I started using this tool last year ago during internal tests, it was immediately obvious to me that this is a great tool to have. It's name is Satori, if you never heard about it that's not a proof the tool is no good but rather that it's Author Eric Collman does not really seem to care if you do (or at least doesn't scream it from the top of every house)
I found out about Satori while reading the paper "Chatter on the Wire" (from the same author) which goes into great length about passive OS fingerprinting and it's potential for improvement as done by several other tools.
What is interesting is that the paper was not only theoretical but rather practical, it's outcome was Satori, a beautiful plug-in based Passive enumeration and Fingerprinting tool.
Satori uses Winpcap and captures packets passively at the NDIS level, every packet flying by is being scrutinised for information that might determine it's OS. Nothing new here you might say, well Satori does the fingerprinting on :DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP , HSRP, HTTP, ICMP, IPX, SMB, SNMP, STP, UPNP precisely enough to either correlate the results with nmap or to rely on them. It makes spotting potential vulnerable systems a breeze.
It's obviously very handy for critical networks where you are not allowed to scan or to scan only a minimum. (This does exists.)
It shows it's strength when used in internal networks, I was able to spot machines that didn't belong in a certain critical network immediately (as they broadcasted their Netbios presence) by only using passive means. It's also very usefull when doing quick scans (nmap port 80 as example) across an internal network, it gathers all packets, makes a list of all responding machines, fingerprints them and gives you an exportable list. Very handy.. and speedy, I was able to pump 8000 packets per second thorough without any lags or problems.
Nice tool to have in your toolbox. Send it's author your support :)