mcpcap 0.5.5__tar.gz → 0.5.6__tar.gz

{mcpcap-0.5.5 → mcpcap-0.5.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcpcap
-Version: 0.5.5
+Version: 0.5.6
 Summary: A modular Python MCP Server for analyzing PCAP files
 Author: mcpcap contributors
 License: MIT License

{mcpcap-0.5.5 → mcpcap-0.5.6}/docs/source/index.rst

@@ -9,8 +9,8 @@ mcpcap Documentation
    :target: https://pypi.org/project/mcpcap/
    :alt: Python versions
 
-.. image:: https://github.com/danohn/mcpcap/workflows/Test/badge.svg
-   :target: https://github.com/danohn/mcpcap/actions
+.. image:: https://github.com/mcpcap/mcpcap/workflows/Test/badge.svg
+   :target: https://github.com/mcpcap/mcpcap/actions
    :alt: Test status
 
 A modular Python MCP (Model Context Protocol) Server for analyzing PCAP files. mcpcap provides stateless analysis tools that accept local files or remote URLs as parameters, making it perfect for Claude Desktop and other MCP client integration.
@@ -20,7 +20,7 @@ Features
 
 ✅ **Stateless MCP Tools**: Each analysis tool accepts PCAP file paths or URLs as parameters
 
-✅ **Protocol Support**: DNS and DHCP analysis with easy extensibility for new protocols
+✅ **Protocol Support**: DNS, DHCP, and ICMP analysis with easy extensibility for new protocols
 
 ✅ **Local & Remote Files**: Analyze files from local storage or HTTP URLs
 
@@ -51,6 +51,7 @@ Then use analysis tools with any PCAP file:
 
    analyze_dns_packets("/path/to/dns.pcap")
    analyze_dhcp_packets("https://example.com/dhcp.pcap")
+   analyze_icmp_packets("/path/to/network.pcap")
 
 .. toctree::
    :maxdepth: 2

{mcpcap-0.5.5 → mcpcap-0.5.6}/docs/source/user-guide/analysis-guides.md

@@ -281,4 +281,70 @@ Look for domains with these characteristics:
 - Include both technical details and executive summaries
 - Provide actionable recommendations
 - Document confidence levels in findings
-- Maintain professional presentation standards
+- Maintain professional presentation standards
+
+## DHCP Analysis Fundamentals
+
+### Understanding DHCP Packet Structure
+
+DHCP packets contain several key components:
+
+- **Header**: Message type, transaction ID, flags
+- **Client/Server Addresses**: IP address assignments
+- **Options**: Network configuration parameters
+- **Message Types**: DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
+
+### Key Metrics to Monitor
+
+**DHCP Transaction Flow**
+- Normal: Complete 4-way handshake (DISCOVER→OFFER→REQUEST→ACK)
+- Problem: Incomplete transactions or excessive retries
+- Security: Unexpected message types or timing
+
+**IP Address Management**
+- Normal: Organized lease allocation and renewal
+- Problem: Address pool exhaustion or conflicts
+- Security: Unauthorized DHCP servers or spoofing
+
+### Security Indicators
+
+**Rogue DHCP Servers**
+- Multiple DHCP servers responding
+- Unexpected server IP addresses
+- Suspicious network configuration options
+
+**DHCP Attacks**
+- DHCP starvation (excessive DISCOVER requests)
+- Malicious DHCP options (DNS poisoning)
+- MAC address spoofing patterns
+
+## ICMP Analysis Fundamentals
+
+### Understanding ICMP Packet Structure
+
+ICMP packets provide network diagnostics:
+
+- **Type/Code**: Message type and sub-type
+- **Echo Request/Reply**: Ping functionality
+- **Error Messages**: Network unreachable, TTL exceeded
+- **Timestamp**: Round-trip time analysis
+
+### Key Metrics to Monitor
+
+**Ping Analysis**
+- Normal: Regular echo request/reply pairs
+- Problem: High packet loss or excessive latency
+- Security: ICMP tunneling or covert channels
+
+**Network Diagnostics**
+- Normal: Occasional error messages
+- Problem: Excessive unreachable messages
+- Security: Network reconnaissance patterns
+
+### Security Indicators
+
+**ICMP-based Attacks**
+- ICMP flood attacks
+- ICMP tunneling for data exfiltration
+- Network reconnaissance and scanning
+- Covert channel communication

{mcpcap-0.5.5 → mcpcap-0.5.6}/docs/source/user-guide/installation.md

@@ -34,7 +34,7 @@ If you want to contribute to mcpcap or modify it:
 
 ```bash
 # Clone the repository
-git clone https://github.com/danohn/mcpcap.git
+git clone https://github.com/mcpcap/mcpcap.git
 cd mcpcap
 
 # Install in development mode with all dependencies

{mcpcap-0.5.5 → mcpcap-0.5.6}/docs/source/user-guide/quickstart.md

@@ -13,7 +13,7 @@ pip install mcpcap
 Start mcpcap as a stateless MCP server:
 
 ```bash
-# Start with both DNS and DHCP modules (default)
+# Start with all modules (default: dns,dhcp,icmp)
 mcpcap
 
 # Start with specific modules only
@@ -121,6 +121,35 @@ analyze_dhcp_packets("https://example.com/network-capture.pcap")
 }
 ```
 
+### ICMP Analysis
+
+Use the `analyze_icmp_packets` tool with any PCAP file containing ICMP traffic:
+
+```javascript
+analyze_icmp_packets("/path/to/network.pcap")
+analyze_icmp_packets("https://example.com/ping-capture.pcap")
+```
+
+**Example response:**
+```json
+{
+  "file": "/path/to/network.pcap", 
+  "total_packets": 100,
+  "icmp_packets_found": 12,
+  "icmp_packets_analyzed": 12,
+  "statistics": {
+    "icmp_type_counts": {
+      "Echo Request": 6,
+      "Echo Reply": 6
+    },
+    "unique_sources_count": 2,
+    "unique_destinations_count": 2,
+    "echo_sessions": 1
+  },
+  "packets": ["...detailed ICMP analysis..."]
+}
+```
+
 ## 5. Use Analysis Prompts
 
 mcpcap includes specialized prompts to guide your analysis:
@@ -165,16 +194,37 @@ mcpcap includes specialized prompts to guide your analysis:
   - Evidence collection
   - Incident reconstruction
 
+### ICMP Analysis Prompts
+
+- **`icmp_network_diagnostics`** - Network troubleshooting:
+  - Ping connectivity analysis
+  - Network path tracing
+  - RTT and latency analysis
+  - Packet loss detection
+
+- **`icmp_security_analysis`** - Security threats:
+  - ICMP-based attacks (floods, tunneling)
+  - Reconnaissance activity detection
+  - Covert channel communication
+  - Network scanning patterns
+
+- **`icmp_forensic_investigation`** - Forensic analysis:
+  - Network activity timeline
+  - Host communication patterns
+  - Evidence preservation
+  - Attack vector analysis
+
 ## 6. Example Workflow
 
 Here's a typical analysis workflow:
 
 1. **Start the server**: `mcpcap`
 2. **Analyze DNS traffic**: `analyze_dns_packets("/path/to/capture.pcap")`
-3. **Review results**: Look for unusual domains or query patterns
+3. **Review results**: Look for unusual domains or query patterns  
 4. **Use specialized prompts**: Apply security_analysis for threat detection
 5. **Analyze DHCP traffic**: `analyze_dhcp_packets("/path/to/capture.pcap")`
-6. **Cross-reference findings**: Correlate DNS and DHCP data for complete picture
+6. **Analyze ICMP traffic**: `analyze_icmp_packets("/path/to/capture.pcap")`
+7. **Cross-reference findings**: Correlate DNS, DHCP, and ICMP data for complete network picture
 
 ## 7. Configuration Options
 
@@ -187,8 +237,11 @@ mcpcap --modules dns
 # DHCP analysis only
 mcpcap --modules dhcp
 
-# Both modules (default)
-mcpcap --modules dns,dhcp
+# All modules (default)
+mcpcap --modules dns,dhcp,icmp
+
+# Or specific combinations
+mcpcap --modules dns,icmp
 ```
 
 ### Performance Tuning
@@ -211,6 +264,9 @@ analyze_dns_packets("./examples/dns.pcap")
 
 // Test DHCP analysis  
 analyze_dhcp_packets("./examples/dhcp.pcap")
+
+// Test ICMP analysis
+analyze_icmp_packets("./examples/icmp.pcap")
 ```
 
 ## Next Steps

{mcpcap-0.5.5 → mcpcap-0.5.6}/src/mcpcap/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.5.5'
-__version_tuple__ = version_tuple = (0, 5, 5)
+__version__ = version = '0.5.6'
+__version_tuple__ = version_tuple = (0, 5, 6)
 
-__commit_id__ = commit_id = 'g776b9d2d9'
+__commit_id__ = commit_id = 'gff58bfaa5'

{mcpcap-0.5.5 → mcpcap-0.5.6}/src/mcpcap.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcpcap
-Version: 0.5.5
+Version: 0.5.6
 Summary: A modular Python MCP Server for analyzing PCAP files
 Author: mcpcap contributors
 License: MIT License