Well, there was a claim on comp.security.unix that a sniffer could be
detected via the following procedure (note timings are VERY important).
This assumes you are running your sniffer on a machine that will reply
back, ie, a unix, nt, etc etc box.
Get a good average ping time to a machine when the net was lightly loaded.
You are trying to get the latency.
Generate a large amount of traffic to a non-existant address on the local
net and, while doing this, again measure the latency. If the latency
is close to the original than the machine is not sniffing. If the latency
goes up significantly then the machine is having to process packets the
ethernet card should not be sending on, meaning the ethernet card is in
Now, I'm not really sure I buy this, but the author claimed it would
work. I'd have to see it myself.