A "sniffer" is software or hardware that captures all traffic on a network segment, unlike a normal network station, which processes only the traffic addressed to it.
Software sniffers are a real security threat to a network. In the "old days" a network sniffer was a large piece of hardware that was connected to the network and monitored all the traffic. Today a sniffer is a simple software application that can run on any UNIX, Linux or Windows box.
The security threat presented by sniffers is their ability to capture all traffic passing on the wire, including passwords and other sensitive information sent in the clear.
In theory sniffers are "invisible": they can be fully passive and only listen, never transmitting anything. In practice, however, the threat usually comes from UNIX or Linux machines (because they are easy to set up as sniffers), and there are ways to identify sniffers running on standard Linux machines.
How to detect if your machine is running a sniffer
If your machine runs UNIX, an attacker who has gained root access can run a sniffer to extend his access to the rest of the network (for example, by capturing passwords for other hosts). Detecting the sniffing process is difficult, because its name can be disguised as something innocent. It can even be a Trojan horse version of a known binary! (In that case the attacker doesn't even need root access beforehand: it is enough to plant the Trojan and wait for the administrator to run it.)
The most reliable indicator in this case is whether the network interface is in promiscuous mode. An interface in promiscuous mode passes every frame seen on the network up to the host, not only the frames addressed to that machine.
A UNIX machine shouldn't be in promiscuous mode unless there is a very good reason for it (a legitimate capture tool or a bridge port, for example), so an interface in promiscuous mode is a strong indication that a sniffer is running.
One application that checks whether the network interface is in promiscuous mode is CPM (Check Promiscuous Mode) by Carnegie Mellon University. Another method is to run ifconfig -a, which lists the available network interfaces together with their flags; the word PROMISC means that the interface is in promiscuous mode. Running ifconfig -a | grep PROMISC produces output only if one of the interfaces is in promiscuous mode, and this can easily be put in a cron entry that runs hourly or daily to check for sniffers. Note that on current Linux kernels the PROMISC flag reported by ifconfig is set only when promiscuous mode was requested through the interface flags (ifconfig eth0 promisc); a capture tool that enables it through a packet socket does not set the flag. On such systems run ip -d link show as well, where a "promiscuity" counter greater than zero reveals the mode, and look in the kernel log for the message "device eth0 entered promiscuous mode".
Note that attackers sometimes replace the ifconfig utility with a version that hides the PROMISC flag. Compare the checksum of ifconfig (and of ip) against a baseline recorded from a known-good system and kept on read-only media; a SHA-256 hash is preferable to MD5 today, and the comparison is only meaningful if the checksum tool itself is trusted. A kernel-level rootkit can hide the mode from every user-space tool, so a clean result here is not proof that nothing is sniffing.
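A cron-friendly version of these checks, added here as an example (it is not the article's script and not CERT's CPM): it parses ip -d link show for the PROMISC flag and the promiscuity counter, parses ifconfig -a in both net-tools output formats, and compares the SHA-256 of the ifconfig binary with a stored baseline. The sample command outputs inside the block are constructed, and the baseline hash is a placeholder to be replaced with the value recorded on a clean system.

```python
#!/usr/bin/env python3
"""Cron-friendly local check for a sniffing interface.

Added example, not code from the original article or from CPM. It checks the
PROMISC flag and the `promiscuity` counter in `ip -d link show`, the PROMISC
word in `ifconfig -a`, and the SHA-256 of the ifconfig binary against a
baseline recorded from a known-good system (the value below is a placeholder).
"""
import hashlib
import re
import shutil
import subprocess
import sys

# Constructed sample outputs so the parsers can be exercised offline.
# eth0 shows the packet-socket case (counter raised, flag not shown);
# eth1 shows the explicit `ifconfig eth1 promisc` case (flag shown).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""
SAMPLE_IFCONFIG_OLD = """\
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""
SAMPLE_IFCONFIG_NEW = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

# Placeholder: record the real value with `sha256sum $(command -v ifconfig)` on a
# clean install and keep it on read-only media, not on the monitored host.
BASELINE_IFCONFIG_SHA256 = "0" * 64


def promisc_from_ip_link(text: str) -> list:
    """Interfaces that `ip -d link show` reports as promiscuous, either by the
    PROMISC flag or by a non-zero promiscuity counter (captures started through
    a packet socket raise the counter without setting the flag)."""
    hits = []
    for block in re.split(r"\n(?=\d+:\s)", text.strip()):
        m = re.match(r"\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>", block)
        if not m:
            continue
        name, flags = m.group(1), m.group(2).split(",")
        count = re.search(r"\bpromiscuity (\d+)", block)
        if "PROMISC" in flags or (count and int(count.group(1)) > 0):
            hits.append(name)
    return hits


def promisc_from_ifconfig(text: str) -> list:
    """Interfaces whose `ifconfig -a` block contains the word PROMISC.
    Handles both the old (flag words) and new (flags=N<...>) net-tools formats."""
    hits = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        name = re.split(r"[\s:]", block, 1)[0]
        if re.search(r"\bPROMISC\b", block):
            hits.append(name)
    return hits


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_checks() -> list:
    """Run the live checks; returns a list of findings (empty = nothing seen)."""
    findings = []
    if shutil.which("ip"):
        out = subprocess.run(["ip", "-d", "link", "show"], capture_output=True, text=True).stdout
        findings += [f"{n}: promiscuous (ip -d link)" for n in promisc_from_ip_link(out)]
    ifconfig = shutil.which("ifconfig")
    if ifconfig:
        out = subprocess.run([ifconfig, "-a"], capture_output=True, text=True).stdout
        findings += [f"{n}: PROMISC (ifconfig -a)" for n in promisc_from_ifconfig(out)]
        digest = sha256_of_file(ifconfig)
        if digest != BASELINE_IFCONFIG_SHA256:
            findings.append(f"{ifconfig}: sha256 {digest} does not match baseline")
    return findings


if __name__ == "__main__":
    problems = run_checks()
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it from cron with output mailed to the administrator; a non-zero exit status means an interface looked promiscuous or the ifconfig binary no longer matches the baseline. As said above, a rootkit in the kernel can defeat every check made from user space on the same host.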
How to detect other sniffers on the network
Detecting sniffers running on other machines is very difficult (and sometimes impossible), but it is possible to tell whether one of the Linux machines on the local network is doing the sniffing.
This can be done by exploiting a weakness in the TCP/IP stack implementation of older Linux kernels.
When a Linux interface is in promiscuous mode, the kernel receives frames for every destination MAC address, and an older Linux IP stack will answer TCP/IP packets sent to its IP address even when the destination MAC address in the frame is wrong (the normal behavior is that such frames are never answered, because a non-promiscuous network interface drops them before the IP stack ever sees them).
Therefore, sending a TCP SYN to a closed port on every IP address of the subnet, inside frames whose destination MAC address is deliberately wrong, will tell you which machines are Linux machines in promiscuous mode: those machines answer with a RST packet, while the others stay silent.
While this is far from a perfect method (current Linux kernels drop frames that were not addressed to the interface in the IP input path, so a promiscuous host running a modern kernel stays silent, and a host that does answer merely deserves a closer look), it can help discover suspicious activity on a network.
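The probe described above, written out as an added example that is not code from the original article. It builds a TCP SYN to a port assumed closed inside an Ethernet frame addressed to a bogus MAC and reports every host that answers with a RST. The interface name, MAC and IP addresses, the bogus MAC and the ports are assumptions; sending needs root on Linux (an AF_PACKET socket), while the frame builder and the reply parser are pure functions that can be checked offline. The caveat stands: a modern Linux host drops such frames in its IP input path even in promiscuous mode, so an empty result proves nothing.

```python
#!/usr/bin/env python3
"""Bogus-MAC TCP probe for hosts whose IP stack accepts frames that were not
addressed to their NIC (the promiscuous-mode test described above).

Added example, not code from the original article. Each probe is a TCP SYN to
a port assumed closed, carried in an Ethernet frame whose destination MAC is
deliberately wrong. A NIC in normal mode drops the frame; a host whose
interface is promiscuous and whose stack does not check the destination MAC
answers with a RST. Interface, addresses and ports are assumptions.
"""
import ipaddress
import socket
import struct
import time

# A unicast MAC that no host on the segment owns (assumption). A switch floods
# frames for an unknown unicast address to every port, so the probe still
# reaches the target even on a switched network.
BOGUS_DST_MAC = "02:de:ad:be:ef:01"
PROBE_SPORT = 40404   # our source port; replies are matched on it
PROBE_DPORT = 1       # tcpmux, assumed closed, so a SYN draws a RST


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Ethernet II + IPv4 + TCP header (no options, no payload), checksums filled in."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_probe(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """SYN to dst_ip inside a frame addressed to BOGUS_DST_MAC instead of the real NIC."""
    return build_tcp_frame(src_mac, BOGUS_DST_MAC, src_ip, dst_ip, PROBE_SPORT, PROBE_DPORT, 0x02)


def parse_tcp_rst(frame: bytes):
    """Return the sender IP if `frame` is a TCP RST aimed at our probe port, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:14 + ihl + 20]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    if dport != PROBE_SPORT or not (tcp[13] & 0x04):
        return None
    return socket.inet_ntoa(frame[26:30])


def scan(iface: str, src_mac: str, src_ip: str, subnet: str, wait: float = 2.0) -> set:
    """Send a probe to every host in `subnet` and collect the IPs that answer with RST."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    s.bind((iface, 0))
    for host in ipaddress.ip_network(subnet).hosts():
        if str(host) != src_ip:
            s.send(build_probe(src_mac, src_ip, str(host)))
    responders, deadline = set(), time.time() + wait
    s.settimeout(0.2)
    while time.time() < deadline:
        try:
            ip = parse_tcp_rst(s.recv(65535))
        except socket.timeout:
            continue
        if ip:
            responders.add(ip)
    return responders


if __name__ == "__main__":
    # Assumed values: replace with the probing host's interface, MAC, IP and subnet.
    for ip in sorted(scan("eth0", "52:54:00:12:34:56", "10.0.0.5", "10.0.0.0/24")):
        print(f"{ip} answered a frame not addressed to it: interface probably promiscuous")
```

A host that answers has accepted a frame its NIC should have dropped, which is worth investigating with the local checks from the previous section; a host that stays silent may simply run a kernel that checks the destination MAC before handing the packet to IP.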
How to avoid packet sniffers altogether
An active hub (today called a switch) forwards a unicast frame only to the port where the destination MAC address was learned. This starves a sniffer, since its port no longer receives frames intended for other machines. Cisco, HP and 3Com sell such devices. Note the limits: broadcast frames and frames to unknown addresses are still flooded to every port, and an attacker can still obtain traffic by poisoning ARP caches or overflowing the switch's address table, so switching reduces exposure but does not replace encrypting sensitive sessions.
See the additional section below for more information about sniffer detection tools.