Network Traffic Analysis for LLMs

A stateless Python MCP server providing protocol-specific tools for analyzing PCAP files. Run it over stdio, expose it over HTTP, or start the published GHCR image with Docker Compose. Tools accept local file paths or remote URLs as parameters.

6 protocol modules | Python 3.10+ | MIT License

Key Features

Modular Architecture

Easily extensible architecture allows adding new protocol analyzers without modifying core functionality.

Local & Remote PCAP

Analyze local capture files or remote HTTP URLs by passing the target PCAP directly to each tool call.

Scapy Integration

Leverages the powerful scapy library for comprehensive packet parsing and network analysis.

stdio or HTTP

Use the default stdio transport for local MCP apps or expose an HTTP endpoint for network-accessible MCP clients.

JSON Output

Structured JSON responses make analysis results easy for LLMs to understand and process.

Security Focus

Built with security analysis in mind, providing insights into network traffic patterns and anomalies.

Protocol Modules

DNS Module (Active)

Comprehensive DNS packet analysis with query tracking, domain extraction, and response monitoring.

  • DNS query and response analysis
  • Domain and subdomain identification
  • Query type analysis (A, AAAA, MX, etc.)
  • DNS server identification

DHCP Module (Active)

DHCP transaction monitoring with IP assignment tracking and configuration analysis.

  • DHCP transaction tracking
  • IP address lease monitoring
  • Client and server identification
  • Configuration option analysis

ICMP Module (Active)

ICMP packet analysis for network diagnostics, connectivity testing, and error detection.

  • Ping request/reply analysis
  • Network connectivity testing
  • Traceroute path tracking
  • Error message detection

TCP Module (Active)

Connection-centric TCP analysis for handshakes, resets, retransmissions, and bidirectional traffic flow.

  • Connection lifecycle analysis
  • Directional RST and retransmission tracking
  • Traffic flow asymmetry inspection
  • Server IP and port filtering

SIP Module (Active)

SIP signaling analysis for VoIP registration, call setup, response codes, and endpoint tracing.

  • SIP request and response parsing
  • Call-ID and CSeq correlation
  • User-Agent and server banner extraction
  • UDP and TCP signaling visibility

CapInfos Module (Active)

PCAP file metadata and statistics analysis, similar to Wireshark's capinfos utility.

  • File information and size analysis
  • Packet statistics and counts
  • Data throughput calculations
  • Link layer encapsulation detection

HTTP Module (Coming Soon)

HTTP/HTTPS traffic analysis for web communication patterns and security assessment.

  • Request/response analysis
  • Header examination
  • Content type detection
  • Security header validation

Quick Start

1. Install mcpcap: install with pip or uv, or pull the published container with Docker Compose.

2. Start the server: run mcpcap over stdio, expose HTTP, or launch the GHCR image with Compose.

3. Connect and analyze: provide file paths or URLs to analyze PCAP files (no uploads).

# Using pip
pip install mcpcap

# Using uv
uv add mcpcap

# One-time usage
uvx mcpcap

# Start the published container over HTTP
docker compose up

# MCP endpoint
http://127.0.0.1:8080/mcp

# Mounted sample capture path inside the container
analyze_dns_packets("/pcaps/dns.pcap")

# Start MCP server for Claude Desktop and similar clients
mcpcap

# Then use tools with local file PATHS (not uploads)
analyze_dns_packets("/path/to/capture.pcap")
analyze_dhcp_packets("/path/to/dhcp.pcap")
analyze_icmp_packets("/path/to/network.pcap")
analyze_tcp_connections("/path/to/tcp-session.pcap")
analyze_sip_packets("/path/to/voip-signaling.pcap")
analyze_capinfos("/path/to/capture.pcap")

# Start MCP server with HTTP transport
mcpcap --transport http --host 127.0.0.1 --port 8080

# Connect your MCP client to:
http://127.0.0.1:8080/mcp

# Start MCP server
mcpcap

# Then use tools with remote URLs (not uploads)
analyze_dns_packets("https://example.com/capture.pcap")
analyze_dhcp_packets("https://example.com/dhcp.pcap")
analyze_icmp_packets("https://example.com/network.pcap")
analyze_tcp_connections("https://example.com/tcp-session.pcap")
analyze_sip_packets("https://example.com/sip-signaling.pcap")
analyze_capinfos("https://example.com/capture.pcap")
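Because the LLM client chooses the path or URL that each tool call reads, an operator running mcpcap (especially over HTTP) may want to confine those arguments before they reach an analysis tool. The validator below is an added example, not part of mcpcap: ALLOWED_DIRS, ALLOWED_URL_HOSTS, RejectedTarget and validate_pcap_target are hypothetical names, and the /pcaps directory is borrowed from the Compose example above.

```python
import os
from urllib.parse import urlparse

# Hypothetical deployment policy (not part of mcpcap): tool calls may only
# reference captures stored under these directories or served by these hosts.
ALLOWED_DIRS = ("/pcaps",)
ALLOWED_URL_HOSTS = ("captures.example.internal",)


class RejectedTarget(ValueError):
    """Raised when a tool argument points outside the configured policy."""


def validate_pcap_target(target: str) -> str:
    """Return a canonical path or URL for `target`, or raise RejectedTarget.

    Local paths are resolved with realpath() so `..` segments and symlinks
    cannot escape ALLOWED_DIRS; URLs must be http(s) to an allowlisted host.
    Any other scheme (file://, ftp://, data:, ...) is refused outright.
    """
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        if parsed.hostname not in ALLOWED_URL_HOSTS:
            raise RejectedTarget(f"host not allowlisted: {parsed.hostname}")
        return target
    if parsed.scheme:
        raise RejectedTarget(f"unsupported scheme: {parsed.scheme}")
    real = os.path.realpath(target)
    for root in ALLOWED_DIRS:
        root_real = os.path.realpath(root)
        # commonpath() equals the root only when `real` sits inside it; a
        # plain startswith() check would also accept "/pcaps-private/x.pcap".
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    raise RejectedTarget(f"path outside allowed directories: {real}")


def guarded_analyze(tool, target: str):
    """Wrap an analysis tool so it only ever sees a validated target."""
    return tool(validate_pcap_target(target))
```

Hooking guarded_analyze in front of the analyze_* tools gives the server a single place to enforce the policy, independent of what the client asks for.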

Ready to analyze your network traffic?

Join developers using mcpcap to bring network analysis capabilities to their LLM applications.