If you're at the point where you're worried about someone placing an interface in promiscuous mode, it's probably too late for the rest of your system. A greater emphasis needs to be placed on securing the machine itself, and not creating workarounds that monitor the interfaces. Are you going to write a program that checks to see if root's cronjob has been modified? Probably not, and if someone has access to /dev/nit, they're going to have access to root's cronjob as well. The best thing for you to do is completely remove /dev/nit from the system, and make sure no one can get access to mknod to recreate it. Also, realize that snooping can occur _anywhere_ in your network. Unless you're willing to shield all of the cable in your building with some massively thick steel conduit, and place video cameras and armed guards at every network 'T' connection, you're vulnerable.

-john