A comprehensive network packet analyzer that provides both a native CLI tool and a Model Context Protocol (MCP) server for deep analysis of PcapNG and PCAP network capture files.
- Dual Interface - Native CLI tool + MCP server for AI integration
- Complete Packet Analysis - Deep protocol parsing with headers, payloads, and metadata
- Network Flow Analysis - Track conversations, bandwidth usage, and connection patterns
- Protocol Intelligence - Ethernet, IPv4, TCP/UDP parsing with application layer detection
- Advanced Analytics - Timing analysis, protocol distribution, and traffic statistics
- Multiple Formats - PcapNG, PCAP support with human-readable, JSON, and table outputs
- Real-time Insights - Payload previews, packet flags, MAC addresses, and port analysis
- Production Ready - High-performance Rust implementation with comprehensive error handling
```bash
# Build CLI tool
cargo build --features cli --release

# Parse detailed packets with protocol analysis
./target/release/pcapng-cli packets capture.pcapng --limit 10 --payload

# Analyze network flows and conversations
./target/release/pcapng-cli flows capture.pcapng --sort-by-count

# Generate comprehensive traffic analysis
./target/release/pcapng-cli analyze capture.pcapng --protocols --timing

# Get file information
./target/release/pcapng-cli info capture.pcapng

# Multiple output formats
./target/release/pcapng-cli packets capture.pcapng --format json
./target/release/pcapng-cli flows capture.pcapng --format table
```

```bash
# Build advanced analyzer
cargo build --features cli --release

# Batch analysis of multiple files
./target/release/pcapng-analyzer batch --dir ./captures --summary

# Compare two capture files
./target/release/pcapng-analyzer compare file1.pcapng file2.pcapng --packets --timing

# Generate detailed statistics
./target/release/pcapng-analyzer stats capture.pcapng --protocols --detailed
```

```bash
# Build MCP server
cargo build --features mcp-server --release

# Start MCP server (connects via stdio)
./target/release/pcapng-mcp-server

# Test MCP server manually
echo '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}' | ./target/release/pcapng-mcp-server
```

```jsonc
// Initialize MCP server
{"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {}}

// List all available analysis tools
{"jsonrpc": "2.0", "id": 2, "method": "tools/list"}

// Parse detailed packets with protocol analysis
{"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {
  "name": "parse_detailed_packets",
  "arguments": {"file_path": "/path/to/capture.pcapng", "limit": 10}
}}

// Analyze network flows
{"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {
  "name": "analyze_packet_flows",
  "arguments": {"file_path": "/path/to/capture.pcapng"}
}}
```

| Command | Description | Example |
|---|---|---|
| `packets` | Deep packet analysis with protocol headers, payloads, and metadata | `pcapng-cli packets file.pcap --limit 5 --payload` |
| `flows` | Network flow analysis tracking conversations and bandwidth | `pcapng-cli flows file.pcap --sort-by-count` |
| `analyze` | Comprehensive traffic analytics with protocol distribution and timing | `pcapng-cli analyze file.pcap --protocols --timing` |
| `info` | Basic file information and metadata | `pcapng-cli info file.pcap` |
| `interfaces` | Network interface details | `pcapng-cli interfaces file.pcap` |
| `timing` | Packet timing analysis | `pcapng-cli timing file.pcap` |
| Command | Description | Example |
|---|---|---|
| `batch` | Multi-file analysis with summary reports | `pcapng-analyzer batch --dir ./captures --summary` |
| `compare` | File comparison with detailed diff analysis | `pcapng-analyzer compare file1.pcap file2.pcap --packets` |
| `stats` | Advanced statistics with protocol breakdown | `pcapng-analyzer stats file.pcap --protocols --detailed` |
| `validate` | File integrity and format validation | `pcapng-analyzer validate file.pcap` |
| `export` | Export to different formats (CSV, JSON, etc.) | `pcapng-analyzer export file.pcap --format csv` |
| Tool | Description | Capabilities |
|---|---|---|
| `parse_detailed_packets` | Advanced packet parsing | Ethernet/IP/TCP headers, payload preview, protocol stack |
| `analyze_packet_flows` | Flow analysis and tracking | Conversations, bandwidth, duration, connection patterns |
| `generate_packet_analysis` | Comprehensive analytics | Protocol distribution, timing analysis, packet statistics |
| `parse_pcapng_file` | Basic file parsing | File info, packet counts, interfaces |
| `get_pcapng_metadata` | File metadata extraction | Structure details, capture info |
| `list_pcapng_interfaces` | Interface enumeration | Network interface details |
```
$ ./target/release/pcapng-cli packets capture.pcapng --limit 3 --payload
Detailed Packet Analysis
===========================
File: capture.pcapng
Total packets parsed: 3

Packet #1
Timestamp: 2025-08-01 11:40:21.351025 UTC
Size: 42 bytes (captured: 42)
Protocols: Ethernet
Ethernet: 00:ae:c8:9c:93:6b → ea:03:a2:68:0f:96
Payload: Hex: 00 01 08 00 06 04 00 01... | ASCII: ................

Packet #2
Timestamp: 2025-08-01 11:40:21.337661 UTC
Size: 345 bytes (captured: 345)
Protocols: Ethernet → IPv4 → TCP
Ethernet: bc:24:11:c8:7d:65 → c2:06:cc:7f:3f:fe
IP: 62.24.65.220 → 77.48.2.30 (TTL: 128, Protocol: TCP)
TCP: 3389 → 54591
TCP Flags: ---PA---
Payload: Hex: 17 03 03 01 1e 00 00... | ASCII: ...............
```

```json
{
  "packet_count": 1,
  "packets": [{
    "packet_number": 1,
    "timestamp": "2025-08-01T11:40:21.351025Z",
    "captured_length": 345,
    "original_length": 345,
    "protocols": ["Ethernet", "IPv4", "TCP"],
    "ethernet_header": {
      "source_mac": "bc:24:11:c8:7d:65",
      "destination_mac": "c2:06:cc:7f:3f:fe",
      "ethertype": 2048,
      "ethertype_name": "IPv4"
    },
    "ip_header": {
      "version": 4,
      "source_ip": "62.24.65.220",
      "destination_ip": "77.48.2.30",
      "protocol": 6,
      "protocol_name": "TCP",
      "ttl": 128,
      "header_length": 20
    },
    "transport_header": {
      "protocol": "TCP",
      "source_port": 3389,
      "destination_port": 54591,
      "tcp_flags": {
        "syn": false,
        "ack": true,
        "psh": true,
        "fin": false,
        "rst": false,
        "urg": false
      }
    },
    "payload_preview": "Hex: 17 03 03 01 1e 00... | ASCII: ..............."
  }]
}
```

```
$ ./target/release/pcapng-cli flows capture.pcapng --sort-by-count
Network Flow Analysis
========================
File: capture.pcapng
Total flows: 65

Flow: 62.24.65.220:3389 → 77.48.2.30:54591 (TCP)
Packets: 541
Bytes: 299,347
Duration: 15.345s
First seen: 2025-08-01 11:40:21.337661 UTC
Last seen: 2025-08-01 11:40:36.682810 UTC

Flow: 77.48.2.3:51875 → 62.24.65.220:443 (TCP)
Packets: 121
Bytes: 45,876
Duration: 7.473s
```

```
$ ./target/release/pcapng-cli analyze capture.pcapng --protocols --timing
Comprehensive Packet Analysis
================================
Total packets: 2189

Protocol Distribution:
Ethernet 2189 (100.0%)
TCP 1568 (71.6%)
IPv4 1620 (74.0%)
UDP 52 (2.4%)

Packet Size Statistics:
Min size: 42 bytes
Max size: 1514 bytes
Average size: 262.3 bytes

Timing Analysis:
Total duration: 15.438s
Average PPS: 141.8
Peak PPS: 892.5

Top Conversations:
62.24.65.220 → 77.48.2.30 1020 packets, 341,053 bytes
77.48.2.3 → 62.24.65.220 282 packets, 99,745 bytes
```

The PcapNG Analyzer employs a modular architecture designed for both standalone operation and MCP integration:
```
pcapng-analyzer/
├── src/
│   ├── lib.rs                 # Core library exports
│   ├── pcapng/
│   │   ├── mod.rs             # PcapNG module root
│   │   ├── parser.rs          # Basic file parsing
│   │   ├── packet_parser.rs   # Detailed packet analysis
│   │   ├── flow_analyzer.rs   # Network flow tracking
│   │   └── types.rs           # Common data structures
│   ├── mcp/
│   │   ├── mod.rs             # MCP module root
│   │   ├── server.rs          # JSON-RPC 2.0 server
│   │   └── client.rs          # MCP client utilities
│   └── bin/
│       ├── cli.rs             # Native CLI application
│       └── mcp_server.rs      # MCP server binary
├── Cargo.toml                 # Multi-binary configuration
└── README.md
```
Core Parser (src/pcapng/)
- Standards-compliant PcapNG file parsing
- Protocol-aware packet dissection (Ethernet, IP, TCP, UDP)
- Network flow reconstruction and analysis
- Performance optimized for large captures
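As an added example of what the dissection and flow-reconstruction bullets involve, written for this page rather than taken from the project's `packet_parser.rs` or `flow_analyzer.rs`: a standard-library-only Ethernet/IPv4/TCP/UDP dissector and a directional 5-tuple flow aggregator that produces the packets, bytes and duration figures the `flows` output above reports. Every length field (Ethernet frame, IPv4 IHL and total length, TCP data offset) is checked against the bytes actually captured before it is used, so a truncated or malformed frame yields `None` rather than a panic. The frames in `sample_packets()` are constructed (addresses and ports borrowed from the README sample output, checksums left zero), and the letter order in `flags_string` is an assumption chosen so that PSH+ACK renders as `---PA---` as in the sample; the project's own ordering is not documented here.

```rust
// Added example, not the project's own code: Ethernet/IPv4/TCP dissection and
// directional flow aggregation using only the Rust standard library.
use std::collections::HashMap;
use std::net::Ipv4Addr;

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct FlowKey { pub src: Ipv4Addr, pub sport: u16, pub dst: Ipv4Addr, pub dport: u16, pub proto: u8 }

#[derive(Debug, Clone, PartialEq)]
pub struct FlowStats { pub packets: u64, pub bytes: u64, pub first_ts: f64, pub last_ts: f64 }

#[derive(Debug, PartialEq)]
pub struct Packet { pub key: FlowKey, pub tcp_flags: Option<u8>, pub payload_len: usize }

/// Render TCP flags as an 8-character string. The letter order is an assumption
/// chosen so PSH+ACK prints as "---PA---" like the CLI sample on this page.
pub fn flags_string(flags: u8) -> String {
    const ORDER: [(char, u8); 8] = [('C', 0x80), ('E', 0x40), ('U', 0x20), ('P', 0x08),
                                    ('A', 0x10), ('R', 0x04), ('S', 0x02), ('F', 0x01)];
    ORDER.iter().map(|&(c, m)| if flags & m != 0 { c } else { '-' }).collect()
}

fn be16(b: &[u8], off: usize) -> u16 { u16::from_be_bytes([b[off], b[off + 1]]) }

/// Parse Ethernet II -> IPv4 -> TCP/UDP. Each length field is validated against the
/// captured bytes before it is used to slice, so bad input returns None, never panics.
pub fn dissect(frame: &[u8]) -> Option<Packet> {
    if frame.len() < 14 || be16(frame, 12) != 0x0800 {
        return None; // not IPv4 (ARP, IPv6, VLAN-tagged frames are not handled here)
    }
    let ip = &frame[14..];
    if ip.len() < 20 || ip[0] >> 4 != 4 {
        return None;
    }
    let ihl = (ip[0] & 0x0F) as usize * 4;
    let total_len = be16(ip, 2) as usize;
    if ihl < 20 || total_len < ihl || total_len > ip.len() {
        return None; // bogus IHL, or IP total length exceeds what was captured
    }
    let proto = ip[9];
    let src = Ipv4Addr::new(ip[12], ip[13], ip[14], ip[15]);
    let dst = Ipv4Addr::new(ip[16], ip[17], ip[18], ip[19]);
    let l4 = &ip[ihl..total_len];
    let (sport, dport, tcp_flags, hdr_len) = match proto {
        6 if l4.len() >= 20 => {
            let data_off = (l4[12] >> 4) as usize * 4;
            if data_off < 20 || data_off > l4.len() {
                return None;
            }
            (be16(l4, 0), be16(l4, 2), Some(l4[13]), data_off)
        }
        17 if l4.len() >= 8 => (be16(l4, 0), be16(l4, 2), None, 8),
        _ => return None,
    };
    Some(Packet { key: FlowKey { src, sport, dst, dport, proto }, tcp_flags, payload_len: l4.len() - hdr_len })
}

/// Group (timestamp, frame) pairs into directional 5-tuple flows, counting wire bytes.
pub fn aggregate(packets: &[(f64, Vec<u8>)]) -> HashMap<FlowKey, FlowStats> {
    let mut flows: HashMap<FlowKey, FlowStats> = HashMap::new();
    for (ts, frame) in packets {
        let p = match dissect(frame) { Some(p) => p, None => continue };
        let st = flows.entry(p.key).or_insert(FlowStats { packets: 0, bytes: 0, first_ts: *ts, last_ts: *ts });
        st.packets += 1;
        st.bytes += frame.len() as u64;
        st.first_ts = st.first_ts.min(*ts);
        st.last_ts = st.last_ts.max(*ts);
    }
    flows
}

/// Build a constructed Ethernet/IPv4/TCP frame (checksums left zero; not verified here).
pub fn tcp_frame(src: Ipv4Addr, sport: u16, dst: Ipv4Addr, dport: u16, flags: u8, payload: &[u8]) -> Vec<u8> {
    let ip_len = (20 + 20 + payload.len()) as u16;
    let mut f = vec![0xc2, 0x06, 0xcc, 0x7f, 0x3f, 0xfe, 0xbc, 0x24, 0x11, 0xc8, 0x7d, 0x65, 0x08, 0x00];
    f.extend_from_slice(&[0x45, 0x00]);
    f.extend_from_slice(&ip_len.to_be_bytes());
    f.extend_from_slice(&[0x00, 0x00, 0x40, 0x00, 128, 6, 0x00, 0x00]); // id, DF, TTL 128, TCP, cksum
    f.extend_from_slice(&src.octets());
    f.extend_from_slice(&dst.octets());
    f.extend_from_slice(&sport.to_be_bytes());
    f.extend_from_slice(&dport.to_be_bytes());
    f.extend_from_slice(&[0; 8]); // seq, ack
    f.extend_from_slice(&[0x50, flags, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00]); // offset 5, flags, window, cksum, urg
    f.extend_from_slice(payload);
    f
}

/// Constructed sample: three PSH+ACK segments one way and one bare ACK back.
pub fn sample_packets() -> Vec<(f64, Vec<u8>)> {
    let a = Ipv4Addr::new(62, 24, 65, 220);
    let b = Ipv4Addr::new(77, 48, 2, 30);
    let tls = [0x17, 0x03, 0x03, 0x01, 0x1e]; // TLS record prefix like the sample payload
    vec![
        (0.000, tcp_frame(a, 3389, b, 54591, 0x18, &tls)),
        (0.412, tcp_frame(b, 54591, a, 3389, 0x10, &[])),
        (1.250, tcp_frame(a, 3389, b, 54591, 0x18, &[0x17; 10])),
        (1.904, tcp_frame(a, 3389, b, 54591, 0x18, &[0x17; 20])),
    ]
}

fn main() {
    let mut flows: Vec<_> = aggregate(&sample_packets()).into_iter().collect();
    flows.sort_by(|x, y| y.1.packets.cmp(&x.1.packets)); // like --sort-by-count
    for (k, s) in flows {
        println!("{}:{} -> {}:{} proto {}: {} packets, {} bytes, {:.3}s",
                 k.src, k.sport, k.dst, k.dport, k.proto, s.packets, s.bytes, s.last_ts - s.first_ts);
    }
}
```

The flow key is directional, matching the way the `flows` output lists `62.24.65.220:3389 → 77.48.2.30:54591` separately from the reverse direction; folding both directions into one conversation is a one-line change to the key (order the endpoints), which is what the `Top Conversations` section of `analyze` does.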
CLI Interface (src/bin/cli.rs)
- Direct command-line access to all analysis features
- Multiple output formats (human-readable, JSON)
- Batch processing capabilities
- Real-time analysis feedback
MCP Server (src/mcp/server.rs)
- JSON-RPC 2.0 compliant implementation
- Six specialized analysis tools
- Seamless integration with MCP-compatible clients
- Structured data output for programmatic access
Build System
- Feature-gated compilation (`cli`, `mcp-server`)
- Conditional dependencies for optimized builds
- Release builds for production deployment
```bash
# Clone and build
git clone https://github.com/your-org/pcapng-analyzer
cd pcapng-analyzer
cargo build --release --features cli

# Analyze a capture file
./target/release/pcapng-cli analyze demo.pcapng --protocols --timing

# Extract detailed packets
./target/release/pcapng-cli packets demo.pcapng --limit 10 --payload
```

```bash
# Start MCP server
./target/release/pcapng-mcp-server

# In MCP client, available tools:
# - parse_pcapng_file
# - get_pcapng_metadata
# - list_pcapng_interfaces
# - parse_detailed_packets
# - analyze_packet_flows
# - generate_packet_analysis
```

Successfully tested with multiple real-world PcapNG files:
- 974 packets (19 second capture, 211KB file)
- 2189 packets (15 second capture, 647KB file, 2 interfaces)
- 282 packets (8 second capture, 109KB file, 2 interfaces)
- Various network protocols and interface configurations
- Rust - Async/await, error handling, performance
- rmcp - Model Context Protocol implementation
- pcap-parser - Low-level packet parsing
- serde - JSON serialization
- tokio - Async runtime
We welcome contributions! Whether you're fixing bugs, adding features, or improving documentation:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
```bash
git clone https://github.com/your-org/pcapng-analyzer
cd pcapng-analyzer
cargo build --all-features
cargo test
```

This project is licensed under the MIT License - see the LICENSE file for details.
- pcap-parser - Robust PcapNG parsing foundation
- rmcp - Model Context Protocol implementation
- The network analysis community for inspiration and standards
Built with ❤️ for network analysis and automation

Star this repo • Report Issues • Request Features