If someone just has tcpdump running, this won't catch them unless they actually try to use the links or credentials they retrieved.<p>I like this, but from the title I expected to be able to detect that tcpdump is running, akin to what you can do with malformed ARP packets to detect a NIC in promiscuous mode.<p>Edit: in case anyone is wondering what I'm talking about - <a href="http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan" rel="nofollow">http://security.stackexchange.com/questions/3630/how-to-find...</a>