Many people I speak to think that simply because they are on a switched network, they are immune to packet sniffing: a computer listening for packets not addressed to it and logging them, potentially gathering usernames, passwords and other useful information from network traffic. For example, every time you log into a website that does not use SSL (Secure Sockets Layer), your username and password are transmitted in plain text as part of the HTTP (HyperText Transfer Protocol) request. If another user on the network is running packet sniffing software, that request is logged for later analysis, which could let them log into the website you visited under your account.
Packet sniffing was easy on networks connected using hubs, because a hub repeats every frame it receives out of every port, so every connected computer sees everything. This is bad for a number of reasons, including reduced transfer rates due to collisions and unnecessary transmission: data not destined for a computer is still sent to it. It does, however, also make sniffing trivial. Put the network card into promiscuous mode, so that it passes every frame it sees up the stack instead of only those addressed to its own MAC address, and log them for later analysis.
On a switched network, frames usually go only to the computer to which they are addressed. The switch learns which MAC address sits behind each port by watching the source addresses of the frames arriving on that port, and then forwards a frame only to the port it has recorded for the destination MAC in the frame header. The switch does not look at IP addresses at all; the mapping from an IP address to a MAC address is done by the sending host, using ARP, before the frame is even built.
So, how is it that switched networks are still vulnerable to packet sniffing, if packets only get transmitted to their destination?
This is where ARP Poisoning comes in. ARP is the Address Resolution Protocol, which maps IP addresses to MAC addresses: a host broadcasts a request asking who has a given IP, the owner replies with its MAC, and the requester stores that mapping in its ARP cache. ARP has no authentication, and most hosts will accept a reply they never asked for. In an ARP Poisoning attack, a system on the same network sends forged ARP replies claiming that its own MAC address is the one associated with some other IP, such as the default gateway's. A victim that accepts the forged reply overwrites its cache entry and addresses its frames for that IP to the attacker's MAC, and the switch, forwarding by destination MAC exactly as it should, delivers them to the attacker's port instead of the real destination.
Using this mechanism it is possible to redirect the traffic between a computer on the network and the border router so that it is delivered to a system running a packet sniffer instead: the attacker poisons the computer's cache with the router's IP and the router's cache with the computer's IP, so both directions pass through it. The attacker logs each packet and then forwards it on to the real MAC address of its destination, so the connection keeps working and the victim notices nothing. This is known as an ARP Poisoning based man-in-the-middle sniffing attack, and it is effective against switched networks.
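The exchange described in the two paragraphs above, as an added example rather than code from the original post. It builds the forged ARP replies byte by byte in the RFC 826 layout, feeds them to a deliberately naive model of each victim's ARP cache (one that trusts any reply; real stacks differ in detail, and this simplification is an assumption of the example), and runs a passive watcher alongside that flags an IP suddenly claimed by a second MAC, which is the check that tools such as arpwatch are built around. All addresses are made up, and nothing touches the wire: the frames are just bytes.

```python
"""Forged ARP replies, naive cache poisoning and a conflicting-MAC detector."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (42 bytes; the NIC pads to the
    60-byte minimum). For poisoning, sender_mac is the attacker's MAC and
    sender_ip is the address being hijacked, e.g. the gateway's."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4, opcode 2
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32]),
            bytes_to_mac(frame[32:38]), bytes_to_ip(frame[38:42]))


class ArpCache:
    """Naive host ARP cache: believes every reply, which is what poisoning exploits."""

    def __init__(self):
        self.table = {}

    def receive(self, frame):
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            _, smac, sip, _, _ = parsed
            self.table[sip] = smac


class ArpWatcher:
    """Passive monitor: remembers the first MAC seen for each IP and records an
    alert (ip, old_mac, new_mac) whenever a later frame claims a different one."""

    def __init__(self):
        self.seen = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _, smac, sip, _, _ = parsed
        old = self.seen.setdefault(sip, smac)
        if old != smac:
            self.alerts.append((sip, old, smac))


def poison_demo():
    """Constructed scenario: legitimate replies first, then the attacker poisons
    both ends so victim<->gateway traffic is addressed to the attacker's MAC."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "192.168.1.50", "00:11:22:33:44:50"
    attacker_mac = "de:ad:be:ef:00:01"
    victim, gateway, watcher = ArpCache(), ArpCache(), ArpWatcher()
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),   # genuine
        build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip),   # genuine
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),  # forged, to victim
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip), # forged, to gateway
    ]
    for frame in frames:
        watcher.observe(frame)                       # the monitor sees every frame
        if parse_arp(frame)[4] == victim_ip:         # deliver by target IP
            victim.receive(frame)
        else:
            gateway.receive(frame)
    return {
        "victim_thinks_gateway_is": victim.table[gateway_ip],
        "gateway_thinks_victim_is": gateway.table[victim_ip],
        "alerts": watcher.alerts,
    }


if __name__ == "__main__":
    print(poison_demo())
```

After the two forged frames both caches point at the attacker's MAC, while the watcher has raised one alert per hijacked IP. That change-of-MAC check is cheap to run on a span port and is the practical defence on networks whose switches do not offer Dynamic ARP Inspection; static ARP entries for the gateway on sensitive hosts close the same hole from the other side.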
Because this attack relies on ARP requests and replies, which are a local network mechanism that is never routed, it cannot cross routers or any other layer 3 or higher device: the attacker must sit in the same broadcast domain (the same LAN or VLAN) as the victim.