>> You can't "detect a sniffer" from looking at the net; [...]
>
>Not even with a Time Domain Reflectometer?

In certain circumstances you can make certain tests, which will catch some ways of hooking in a sniffer. TDR is fine if someone tries to hook in a new tap to your ether. If someone replaces an existing transceiver with a small multiport, a TDR won't help. If someone uses an already-installed but currently unused tap, I wouldn't expect TDR to help. Can TDR tell whether an installed tap is live or not?

If someone is using an existing system you can look for signs on that system (e.g. growing logfiles, increased system load, etc). If they're forwarding their traffic (or, as someone else pointed out, doing DNS lookups), you can look for the resulting generated traffic.

For almost every distinct approach to packet sniffing, there's a reasonable way to attempt to detect that approach. Taking all together, no one strategy will suffice, and given a sufficiently determined intruder any set of detection strategies can be worked around.

Some folks take pressurized armor jackets with pressure sensors to just be a challenge :-).

-Bennett
bet@mordor.com