Automating SSL Keys and Trace File Selection in Wireshark with PowerShell

As network engineers and technicians, we often rely on Wireshark to troubleshoot and analyze network traffic. When it comes to decrypting TLS traffic, we need to use an SSL keys file to enable Wireshark to decode the encrypted packets. However, manually selecting and updating the SSL keys file and trace file can be time-consuming and cumbersome, especially when we have to do it frequently. To address this challenge, we have created a PowerShell script that automates the process of selecting an SSL keys file, updating Wireshark preferences, and opening a trace file, thus streamlining the workflow for network professionals.

Our custom PowerShell script simplifies the process of working with SSL keys and trace files in Wireshark by automating the selection and updating steps. Here’s how the script works:

  1. Presents a file dialog for the user to select the SSL keys file (with a ".sslkeys" extension) and the trace file (with a ".cap" or ".pcap" extension).
  2. Reads the Wireshark preferences file.
  3. Updates the "tls.keylog_file:" line with the selected SSL keys file path.
  4. Saves the updated preferences back to the Wireshark preferences file.
  5. Opens the chosen trace file with Wireshark.

This script is particularly useful for those who work with multiple SSL keys and trace files regularly, as it saves time and effort, allowing network engineers and technicians to focus on analyzing network traffic instead of dealing with the hassle of manual file selection.

```powershell
<#
.SYNOPSIS
Automates the process of selecting an SSL keys file, updating Wireshark preferences, and opening a trace file.

.DESCRIPTION
This script allows the user to select an SSL keys file and a trace file, updates the Wireshark preferences with the selected SSL keys file, and opens the trace file in Wireshark. It supports custom Wireshark installation paths.

.PARAMETER WiresharkInstallationPath
The installation path of Wireshark. Default is "C:\Program Files\Wireshark\wireshark.exe".

.PARAMETER WiresharkPreferencesFilePath
The path to the Wireshark preferences file. Default is "$env:APPDATA\Wireshark\preferences".

.NOTES
Author: Mauricio Schaepers, VS Qloud Solution GmbH
Disclaimer: This script is provided "as-is" without any warranty or support. Use at your own risk.

.EXAMPLE
.\WiresharkTlsAutomation.ps1

.EXAMPLE
.\WiresharkTlsAutomation.ps1 -WiresharkInstallationPath "C:\CustomPath\Wireshark\wireshark.exe" -WiresharkPreferencesFilePath "C:\CustomPath\Wireshark\preferences"
#>

[CmdletBinding()]
param(
    [string]$WiresharkInstallationPath = "C:\Program Files\Wireshark\wireshark.exe",
    [string]$WiresharkPreferencesFilePath = "$env:APPDATA\Wireshark\preferences"
)

Add-Type -AssemblyName System.Windows.Forms

# Show a file-open dialog and return the chosen path, or $null if the user cancels
function Select-FileDialog {
    param(
        [string]$Title = "Select a file",
        [string]$Filter = "All files (*.*)|*.*"
    )

    $openFileDialog = New-Object System.Windows.Forms.OpenFileDialog
    $openFileDialog.Title = $Title
    $openFileDialog.Filter = $Filter
    $openFileDialog.Multiselect = $false

    if ($openFileDialog.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {
        return $openFileDialog.FileName
    } else {
        return $null
    }
}

# Select SSL keys file and trace file
$localSslKeysPath = Select-FileDialog -Title "Select the SSL keys file" -Filter "SSL keys files (*.sslkeys)|*.sslkeys"
$traceFilePath = Select-FileDialog -Title "Select the trace file" -Filter "Capture files (*.cap, *.pcap)|*.cap;*.pcap"

if ($null -eq $localSslKeysPath -or $null -eq $traceFilePath) {
    Write-Host "File selection cancelled or invalid. Exiting script."
    exit
}

# Update Wireshark preferences: replace the existing tls.keylog_file line,
# or append one if the file has no such line yet
$prefContent = Get-Content -Path $WiresharkPreferencesFilePath
$updatedPrefContent = @()
$keylogLineFound = $false

foreach ($line in $prefContent) {
    if ($line.StartsWith("tls.keylog_file:")) {
        $updatedPrefContent += "tls.keylog_file: $localSslKeysPath"
        $keylogLineFound = $true
    } else {
        $updatedPrefContent += $line
    }
}

if (-not $keylogLineFound) {
    $updatedPrefContent += "tls.keylog_file: $localSslKeysPath"
}

Set-Content -Path $WiresharkPreferencesFilePath -Value $updatedPrefContent

# Open trace file with Wireshark (the path is quoted so spaces do not split the argument)
Start-Process $WiresharkInstallationPath -ArgumentList "`"$traceFilePath`""

Write-Host "Wireshark preferences updated and trace file opened successfully."
```
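
An alternative to steps 2 to 4, as an added example that is not part of the original script: Wireshark's `-o` command-line option overrides a preference for a single launch, so the script does not have to rewrite the preferences file, and the key log is shape-checked first without printing any secret. The function names `Test-TlsKeyLogFile` and `Open-TraceWithKeyLog` and the sample paths are assumptions made for this example.

```powershell
# Added example, not part of the original script. Function names are hypothetical.
function Test-TlsKeyLogFile {
    param([Parameter(Mandatory)][string]$Path)

    # Shape check only: "<LABEL> <hex> <hex>", e.g. "CLIENT_RANDOM <client random> <secret>".
    $entryPattern = '^[A-Z0-9_]+ [0-9a-fA-F]+ [0-9a-fA-F]+$'
    $entries = 0
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        if ($line -match '^\s*(#.*)?$') { continue }   # blank lines and comments
        if ($line -cnotmatch $entryPattern) {
            # Report the line number only; never echo key material to the console.
            Write-Warning "Line ${lineNo} of '$Path' is not a key log entry."
            return $false
        }
        $entries++
    }
    return ($entries -gt 0)
}

function Open-TraceWithKeyLog {
    param(
        [Parameter(Mandatory)][string]$TracePath,
        [Parameter(Mandatory)][string]$KeyLogPath,
        [string]$WiresharkPath = "C:\Program Files\Wireshark\wireshark.exe"
    )

    foreach ($file in $TracePath, $KeyLogPath, $WiresharkPath) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            throw "File not found: $file"
        }
    }
    if (-not (Test-TlsKeyLogFile -Path $KeyLogPath)) {
        throw "Not a usable TLS key log file: $KeyLogPath"
    }

    # -o overrides one preference for this launch; -r names the capture to read.
    # Embedded quotes keep paths with spaces together as single arguments.
    $wsArgs = @('-o', "`"tls.keylog_file:$KeyLogPath`"", '-r', "`"$TracePath`"")
    Start-Process -FilePath $WiresharkPath -ArgumentList $wsArgs
}

# Constructed sample paths for illustration:
# Open-TraceWithKeyLog -TracePath "C:\Traces\sample.pcap" -KeyLogPath "C:\Traces\sample.sslkeys"
```

Because a key log file holds the session secrets for every captured connection it covers, keep it in a directory with restricted ACLs and delete it when the analysis is finished.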

We hope this script streamlines your Wireshark workflow and proves to be beneficial in your network analysis tasks. Feel free to use and adapt the script provided in this blog post to your needs.