To capture network traffic, you must be on the local area network (LAN) or at a key intermediary point, connected to a hub, switch, or border router that the traffic crosses. In the past, almost everyone used hubs, and by connecting to a hub you could do what is known as passive sniffing. Passive sniffing was possible on a hub because a hub sends all traffic to all ports.
All someone had to do was plug into the hub, start the sniffer, and wait for someone on the same collision domain to start sending or receiving data. Remember that hubs are essentially shared bandwidth, whereas switches separate collision domains. In almost every case today, you will be connecting to either a managed or unmanaged switch.
When connected to a switch, you have to do something to get all of the traffic redirected to you. This kind of interception is known as active sniffing, because a switch restricts the traffic that a sniffer can see to broadcast packets and those specifically addressed to the attached system. Traffic between other hosts would not usually be seen by the sniffer, as it is not normally forwarded to the switch port that the sniffer is plugged into. There are many ways to get this traffic forwarded to you:
■ Port mirroring on a managed switch
■ ARP cache poisoning
■ Flooding
■ DHCP redirection
■ Redirection and interception with ICMP
Some of these methods might be built into the switch, while others are typically used only by hackers.
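Seen from the defender's side, two of the methods listed above leave traces that can be checked for: ARP cache poisoning shows up as an IP address suddenly answering from a different MAC, and flooding (taken here to mean flooding the switch's MAC address table) shows up as a burst of new source MACs on one port. The following is an added example, not part of the original text; the record formats, sample values, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real captures). ARP replies: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # gateway
    (5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),   # workstation
    (30, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (42, "10.0.0.1", "de:ad:be:ef:00:66"),   # gateway IP claimed by a new MAC
    (43, "10.0.0.20", "de:ad:be:ef:00:66"),  # same MAC claims the workstation too
]
# Frames seen per switch port: (seconds, port, source MAC); port7 shows 200 MACs in 2 s
FRAMES = [(1, "port3", "aa:aa:aa:aa:aa:20"), (2, "port3", "aa:aa:aa:aa:aa:21")]
FRAMES += [(3 + i * 0.01, "port7", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
           for i in range(200)]

def arp_binding_changes(replies):
    """Return (ts, ip, old_mac, new_mac) whenever an IP moves to a different MAC.
    Legitimate causes exist (NIC swap, failover), so treat hits as leads to triage."""
    seen, alerts = {}, []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in seen and seen[ip] != mac:
            alerts.append((ts, ip, seen[ip], mac))
        seen[ip] = mac
    return alerts

def macs_claiming_many_ips(replies, limit=1):
    """Return {mac: [ips]} for MACs answering for more than `limit` IPs."""
    by_mac = defaultdict(set)
    for _, ip, mac in replies:
        by_mac[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > limit}

def flooded_ports(frames, window=10, max_macs=50):
    """Return ports that showed more than `max_macs` distinct source MACs
    inside one `window`-second bucket (thresholds are illustrative)."""
    buckets = defaultdict(set)
    for ts, port, mac in frames:
        buckets[(port, int(ts // window))].add(mac.lower())
    return sorted({p for (p, _), macs in buckets.items() if len(macs) > max_macs})

if __name__ == "__main__":
    for alert in arp_binding_changes(ARP_REPLIES):
        print("ARP binding changed:", alert)
    print("MACs answering for several IPs:", macs_claiming_many_ips(ARP_REPLIES))
    print("Ports with a burst of source MACs:", flooded_ports(FRAMES))
```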