«

Hi,

you might try XArp2 to monitor LAN subnets. Have a look at it here:
http://www.chrismc.de/development/xarp/

Regards,
Chris

On Apr 8, 4:54 pm, Sanal Kisi <sanalk...@yahoo.com> wrote:
> Hi,
>
> We have a Cisco6500 as the backbone and a 3560 as router in each of
> the edges (buildings). Connected to 3560's there are 2960's. Each of
> the buildings have their own VLAN/subnets.
>
> Recently we found out that infected PC's in every building are sending
> strange ARP packets and announcing themselves as the gateway of the
> subnet/VLAN. As a result, instead of using the real gateway (the 3560)
> all the other users start communicating with the infected PC thinking
> it is the gateway.
>
> With this strategy, the infected PC serves as the gateway when
> communicting with the normal PC's but also injecting extra
> virus/infections when providing data to them.
>
> I have found that this operation is called Address Resolution Protocol
> (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing
> (APR). (http://en.wikipedia.org/wiki/ARP_spoofing).
>
> As a solution DHCP spoofing (Dynamic ARP Inspection.) is recommended
> (http://en.wikipedia.org/wiki/DHCP_snooping). The only problem here is
> that, 3560's support "Dynamic ARP Inspection" but not the 2960's.
>
> I want to believe and hope that there is a solution available to this
> problem which affects our thousands of users.
>
> Regards.