Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Best way to detect and prevent DSNIFF

The new CAT6500 with 720 SUP has a security feature by hard-coding the MAC and the default gateway. What other ways to detect and prevent DSNIFF?

Thanks,

Audie

2 REPLIES
Silver

Re: Best way to detect and prevent DSNIFF

ARP Watch - one method to sniff on a switched network is to ARP spoof the gateway. A utility called arpwatch can be used to monitor the arp cache of a machine to see if there is duplication for a machine. If there is, it could trigger alarms and lead to detection of sniffers

Bronze

Re: Best way to detect and prevent DSNIFF

4.x sensors contain the ATOMIC.ARP engine which has signature to detect ARP cache poisoning type attacks used by tool like Dsniff. Keep in mind that the IDS must be on the same physical segment (or VLAN) as the attacker to detect this type of attack. See the 71xx signatures for more information.

187
Views
0
Helpful
2
Replies