# Network Forensics MCP Interfaces This document describes the two MCP (Model Context Protocol) interfaces available in the Network Forensics Environment. ## Overview The Network Forensics Environment provides **two distinct MCP interfaces** to support different use cases and client compatibility: 1. **Simplified MCP Interface** (`/mcp`) - OpenEnv custom protocol 2. **Standard MCP Interface** (`/mcp-standard`) - Full MCP protocol compliance ## Interface Comparison | Feature | Simplified MCP (`/mcp`) | Standard MCP (`/mcp-standard`) | |---------|-------------------------|--------------------------------| | **Protocol** | OpenEnv custom JSON-RPC | Full MCP specification | | **Compatibility** | OpenEnv clients | Claude Desktop, Cursor, LangChain | | **Initialize** | Not required | Required (`/initialize`) | | **Tool Discovery** | Static | Dynamic (`/tools/list`) | | **WebSocket** | Custom format | Standard MCP format | | **Use Case** | Legacy support | Modern MCP clients | ## Simplified MCP Interface (`/mcp`) **Endpoint**: `http://localhost:8000/mcp` This interface maintains compatibility with existing OpenEnv clients and provides a simplified JSON-RPC style API. ### Usage ```bash # HTTP POST curl -X POST http://localhost:8000/mcp \ -H "Content-Type: application/json" \ -d '{"action_type": "inspect_packet", "packet_id": "pkt_0001"}' # WebSocket ws://localhost:8000/mcp ``` ### Tools Available - `inspect_packet` - Reveal packet payload - `flag_as_suspicious` - Mark packet as malicious - `group_into_session` - Group related packets - `tag_pattern` - Classify attack patterns - `identify_entry_point` - Find initial compromise - `submit_report` - Submit final analysis ## Standard MCP Interface (`/mcp-standard`) **Endpoints**: - HTTP: `http://localhost:8000/mcp-standard` - WebSocket: `ws://localhost:8000/mcp-standard/ws` This interface implements the full MCP specification and is compatible with standard MCP clients like Claude Desktop, Cursor, and LangChain. ### Quick Start 1. **Start the server**: ```bash python -m server.app ``` 2. **Get MCP interface info**: ```bash curl http://localhost:8000/mcp-info ``` 3. **Initialize connection**: ```bash curl -X POST http://localhost:8000/mcp-standard/initialize \ -H "Content-Type: application/json" \ -d '{ "protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "claude-desktop", "version": "1.0.0"} }' ``` 4. **List available tools**: ```bash curl -X POST http://localhost:8000/mcp-standard/tools/list ``` 5. **Call a tool**: ```bash curl -X POST http://localhost:8000/mcp-standard/tools/call \ -H "Content-Type: application/json" \ -d '{ "name": "inspect_packet", "arguments": {"packet_id": "pkt_0001"} }' ``` ### Available Tools #### `reset_env` Start a new investigation episode. ```json { "name": "reset_env", "arguments": { "task_id": "easy" // "easy", "medium", or "hard" } } ``` #### `get_status` Get current investigation status. ```json { "name": "get_status", "arguments": {} } ``` #### `inspect_packet` Reveal packet payload for analysis. ```json { "name": "inspect_packet", "arguments": { "packet_id": "pkt_0001" } } ``` #### `flag_as_suspicious` Flag a packet as malicious. ```json { "name": "flag_as_suspicious", "arguments": { "packet_id": "pkt_0001" } } ``` #### `group_into_session` Group related packets. ```json { "name": "group_into_session", "arguments": { "session_name": "ddos_attack_1", "packet_ids": ["pkt_0001", "pkt_0002", "pkt_0003"] } } ``` #### `tag_pattern` Classify attack patterns. ```json { "name": "tag_pattern", "arguments": { "session_name": "ddos_attack_1", "pattern_type": "ddos" } } ``` #### `identify_entry_point` Find initial compromise. ```json { "name": "identify_entry_point", "arguments": { "claimed_entry_point": "pkt_0001" } } ``` #### `submit_report` Submit final analysis. ```json { "name": "submit_report", "arguments": { "incident_summary": "Found DDoS attack targeting...", "claimed_entry_point": "pkt_0001" } } ``` ## WebSocket Usage (Standard MCP) For real-time communication, use the WebSocket endpoint: ```javascript const ws = new WebSocket('ws://localhost:8000/mcp-standard/ws'); ws.onopen = () => { // Initialize ws.send(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "initialize", params: { protocolVersion: "2024-11-05", capabilities: {}, clientInfo: { name: "claude-desktop", version: "1.0.0" } } })); }; ws.onmessage = (event) => { const response = JSON.parse(event.data); console.log("MCP Response:", response); }; ``` ## Testing Both Interfaces Use the provided test script to verify both interfaces work correctly: ```bash python test_mcp_interfaces.py ``` This will test: - ✅ Simplified MCP interface - ✅ Standard MCP HTTP endpoints - ✅ Standard MCP WebSocket - ✅ Complete forensics workflow ## Choosing the Right Interface ### Use Simplified MCP (`/mcp`) when: - Working with existing OpenEnv clients - Need backward compatibility - Prefer simpler JSON-RPC style ### Use Standard MCP (`/mcp-standard`) when: - Integrating with Claude Desktop - Building Cursor plugins - Using LangChain or other MCP-compatible tools - Need full protocol compliance ## Troubleshooting ### "Method not found: initialize" **Cause**: Using standard MCP client with simplified interface **Solution**: Use `/mcp-standard` endpoint instead of `/mcp` ### Connection refused **Cause**: Server not running **Solution**: Start the server first: ```bash python -m server.app ``` ### WebSocket connection fails **Cause**: Port conflicts or firewall issues **Solution**: Check port 8000 is available and firewall allows WebSocket connections ## Migration Guide ### From Simplified to Standard MCP 1. **Add initialization step**: ```bash # Old (simplified) curl -X POST /mcp -d '{"action_type": "inspect_packet", ...}' # New (standard) curl -X POST /mcp-standard/initialize -d '{...}' curl -X POST /mcp-standard/tools/call -d '{"name": "inspect_packet", ...}' ``` 2. **Use tool discovery**: ```bash curl -X POST /mcp-standard/tools/list ``` 3. **Update WebSocket format**: ```javascript // Old (simplified) ws.send(JSON.stringify({"action_type": "inspect_packet", ...})); // New (standard) ws.send(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/call", params: {name: "inspect_packet", arguments: {...}} })); ``` ## Further Reading - [Model Context Protocol Specification](https://modelcontextprotocol.io/) - [OpenEnv Documentation](https://openenv.readthedocs.io/) - [Network Forensics Environment README](README.md)