
Network Monitor MCP Server
โ 1from skapa-xyz
A server for real-time network packet monitoring and security analysis.
Network Monitor MCP Server
A Model Context Protocol (MCP) server for real-time network packet monitoring and security analysis. This tool enables Claude to inspect network traffic and identify potential security threats.
Features
- Real-time packet capture from WiFi interfaces
- Protocol analysis (TCP, UDP, DNS, HTTP/HTTPS)
- Security threat detection:
- Port scanning detection
- Malicious DNS queries
- Data exfiltration patterns
- Anomaly detection
- MCP tools for Claude integration:
capture_start- Start packet capturecapture_stop- Stop captureget_packets- Retrieve and filter packetsanalyze_traffic- Traffic statisticsget_suspicious- Security threat analysis
Security Considerations
- This tool requires root access to capture packets
- Only use on networks you own or have permission to monitor
- Captured data may contain sensitive information
- The tool is designed for legitimate security monitoring in enterprise environments
Architecture
network-monitor-mcp/
โโโ main.go # Entry point
โโโ mcp/ # MCP protocol implementation
โ โโโ server.go # MCP server core
โ โโโ handlers.go # Tool handlers
โโโ capture/ # Packet capture functionality
โ โโโ sniffer.go # Packet capture engine
โ โโโ analyzer.go # Traffic analysis
โโโ security/ # Security detection
โโโ detector.go # Threat detection algorithmsDevelopment
To contribute or modify:
- Follow Go best practices
- Add tests for new features
- Update documentation
- Test with Claude Desktop before submitting
brew install libpcapPrerequisites
- Go 1.21 or higher
- libpcap development files
- Root/sudo access for packet capture
Installing libpcap
macOS:
brew install libpcapLinux:
# Ubuntu/Debian
sudo apt-get install libpcap-dev
# RHEL/CentOS
sudo yum install libpcap-develInstallation
- Clone the repository:
git clone https://github.com/skapa-xyz/network-monitor-mcp.git
cd network-monitor-mcp- Install dependencies:
go mod download- Build the server:
go build -o network-monitor-mcpUsage
Running the MCP Server
The server requires root privileges for packet capture:
sudo ./network-monitor-mcpConfiguring Claude Desktop
โ ๏ธ IMPORTANT SECURITY WARNING:
Claude Desktop cannot directly execute commands with sudo. To use this MCP server with Claude Desktop, you have two options:
Option 1: Sudoers Configuration (NOT RECOMMENDED for production)
You can configure sudo to allow the network-monitor-mcp binary to run without a password prompt. This has SIGNIFICANT SECURITY IMPLICATIONS and should only be done in isolated development environments where security is not a concern.
-
Edit the sudoers file:
sudo visudo -
Add the following line (replace username and path):
username ALL=(ALL) NOPASSWD: /path/to/network-monitor-mcp -
Update Claude Desktop configuration (
~/Library/Application Support/Claude/claude_desktop_config.jsonon macOS):{ "mcpServers": { "network-monitor": { "command": "/path/to/network-monitor-mcp" } } }
โ ๏ธ SECURITY RISKS:
- This grants passwordless root access to the binary
- If the binary is compromised, an attacker gains root access
- Network packet capture can expose sensitive data
- Only use this in isolated development/testing environments
- Never use this configuration on production systems or machines with sensitive data
Option 2: Run Claude Desktop with elevated privileges (ALSO NOT RECOMMENDED)
You could run Claude Desktop itself with sudo, but this gives the entire application root access, which poses even greater security risks.
Recommended Approach
For production use, consider:
- Running the MCP server as a system service with proper permissions
- Using a dedicated monitoring system with appropriate access controls
- Implementing proper authentication and authorization mechanisms
Example Claude Commands
-
Start monitoring your WiFi interface:
Use the capture_start tool to monitor interface "en0" with a filter for TCP traffic -
Check for suspicious activity:
Use get_suspicious to show any detected security threats -
Analyze traffic patterns:
Use analyze_traffic to show network statistics and connection patterns -
Filter specific packets:
Use get_packets to show all DNS queries or traffic to port 443
Troubleshooting
-
Permission denied errors:
- Ensure you're running with sudo
- Check libpcap installation
-
Interface not found:
- List available interfaces:
ifconfigorip link - Common WiFi interfaces:
en0(macOS),wlan0(Linux)
- List available interfaces:
-
No packets captured:
- Verify the interface is active
- Check your BPF filter syntax
- Ensure there's network traffic to capture
License
This project is for authorized security monitoring only. Use responsibly and in compliance with all applicable laws and regulations.