MCPSERV.CLUB
kylecui

NetForensicMCP

MCP Server

Offline Network Forensics & Threat Intelligence for LLMs

Updated Aug 21, 2025

About

NetForensicMCP is an MCP server that empowers large language models with advanced offline PCAP analysis, threat intelligence integration, and credential extraction, enabling cybersecurity professionals to perform rapid incident response, threat hunting, and compliance auditing.

NetForensicMCP v2.1 – Advanced Offline Network Forensics & Threat Intelligence

NetForensicMCP addresses a critical gap for security teams that need to turn raw packet captures into actionable intelligence without the overhead of manual analysis. By exposing a Model Context Protocol interface, it lets large language models (LLMs) query deep network telemetry directly from a PCAP file. This eliminates the need for separate tooling or custom scripts, enabling AI assistants to surface insights such as credential leaks, command‑and‑control traffic, and protocol anomalies in natural language or structured reports.

The server’s core engine is built on Wireshark’s , which guarantees accurate packet parsing while the MCP layer adds intelligent chunking and token‑aware pagination. This means an LLM can request a specific conversation or protocol histogram without risking token exhaustion, even with gigabyte‑scale captures. The built‑in threat‑intelligence integration—querying URLhaus and other blacklists—allows the model to flag malicious domains in real time, correlating them with packet streams for a cohesive narrative.

Key capabilities include:

  • Protocol hierarchy statistics () that give a high‑level traffic composition.
  • Conversation extraction () to isolate TCP/UDP flows with stream indexing for context.
  • Stream content and chunk extraction (, ) that support pagination, enabling LLMs to request just the parts of a payload they need.
  • Credential detection () across common protocols such as HTTP, FTP, and SMB.
  • Threat scanning () that batch‑processes IP addresses and correlates findings with captured streams.
  • Live capture compatibility () for legacy workflows that still require real‑time data.

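The chunking and token-aware pagination described above, shown as an added Python illustration of the mechanism rather than NetForensicMCP's own code; the 4-characters-per-token estimate, the \xNN rendering of binary bytes and the sample stream are assumptions and constructed input:

```python
# Added illustration of token-aware stream pagination; not NetForensicMCP's code.
# Assumptions: ~4 chars per token; non-printable bytes rendered as \xNN escapes.
CHARS_PER_TOKEN = 4  # rough estimate (assumption)


def render(payload: bytes) -> str:
    """Render bytes as text, escaping non-printable bytes so binary stays token-safe."""
    return "".join(chr(b) if b in (9, 10, 13) or 32 <= b < 127 else f"\\x{b:02x}"
                   for b in payload)


def paginate_stream(payload: bytes, cursor: int = 0, token_budget: int = 64) -> dict:
    """Next page of `payload` from byte `cursor`, sized by rendered length (escapes
    cost more than raw bytes) and cut back to the last newline so a header line or
    protocol command is not split across pages. Always advances by at least one byte."""
    if not 0 <= cursor <= len(payload):
        raise ValueError("cursor out of range")
    char_budget = token_budget * CHARS_PER_TOKEN
    end, chars = cursor, 0
    while end < len(payload):
        cost = len(render(payload[end:end + 1]))
        if chars + cost > char_budget:
            break
        chars, end = chars + cost, end + 1
    if end < len(payload):  # more to come: prefer a line boundary
        nl = payload.rfind(b"\n", cursor, end)  # -1 when no newline in range
        if nl > cursor:
            end = nl + 1
    if end == cursor and cursor < len(payload):  # budget too small: still make progress
        end = cursor + 1
    text = render(payload[cursor:end])
    return {"text": text, "estimated_tokens": -(-len(text) // CHARS_PER_TOKEN),
            "next_cursor": end, "done": end >= len(payload)}


def page_all(payload: bytes, token_budget: int) -> list:
    """Walk every page; joining the pages' text reproduces render(payload)."""
    pages, cursor = [], 0
    while True:
        page = paginate_stream(payload, cursor, token_budget)
        pages.append(page)
        if page["done"]:
            return pages
        cursor = page["next_cursor"]


# Constructed sample: a reassembled HTTP POST followed by a few binary bytes.
SAMPLE_STREAM = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"user=alice&pass=example-only\x00\x01\xff")
```

With a 16-token budget the sample pages out as the request line plus Host header, then the Content-Type header and blank line, then the body, so a client can ask for exactly the page it needs.
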
In practice, a threat hunter can ask the LLM to “identify all HTTP POST requests that contain passwords” and receive a concise list of IOCs, or an incident responder can request a “timeline of all outbound traffic to the suspect IP 192.0.2.15.” The model can then stitch together packet metadata, threat‑intel scores, and protocol details into a coherent report or a visual attack graph.

NetForensicMCP integrates seamlessly with existing AI workflows. Once the MCP server is running, any client that supports the protocol—such as Cursor IDE or custom scripts—can invoke these tools through simple JSON requests. The server handles heavy lifting, returning structured data that the LLM can immediately transform into natural‑language explanations or actionable recommendations. This tight coupling reduces analyst toil, speeds up investigations, and ensures that network evidence is leveraged to its fullest potential.