We have Cisco switches and firewalls. Is there a way to not allow protocol analyzers to be used by employees on their workstations?
If an employee goes on a bad website, then multiple bad things could happen including the installation of unauthorized software - which might include a packet sniffer. But I do not believe that the routers or switches can detect the presence of software like that on workstations.
And a duplicate TCP sequence number does not particularly indicate the presence of a packet sniffer. A packet sniffer just listens to traffic and does not interfere with traffic. The duplicate TCP sequence numbers are more likely caused by something that is requiring retransmission of TCP packets (lost packets or late arriving packets).
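As an added illustration that is not part of the original reply, the following sketch shows how duplicate sequence numbers in a capture can be traced back to retransmissions by the sending host. The packet records, addresses and the exact-match heuristic are constructed assumptions; real analyzers use more elaborate rules.

```python
from collections import namedtuple

# One captured TCP segment: timestamp, 4-tuple, sequence number, payload length.
Segment = namedtuple("Segment", "ts src sport dst dport seq length")

# Constructed sample capture (not from the original thread): the segment at
# seq 2461 is lost in transit, so the sender transmits it again ~200 ms later.
CAPTURE = [
    Segment(0.000, "10.0.0.5", 50312, "10.0.0.9", 445, 1001, 1460),
    Segment(0.001, "10.0.0.5", 50312, "10.0.0.9", 445, 2461, 1460),
    Segment(0.002, "10.0.0.5", 50312, "10.0.0.9", 445, 3921, 1460),
    Segment(0.003, "10.0.0.9", 445, "10.0.0.5", 50312, 7001, 0),  # pure ACK
    Segment(0.004, "10.0.0.9", 445, "10.0.0.5", 50312, 7001, 0),  # duplicate ACK
    Segment(0.210, "10.0.0.5", 50312, "10.0.0.9", 445, 2461, 1460),  # resend
    Segment(0.211, "10.0.0.5", 50312, "10.0.0.9", 445, 5381, 1460),
]


def find_retransmissions(segments):
    """Return (segment, delay_seconds) for every data segment whose exact
    sequence range was already sent in the same direction of the same flow."""
    first_seen = {}
    hits = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.length == 0:
            # Pure ACKs carry no data and legitimately repeat a sequence number.
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq, seg.length)
        if key in first_seen:
            hits.append((seg, round(seg.ts - first_seen[key], 3)))
        else:
            first_seen[key] = seg.ts
    return hits


if __name__ == "__main__":
    for seg, delay in find_retransmissions(CAPTURE):
        print(f"{seg.src}:{seg.sport} resent seq {seg.seq} "
              f"({seg.length} bytes) after {delay}s")
```

Every duplicate it reports originates from the flow's own sender, which is what loss or delay on the path produces.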