ChatTCP MCP Server is Now Live - Use AI to View and Analyze PCAP Files

ChatTCP now provides MCP Server, a remote MCP service that users do not need to install.
The MCP Server provides the following tools:
- Get all TCP connections
- Get diagnostic analysis results for specified connections
- Get detailed packets for specified connections with application layer protocol decoding
- Get diagnostic analysis results for all TCP connections
- Decode application layer protocols for specified connections, returning decoded results
- Search packets by TCP flags or application layer protocol; fuzzy search matches both the raw TCP payload and the decoded application layer protocol payload.
AI + ChatTCP makes TCP analysis and troubleshooting much simpler. Working from the diagnostic results, latency, packet loss and retransmission data that ChatTCP provides, together with the readable packet information it returns, AI can perform further analysis, discover issues that ChatTCP might have missed, streamline the conclusions toward solving the user's problem, and provide more comprehensive recommendations.
How to Use
- Log in to the ChatTCP online web version and switch to MCP Integration to get your API key.
- The MCP Integration page provides MCP server configuration.
To use ChatTCP MCP Server to analyze PCAP files, you first need to upload PCAP files to the MCP server. There are two upload methods:
- For small files (<10M), you can upload directly through AI conversation by having AI encode the file in base64 and upload it.
- For large files (>10M), you need to upload PCAP files on the web version, or have AI call MCP to provide a curl command for temporarily uploading local files, execute the curl command in the terminal to complete the file upload, then tell AI that you have finished uploading.
After uploading is complete, AI will list all your uploaded PCAP files. In subsequent AI conversations, you need to tell AI which file you want to analyze.
Click to go: MCP Integration.
A Use Case
User Input
@mcp:chattcp: What files have I uploaded?
Planner Response
I'll check what files you have uploaded to the chattcp MCP server.
Running MCP tool
Planner Response
You have uploaded 2 PCAP files to the chattcp server:
- 30.pcap
  - File ID: 20250730103547.pcap
  - Upload time: 2025-07-30 10:35:47
  - File size: 2.81M
- 28.pcap
  - File ID: 20250730103440.pcap
  - Upload time: 2025-07-30 10:34:40
  - File size: 1.14K
You can use these file IDs for network traffic analysis, such as viewing TCP connections, packet contents, protocol parsing, etc. Which file would you like to analyze?
User Input
Help me analyze connections to server port 8080 in the 30.pcap file, why didn't the client receive a response after sending a request?
Planner Response
I'll help you analyze the connection issues for server port 8080 in the 30.pcap file. Let me first get all TCP connection information.
Running MCP tool
Planner Response
I see that there are no connections to port 8080 in this file, all connections are to port 36780. Let me search for any port 8080 related packets:
Running MCP tool
Planner Response
It seems there are no port 8080 connections in the 30.pcap file. Let me check if the other file 28.pcap contains port 8080 connections:
Running MCP tool
Planner Response
Let me search for port 8080 in the 28.pcap file:
Running MCP tool
Planner Response
Based on the analysis results, I found:
Analysis Results
No port 8080 connections found in 30.pcap file
In the 30.pcap file, I found 14 TCP connections, but all are connecting to port 36780, with no port 8080 traffic. Specific connection information:
- Source IP: 192.168.12.223 (client)
- Destination IP: 172.16.2.116 and 172.16.2.120 (servers)
- Destination Port: 36780 (not 8080)
Possible Scenarios
- File content mismatch: You may need to check if you uploaded the correct PCAP file
- Wrong port number: The actual server port might be 36780 instead of 8080
- Time range issue: Port 8080 traffic might be in other time periods, not in this capture file
Recommendations
- Confirm port number: Check if the server is actually listening on port 8080
- Re-capture: If you need to analyze port 8080 traffic, please recapture packets containing that port traffic
- Analyze existing connections: If you want to analyze port 36780 connection issues, I can help you analyze problems in these connections (I noticed some connections have retransmission and unacknowledged flags)
Would you like me to analyze the port 36780 connection issues, or do you have other PCAP files containing port 8080 traffic?
User Input
Can you help me analyze if there are any issues? The downloaded images are all corrupted, seeming to be only half of the images.
Planner Response
I'll help you analyze the connection issues in the 30.pcap file, especially the incomplete image download problem. Let me first check the detailed diagnostic information of the connections.
Running MCP tool
Planner Response
Now let me check the detailed packet information of some problematic connections, especially those with retransmission and unacknowledged flags:
Running MCP tool
Planner Response
Now let me decode the HTTP application layer protocol data for this connection:
Running MCP tool
Planner Response
Let me check another problematic connection:
Running MCP tool
Planner Response
Based on the detailed analysis of the 30.pcap file, I found several key issues causing incomplete image downloads:
🔍 Analysis Results
Main Issues
- Incomplete server response
  - In connection 192.168.12.223:63267->172.16.2.116:36780, the client requested image file /public/5345617217620803711.jpg
  - The server only sent 196 bytes of HTTP response, then immediately initiated connection closure (FIN packet)
  - This explains why images are only half complete or corrupted
- Abnormal connection termination
  - Server actively closed connections before data transmission was complete
  - TCP retransmissions and duplicate ACKs occurred
  - Multiple connections have has_not_ack and has_retransmission flags
- Network transmission issues
  - Detected low transmission speed (0 bytes/s)
  - Out-of-order packets and retransmissions present
  - Unstable connections with frequent Keep-Alive packets
Specific Problem Connections
Connection 1: 192.168.12.223:63267->172.16.2.116:36780
- Request: GET /public/5345617217620803711.jpg
- Issue: Server only returned 196 bytes before closing connection
- Status: Has retransmission flags
Connection 2: 192.168.12.223:51851->172.16.2.120:36780
- Request: GET /metrics_state
- Issue: Many out-of-order packets and duplicate ACKs
- Status: Has unacknowledged packet flags
🛠️ Solution Recommendations
- Server-side issues
  - Check if server application properly handles large file transfers
  - Ensure server doesn't close connections prematurely
  - Check server memory and disk space
- Network issues
  - Check network connection stability
  - Possible firewall or proxy interference
  - Consider adjusting TCP window size and timeout settings
- Client-side optimization
  - Implement resume download functionality
  - Add retry mechanisms
  - Check client receive buffer settings
The root cause of incomplete image downloads is that the server actively closed connections before file transmission was complete, which may be due to server application bugs or configuration issues.
User Input
Can you tell me the HTTP transmission content in these connections? If it's a file, just tell me it's a file, otherwise show the complete HTTP transmission data.
Planner Response
I'll check the HTTP transmission content in these connections. Let me examine each connection with HTTP data:
Running MCP tool
Planner Response
This connection only has Keep-Alive packets, no HTTP data. Let me check another connection:
Running MCP tool
Planner Response
Now let me check another connection with HTTP data:
Running MCP tool
Planner Response
Based on the detailed analysis of these connections, I can now summarize the HTTP transmission content in the 30.pcap file:
📋 HTTP Transmission Content Summary
🖼️ File Download Requests
Connection 1: 192.168.12.223:63267->172.16.2.116:36780
- Request: GET /public/5345617217620803711.jpg HTTP/1.1
- Content: Image file download
- Issue: Server only returned 196 bytes before closing connection, causing incomplete image
Connection 2: 192.168.12.223:49459->172.16.2.116:36780
- Request: GET /public/5345617217620803711.jpg HTTP/1.1
- Content: Duplicate request for the same image file
- Issue: Also only returned 196 bytes, with retransmission issues
📊 API Interface Requests
Connection 3: 192.168.12.223:51851->172.16.2.120:36780
- Request: GET /metrics_state HTTP/1.1
- Content: [Omitted]
- Response: Returned large amount of JSON data (about 72KB), containing system status information
- Issue: Out-of-order packets and duplicate ACKs present
Connection 4: 192.168.12.223:53972->172.16.2.120:36780
- Request: GET /metrics_delay HTTP/1.1
- Content: [Omitted]
- Response: Returned large amount of JSON data (about 72KB), containing latency metrics information
- Issue: Many out-of-order packets and unacknowledged packets
🔗 Other Connections
The remaining 10 connections are mainly Keep-Alive connections with no actual HTTP data transmission, only TCP handshakes and connection maintenance packets.
🚨 Main Issues
- Incomplete image file transmission - Server closed connections prematurely
- Unstable network transmission - Many retransmissions, out-of-order packets and duplicate ACKs
- API responses are complete, but network issues occurred during transmission
User Input
Can you show me the JSON data from the HTTP responses?
Planner Response
I need to extract the HTTP response JSON data from the packets. Let me examine the server response packets from those connections with large data transfers.
From the previous analysis, I saw that connections 192.168.12.223:51851->172.16.2.120:36780 and 192.168.12.223:53972->172.16.2.120:36780 both have large amounts of JSON response data.
Let me extract the HTTP response data from one of these connections. From the previous packet analysis, I can see the JSON data returned by the server. Let me organize it:
📄 HTTP Response JSON Data
/metrics_state Interface Response
JSON response data extracted from connection 192.168.12.223:51851->172.16.2.120:36780:
[Omitted JSON data]
📊 Data Description
These JSON responses contain detailed analysis data of network connections:
- Connection Status Information - Detailed statistics for each TCP connection
- Network Quality Assessment - Including retransmission rate, packet loss rate, latency and other metrics
- Latency Measurements - Client-to-server and server-to-client latency statistics
- Performance Recommendations - Network optimization suggestions based on analysis results
This data indicates that the server is providing network monitoring and analysis services, monitoring TCP connection performance metrics.
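The truncated-download diagnosis in the use case above (a short server response followed by a FIN) can be checked mechanically against a reassembled server-to-client byte stream. The following Python is an added example, not part of the original conversation or ChatTCP's code; the function names and the sample bytes are constructed for illustration, and it assumes the stream holds a single response to a GET request.

```python
def parse_head(stream):
    """Return (status, headers, body), or None if the header block is incomplete."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(b" ", 2)
    if not sep or len(parts) < 2 or not parts[1].isdigit():
        return None
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def chunked_done(body):
    """True only if the zero-size last chunk and its terminator arrived."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False
        try:
            size = int(body[pos:eol].split(b";")[0], 16)
        except ValueError:
            return False
        if size <= 0:
            return size == 0 and b"\r\n\r\n" in body[eol:]
        pos = eol + 2 + size + 2  # size-line CRLF, chunk data, data CRLF

def check_response(stream, server_sent_fin):
    """Classify a GET response: complete, truncated, in-progress or unknown."""
    unfinished = "truncated" if server_sent_fin else "in-progress"
    parsed = parse_head(stream)
    if parsed is None:
        return unfinished
    status, headers, body = parsed
    if status in (204, 304):
        return "complete"  # these statuses never carry a body
    if "chunked" in headers.get("transfer-encoding", "").lower():
        done = chunked_done(body)
    elif headers.get("content-length", "").isdecimal():
        done = len(body) >= int(headers["content-length"])
    else:
        # Close-delimited body: FIN is the only end marker, so the capture
        # alone cannot show whether the server sent all it intended to.
        return "unknown" if server_sent_fin else "in-progress"
    return "complete" if done else unfinished

# Constructed sample, not from the page's capture: 48213 bytes promised, 40 sent.
SAMPLE = b"HTTP/1.1 200 OK\r\nContent-Length: 48213\r\n\r\n" + b"\xff\xd8" + b"\x00" * 38
```

A "truncated" result places the fault on the sending side of the capture point; an "unknown" result means the response has no length framing and has to be compared against the original file instead.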
Published: August 2, 2025