Detecting promiscuous sniffers with masscan

Is somebody on the local Ethernet eavesdropping on network traffic? There is a simple way you can tell with masscan.

Let's say that your current IP address is 192.168.1.103, and you want to test if anybody is sniffing traffic. You'd run the following command:

masscan 192.168.1.0/24 --ping --dst-mac aa:aa:aa:aa:aa:aa

If you see any responses, then it means their network interface is in promiscuous mode.

What the --dst-mac parameter does here is overwrite the destination MAC address to the bogus value of aa:aa:aa:aa:aa:aa. This is an invalid MAC address, so no machine can receive the ping packets -- unless they are in promiscuous mode.