sniffer/promisc detector

There are a number of heuristics that *sometimes* work. For example,
some platforms (older Linux kernels, I think; not sure about current
ones; definitely not BSD) will respond if a packet sent to their IP
address but with a wrong Ethernet address is received. That will only
happen if they're in promiscuous mode. (BSD checks that the packet is
addressed to the proper MAC address or is broadcast/multicast.)
Another is to emit a packet with a distinctive IP source address,
under the assumption that the recipient might look up the host name via
a boobytrapped DNS server.

In general, though, there's no way to tell. My general advice is to
assume that any network is tapped, and to use crypto even locally. And
no, switched networks won't protect you from certain kinds of sniffers,
though you can detect anomalous ARP traffic.

    --Steve Bellovin,