with Claude or Cursor. Ensure the absolute path to the WireMCP index.js file is provided. ```json { "mcpServers": { "wiremcp": { "command": "node", "args": ["/absolute/path/to/wiremcp/index.js"] } } } ``` -------------------------------- ### Install tshark on Debian/Ubuntu Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Installs the tshark package using apt-get and verifies the installation. ```bash sudo apt-get install tshark # Verify installation which tshark ``` -------------------------------- ### Basic WireMCP Tool Call Example Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Demonstrates how to call the 'capture_packets' tool to capture network traffic for a specified duration on a given interface. ```javascript // Capture 10 seconds of traffic on wlan0 const result = await client.callTool('capture_packets', { interface: 'wlan0', duration: 10 }); console.log(result.content[0].text); ``` -------------------------------- ### Example Output for check_threats Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Illustrates the output when running the `check_threats` command, showing captured IPs and threat detection results against the URLhaus blacklist. ```text Captured IPs: 174.67.0.227 52.196.136.253 Threat check against URLhaus blacklist: No threats detected in URLhaus blacklist. ``` -------------------------------- ### File Not Found (PCAP) Example Usage Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Demonstrates the correct and incorrect way to call a tool that requires a PCAP file path, highlighting the importance of providing a valid path. ```javascript // Wrong const result = await client.callTool('analyze_pcap', { pcapPath: 'missing.pcap' }); // Correct const result = await client.callTool('analyze_pcap', { pcapPath: './capture.pcap' }); ``` -------------------------------- ### Required Node.js Packages Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md List of npm packages required for the WireMCP server. Install these using npm. ```json { "@modelcontextprotocol/sdk": "^1.8.0", "axios": "^1.8.4", "child_process": "^1.0.2", "util": "^0.12.5", "which": "^5.0.0", "zod": "^3.24.2" } ``` -------------------------------- ### Define and Use 'check_ip_threats_prompt' Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md This snippet shows the server-side signature for the 'check_ip_threats_prompt' and a client-side example of how to retrieve and use it. The prompt analyzes an IP address for security threats. ```javascript server.prompt( 'check_ip_threats_prompt', { ip: z.string(), }, ({ ip }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('check_ip_threats_prompt', { ip: '192.168.1.100' }); ``` -------------------------------- ### Define and Use 'extract_credentials_prompt' Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md This snippet shows the server-side signature for 'extract_credentials_prompt' and a client-side example for retrieving it. The prompt is designed to extract and analyze credentials from PCAP files. ```javascript server.prompt( 'extract_credentials_prompt', { pcapPath: z.string(), }, ({ pcapPath }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('extract_credentials_prompt', { pcapPath: '/tmp/suspicious_traffic.pcap' }); ``` -------------------------------- ### Prompt Response Structure Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md This example illustrates the standard response structure for all prompts. The 'messages' array contains a 'user' role with 'content' that includes the formatted prompt template. ```javascript { messages: [{ role: 'user', content: { type: 'text', text: string // Formatted prompt template with parameters substituted } }] } ``` -------------------------------- ### Example Output for analyze_pcap Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Shows the JSON output from analyzing a PCAP file using the `analyze_pcap` command, including unique IPs, protocols, and packet data. ```json { "content": [{ "type": "text", "text": "Analyzed PCAP: ./capture.pcap Unique IPs: 192.168.0.2 192.168.0.1 Protocols: eth:ethertype:ip:tcp eth:ethertype:ip:tcp:telnet Packet Data: [{"layers":{"frame.number":[\"1\"],"ip.src":[\"192.168.0.2\"],"ip.dst":[\"192.168.0.1\"],"tcp.srcport":[\"1550\"],"tcp.dstport":[\"23\"]}}]]" }] } ``` -------------------------------- ### WireMCP Error Handling Example Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Illustrates how to handle potential errors when calling a WireMCP tool, such as 'check_ip_threats'. It checks the 'isError' property of the result. ```javascript const result = await client.callTool('check_ip_threats', { ip: '192.168.1.1' }); if (result.isError) { console.error('Tool failed:', result.content[0].text); } else { console.log('Threat analysis:', result.content[0].text); } ``` -------------------------------- ### Systemd Service Configuration for WireMCP Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Configuration file for running WireMCP as a systemd service on Linux. Ensure the WorkingDirectory and ExecStart paths are correct for your installation. ```ini [Unit] Description=WireMCP Network Analysis Server After=network.target [Service] Type=simple User=wiremcp WorkingDirectory=/opt/wiremcp ExecStart=/usr/bin/node /opt/wiremcp/index.js Restart=on-failure RestartSec=10 [Install] WantedBy=multi-user.target ``` -------------------------------- ### WireMCP Prompt Signatures Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Lists the signatures for all 7 MCP prompt templates used by WireMCP to guide LLM analysis. ```text capture_packets_prompt(interface?, duration?) → PromptMessage summary_stats_prompt(interface?, duration?) → PromptMessage conversations_prompt(interface?, duration?) → PromptMessage check_threats_prompt(interface?, duration?) → PromptMessage check_ip_threats_prompt(ip) → PromptMessage analyze_pcap_prompt(pcapPath) → PromptMessage extract_credentials_prompt(pcapPath) → PromptMessage ``` -------------------------------- ### capture_packets_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md A prompt template that guides LLM analysis of captured network traffic focusing on traffic types, patterns, and security concerns. ```APIDOC ## capture_packets_prompt ### Description A prompt template that guides LLM analysis of captured network traffic focusing on traffic types, patterns, and security concerns. ### Parameters #### Path Parameters - **interface** (string) - Optional - Network interface name. Defaults to `en0`. - **duration** (number) - Optional - Capture duration in seconds. Defaults to `5`. ### Request Example ```javascript const prompt = await client.getPrompt('capture_packets_prompt', { interface: 'eth0', duration: 10 }); ``` ### Response #### Success Response - **messages** (array) - Contains a list of messages, each with a role and content. - **role** (string) - The role of the message sender (e.g., 'user'). - **content** (object) - The content of the message. - **type** (string) - The type of content (e.g., 'text'). - **text** (string) - The actual text content of the prompt. ### Prompt Template ``` Please analyze the network traffic on interface {interface} for {duration} seconds and provide insights about: 1. The types of traffic observed 2. Any notable patterns or anomalies 3. Key IP addresses and ports involved 4. Potential security concerns ``` ``` -------------------------------- ### Get Protocol Hierarchy Statistics Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live traffic and provides protocol hierarchy statistics showing the distribution of protocols. Useful for understanding traffic composition. ```javascript server.tool( 'get_summary_stats', 'Capture live traffic and provide protocol hierarchy statistics for LLM analysis', { interface: z.string().optional().default('en0'), duration: z.number().optional().default(5), }, async (args) => { ... } ) ``` ```javascript const result = await client.callTool('get_summary_stats', { interface: 'en0', duration: 5 }); ``` -------------------------------- ### Summary Statistics Prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Use this prompt to analyze protocol hierarchy statistics from network traffic. Specify the network interface and capture duration to get a summary of traffic statistics. ```javascript server.prompt( 'summary_stats_prompt', { interface: z.string().optional(), duration: z.number().optional(), }, ({ interface = 'en0', duration = 5 }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('summary_stats_prompt', { interface: 'wlan0', duration: 15 }); ``` -------------------------------- ### Get Conversations Tool Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live network traffic to provide TCP/UDP conversation statistics. Use this tool for analyzing network communication patterns. ```javascript server.tool( 'get_conversations', 'Capture live traffic and provide TCP/UDP conversation statistics for LLM analysis', { interface: z.string().optional().default('en0'), duration: z.number().optional().default(5), }, async (args) => { ... } ) ``` ```javascript const result = await client.callTool('get_conversations', { interface: 'wlan0', duration: 10 }); ``` -------------------------------- ### Add Wireshark to PATH on macOS (GUI Installation) Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Appends the Wireshark application's MacOS directory to the system's PATH environment variable in shell configuration files. ```bash export PATH="/Applications/Wireshark.app/Contents/MacOS:$PATH" ``` -------------------------------- ### Capture Network Packets Prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Use this prompt to guide LLM analysis of captured network traffic. It focuses on traffic types, patterns, and security concerns. Specify the network interface and capture duration. ```javascript server.prompt( 'capture_packets_prompt', { interface: z.string().optional(), duration: z.number().optional(), }, ({ interface = 'en0', duration = 5 }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('capture_packets_prompt', { interface: 'eth0', duration: 10 }); ``` -------------------------------- ### Extract Credentials Tool Usage Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Example of how to use the extract_credentials tool to find sensitive information within a pcap file. This is useful for security audits and forensic analysis. ```javascript const result = await client.callTool('extract_credentials', { pcapPath: './suspicious_traffic.pcap' }); ``` ```javascript // Useful for security audits and forensic analysis const result = await client.callTool('extract_credentials', { pcapPath: '/tmp/network_capture.pcap' }); ``` -------------------------------- ### Read Project README Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/00_START_HERE.md Read the main README file for a high-level overview of the project. ```bash cat README.md ``` -------------------------------- ### Initialize MCP Server Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Initializes the WireMCP server as an MCP server with a specified name and version. ```javascript const server = new McpServer({ name: 'wiremcp', version: '1.0.0', }); ``` -------------------------------- ### View API Reference, Configuration, or Errors Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/00_START_HERE.md Use the 'cat' command to view specific documentation files related to tools, configuration, or errors within the WireMCP project. ```bash # For specific tools cat api-reference/tools.md # For configuration cat configuration.md # For troubleshooting cat errors.md ``` -------------------------------- ### List Network Interfaces Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Use this command to find available network interfaces on your system. This is often a prerequisite for network capture. ```bash tshark -D ``` -------------------------------- ### Parameter Defaults for WireMCP Tools Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Defines default parameters for live capture tools, file-based tools, and IP threat checks. Adjust 'interface' for Linux and ensure 'pcapPath' and 'ip' are correctly formatted. ```javascript // Live capture tools default to: { interface: 'en0', // Change to 'eth0' on Linux duration: 5 // Seconds } // File-based tools require: { pcapPath: 'file.pcap' // Absolute or relative path } // IP threat check requires: { ip: '192.168.1.1' // IPv4 format only } ``` -------------------------------- ### summary_stats_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md A prompt template for analyzing protocol hierarchy statistics from network traffic. ```APIDOC ## summary_stats_prompt ### Description A prompt template for analyzing protocol hierarchy statistics from network traffic. ### Parameters #### Path Parameters - **interface** (string) - Optional - Network interface name. Defaults to `en0`. - **duration** (number) - Optional - Capture duration in seconds. Defaults to `5`. ### Request Example ```javascript const prompt = await client.getPrompt('summary_stats_prompt', { interface: 'wlan0', duration: 15 }); ``` ### Prompt Template ``` Please provide a summary of network traffic statistics from interface {interface} over {duration} seconds, focusing on: 1. Protocol distribution 2. Traffic volume by protocol 3. Notable patterns in protocol usage 4. Potential network health indicators ``` ``` -------------------------------- ### Clone WireMCP Repository Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Clone the WireMCP repository to your local machine. ```bash git clone https://github.com/0xkoda/WireMCP.git cd WireMCP ``` -------------------------------- ### Connect Server with Stdio Transport Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Connects the initialized MCP server using stdio transport and handles startup success or failure. ```javascript server.connect(new StdioServerTransport()) .then(() => console.error('WireMCP Server is running...')) .catch(err => { console.error('Failed to start WireMCP:', err); process.exit(1); }) ``` -------------------------------- ### Define and Use 'analyze_pcap_prompt' Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md This snippet defines the server-side signature for 'analyze_pcap_prompt' and demonstrates client-side usage for retrieving the prompt. This prompt is used for comprehensive PCAP file analysis. ```javascript server.prompt( 'analyze_pcap_prompt', { pcapPath: z.string(), }, ({ pcapPath }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('analyze_pcap_prompt', { pcapPath: './capture.pcap' }); ``` -------------------------------- ### WireMCP Data Flow Overview Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Illustrates the sequence of operations from a Tool Call by an MCP Client to the final Tool Response. ```text Tool Call (MCP Client) ↓ [Parameter Validation via Zod] ↓ [findTshark() locates tshark executable] ↓ [Execute tshark command] ↓ [Parse output (JSON or text)] ↓ [For threat tools: fetch URLhaus data if needed] ↓ [Trim data if needed (720k char limit)] ↓ Tool Response (JSON wrapped in MCP format) ``` -------------------------------- ### Configure Cursor MCP Server Source: https://github.com/0xkoda/wiremcp/blob/main/README.md Configure the WireMCP server in Cursor's MCP settings by editing the mcp.json file. ```json { "mcpServers": { "wiremcp": { "command": "node", "args": [ "/ABSOLUTE_PATH_TO/WireMCP/index.js" ] } } } ``` -------------------------------- ### Extended PATH Environment for Command Execution Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Configures the environment for executing commands by extending the PATH variable to include common binary directories. ```javascript { env: { ...process.env, PATH: `${process.env.PATH}:/usr/bin:/usr/local/bin:/opt/homebrew/bin` } } ``` -------------------------------- ### Configure MCP Server for WireMCP Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Shows the JSON configuration required for an MCP client, like Claude via Cursor, to connect to the WireMCP server. ```json { "mcpServers": { "wiremcp": { "command": "node", "args": ["/path/to/WireMCP/index.js"] } } } ``` -------------------------------- ### Check Live Traffic for Threats Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Use the `check_threats` tool to scan live network traffic for known IP threats. Specify the network interface and duration. ```javascript await client.callTool('check_threats', { interface: 'eth0', duration: 5 }); ``` -------------------------------- ### Retry Network Operations with Axios Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Demonstrates a try-catch block for handling potential network errors when making requests with Axios. It shows how to gracefully fail and continue execution if a network request fails. ```javascript try { const response = await axios.get(urlhausUrl); } catch (e) { // Fails gracefully, continues with empty threat list } ``` -------------------------------- ### Check Threats Tool Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live traffic, extracts IP addresses, and checks them against the URLhaus threat intelligence blacklist. Use this for real-time threat detection in network traffic. ```javascript server.tool( 'check_threats', 'Capture live traffic and check IPs against URLhaus blacklist', { interface: z.string().optional().default('en0'), duration: z.number().optional().default(5), }, async (args) => { ... } ) ``` ```javascript const result = await client.callTool('check_threats', { interface: 'eth0', duration: 5 }); // Result might be: // Captured IPs: // 192.168.1.1 // 8.8.8.8 // // Threat check against URLhaus blacklist: // No threats detected in URLhaus blacklist. ``` -------------------------------- ### check_ip_threats_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md A prompt template for analyzing a single IP address for security threats. ```APIDOC ## check_ip_threats_prompt ### Description A prompt template for analyzing a single IP address for security threats. ### Parameters #### Path Parameters - **interface** (string) - Optional - Network interface name. Defaults to `en0`. - **duration** (number) - Optional - Capture duration in seconds. Defaults to `5`. ### Prompt Template ``` Please analyze traffic on interface {interface} for {duration} seconds and check for security threats: 1. Compare captured IPs against URLhaus blacklist 2. Identify potential malicious activity 3. Highlight any concerning patterns 4. Provide security recommendations ``` ``` -------------------------------- ### WireMCP Tool Signatures Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Lists the signatures for all 7 MCP tools provided by WireMCP, including parameters and return types. ```text capture_packets(interface?, duration?) → PacketJSON[] get_summary_stats(interface?, duration?) → StatisticsText get_conversations(interface?, duration?) → ConversationStatsText check_threats(interface?, duration?) → ThreatsReport check_ip_threats(ip) → IPThreatStatus analyze_pcap(pcapPath) → PCAPAnalysisReport extract_credentials(pcapPath) → CredentialExtractionReport ``` -------------------------------- ### conversations_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md A prompt template for analyzing TCP/UDP conversation flows and patterns. ```APIDOC ## conversations_prompt ### Description A prompt template for analyzing TCP/UDP conversation flows and patterns. ### Parameters #### Path Parameters - **interface** (string) - Optional - Network interface name. Defaults to `en0`. - **duration** (number) - Optional - Capture duration in seconds. Defaults to `5`. ### Request Example ```javascript const prompt = await client.getPrompt('conversations_prompt', { interface: 'eth0', duration: 20 }); ``` ### Prompt Template ``` Please analyze network conversations on interface {interface} for {duration} seconds and identify: 1. Most active IP pairs 2. Conversation durations and data volumes 3. Unusual communication patterns 4. Potential indicators of network issues ``` ``` -------------------------------- ### check_threats_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md A prompt template for analyzing traffic against threat intelligence feeds. ```APIDOC ## check_threats_prompt ### Description A prompt template for analyzing traffic against threat intelligence feeds. ### Parameters #### Path Parameters - **interface** (string) - Optional - Network interface name. Defaults to `en0`. - **duration** (number) - Optional - Capture duration in seconds. Defaults to `5`. ### Request Example ```javascript const prompt = await client.getPrompt('check_threats_prompt', { interface: 'eth0', duration: 10 }); ``` ### Prompt Template ``` Please analyze traffic on interface {interface} for {duration} seconds and check for security threats: 1. Compare captured IPs against URLhaus blacklist 2. Identify potential malicious activity 3. Highlight any concerning patterns 4. Provide security recommendations ``` ``` -------------------------------- ### Check Threats Prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Use this prompt to analyze network traffic against threat intelligence feeds. Specify the network interface and capture duration to check for malicious activity and receive security recommendations. ```javascript server.prompt( 'check_threats_prompt', { interface: z.string().optional(), duration: z.number().optional(), }, ({ interface = 'en0', duration = 5 }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('check_threats_prompt', { interface: 'eth0', duration: 10 }); ``` -------------------------------- ### Permission Denied Resolution Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Provides bash commands to resolve 'Permission denied' errors for PCAP files by adjusting file read permissions. ```bash # Make file readable chmod +r capture.pcap # Or grant to user group sudo chmod g+r capture.pcap ``` -------------------------------- ### Default Parameters for Capture Tools Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Specifies default network interface and capture duration for packet capture and analysis tools. ```javascript { interface: 'en0', // Default network interface duration: 5 // Capture duration in seconds } ``` -------------------------------- ### Capture Live Network Traffic Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Use the `capture_packets` tool to capture live network traffic. Specify the network interface and duration in seconds. ```javascript await client.callTool('capture_packets', { interface: 'eth0', duration: 10 }); ``` -------------------------------- ### get_summary_stats Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live traffic and provides protocol hierarchy statistics showing the distribution of protocols in the captured traffic. It allows specifying the network interface and capture duration. ```APIDOC ## get_summary_stats ### Description Captures live traffic and provides protocol hierarchy statistics showing the distribution of protocols in the captured traffic. ### Parameters #### Path Parameters - None #### Query Parameters - **interface** (string) - Optional - Default: `en0` - Network interface to capture from - **duration** (number) - Optional - Default: `5` - Capture duration in seconds ### Request Body - None ### Request Example ```json { "interface": "en0", "duration": 5 } ``` ### Response #### Success Response (200) - **content** (array) - Array of content objects. - **type** (string) - Type of content, expected to be 'text'. - **text** (string) - Protocol hierarchy statistics for LLM analysis. - **isError** (boolean) - Optional - Indicates if an error occurred. #### Response Example ```json { "content": [ { "type": "text", "text": "Protocol hierarchy statistics for LLM analysis:\n=================================================================== Protocol Hierarchy Statistics =================================================================== protocol frames bytes mps bps eth 1234 567890 12.34 5678.90" } ], "isError": false } ``` ### Errors - **tshark not found**: tshark executable not found. - **Command execution**: Failed to execute tshark command. ``` -------------------------------- ### check_ip_threats_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Analyzes a given IPv4 address for potential security threats by checking against blacklists, evaluating reputation, and identifying malicious activity. ```APIDOC ## check_ip_threats_prompt ### Description Analyzes a given IPv4 address for potential security threats by checking against blacklists, evaluating reputation, and identifying malicious activity. ### Signature ```javascript server.prompt( 'check_ip_threats_prompt', { ip: z.string(), }, ({ ip }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ### Parameters #### Path Parameters - **ip** (string) - Required - IPv4 address to analyze ### Prompt Template ``` Please analyze the following IP address ({ip}) for potential security threats: 1. Check against URLhaus blacklist 2. Evaluate the IP's reputation 3. Identify any known malicious activity 4. Provide security recommendations ``` ### Usage ```javascript const prompt = await client.getPrompt('check_ip_threats_prompt', { ip: '192.168.1.100' }); ``` ``` -------------------------------- ### Permission Denied Error Return Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Illustrates the tool's response when tshark encounters a 'Permission denied' error while trying to read a PCAP file. The error message is specific to tshark's file access issues. ```javascript { content: [{ type: 'text', text: 'Error: tshark: An error occurred while opening the file...' }], isError: true } ``` -------------------------------- ### extract_credentials_prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Extracts and analyzes potential credential exposure from PCAP files, identifying plaintext credentials, Kerberos attempts, and hashed credentials. ```APIDOC ## extract_credentials_prompt ### Description Extracts and analyzes potential credential exposure from PCAP files, identifying plaintext credentials, Kerberos attempts, and hashed credentials. ### Signature ```javascript server.prompt( 'extract_credentials_prompt', { pcapPath: z.string(), }, ({ pcapPath }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ### Parameters #### Path Parameters - **pcapPath** (string) - Required - Path to PCAP file to analyze ### Prompt Template ``` Please analyze the PCAP file at {pcapPath} for potential credential exposure: 1. Look for plaintext credentials (HTTP Basic Auth, FTP, Telnet) 2. Identify Kerberos authentication attempts 3. Extract any hashed credentials 4. Provide security recommendations for credential handling ``` ### Usage ```javascript const prompt = await client.getPrompt('extract_credentials_prompt', { pcapPath: '/tmp/suspicious_traffic.pcap' }); ``` ``` -------------------------------- ### check_ip_threats Parameters Schema Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md Defines the parameters for the check_ip_threats tool using Zod. Requires an IP address string validated by a regex pattern. ```javascript { ip: z.string().regex(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/) } ``` -------------------------------- ### Tool Response Structure Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md Defines the standard response structure for all WireMCP tools. Includes content and an optional error flag. ```javascript { content: [{ type: 'text', text: string }], isError?: boolean } ``` -------------------------------- ### Check a Single IP Address for Threats Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Use the `check_ip_threats` tool to check a specific IP address for known threats. Ensure the IP address is in valid IPv4 format. ```javascript await client.callTool('check_ip_threats', { ip: '8.8.8.8' }); ``` -------------------------------- ### Conversations Prompt Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/prompts.md Use this prompt to analyze TCP/UDP conversation flows and patterns. Specify the network interface and capture duration to identify active IP pairs, conversation details, and communication patterns. ```javascript server.prompt( 'conversations_prompt', { interface: z.string().optional(), duration: z.number().optional(), }, ({ interface = 'en0', duration = 5 }) => ({ messages: [{ role: 'user', content: { type: 'text', text: string } }] }) ) ``` ```javascript const prompt = await client.getPrompt('conversations_prompt', { interface: 'eth0', duration: 20 }); ``` -------------------------------- ### Protocol Hierarchy Statistics Format Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md This is the text format output from the get_summary_stats tool, detailing protocol hierarchy statistics. It includes columns for protocol name, frames, bytes, megabytes per second, and bits per second. ```text =================================================================== Protocol Hierarchy Statistics =================================================================== protocol frames bytes mps bps eth 1234 567890 12.34 5678.90 ip 1000 456789 10.00 4567.89 tcp 800 345678 8.00 3456.78 http 200 123456 2.00 1234.56 udp 200 111111 2.00 1111.11 dns 100 50000 1.00 500.00 ``` -------------------------------- ### Implement Custom Retry Logic for Tool Calls Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Provides a function to automatically retry tool calls that fail, up to a specified maximum number of retries. It includes a delay between retries to avoid overwhelming the system. Throws an error if all retries fail. ```javascript async function callWithRetry(toolName, args, maxRetries = 3) { for (let i = 0; i < maxRetries; i++) { const result = await client.callTool(toolName, args); if (!result.isError) return result; if (i < maxRetries - 1) await new Promise(r => setTimeout(r, 1000)); } throw new Error(`Failed after ${maxRetries} retries`); } ``` -------------------------------- ### EncryptedCredential Data Structure (Kerberos) Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md Represents encrypted credentials, specifically for Kerberos. Includes a hashcat-compatible hash string, username, realm, and frame number. Provides recommended cracking mode for hashcat. ```javascript { type: 'Kerberos', hash: string, username: string, realm: string, frame: string, crackingMode: string } ``` -------------------------------- ### analyze_pcap Parameters Schema Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md Defines the parameters for the analyze_pcap tool using Zod. Requires a pcapPath string. ```javascript { pcapPath: z.string() } ``` -------------------------------- ### Check PCAP File Permissions Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Checks the read and write permissions of a PCAP file. Ensures that Wiremcp has the necessary access to read the file. ```bash ls -l capture.pcap ``` -------------------------------- ### capture_packets Parameters Schema Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/types.md Defines the parameters for the capture_packets tool using Zod. Includes optional interface and duration with default values. ```javascript { interface: z.string().optional().default('en0'), duration: z.number().optional().default(5) } ``` -------------------------------- ### Correct IP Format for Tool Call Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Ensures the IP address parameter adheres to the IPv4 format before calling a tool. Use this when validating user input or data before passing it to network-related tools. ```javascript // Wrong await client.callTool('check_ip_threats', { ip: '192.168.1' }); // Correct await client.callTool('check_ip_threats', { ip: '192.168.1.1' }); ``` -------------------------------- ### Check IP Threats Tool Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Checks a single IP address against the URLhaus threat intelligence blacklist. Use this for quick validation of a specific IP address. ```javascript server.tool( 'check_ip_threats', 'Check a given IP address against URLhaus blacklist for IOCs', { ip: z.string().regex(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/), }, async (args) => { ... } ) ``` -------------------------------- ### Find tshark using 'which' command Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/configuration.md Asynchronously finds the path to the tshark executable using the system's 'which' command. ```javascript const tsharkPath = await which('tshark'); ``` -------------------------------- ### Capture Network Packets Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live network traffic from a specified interface and returns raw packet data as JSON. The data is automatically trimmed to fit LLM context limits. ```javascript server.tool( 'capture_packets', 'Capture live traffic and provide raw packet data as JSON for LLM analysis', { interface: z.string().optional().default('en0'), duration: z.number().optional().default(5), }, async (args) => { ... } ) ``` ```javascript // Capture packets on the default interface for 5 seconds const result = await client.callTool('capture_packets', {}); // Capture packets on a specific interface for 10 seconds const result = await client.callTool('capture_packets', { interface: 'eth0', duration: 10 }); ``` -------------------------------- ### check_threats Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Compares captured IP addresses against the URLhaus blacklist to identify potential threats. ```APIDOC ## check_threats ### Description Compares captured IP addresses against the URLhaus blacklist to identify potential threats. ### Method MCP Tool Call ### Parameters #### Tool Parameters - **interface** (string) - Optional - The network interface to capture packets from. - **duration** (number) - Optional - The duration in seconds to capture packets. ### Response #### Success Response - **ThreatsReport** - A report detailing identified threats. ``` -------------------------------- ### get_conversations Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/api-reference/tools.md Captures live traffic and provides TCP/UDP conversation statistics for LLM analysis. It allows specifying the network interface and capture duration. ```APIDOC ## get_conversations ### Description Captures live traffic and provides TCP/UDP conversation statistics for LLM analysis. It allows specifying the network interface and capture duration. ### Method server.tool ### Parameters #### Arguments - **interface** (string) - Optional - Default: `en0` - Network interface to capture from - **duration** (number) - Optional - Default: `5` - Capture duration in seconds ### Return Type ```json { content: [ { type: 'text', text: string } ], isError?: boolean } ``` The `text` field contains: `TCP/UDP conversation statistics for LLM analysis:\n${stdout}` ### Output Format Conversation statistics showing TCP endpoint pairs and their communication metrics. Example: ``` TCP Conversations Address A Address B Frames Bytes Packets 192.168.1.1:8080 192.168.1.100:5000 456 234567 200 192.168.1.1:443 8.8.8.8:443 234 123456 100 ``` ### Errors - **tshark not found**: tshark executable not found - **Command execution**: Failed to execute tshark command ### Example Usage ```javascript const result = await client.callTool('get_conversations', { interface: 'wlan0', duration: 10 }); ``` ``` -------------------------------- ### File Not Found (PCAP) Error Return Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Shows the typical return object when a specified PCAP file is not found. The error message includes the 'ENOENT' code. ```javascript { content: [{ type: 'text', text: 'Error: ENOENT: no such file or directory, access \'./missing.pcap\'' }], isError: true } ``` -------------------------------- ### check_ip_threats Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/README.md Checks a single IP address against the URLhaus blacklist for known threats. ```APIDOC ## check_ip_threats ### Description Checks a single IP address against the URLhaus blacklist for known threats. ### Method MCP Tool Call ### Parameters #### Tool Parameters - **ip** (string) - Required - The IP address to check for threats. ``` -------------------------------- ### Standard WireMCP Error Handling Pattern Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/errors.md Illustrates the typical try-catch block used in WireMCP tools. Errors are returned as MCP responses with an optional 'isError' flag set to true, rather than being thrown. ```javascript try { // Tool implementation return { content: [{ type: 'text', text: outputText }], isError?: boolean // Omitted on success }; } catch (error) { console.error(`Error in tool_name: ${error.message}`); return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true }; } ``` -------------------------------- ### Extract Credentials from a PCAP File Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Use the `extract_credentials` tool to extract credentials from a PCAP file. Specify the path to the PCAP file. ```javascript await client.callTool('extract_credentials', { pcapPath: './capture.pcap' }); ``` -------------------------------- ### Analyze a PCAP File Source: https://github.com/0xkoda/wiremcp/blob/main/_autodocs/QUICK_REFERENCE.md Use the `analyze_pcap` tool to analyze a saved packet capture file (PCAP). Provide the path to the PCAP file. ```javascript await client.callTool('analyze_pcap', { pcapPath: './capture.pcap' }); ```