If someone just has tcpdump running this won't catch them unless they actually try to use the links or credentials they retrieved.

I like this, but from the title I expected to be able to detect that tcpdump is running, akin to what you can do with malformed ARP packets to detect a NIC in promiscuous mode.

Edit: in case anyone is wondering what I'm talking about - http://security.stackexchange.com/questions/3630/how-to-find...