Wireshark is a passive application from the network's POV.  It simply records anything that is already available on the segment to which the host is connected.  You may be able to limit the amount of information one could sniff by controlling what is sent to your access segment, but your network infrastructure will likely not help you "prevent" someone from running Wireshark.  It may be possible to prevent the application through some  Windows policies (if you're running a Windows infrastructure), but I'm not familiar enough with AD to provide a definitive answer to that.  There are other solutions, I believe, that enforce a "trusted desktop", but these are applications and separate from the network infrastructure.

Port scanning software is more active, so it can be observed.  The key points would be 1) finding an active scanner, and 2) determining how you wan to stop it.  The first step requires something in the network to be able to monitor traffic by host(s) over a period of time and analyze for patterns.  It is possible that the access switch could play a role in this, but I don't believe it would be the sole point of action.  Once a scanner is found, the policing system could work in conjunction with the access switch to shut down the port or take other action as appropriate.  However, it will not be able to directly affect the application running on a host machine.

Good luck! -Ed

Hi

Basically the answer is You can not do that.

That does not mean however that it is not possible to achieve to some degree what you are asking for.

First of all what is it that you want to achieve ? the end goal I mean.

Lets se here

Wireshark

Shure you can do a check to se if the computer (if it adheres to your windows group policys) does not have wireshark installed but what happens with fx vmware ? is that allowed ?

if it is you are toast. and so on

There are always ways around this type of blocking so the best thing is to have a good IT policy that tells people that they are not allowed to do whatever it now is that you do not want them to do.

If you find out that they are doing it anyway then I usualy go out to the user in question and have a chat with them to make sure that they are fully aware of the situation and the rules. If they continue I let HR dept know that they are in violation of the protocols and then its up to their bosses to fire them or deduct pay or whatever the punishment is for violating the rules.

Now the second part you want to do is not allow portscanning.

This is basically impossible to do, a port scan can take a few seconds to years to do.

There is no timelimit in theory, but well in practice it is all dependant on what or why you are scanning.

Only an idiot not caring about getting cought would scan as fast as it is possible to do so.

if you do a scan that will scan a class C network for 5 different ports in about a week it will just drown in the static noise of the network and you will not find it.

You stated that you had users in one place and resources in outher places, dependant how scattered the users are you can do some stuff.

First are the users in any way in need to contact eachother ?

if they are this will not work.

if they are not this might work.

if you setup users in a fx 3750 stack and then you apply protected ports on the users but not the router then they can not see eachother but they can reach their router so this solves both the wireshark question ie they can see their own traffic but not anyone elses and some of the portscanning question ie they can not reach anyone in their own vlan except the router. Also they will be able to portscan things through the router.

To handle the portscanning internally you simply put up a honey net and space out the adresses

if they are scanning you will detect them if you setup enough addresses.

word of advice though let them step in it properly before taking action someone could have misspelled or written an ip address wrong so it could be just innocent.

You can even do checks with access-lists and eem to let you know when and who so you can monitor them more carefully. fx you could setup a capture in the router if they trip an access-list that automagicaly captures all traffic to and from that host.

Good luck

Hope This Helps

Off the top of my head I don't have a perfect answer. You may be able to find a NetFlow analyzer that either has a trigger or can be scripted to look for certain activity. Snort comes to mind as well. It may have portscan detection capability. It is freely available for at least some applications, so you could give it a trial.

Hope this helps! -Ed

Sent from Cisco Technical Support Android App

Port scan is an application.  Routers and switches do not operate in this layer.

Windows Group Policy is your answer here. 

I think 802.1x, along with a rigid windows security policy is your answer here. IPS/IDS is the only way to detect or prevent portscans, and would be incredibly expensive to deploy in a way that would prevent portscanning on the subnet/VLAN the device resides on.

Rather than stopping the scanning from happening I would look at how to keep the machine from getting on the network in the first place.

Sent from Cisco Technical Support Android App

If you are in a situation where running DAI is an option , the default behavior is to rate limit arp requests to 15pps - 20pps , most " IP Scanners" greatly exceed this threshold. the default behavior is to err-disable (p-arp inspection)  this port. (although it can be modified to another value) this would catch anyone who just connected to a port and ran an IP scanner on it.