"While I was at university, I once discussed the topic
of sniffers with an experienced network administrator. He casually
mentioned that he was not bothered by sniffers, as all his machines
were connected to switches. This was someone who was paranoid about
security and read almost all security newsgroups religiously, but
he was living in complete ignorance about the threat to his
network. Unfortunately, he is not alone as many experienced systems
and network administrators feel switches are immune to being
sniffed. Switches may be difficult to sniff, but they are certainly
not immune.
A computer connected to the LAN has two addresses. One is the
MAC (media access control) address that uniquely identifies each
node in a network and is stored on the network card itself. Each
network card has a unique MAC address. It is the MAC address that
gets used by the Ethernet protocol while building `frames' to
transfer data to and from a machine. The other address is the IP
address, which is used by applications.
The Ethernet header uses the MAC address of the destination
machine and not the IP address. It is the job of the network layer
to map a particular IP address to the corresponding MAC address, as
required by the Data Link Protocol. It does this by initially
looking up the MAC address of the destination machine in a table,
usually called the ARP cache. If no entry is found for the IP
address, the Address Resolution Protocol broadcasts a request
packet (ARP request) to all machines on the network. The machine
with that address responds to the source machine with its MAC
address (ARP reply). This MAC address is added to the source
machines ARP cache, and it is then used by the source machine in
all its communications with the destination machine."
