I'm looking for a tool that will monitor network traffic (wireshark/ethereal) and based on the traffic it sees, essentially create a firewall rule set, or show in layman's terms what traffic is on the network.

My problem now, is that with wireshark, I see every packet of every connection... which for what I want to do is too much information. My goal is to just see what each system is doing over a period of a month or so. Then, based on the data received, build a more strict firewall policy.

IE: TCP 443 Outbound, TCP 80 Outbound, TCP 22 Outbound

Anybody know of any tools that would help in doing this?

hi,

logging is your best friend - before the firewall doing the action.

example :
INPUT -i eth0 -p tcp -dport 22 -j LOG <then> action :
INPUT -i eth0 -p tcp -dport 22 -j ACCEPT/DROP?

HTH.

I suggest having TCPDUMP (or Snort) log to a flat file:

1. For each IP (if you're using static IPs within your LAN), run an instance of tcpdump, recording each IP's activity. When the month is up, replay the traffic and conduct an analysis of what traffic was captured and adjust your firewall policy accordingly.

2. Sniff your entire internal network range for a month, using tcpdump, then when the month is up, replay the traffic, filtering on each IP's traffic and adjust your firewall policy accordingly.

Sniffing traffic is better because you should be able to see all traffic. Unless you're logging before every firewall rule, you're not going to see everything...and I don't suggest logging all firewall traffic, unless you've a ton of hard disk space to burn. A firewall should used for perimeter security, IMO...a sniffer can be used as an audit tool to enhance a firewall policy.