If you’re like me, the idea of doing anything twice makes you break out in a cold shiver. For Claude Desktop I often need a packet capture (pcap) to unpack something I am working on. The script below checks that Wireshark (tshark) and Node.js are installed, expects WireMCP to already be cloned to ~/WireMCP, and then configures Claude Desktop to use it. I also got it working with Zscaler (note: the detection is just a process grep plus a look for a utun interface with a 100.64.x.x address; you could also check for the Zscaler Client Connector listeners on ports 9000/9400). Two things to keep in mind before running it. First, Claude Desktop starts the MCP server as your user with no chance to type a sudo password, so tshark must be able to open /dev/bpf* on its own (the ChmodBPF helper that the Wireshark installer offers does exactly that). Second, the SSLKEYLOGFILE the script exports holds the secrets needed to decrypt every TLS session written to it, so keep it mode 600 and delete it when you are done; only programs started from a shell where that variable is set (Chrome and Firefox honour it) will write to it, and apps launched from the Dock do not inherit it.
I also added example scripts to test that it is working, and some prompts to help you test it in Claude.
cat > ~/setup_wiremcp_simple.sh << 'EOF'
#!/bin/bash
# Simplified WireMCP Setup with Zscaler Support
echo ""
echo "============================================"
echo " WireMCP Setup with Zscaler Support"
echo "============================================"
echo ""
# Detect Zscaler
echo "[INFO] Detecting Zscaler..."
ZSCALER_DETECTED=false
ZSCALER_INTERFACE=""
# Check for Zscaler process
if pgrep -f "Zscaler" >/dev/null 2>&1; then
ZSCALER_DETECTED=true
echo "[ZSCALER] ✓ Zscaler process is running"
fi
# Find Zscaler tunnel interface (ZCC gives its utun a 100.64.0.0/10 CGNAT address; this match only covers 100.64.x.x)
UTUN_INTERFACES=$(ifconfig -l | grep -o 'utun[0-9]*')
for iface in $UTUN_INTERFACES; do
IP=$(ifconfig "$iface" 2>/dev/null | grep "inet " | awk '{print $2}')
if [[ "$IP" == 100.64.* ]]; then
ZSCALER_INTERFACE="$iface"
ZSCALER_DETECTED=true
echo "[ZSCALER] ✓ Zscaler tunnel found: $iface (IP: $IP)"
break
fi
done
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
echo "[ZSCALER] ✓ Zscaler environment confirmed"
else
echo "[INFO] No Zscaler detected - standard network"
fi
echo ""
# Check existing installations
echo "[INFO] Checking installed software..."
if command -v tshark >/dev/null 2>&1; then
echo "[✓] Wireshark/tshark is installed"
else
echo "[!] Wireshark not found - install with: brew install --cask wireshark"
fi
if command -v node >/dev/null 2>&1; then
echo "[✓] Node.js is installed: $(node --version)"
else
echo "[!] Node.js not found - install with: brew install node"
fi
if [[ -d "$HOME/WireMCP" ]]; then
echo "[✓] WireMCP is installed at ~/WireMCP"
else
echo "[!] WireMCP not found"
fi
echo ""
# Configure SSL decryption for Zscaler
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
echo "[INFO] Configuring SSL/TLS decryption..."
SSL_KEYLOG="$HOME/.wireshark-sslkeys.log"
touch "$SSL_KEYLOG"
chmod 600 "$SSL_KEYLOG"
if ! grep -q "SSLKEYLOGFILE" ~/.zshrc 2>/dev/null; then
echo "" >> ~/.zshrc
echo "# Wireshark SSL/TLS decryption for Zscaler" >> ~/.zshrc
echo "export SSLKEYLOGFILE=\"$SSL_KEYLOG\"" >> ~/.zshrc
echo "[✓] Added SSLKEYLOGFILE to ~/.zshrc"
else
echo "[✓] SSLKEYLOGFILE already in ~/.zshrc"
fi
echo "[✓] SSL key log file: $SSL_KEYLOG"
fi
echo ""
# Update WireMCP for Zscaler
if [[ -d "$HOME/WireMCP" ]]; then
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
echo "[INFO] Creating Zscaler-aware wrapper..."
cat > "$HOME/WireMCP/start_zscaler.sh" << 'WRAPPER'
#!/bin/bash
echo "=== WireMCP (Zscaler Mode) ==="
# Set SSL decryption
export SSLKEYLOGFILE="$HOME/.wireshark-sslkeys.log"
# Find Zscaler interface
UTUN_LIST=$(ifconfig -l | grep -o 'utun[0-9]*')
for iface in $UTUN_LIST; do
IP=$(ifconfig "$iface" 2>/dev/null | grep "inet " | awk '{print $2}')
if [[ "$IP" == 100.64.* ]]; then
export CAPTURE_INTERFACE="$iface"
echo "✓ Zscaler tunnel: $iface ($IP)"
echo "✓ Traffic routed into the Zscaler tunnel passes through this interface (bypassed destinations do not)"
break
fi
done
if [[ -z "$CAPTURE_INTERFACE" ]]; then
export CAPTURE_INTERFACE="en0"
echo "! Using default interface: en0"
fi
echo ""
echo "Configuration:"
echo " SSL Key Log: $SSLKEYLOGFILE"
echo " Capture Interface: $CAPTURE_INTERFACE"
echo ""
echo "To capture: sudo tshark -i $CAPTURE_INTERFACE -c 10"
echo "==============================="
echo ""
cd "$(dirname "$0")"
node index.js
WRAPPER
chmod +x "$HOME/WireMCP/start_zscaler.sh"
echo "[✓] Created ~/WireMCP/start_zscaler.sh"
fi
# Create test script
cat > "$HOME/WireMCP/test_zscaler.sh" << 'TEST'
#!/bin/bash
echo "=== Zscaler & WireMCP Test ==="
echo ""
# Check Zscaler process
if pgrep -f "Zscaler" >/dev/null; then
echo "✓ Zscaler is running"
else
echo "✗ Zscaler not running"
fi
# Find tunnel
FOUND_IFACE=""
UTUN_LIST=$(ifconfig -l | grep -o 'utun[0-9]*')
for iface in $UTUN_LIST; do
IP=$(ifconfig "$iface" 2>/dev/null | grep "inet " | awk '{print $2}')
if [[ "$IP" == 100.64.* ]]; then
echo "✓ Zscaler tunnel: $iface ($IP)"
FOUND_IFACE="$iface"
break
fi
done
[[ -z "$FOUND_IFACE" ]] && echo "✗ No Zscaler tunnel found"
echo ""
# Check SSL keylog
if [[ -f "$HOME/.wireshark-sslkeys.log" ]]; then
SIZE=$(wc -c < "$HOME/.wireshark-sslkeys.log" | tr -d ' ')
echo "✓ SSL key log exists ($SIZE bytes)"
else
echo "✗ SSL key log not found"
fi
echo ""
echo "Network interfaces:"
tshark -D 2>/dev/null | head -5
echo ""
echo "To capture Zscaler traffic:"
# $iface still holds the last utun checked even when none matched, so use the recorded match
echo " sudo tshark -i ${FOUND_IFACE:-en0} -c 10"
TEST
chmod +x "$HOME/WireMCP/test_zscaler.sh"
echo "[✓] Created ~/WireMCP/test_zscaler.sh"
fi
echo ""
# Configure Claude Desktop
CLAUDE_CONFIG="$HOME/Library/Application Support/Claude/claude_desktop_config.json"
if [[ -d "$(dirname "$CLAUDE_CONFIG")" ]]; then
echo "[INFO] Configuring Claude Desktop..."
# Backup existing
if [[ -f "$CLAUDE_CONFIG" ]]; then
BACKUP_FILE="${CLAUDE_CONFIG}.backup.$(date +%Y%m%d_%H%M%S)"
cp "$CLAUDE_CONFIG" "$BACKUP_FILE"
echo "[✓] Backup created: $BACKUP_FILE"
fi
# Check if jq is installed (needed to merge into the existing config without clobbering other servers)
if ! command -v jq >/dev/null 2>&1; then
if command -v brew >/dev/null 2>&1; then
echo "[INFO] Installing jq for JSON manipulation..."
brew install jq
else
echo "[!] jq not found and Homebrew is not available - install jq and re-run"
exit 1
fi
fi
# Create temp capture directory
TEMP_CAPTURE_DIR="$HOME/.wiremcp/captures"
mkdir -p "$TEMP_CAPTURE_DIR"
echo "[✓] Capture directory: $TEMP_CAPTURE_DIR"
# Prepare environment variables
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
ENV_JSON=$(jq -n \
--arg ssllog "$HOME/.wireshark-sslkeys.log" \
--arg iface "${ZSCALER_INTERFACE:-en0}" \
--arg capdir "$TEMP_CAPTURE_DIR" \
'{"SSLKEYLOGFILE": $ssllog, "CAPTURE_INTERFACE": $iface, "ZSCALER_MODE": "true", "CAPTURE_DIR": $capdir}')
else
ENV_JSON=$(jq -n \
--arg capdir "$TEMP_CAPTURE_DIR" \
'{"CAPTURE_DIR": $capdir}')
fi
# Add or update wiremcp in config, preserving existing servers.
# Claude Desktop does not inherit your shell PATH, so point it at the absolute node binary
NODE_BIN="$(command -v node 2>/dev/null || echo node)"
if [[ -f "$CLAUDE_CONFIG" ]] && [[ -s "$CLAUDE_CONFIG" ]]; then
echo "[INFO] Merging WireMCP into existing config..."
jq --arg home "$HOME" \
--arg node "$NODE_BIN" \
--argjson env "$ENV_JSON" \
'.mcpServers.wiremcp = {"command": $node, "args": [$home + "/WireMCP/index.js"], "env": $env}' \
"$CLAUDE_CONFIG" > "${CLAUDE_CONFIG}.tmp" && mv "${CLAUDE_CONFIG}.tmp" "$CLAUDE_CONFIG"
else
echo "[INFO] Creating new Claude config..."
jq -n --arg home "$HOME" \
--arg node "$NODE_BIN" \
--argjson env "$ENV_JSON" \
'{"mcpServers": {"wiremcp": {"command": $node, "args": [$home + "/WireMCP/index.js"], "env": $env}}}' \
> "$CLAUDE_CONFIG"
fi
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
echo "[✓] Claude configured with Zscaler mode"
else
echo "[✓] Claude configured"
fi
echo "[✓] Existing MCP servers preserved"
fi
echo ""
echo "============================================"
echo " Summary"
echo "============================================"
echo ""
if [[ "$ZSCALER_DETECTED" == "true" ]]; then
echo "Zscaler Environment:"
echo " ✓ Detected and configured"
[[ -n "$ZSCALER_INTERFACE" ]] && echo " ✓ Tunnel interface: $ZSCALER_INTERFACE"
echo " ✓ SSL decryption ready"
echo ""
echo "Next steps:"
echo " 1. Restart terminal: source ~/.zshrc"
echo " 2. Start your browser from that shell so it inherits SSLKEYLOGFILE (apps opened from the Dock do not)"
else
echo "Standard Network:"
echo " • No Zscaler detected"
echo " • Standard configuration applied"
fi
echo ""
echo "For Claude Desktop:"
echo " 1. Restart Claude Desktop app"
echo " 2. Ask Claude to analyze network traffic"
echo ""
echo "============================================"
exit 0
EOF
chmod +x ~/setup_wiremcp_simple.sh
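Before relying on the detection above, here is how I would write the tunnel check properly. This is an added example, not part of the setup script: Zscaler Client Connector assigns the utun interface an address from the CGNAT block 100.64.0.0/10, which runs all the way to 100.127.255.255, so the 100.64.* pattern in the script can miss it. The functions read ifconfig output from stdin so they can be tested against the constructed sample at the bottom; the port check uses lsof and takes the 9000/9400 port numbers from the note at the top of this post.

```shell
#!/bin/sh
# Added example (not from the original post): Zscaler tunnel detection done
# the careful way. ZCC gives its utun interface an address from the CGNAT
# block 100.64.0.0/10 (RFC 6598), i.e. 100.64.0.0 up to 100.127.255.255, so
# a plain "100.64.*" string match can miss the tunnel.

# Return 0 if $1 is a valid dotted-quad inside 100.64.0.0/10.
is_cgnat_ip() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digits, empty octets
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  # /10 means first octet 100 and second octet 64..127 (top two bits 01)
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
    return 0
  fi
  return 1
}

# Read ifconfig(8) output on stdin and print the first utun interface whose
# IPv4 address is a CGNAT address; return 1 if none. Parsing text rather than
# calling ifconfig directly lets the function be tested on saved output.
find_cgnat_utun() {
  cur=''
  while IFS= read -r line; do
    case "$line" in
      *': flags='*) cur=${line%%:*} ;;        # "utun4: flags=8051<...> mtu 1400"
      *'inet '*)                               # "inet 100.127.3.9 --> 100.127.3.9 ..."
        case "$cur" in
          utun*)
            set -- $line
            if is_cgnat_ip "$2"; then
              printf '%s\n' "$cur"
              return 0
            fi ;;
        esac ;;
    esac
  done
  return 1
}

# Live check, used the same way as the loop in setup_wiremcp_simple.sh.
zscaler_tunnel_iface() {
  command -v ifconfig >/dev/null 2>&1 || return 1
  ifconfig | find_cgnat_utun
}

# Second signal from the post: ZCC's local listeners on 9000/9400 (port numbers
# assumed from the post; lsof needs no root to see your own user's sockets).
zscaler_port_listening() {
  command -v lsof >/dev/null 2>&1 || return 1
  lsof -nP -iTCP:9000 -sTCP:LISTEN >/dev/null 2>&1 || lsof -nP -iTCP:9400 -sTCP:LISTEN >/dev/null 2>&1
}

# Constructed ifconfig output for the self-check: utun4 carries 100.127.3.9,
# inside 100.64.0.0/10 but not matched by "100.64.*".
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
        inet6 fe80::9c3e:1ff:fe02:1%utun3 prefixlen 64 scopeid 0x10
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
        inet 100.127.3.9 --> 100.127.3.9 netmask 0xffffffff'

if [ "${1:-}" = "--self-check" ]; then
  printf '%s\n' "$SAMPLE_IFCONFIG" | find_cgnat_utun     # prints utun4
else
  zscaler_tunnel_iface || echo "no Zscaler tunnel interface found"
fi
```

Run it with --self-check to see the parser pick utun4 from the sample, or with no arguments to query the live machine.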
To test if the script worked:
cat > ~/test_wiremcp_claude.sh << 'EOF'
#!/bin/bash
# WireMCP Claude Desktop Interactive Test Script
echo "╔════════════════════════════════════════════════════════╗"
echo "║ WireMCP + Claude Desktop Testing Tool ║"
echo "╚════════════════════════════════════════════════════════╝"
echo ""
# Colors
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Check prerequisites
echo -e "${BLUE}[1/4]${NC} Checking prerequisites..."
if ! command -v tshark >/dev/null 2>&1; then
echo " ✗ tshark not found"
exit 1
fi
if [[ ! -d "$HOME/WireMCP" ]]; then
echo " ✗ WireMCP not found at ~/WireMCP"
exit 1
fi
if [[ ! -f "$HOME/Library/Application Support/Claude/claude_desktop_config.json" ]]; then
echo " ⚠ Claude Desktop config not found"
fi
echo -e " ${GREEN}✓${NC} All prerequisites met"
echo ""
# Detect Zscaler
echo -e "${BLUE}[2/4]${NC} Detecting network configuration..."
ZSCALER_IF=""
for iface in $(ifconfig -l | grep -o 'utun[0-9]*'); do
IP=$(ifconfig "$iface" 2>/dev/null | grep "inet " | awk '{print $2}')
if [[ "$IP" == 100.64.* ]]; then
ZSCALER_IF="$iface"
echo -e " ${GREEN}✓${NC} Zscaler tunnel: $iface ($IP)"
break
fi
done
if [[ -z "$ZSCALER_IF" ]]; then
echo " ⚠ No Zscaler tunnel detected (will use en0)"
ZSCALER_IF="en0"
fi
echo ""
# Generate test traffic
echo -e "${BLUE}[3/4]${NC} Generating test network traffic..."
# Background network requests
(curl -s https://api.github.com/zen > /dev/null 2>&1) &
(curl -s https://httpbin.org/get > /dev/null 2>&1) &
(curl -s https://www.google.com > /dev/null 2>&1) &
(ping -c 3 8.8.8.8 > /dev/null 2>&1) &
sleep 2
echo -e " ${GREEN}✓${NC} Test traffic generated (HTTPS to GitHub, httpbin and Google, ICMP to 8.8.8.8, plus the DNS lookups for those names)"
echo ""
# Show test prompts
echo -e "${BLUE}[4/4]${NC} Test prompts for Claude Desktop"
echo "════════════════════════════════════════════════════════"
echo ""
echo -e "${YELLOW}📋 Copy these prompts into Claude Desktop:${NC}"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 1: Basic Connection Test"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
cat << 'PROMPT'
Can you see the WireMCP tools? List all available network analysis capabilities you have access to.
PROMPT
echo ""
echo "Expected: Claude should list 7 tools (capture_packets, get_summary_stats, etc.)"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 2: Simple Packet Capture"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
cat << 'PROMPT'
Capture 20 network packets and show me a summary including:
- Source and destination IPs
- Protocols used
- Port numbers
- Any interesting patterns
PROMPT
echo ""
echo "Expected: Packets from $ZSCALER_IF with IPs in 100.64.x.x range"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 3: Protocol Analysis"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
cat << 'PROMPT'
Capture 50 packets and show me:
1. Protocol breakdown (TCP, UDP, DNS, HTTP, TLS)
2. Which protocol is most common
3. Protocol hierarchy statistics
PROMPT
echo ""
echo "Expected: Protocol percentages and hierarchy tree"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 4: Connection Analysis"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
cat << 'PROMPT'
Capture 100 packets and show me network conversations:
- Top 5 source/destination pairs
- Number of packets per conversation
- Bytes transferred
PROMPT
echo ""
echo "Expected: Conversation statistics with packet/byte counts"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 5: Threat Detection"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
cat << 'PROMPT'
Capture traffic for 30 seconds and check all destination IPs against threat databases. Tell me if any malicious IPs are detected.
PROMPT
echo ""
echo "Expected: List of IPs and threat check results (should show 'No threats')"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "TEST 6: HTTPS Decryption (Advanced)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "⚠️ First: run this, then launch your browser from that same shell so it inherits the variable (Dock launches do not):"
echo " source ~/.zshrc && echo \$SSLKEYLOGFILE"
echo ""
cat << 'PROMPT'
Capture 30 packets while I browse some HTTPS websites. Can you see any HTTP hostnames or request URIs from the HTTPS traffic?
PROMPT
echo ""
echo "Expected: If SSL keys are logged, Claude sees decrypted HTTP data"
echo ""
echo "════════════════════════════════════════════════════════"
echo ""
echo -e "${YELLOW}🔧 Manual Verification Commands:${NC}"
echo ""
echo " # Test manual capture:"
echo " sudo tshark -i $ZSCALER_IF -c 10"
echo ""
echo " # Check SSL keylog:"
echo " ls -lh ~/.wireshark-sslkeys.log"
echo ""
echo " # Test WireMCP server (it waits on stdin; Ctrl+C to stop - timeout(1) is not on stock macOS):"
echo " cd ~/WireMCP && node index.js"
echo ""
echo " # Check Claude config:"
echo " cat \"\$HOME/Library/Application Support/Claude/claude_desktop_config.json\""
echo ""
echo "════════════════════════════════════════════════════════"
echo ""
echo -e "${GREEN}✅ Test setup complete!${NC}"
echo ""
echo "Next steps:"
echo " 1. Open Claude Desktop"
echo " 2. Copy/paste the test prompts above"
echo " 3. Verify Claude can access WireMCP tools"
echo ""
# Keep generating traffic in background
echo "Keeping test traffic active for 2 minutes..."
echo "(You can Ctrl+C to stop)"
echo ""
# Generate continuous light traffic
for i in {1..24}; do
(curl -s https://httpbin.org/delay/1 > /dev/null 2>&1) &
sleep 5
done
echo ""
echo "Traffic generation complete!"
echo ""
EOF
chmod +x ~/test_wiremcp_claude.sh
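The test script above only reports the key log's size. As an added example (not part of the original scripts), the following checks what actually matters: whether any TLS client has written secrets into the file, whether its mode leaks them to other users, and the tshark command that uses the file to list decrypted HTTP/1.1 and HTTP/2 requests from a saved capture. The key log lines at the bottom are constructed sample data in the NSS key log format, and the path defaults to the ~/.wireshark-sslkeys.log that the setup script creates.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the TLS key log
# the setup script creates, plus the tshark invocation that uses it.
# SSLKEYLOGFILE clients write the NSS key log format: TLS 1.2 sessions give
# "CLIENT_RANDOM <random> <master secret>" lines, TLS 1.3 sessions give
# "*_TRAFFIC_SECRET_0 ..." lines. Anyone who can read this file can decrypt
# the matching captures, so its mode matters as much as its contents.

KEYLOG_DEFAULT="${SSLKEYLOGFILE:-$HOME/.wireshark-sslkeys.log}"

# Print "<tls1.2 sessions> <tls1.3 sessions>" for a key log; return 1 if the
# file is missing or empty (nothing has honoured SSLKEYLOGFILE yet).
keylog_secret_counts() {
  f=$1
  [ -s "$f" ] || return 1
  c12=$(grep -c '^CLIENT_RANDOM ' "$f" || true)
  c13=$(grep -c '^CLIENT_TRAFFIC_SECRET_0 ' "$f" || true)
  printf '%s %s\n' "$c12" "$c13"
}

# Return 0 if the file is readable by group or others (looser than 0600).
# Parsed from ls -l so it behaves the same on BSD and GNU userland.
keylog_shared_readable() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  case "$perms" in
    ????r*|???????r*) return 0 ;;     # group read bit or other read bit set
  esac
  return 1
}

# Capture for a fixed number of seconds to a pcap. The MCP server runs as your
# user, so tshark must be able to open /dev/bpf* without sudo (ChmodBPF).
capture_seconds() {
  iface=$1; secs=$2; out=$3
  tshark -i "$iface" -a "duration:$secs" -w "$out"
}

# Decrypt a saved pcap with the key log and list HTTP/1.1 and HTTP/2 requests.
# tls.keylog_file is the preference name in Wireshark 3.x and later.
decrypt_http_requests() {
  pcap=$1; keylog=${2:-$KEYLOG_DEFAULT}
  command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 2; }
  tshark -r "$pcap" -o "tls.keylog_file:$keylog" \
    -Y 'http.request or http2.headers.method' \
    -T fields -e frame.time_relative \
    -e http.host -e http.request.uri \
    -e http2.headers.authority -e http2.headers.path
}

# Constructed key log for the self-check: two TLS 1.2 sessions, one TLS 1.3.
SAMPLE_KEYLOG='CLIENT_RANDOM 0a0a0a0a 1b1b1b1b
CLIENT_RANDOM 0c0c0c0c 1d1d1d1d
CLIENT_HANDSHAKE_TRAFFIC_SECRET 0e0e0e0e 2f2f2f2f
SERVER_HANDSHAKE_TRAFFIC_SECRET 0e0e0e0e 3a3a3a3a
CLIENT_TRAFFIC_SECRET_0 0e0e0e0e 4b4b4b4b
SERVER_TRAFFIC_SECRET_0 0e0e0e0e 5c5c5c5c'

# Human-readable report on a key log (defaults to the one the setup script made).
keylog_report() {
  f=${1:-$KEYLOG_DEFAULT}
  if counts=$(keylog_secret_counts "$f"); then
    echo "$f: TLS1.2/TLS1.3 sessions logged: $counts"
  else
    echo "$f: empty or missing; start the TLS client from a shell where SSLKEYLOGFILE is exported"
  fi
  if keylog_shared_readable "$f"; then
    echo "WARNING: $f is readable by other users; run chmod 600 on it"
  fi
}

keylog_report "${1:-}"
```

Once the report shows sessions being logged, run capture_seconds on the tunnel interface and feed the pcap to decrypt_http_requests; if the request list stays empty, the captured sessions were made by a process that did not have the variable set.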
Now that you have checked everything is working, the section below gives you a few example tests to carry out.
# Try WireMCP Right Now! 🚀
## 🎯 3-Minute Quick Start
### Step 1: Restart Claude Desktop (30 seconds)
```bash
# Kill and restart Claude
killall Claude
sleep 2
open -a Claude
```
### Step 2: Create a script to generate some traffic (30 seconds)
```bash
cat > ~/network_activity_loop.sh << 'EOF'
#!/bin/bash
# Script to generate network activity for 30 seconds
# Useful for testing network capture tools
echo "Starting network activity generation for 30 seconds..."
echo "Press Ctrl+C to stop early if needed"
# Record start time
start_time=$(date +%s)
end_time=$((start_time + 30))
# Counter for requests
request_count=0
# Loop for 30 seconds
while [ $(date +%s) -lt $end_time ]; do
# Create network activity to capture
echo -n "Request set #$((++request_count)) at $(date +%T): "
# GitHub API call
curl -s https://api.github.com/users/octocat > /dev/null 2>&1 &
# HTTPBin JSON endpoint
curl -s https://httpbin.org/json > /dev/null 2>&1 &
# IP address check
curl -s https://ifconfig.me > /dev/null 2>&1 &
# Wait for background jobs to complete
wait
echo "completed"
# Small delay to avoid overwhelming the servers
sleep 0.5
done
echo ""
echo "Network activity generation completed!"
echo "Total request sets sent: $request_count"
echo "Duration: 30 seconds"
EOF
chmod +x ~/network_activity_loop.sh
# Call the script (it lives in your home directory)
~/network_activity_loop.sh
```
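Before opening Claude, it is worth confirming that the server itself answers. As an added example (not code from the WireMCP project), this talks MCP over stdio the way Claude Desktop does: it sends the initialize request, the initialized notification and a tools/list request, then checks the reply against the seven tool names this post expects. It needs neither Claude nor capture privileges, so it separates "the server is broken" from "Claude is not loading the config". The server output near the bottom is a constructed sample used for the self-check; the real run assumes ~/WireMCP/index.js exits when its stdin closes.

```shell
#!/bin/sh
# Added example (not from the original post or the WireMCP project): drive
# the MCP server over stdio and list its tools. MCP's stdio transport is
# newline-delimited JSON-RPC 2.0; a client must send initialize and then the
# initialized notification before any other request.

mcp_tools_list_messages() {
  printf '%s\n' \
    '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"wiremcp-smoke-test","version":"0.1"}}}' \
    '{"jsonrpc":"2.0","method":"notifications/initialized"}' \
    '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
}

# Pull the tool names out of the tools/list response (the line answering id 2).
# Plain grep/sed so it works without jq; assumes one JSON message per line,
# which is what the stdio transport emits.
mcp_tool_names() {
  grep '"id": *2[,}]' | tr ',' '\n' | sed -n 's/.*"name": *"\([^"]*\)".*/\1/p'
}

# The seven tools the post says WireMCP exposes.
EXPECTED_TOOLS='capture_packets get_summary_stats get_conversations check_threats check_ip_threats analyze_pcap extract_credentials'

# Print each expected tool that is not among the names given as arguments.
missing_tools() {
  for want in $EXPECTED_TOOLS; do
    found=0
    for got in "$@"; do
      [ "$got" = "$want" ] && found=1
    done
    [ "$found" -eq 1 ] || printf '%s\n' "$want"
  done
}

# Run the handshake against ~/WireMCP (or the directory given) and print the
# tool names. Assumes the server exits when stdin closes, which the MCP
# TypeScript SDK's stdio transport does; otherwise press Ctrl+C.
wiremcp_list_tools() {
  dir=${1:-$HOME/WireMCP}
  [ -f "$dir/index.js" ] || { echo "no index.js in $dir" >&2; return 2; }
  mcp_tools_list_messages | (cd "$dir" && node index.js 2>/dev/null) | mcp_tool_names
}

# Constructed server output for the self-check: the shape of the real
# exchange, with descriptions shortened and only two tools.
SAMPLE_SERVER_OUTPUT='{"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{}},"serverInfo":{"name":"WireMCP","version":"0.0.1"}},"jsonrpc":"2.0","id":1}
{"result":{"tools":[{"name":"capture_packets","description":"Capture live traffic, return packet data","inputSchema":{"type":"object","properties":{"interface":{"type":"string"},"duration":{"type":"number"}}}},{"name":"get_summary_stats","description":"Protocol hierarchy statistics","inputSchema":{"type":"object","properties":{"name":{"type":"string"}}}}]},"jsonrpc":"2.0","id":2}'

if [ "${1:-}" = "--self-check" ]; then
  printf '%s\n' "$SAMPLE_SERVER_OUTPUT" | mcp_tool_names
else
  names=$(wiremcp_list_tools "${1:-}" || true)
  if [ -n "$names" ]; then
    printf 'tools advertised:\n%s\n' "$names"
    missing=$(missing_tools $names)
    if [ -z "$missing" ]; then
      echo "all seven expected tools present"
    else
      printf 'missing:\n%s\n' "$missing"
    fi
  else
    echo "no tools/list response; run node index.js by hand and read its stderr" >&2
  fi
fi
```

If this prints the seven names but Claude still shows no tools, the problem is on the Claude side (config path, absolute node binary, or a restart that did not happen), not in WireMCP.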
Time to play!
Now open Claude Desktop and we can run a few tests…
1. Ask Claude:
Can you see the WireMCP tools? List all available network analysis capabilities.
Claude should list 7 tools:
– capture_packets
– get_summary_stats
– get_conversations
– check_threats
– check_ip_threats
– analyze_pcap
– extract_credentials
2. Ask Claude:
Capture 20 network packets and tell me:
– What IPs am I talking to?
– What protocols are being used?
– Anything interesting?
3. In terminal run:
```bash
curl -v https://api.github.com/users/octocat
```
Ask Claude:
I just called api.github.com. Can you capture my network traffic
for 10 seconds and tell me:
1. What IP did GitHub resolve to?
2. How long did the connection take?
3. Were there any errors?
4. Ask Claude:
Monitor my network for 30 seconds and show me:
– Top 5 destinations by packet count
– What services/companies am I connecting to?
– Any unexpected connections?
5. Developer Debugging Examples – Debug Slow API. Ask Claude:
I’m calling myapi.company.com and it feels slow.
Capture traffic for 30 seconds while I make a request and tell me:
– Where is the latency coming from?
– DNS, TCP handshake, TLS, or server response?
– Any retransmissions?
6. Developer Debugging Examples – Debug Connection Timeout. Ask Claude:
I’m getting timeouts to db.example.com:5432.
Capture for 30 seconds and tell me:
1. Is DNS resolving?
2. Are SYN packets being sent?
3. Do I get SYN-ACK back?
4. Any firewall blocking?
7. TLS handshake failures (common on zero-trust networks that intercept TLS, which breaks certificate pinning). Ask Claude:
Monitor my network for 2 minutes and look for abnormal TLS handshakes, in particular short-lived TLS sessions, which can occur when certificate pinning rejects the intercepting certificate.
8. Check for Threats. Ask Claude:
Monitor my network for 60 seconds and check all destination
IPs against threat databases. Tell me if anything suspicious.
9. Monitor Background Apps. Ask Claude:
Capture traffic for 30 seconds while I’m idle.
What apps are calling home without me knowing? Only get conversation statistics to show the key connections and the amount of traffic through each. Show any failed traffic or unusual traffic patterns
10. VPN Testing. Ask Claude:
Capture packets for 60 seconds, during which time I will enable my VPN. Compare the difference and see if you can tell exactly when my VPN was enabled.
11. Audit traffic. Ask Claude:
Monitor for 5 minutes and tell me:
– Which service used most bandwidth?
– Any large file transfers?
– Unexpected data usage?
12. Looking for specific protocols. Ask Claude:
Monitor my traffic for 30 seconds and see if you can spot any traffic using QUIC and give me statistics on it.
(then open YouTube in a browser; it uses QUIC)
13. DNS Queries. Ask Claude:
As a network troubleshooter, analyze all DNS queries for 30 seconds and provide potential causes for any errors. Show me detailed metrics on the queries, especially failed queries or unusual DNS patterns (such as NXDOMAIN responses, or PTR or TXT queries).
14. Certificate Issues. Ask Claude:
Capture TLS handshakes for the next minute and show me the certificate chain. Look out for failed or short-lived TLS sessions.
## What Makes This Powerful?
The traditional way used to be:
```bash
sudo tcpdump -i utun5 -w capture.pcap
# Wait…
# Stop capture
# Open Wireshark
# Apply filters
# Analyze packets manually
# Figure out what it means
```
Time: 10-30 minutes!
With WireMCP + Claude:
“Capture my network traffic and tell me
what’s happening in plain English”
Time: 30 seconds
Claude automatically:
– Captures on the interface you configured (the Zscaler utun, utun5 in this example)
– Filters relevant packets
– Analyzes protocols
– Identifies issues
– Explains in human language
– Provides recommendations