Computers constantly communicate with other machines during normal tasks such as web surfing, file sharing and email. Computers connected to a Local Area Network (LAN) share a connection with several other computers. There are two types of network: the shared network (using a hub) and the switched network (using a switch). Sniffers work differently on each.
In a shared network, all hosts are connected to each other through a hub and share the same bandwidth. Packets are broadcast to all ports. Suppose computer A wants to send a packet to computer E: computer A puts the packet on the network with the destination MAC address of computer E along with its own source MAC address, but on a hub network the packet is broadcast to every machine port connected to the LAN. If an attacker runs a sniffer tool on any one of those machines, he can easily grab the data and take your valuable information in no time. It is commonly referred to as a man-in-the-middle attack. This sniffing method is totally passive and is very difficult to detect.
In a switched network, all hosts are connected to each other through a switch. The switch maintains a table of every computer's MAC address and operates at the data link layer of the OSI model. A switch does not broadcast all information on the network; it examines each data packet's source and destination addresses and forwards the packet to the appropriate destination. This makes a switched network difficult to sniff, so attackers send bogus MAC addresses to fool the switch. Attackers use two methods to sniff a switched network: ARP spoofing and MAC flooding.
ARP stands for Address Resolution Protocol. ARP resolves an IP address into a MAC address. ARP is a stateless protocol: if an attacker spoofs the ARP cache with a bogus IP and MAC address, the target machine blindly accepts the entry into its ARP table. In this way the attacker can easily sniff the switched network and gather information from it.
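Seen from the defender's side, the blind acceptance described above is also what makes ARP spoofing detectable: a monitoring host can parse ARP frames and alert when an IP address is suddenly claimed by a different MAC. The following is an added example, not part of the original article; the frames, the 192.0.2.0/24 addresses and the function names are constructed for illustration.

```python
import socket
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp(frame):
    """Return (eth_src, opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ARP_ETHERTYPE or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12].hex(":"), oper, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def detect(frames):
    """Track IP->MAC bindings seen in ARP traffic and return a list of alerts."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, _oper, sha, spa = parsed
        if eth_src != sha:  # Ethernet source disagrees with the ARP sender field
            alerts.append(("src-mismatch", spa, eth_src, sha))
        if spa == "0.0.0.0":  # an ARP probe carries no binding to record
            continue
        old = bindings.get(spa)
        if old is not None and old != sha:  # same IP now claimed by another MAC
            alerts.append(("binding-changed", spa, old, sha))
        bindings[spa] = sha
    return alerts

def build_arp(eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet/ARP frame for the sample data below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = b"\xff" * 6 + mac(eth_src) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(sha) + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa)

# Constructed sample: the gateway answers, then a different MAC claims the gateway's IP.
GW, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(GW, 2, GW, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(HOST, 1, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(OTHER, 2, OTHER, "192.0.2.1", HOST, "192.0.2.10"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A changed binding is not always hostile (DHCP reassignment and failover pairs also trigger it), so alerts of this kind are normally checked against known-good gateway and server addresses.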
A switch maintains a translation table that maps MAC addresses to its physical ports so that it can route each packet from the source to the appropriate destination, but the table can store only a limited number of MAC addresses. If an attacker floods the table with bogus MAC addresses until the switch can no longer maintain it, the switch starts working like a hub and broadcasts all traffic to all ports. An attacker sniffing on any one machine can then easily capture all traffic from the network.
Originally written by - Santosh
Edited by - John
Note: You can also read my tutorial on how to do a man-in-the-middle attack using ettercap.
Hope this information helps you.