What tools or techniques are available for *nix and Windows that help in finding if someone else on the LAN is using a sniffer?
Having said that and strongly considering that there are tools out there to discover such "phenomena" what would be the work around to not getting sniffed?
It is very difficult to detect sniffers, because they work passively. Some sniffers do generate small amounts of traffic and though, so there are some techniques for detecting them.
There are some tools which implment these techniques, for example open source tools like Neped and ARP Watch or AntiSniff for Windows, which is a commercial tool.
If you want to prevent sniffing, the best way is to use encryption for any network activity (SSH, https etc.). This way sniffers can read the traffic, but the data won’t make no sense to them.
Packet sniffing is a passive activity, it's generally not possible to tell if someone is sniffing your network. However, in order for someone on an wired, switched LAN to see traffic that's not destined just to or from their IP (or broadcast to the network/subnet) they need to either have access to a monitored/mirrored port that duplicates all traffic, or install a 'tap' on the gateway.
Best defense against sniffing is decent end-to-end encryption, and physical controls on sensitive hardware.
Edit: CPM, Neped, and AntiSniff are now 10-15 years stale... Think Linux kernel <2.2 or Windows NT4. If someone has access to a tap or mirror, it will generally be very difficult to detect. Manipulating ARP or DNS is probably the best bet, but it's far from a sure thing.
The (I believe) only way you can sniff all traffic on a switched LAN is with a 'man in the middle' attack. You basicly do ARP poisoning, stealing everyone's packets, reading them and sending them to the right computer afterwards.
There are probably multiple tools that can do this, I only know of one:
Ettercap can both perform the Mitm attack and detect one when someone else is doing it.
Social engineering is the other way to do it. Set up a honeypot root/admin account or some other tempting target, broadcast its password in the clear and watch your logs.
There is a simple way to detect most sniffers. Put two boxes on the network which are not in DNS and are not used for anything else. Have them periodically ping or otherwise communicate with one another.
Now, monitor your network for any DNS lookups and/or ARP requests for their IPs. Many sniffers will by default look up any addresses they find, and thus any lookup on these devices would be a solid warning.
A clever hacker could turn off these lookups, but many wouldn't think to, and it would definitely slow him down.
Now, if he's smart enough to not enable DNS lookups, and prevents any ARPs for these devices, your task is much more difficult. At this point, you should work under the philosophy that the network is always being sniffed, and enact proactive procedures to prevent any vulnerabilities that would arise under this assumption. Several include:
Wireshark is a great tool for monitoring network traffic. And it will look up names to match IP addresses, find the manufacturer from a MAC address, etc. Naturally, you can watch it doing these queries and then you know it's running.
Of course, you can turn these things off and then not be detected. And there are other programs designed to intentionally go undetected. So it's just something to consider while trying to answer this question.
The only sure way to do this is to examine each of the devices on the sub-net.
There are tools, e.g. nmap, but they're are not guaranteed to work and passive taps wont betray their presence.
The best approach is to assume that your network is more or less public and use encryption. Either on an application basis - SSH, HTTPS IMAPS etc, or tunnel all your traffic through a VPN
Hubs (or really old network setups, like Thinnet/Thicknet) transfer all data across the wire at all times. Anyone plugged in would see every packet on their local segment. If you set your network card to promiscuous mode (read all packets, not just the ones sent directly to you) and run a packet capturing program you can see everything that happens, sniff passwords, etc.
Switches operate like old school network bridges-- they only transfer traffic out a port if it is either a) broadcast b) destined for that device
Switches maintain a cache indicating which MAC addresses are on which port (sometimes there will be a hub or switch daisy chained off a port). Switches do not replicate all traffic to all ports.
Higher end switches (for business use) may have special ports (Span or Management) which can be configured to replicate all traffic. IT departments use those ports to monitor traffic (legit sniffing). Detecting unauthorized sniffing should be easy-- go look at the switch and see if anything is plugged into that port.
Off the top of my head I'd watch switch SNMP interface data for interfaces that a host is receiving more data and/or sending less data than average. Look for anything outside of a standard deviation on either and you'll probably find the people most likely to be doing something they shouldn't.
It might not just be sniffers though, might find avid hulu/netflix watchers.
Your switches/router may also have features to watch for and catch people attempting to poison arp tables, that would be a pretty big givaway as well.
