Sniffing in Wired Environment (LAN)
by Crypted
on Saturday, April 07, 2012
You should already know by now that most current application protocols send data across the Internet in plaintext, and sniffing is the technique attackers use to exploit this. For those who do not know, sniffing is the network equivalent of shoulder surfing: intercepting and reading the traffic of other users on the network. Sniffers operate at the Data Link layer of the OSI model, so the five layers above it (network, transport, session, presentation and application) are exposed as well, which opens the door to further attacks such as man-in-the-middle, replay, DoS and VoIP call tapping against other devices on the same subnet. In this article I assume that you already have more than a basic understanding of networking.
Sniffing in Wired Environment (LAN)
A switched LAN cannot be sniffed from outside the segment, so physical access (or a foothold on a host that is already inside the LAN) is required to sniff a wired environment. That is why disgruntled employees and social engineering are the threats that matter most to the confidentiality of data crossing a LAN.
A) Network Sniffing Using TAP and SPAN Ports:
SPAN (port mirroring) is a feature built into managed switches: a mirror port is configured to receive a copy of every frame entering or leaving the selected source ports or VLANs. A TAP is a separate inline device inserted into a link that hands a copy of the traffic on that link to a monitor port. Both exist to help the network engineer audit, troubleshoot and detect problems and threats on the network by analyzing the frames sent and received by the connected hosts, isolating a problem at the lowest level and solving it there.
Unauthorized access to a TAP or SPAN port, with a NIC in promiscuous mode (the mirrored frames carry other hosts' MAC addresses, so the NIC must accept frames not addressed to it), exposes the whole monitored segment to passive sniffing, which yields credentials and session data that can lead to numerous further attacks and to privilege escalation on network devices.
B) Network Sniffing Without TAP or SPAN Ports:
Not every network has TAP or SPAN ports, because they have to be configured deliberately by the network engineer. In that case a hub placed on the uplink between the targeted switch and the router, with a NIC in promiscuous mode attached to it, achieves the same passive sniffing: a hub repeats every frame to every port, so the attacker receives a copy of everything crossing that link without sending a single probe. Note that this only captures traffic that crosses the tapped link (everything going to or from the router); host-to-host traffic that stays inside the switch never reaches the hub.
C) Network Sniffing Using Only The Wire:
Switches do not send every frame to every physical port: they keep CAM tables mapping MAC addresses (with their VLAN) to physical ports, and forward each frame only to the port where the destination MAC was learned, instead of repeating it to all connected hosts. A NIC in promiscuous mode therefore only captures traffic addressed to its own port, plus broadcasts and frames to destinations the switch has not learned, leaving the other hosts safe from passive sniffing. This is one of the reasons switches replaced hubs.
Switches have limited memory for CAM tables, and that limit can be exploited with a flooding attack: the attacker sends frames with thousands of forged source MAC addresses until the table is full and legitimate addresses can no longer be learned (or re-learned after their entries age out). What happens next depends on the switch. A fail-open switch treats the unlearned destinations as unknown and floods those frames to every port, hub-style, so the attacker's port receives the other hosts' traffic; a fail-closed switch stops forwarding instead of flooding, which turns the attack into a DoS for network users.
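To make the fail-open and fail-closed behaviour concrete, here is a toy switch model under a MAC flood. This is an added example for this article, not the author's code or any vendor's implementation: the switch, its three ports, the 8-entry CAM capacity, the aging step and every MAC address are constructed for the demo (a real CAM holds thousands of entries and ages them out after minutes, which is exactly why flooding tools have to run continuously).

```python
"""Toy switch model showing why MAC flooding turns a switch into a hub.

Added example, not from the article. Ports, capacity and MACs are made up.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: list
    capacity: int
    mode: str = "fail-open"        # "fail-open" floods, "fail-closed" drops
    cam: dict = field(default_factory=dict)   # MAC address -> port
    overflowed: bool = False

    def learn(self, frame, in_port):
        """Source-address learning; the table simply stops growing when full."""
        if frame.src in self.cam or len(self.cam) < self.capacity:
            self.cam[frame.src] = in_port
        else:
            self.overflowed = True

    def forward(self, frame, in_port):
        """Return the list of ports the frame is sent out of."""
        self.learn(frame, in_port)
        if frame.dst in self.cam:
            return [self.cam[frame.dst]]              # known destination: unicast
        if self.mode == "fail-closed" and self.overflowed:
            return []                                  # unknown destination dropped: DoS
        return [p for p in self.ports if p != in_port]  # unknown destination: flood

    def age_out(self):
        """Simulate the aging timer expiring; the overflow state is not reset."""
        self.cam.clear()


def forged_mac(i):
    """Deterministic fake source MACs for the flood (constructed, not random)."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)


def flood(sw, port, ids):
    for i in ids:
        sw.forward(Frame(forged_mac(i), BROADCAST), port)


def run(mode):
    """Return (ports reached by alice->bob before the flood, ports reached after)."""
    sw = Switch(ports=["p1", "p2", "p3"], capacity=8, mode=mode)
    alice, bob = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # victims on p1 and p2
    sw.forward(Frame(alice, bob), "p1")                       # switch learns alice
    sw.forward(Frame(bob, alice), "p2")                       # switch learns bob
    before = sw.forward(Frame(alice, bob), "p1")              # unicast: only p2 sees it
    flood(sw, "p3", range(500))          # attacker on p3 fills the CAM table
    sw.age_out()                         # alice and bob expire; the attacker keeps
    flood(sw, "p3", range(500, 1000))    # flooding so they can never be re-learned
    after = sw.forward(Frame(alice, bob), "p1")
    return before, after


if __name__ == "__main__":
    print("fail-open:  ", run("fail-open"))    # alice->bob now also reaches p3
    print("fail-closed:", run("fail-closed"))  # alice->bob is dropped: DoS
```

Note the role of aging: while alice and bob are still in the table the switch keeps unicasting between them and the attacker sees nothing, which is why the attack only pays off once legitimate entries expire and cannot be re-learned.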
MAC flooding is noisy, easy to detect and hard to pull off on modern switches, which is why ARP cache poisoning is the most commonly used attack for active sniffing on wired networks. It takes advantage of the insecure nature of ARP, which has no authentication at all: the attacker sends forged ARP messages, typically associating his own MAC address with the IP address of another host such as the default gateway, so that any traffic meant for that IP address is sent to the attacker instead.
Note that ARP poisoning does not subvert the switch itself: the switch keeps forwarding correctly, and it is the victims' ARP caches that now point at the attacker's MAC address, so the diverted frames are addressed to the attacker and arrive on his port without any need for promiscuous mode. The attacker then forwards the traffic on to its real destination (otherwise the victims lose connectivity and the attack is noticed), and with both the hosts and the gateway poisoned he sits as a man-in-the-middle and can again compromise the entire network.
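The following is an added example, not the author's code: it builds a forged ARP reply as raw bytes exactly as it would appear on the wire, shows how an unauthenticated ARP cache accepts it, and runs the passive check a defender would use (remember the first MAC seen for each IP and alert on a change, as arpwatch does). All addresses are constructed for the demo: gateway 192.168.1.1 at 00:11:22:33:44:01, victim 192.168.1.10 at 00:11:22:33:44:0a, attacker at de:ad:be:ef:00:01. Nothing is sent on a real network.

```python
"""ARP cache poisoning on the wire, plus the detection a defender would run.

Added example, not from the article. All addresses are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by the 28-byte ARP payload (RFC 826 layout)."""
    ethernet = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6-byte MAC, 4-byte IP, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class VictimHost:
    """Minimal ARP cache: any ARP packet from an IP refreshes that IP's entry,
    with no check that the sender is who it claims to be. This is the weakness
    the attack relies on."""

    def __init__(self):
        self.cache = {}

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp:
            self.cache[arp["sender_ip"]] = arp["sender_mac"]


class ArpWatch:
    """Passive detector: remembers the first MAC seen for each IP and alerts
    when a later ARP packet claims a different one."""

    def __init__(self):
        self.known = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if not arp:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.known and self.known[ip] != mac:
            self.alerts.append("%s changed from %s to %s" % (ip, self.known[ip], mac))
        self.known.setdefault(ip, mac)


def demo():
    """Return (MAC the victim now uses for the gateway, detector alerts)."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.10", "00:11:22:33:44:0a"
    attacker_mac = "de:ad:be:ef:00:01"
    victim, watch = VictimHost(), ArpWatch()

    # Legitimate exchange: the real gateway answers the victim.
    legit = build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip)
    victim.receive(legit)
    watch.observe(legit)

    # Poisoning: the attacker claims the gateway's IP with his own MAC.
    poison = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    victim.receive(poison)
    watch.observe(poison)
    return victim.cache[gateway_ip], watch.alerts


if __name__ == "__main__":
    print(demo())
```

The detector is the simplest useful countermeasure on the monitoring side: it does not stop the poisoning, but a gateway IP that suddenly changes MAC address is a very reliable alert.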
Stealth Sniffing in Wired Environment
A NIC in promiscuous mode can be detected remotely by abusing ARP, DNS and ping against the suspected host. For example, an ARP request or ICMP echo sent to the suspect's IP address but with a wrong destination MAC address is dropped by a normal NIC's hardware filter, while a promiscuous NIC passes it up the stack and the host answers; likewise a sniffer that resolves the addresses it captures gives itself away with reverse DNS lookups. That is why sophisticated attackers put their NIC into a stealth state before sniffing: the interface is brought up with no IP stack bound to it (no IP address configured), so the host captures everything but never answers a probe.
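As an added example (not the author's code), the following models why the ARP probe detects a promiscuous NIC and why an unbound IP stack defeats it. The hosts, addresses and probe are constructed for the demo, and the two-stage receive path (hardware address filter, then the OS ARP code) is a simplification of a real NIC and driver; in practice results vary by operating system and driver, and the nmap sniffer-detect script automates a set of such probes.

```python
"""Promiscuous-mode detection with a wrong-MAC ARP probe, and the stealth evasion.

Added example, not from the article. Hosts and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# A destination that is not the broadcast address and belongs to nobody. A NIC
# in normal mode discards it in hardware; a promiscuous NIC accepts everything,
# and the kernel then looks only at the ARP target IP when deciding to reply.
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"


@dataclass(frozen=True)
class ArpRequest:
    dst_mac: str      # Ethernet destination address
    target_ip: str    # "who has" this address?


@dataclass
class Host:
    mac: str
    ip: Optional[str] = None   # None: no IP bound, interface used for capture only
    promiscuous: bool = False

    def hardware_accepts(self, req):
        """Stage 1: the NIC's address filter."""
        if self.promiscuous:
            return True
        return req.dst_mac in (self.mac, BROADCAST)

    def answers(self, req):
        """Stage 2: the OS answers ARP for its own IP and trusts that the NIC
        already filtered on the Ethernet destination."""
        if not self.hardware_accepts(req):
            return False
        return self.ip is not None and req.target_ip == self.ip


def probe(host, suspect_ip):
    """The detection probe: correct target IP, deliberately wrong destination MAC."""
    return host.answers(ArpRequest(FAKE_BROADCAST, suspect_ip))


def classify(host, suspect_ip):
    return "promiscuous" if probe(host, suspect_ip) else "not detected"


if __name__ == "__main__":
    normal = Host("00:00:5e:00:53:01", "192.168.1.5")
    sniffer = Host("00:00:5e:00:53:02", "192.168.1.6", promiscuous=True)
    stealth = Host("00:00:5e:00:53:03", None, promiscuous=True)   # no IP bound
    print("normal: ", classify(normal, "192.168.1.5"))
    print("sniffer:", classify(sniffer, "192.168.1.6"))
    print("stealth:", classify(stealth, "192.168.1.7"))
```

The stealth host is invisible to the probe because it never answers anything, but that cuts both ways: an interface with no IP address cannot be used for the active attacks above, so attackers typically sniff on one interface and attack from another.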
Conclusion and Final Words
In this article I demonstrated the most common techniques used by attackers to sniff a wired network without mentioning any tools used to accomplish such attacks, because everyone has their own tools. Also, I do not know if you noticed, but this article is unfinished, as I never mentioned the countermeasures used to defend against such attacks.
Think of me as the attacker: based on this article I am compromising your network by sniffing your wired network traffic. What would you do? Please share your thoughts with me by sending your approach to crypted[at]dark-hack[dot]net, and the best approach will be included in this article to finally seal it. Thanks for reading and have a nice day.