Subject: Re: Detecting Sniffing?
To: None <cklaus@iss.net>
From: Charles M. Hannum <mycroft@gnu.ai.mit.edu>
List: current-users
Date: 01/11/1995 15:31:48
> Is it possible to detect whether a program such as tcpdump is sniffing
> by seeing if any of the interfaces are in promiscuous mode?
> I know you can remove bpf from the kernel as one step in stopping sniffing,
> but it is also trivial if someone gains root to recompile the kernel with
> it back on. It might be useful to have a script that periodically checks
> to see if the kernel has bpf on and/or check if any interfaces are in promisc
> mode.
If someone can install a new kernel, how are you going to stop them
from hacking ifconfig(8)?
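The periodic check proposed in the quoted question, written out as an added example (not code from the original message or from NetBSD): it scans ifconfig-style output for the PROMISC flag and, following Hannum's objection, also verifies that the ifconfig binary the check depends on still matches a checksum recorded earlier. The sample ifconfig output is constructed; the function names, the use of SHA-256 and the idea of keeping the baseline hash off-host are this example's assumptions.

```shell
#!/bin/sh
# Added example for the check discussed in the thread; not part of the
# original post. Run it from cron with `ifconfig -a | promisc_ifaces` on a
# live host; here the parser is exercised on constructed sample output.

# Constructed sample of `ifconfig -a` output (BSD flags layout). le0 is in
# promiscuous mode; lo0 and le1 are not.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33228
        inet 127.0.0.1 netmask 0xff000000
le0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
le1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255'

# promisc_ifaces: read ifconfig output on stdin and print each interface
# whose flags include PROMISC, one per line. A line starting in column 1
# begins a new interface record; indented lines belong to the current one,
# which also covers the old Linux net-tools layout where the flag words
# ("UP BROADCAST RUNNING PROMISC ...") sit on a later, indented line.
promisc_ifaces() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /PROMISC/ { if (iface != "" && !(iface in seen)) { seen[iface] = 1; print iface } }
    '
}

# sample_promisc: run the parser over the constructed sample.
sample_promisc() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
}

# file_sha256: print the SHA-256 of a file with whichever tool is present.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tool: compare a file against a hash recorded earlier (ideally kept
# on read-only or off-host media). Returns 0 on match, 1 otherwise. The
# promiscuous-mode check is only as trustworthy as the ifconfig it runs, so
# the baseline must not live on the host being checked.
verify_tool() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Stand-alone demo: report on the sample, then show the integrity check on a
# throwaway file standing in for the ifconfig binary.
found=$(sample_promisc)
if [ -n "$found" ]; then
    echo "interfaces in promiscuous mode: $found"
else
    echo "no interface in promiscuous mode"
fi

tmp=$(mktemp) && printf 'stand-in for ifconfig binary\n' > "$tmp"
baseline=$(file_sha256 "$tmp")            # recorded at install time
if verify_tool "$tmp" "$baseline"; then echo "ifconfig checksum OK"; fi
printf 'modified\n' >> "$tmp"             # simulate a replaced binary
if ! verify_tool "$tmp" "$baseline"; then echo "ifconfig checksum MISMATCH"; fi
rm -f "$tmp"
```

The checksum step does not refute Hannum's point: an attacker with root can also replace the shell, awk, or the hashing tool, so a check run from the compromised host is advisory at best. It does raise the bar from "edit ifconfig" to "edit everything the monitor touches", and the same baseline comparison run from a clean boot medium is the version that actually settles the question.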