Drop a suspicious PCAP file into MalShark and ask your AI assistant in plain English to extract all malicious IPs, domains, and indicators of compromise
Detect beaconing behavior in network traffic by asking the AI to check for outbound connections firing at consistent intervals
Find cleartext passwords or authentication tokens sent over the network by describing what you are looking for without writing tshark filters by hand
Requires tshark (the Wireshark CLI) and Python 3.11+ to be installed before setup, and must be registered as an MCP server in Cursor or Claude Desktop before use.
MalShark is a Python tool that helps security analysts investigate suspicious network traffic by letting an AI assistant run packet-analysis commands on their behalf. It wraps tshark, the command-line version of Wireshark, and exposes its capabilities through the Model Context Protocol (MCP), a standard that lets AI coding assistants such as Cursor or Claude Desktop call external tools during a conversation. The practical effect is that you can drop a capture file into a folder, describe what you want to find in plain English, and the AI decides which analysis steps to run and in what order.

It can extract indicators of compromise such as malicious domain names and IP addresses, check whether a suspicious connection is beaconing home at consistent intervals, look for file downloads or large data transfers that might indicate data theft, find cleartext passwords or authentication tokens sent over the network, and detect unusual DNS activity that might signal data smuggling through DNS queries.

The tool runs multiple tshark analysis passes concurrently using Python's asyncio, so a workflow that would take minutes as a sequence of separate tshark invocations completes in roughly the time of the slowest pass. Detection rules were tuned against real malware captures from a public malware traffic research site rather than invented scenarios, and a whitelist of well-known services such as content delivery networks and software update servers keeps false alarms low. Benchmark results against several real malware samples are included in the repository, showing detection rates in the 87 to 100 percent range on the tested cases; the benchmarks cover only those samples, so treat the numbers as indicative rather than general.

The project structure is clean and organized, with each analysis type in its own module and benchmark documentation alongside the code. Installation requires Python 3.11 or newer and tshark already installed on your system; the README gives step-by-step setup instructions for both Debian-based Linux and macOS.
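The two mechanisms the description leans on, fanning several tshark passes out concurrently and scoring outbound connections for beaconing, can be shown in a few dozen lines. The block below is an added example written for this page, not MalShark's own code. The tshark flags and field names (`-T fields`, `-E separator=,`, `frame.time_epoch`, `ip.src`, `ip.dst`, `dns.qry.name`, `http.authorization`) are real; the whitelist entry, the sample capture lines, the `run_passes_sync`/`find_beacons` function names and the 0.15 coefficient-of-variation cutoff are assumptions made for the example. Without tshark and a pcap path it falls back to a constructed conversation listing so the concurrent runner and the detector can still be exercised.

```python
import asyncio
import shutil
import statistics
import sys
from collections import defaultdict

# Assumption: one CDN edge address the capture is known to talk to. MalShark
# keeps a real whitelist of CDNs and update servers; this stands in for it.
KNOWN_GOOD = {"23.45.67.89"}

# Constructed tshark "-T fields -E separator=," output: time_epoch,src,dst.
SAMPLE_CONVERSATIONS = "\n".join([
    # 10.0.0.5 -> 198.51.100.7 every ~60 s with small jitter: a beacon
    "1700000000.0,10.0.0.5,198.51.100.7", "1700000060.4,10.0.0.5,198.51.100.7",
    "1700000119.8,10.0.0.5,198.51.100.7", "1700000180.1,10.0.0.5,198.51.100.7",
    "1700000240.3,10.0.0.5,198.51.100.7", "1700000299.9,10.0.0.5,198.51.100.7",
    # same cadence to a whitelisted CDN: must not be flagged
    "1700000000.0,10.0.0.5,23.45.67.89", "1700000060.0,10.0.0.5,23.45.67.89",
    "1700000120.0,10.0.0.5,23.45.67.89", "1700000180.0,10.0.0.5,23.45.67.89",
    "1700000240.0,10.0.0.5,23.45.67.89",
    # irregular browsing traffic: not a beacon
    "1700000003.0,10.0.0.8,203.0.113.4", "1700000007.5,10.0.0.8,203.0.113.4",
    "1700000090.0,10.0.0.8,203.0.113.4", "1700000091.2,10.0.0.8,203.0.113.4",
    "1700000400.0,10.0.0.8,203.0.113.4",
])


def tshark_passes(pcap: str) -> dict[str, list[str]]:
    """argv for each independent tshark pass over one capture file."""
    base = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=,"]
    return {
        "conversations": base + ["-e", "frame.time_epoch", "-e", "ip.src",
                                 "-e", "ip.dst", "-Y", "ip"],
        "dns_queries": base + ["-e", "frame.time_epoch", "-e", "dns.qry.name",
                               "-Y", "dns.flags.response == 0"],
        "http_auth": base + ["-e", "ip.src", "-e", "http.authorization",
                             "-Y", "http.authorization"],
    }


def demo_passes() -> dict[str, list[str]]:
    """Stand-in command that prints the constructed sample, so the concurrent
    runner can be exercised on a machine without tshark installed."""
    return {"conversations": [sys.executable, "-c",
                              f"print({SAMPLE_CONVERSATIONS!r})"]}


async def run_pass(argv: list[str]) -> str:
    """Run one pass as a subprocess and return its stdout as text."""
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
    out, err = await proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError(f"{argv[0]} failed: {err.decode(errors='replace').strip()}")
    return out.decode(errors="replace")


def run_passes_sync(passes: dict[str, list[str]]) -> dict[str, str]:
    """Launch every pass at once with asyncio.gather; outputs keyed by pass name."""
    async def gather_all():
        names = list(passes)
        outputs = await asyncio.gather(*(run_pass(passes[n]) for n in names))
        return dict(zip(names, outputs))
    return asyncio.run(gather_all())


def find_beacons(conversations: str, min_hits: int = 5,
                 max_cv: float = 0.15) -> list[dict]:
    """Flag src->dst pairs whose packets arrive at near-constant intervals.
    Regularity is the coefficient of variation (stdev/mean) of the gaps;
    the 0.15 cutoff is an assumption for this example, not MalShark's."""
    seen = defaultdict(list)
    for line in conversations.splitlines():
        if not line.strip():
            continue
        t, src, dst = line.split(",")[:3]
        if dst in KNOWN_GOOD:          # whitelist suppresses known-good cadence
            continue
        seen[(src, dst)].append(float(t))
    beacons = []
    for (src, dst), times in seen.items():
        if len(times) < min_hits:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "hits": len(times),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    # Real capture if tshark is present and a path was given; otherwise the sample.
    if len(sys.argv) > 1 and shutil.which("tshark"):
        outputs = run_passes_sync(tshark_passes(sys.argv[1]))
    else:
        outputs = run_passes_sync(demo_passes())
    for hit in find_beacons(outputs["conversations"]):
        print(hit)
```

Run it as `python beacons.py capture.pcap` on a host with tshark to analyse a real file, or with no argument to see the detector flag only the jittered 60-second pair and ignore both the whitelisted CDN and the irregular browsing host. A coefficient of variation on inter-packet gaps is a deliberately simple regularity score; it misses beacons with large random sleep jitter, which is why a real tool also looks at per-destination byte counts and DNS patterns.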
Verify against the repo before relying on details.