Subject: Re: Detecting Sniffing?
To: Timothy Newsham <newsham@aloha.net>
From: Segmentation Violation. Core dumped. <greywolf@lonewolf.ithaca.com>
List: current-users
Date: 01/12/1995 18:23:55

I'm going on the assumption that if it's written and put into the kernel
and you're running this kernel, the person is going to trip over this at
least once.  I mean, what's he gonna do?  Patch the kernel while it's
running?  (That's why there's code in the kernel to prevent writes
to /dev/[k]mem in multi-user mode.)  Build a new kernel and reboot the
machine while you're not looking?  Right.  As if you wouldn't notice
that.  It's a lot of workarounds to accomplish that one.

Unless, of course, you mean that the user is sniffing from his own machine,
and you want to detect that THAT machine is sniffing stuff on YOUR network.
There is no way to detect that someone else's net IF is in promisc mode.


--
 ______________ ___   ________ _____WHO: Greywolf (unto death)
/ ___\ _ \ __\ V / \  / /__ \| | __/WHAT: UNIX System Mangler...er, Admin
\ \| |   < _| ` ' \ '` / \/ /|_| _/ WHERE: Ithaca SW,  1301 Marina Village Pkwy
 \___|_|\_\__\|_|  \/\/ \__/___/_|  Alameda, CA 94501 (415) 332-2344 x7255