It is very difficult to detect sniffers, because they work passively. Some sniffers do generate small amounts of traffic and though, so there are some techniques for detecting them.
- Machines cache ARPs (Address Resolution Protocol). Sending a non-broadcast ARP, a machine in promiscuous mode (a network card that makes the card pass all traffic) will cache your ARP address. Then, sending a broadcast ping packet with our IP, but a different MAC address. Only a machine which has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request. So, if the machine is responding, it must be sniffing.
- Most sniffers do some parsing. Sending huge amount of data and pinging the suspect machine before and during the data flooding. If the network card of the suspected machine is in promiscuous mode, it will parse the data and increase the load on it. This way it take some extra time to respond to the ping. This little delay can be used as an indicator of whether a machine is sniffing or not. It could provoke some false positive, if there were some "normal" delays on the network because of high traffic.
- The following method is old and not reliable any longer: sending a ping request with the IP address of the suspect machine but not its MAC address. Ideally nobody should see this packet as each network card will reject the ping because it doesn't match its MAC address. If the suspect machine is sniffing it will respond as it does not bother rejecting packets with a different Destination MAC address.
There are some tools which implment these techniques, for example open source tools like Neped and ARP Watch or AntiSniff for Windows, which is a commercial tool.
If you want to prevent sniffing, the best way is to use encryption for any network activity (SSH, https etc.). This way sniffers can read the traffic, but the data won’t make no sense to them.
You're understanding is basically correct.
First I'd like to mention that if you know the PSK, or have a copy of the certificate, it's basically game over. Cracking the the session key is cryptographically trivial if you've got that much information. If you don't have the PSK or cert you're left with brute force, as you mentioned.
Certificates are just as "easy" to brute force as PSKs, except that certificates are usually longer. A sufficiently long PSK works just as well however (for practical purposes). Also cracking RC4 is essentially as easy as cracking AES (for the purposes of NGOs)
You are however drastically underestimating the processing power required to crack a decently complex PSK. A PSK should be at least 12 characters long, using lower case, upper case, numbers, and symbols.
If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all.
Now after you you get half way through those keys, you're more likely than not that the next key you calculate will be the correct key; thus for the purposes of probable key cracking, you can chop that time in half.
Best get started now, you've going to be there a while. See also, Jeff's Post.
It'd be much easier to simply break into the person's house and beat the information out of them. (I absolutely do not condone, advocate, or suggest physically harming someone or threatening to do so)
WiFi under WEP everyone shares the same encryption key anyway, so broadcasts are no trouble. Under WPA/WPA2 a Group Transient Key (GTK) is given to each endpoint after the initial PTK (session key) is setup. Broadcasts are sent using this GTK so that all endpoints can decrypt it. In infrastructure mode endpoints aren't allowed to talk to each-other directly, they always go through the AP.
Edit:
If you need to generate a good WPA password, here's a random password generator.
If you pick a weak dictionary based passphrase, it can be cracked very quickly (<5 minutes) with an average modern laptop; it does however require the cracker to intercept the 4 way handshake when a WPA is setup.
Edit2:
NGO = Non-Governmental Organization (ie, typical corporations or mad scientists, people without the resources to build or use a top100 supercomputer to break keys, even if they wanted to).
Within WEP, WPA, and WPA2 there is no way to prevent legitimate users who can "hear" the two initial nonces from cracking the PTK. Another layer such as IPSec could be grafted over the top (in fact, IPSec could be used to replace WEP/WPA). WEP and WPA are not meant to insure individual privacy. They are meant to make your wireless network as secure as a wired network (which is not very secure in the first place). While they aren't perfect, they meet this goal most of the time.
Best Answer
More expensive switches will offer port mirroring, where they will mirror the traffic of one or more ports to a dedicated monitor port for (among others) problems like yours.
But I am not sure at what price class features like that are offered.