To understand how a packet sniffer works, one must first understand how a network hub (as used in this example) works. When network traffic is sent from upstream to a host attached to the hub, the hub re-transmits this data to all hosts on the hub. By default, the NIC in a computer is not set to promiscuous mode; in other words, unless the traffic is addressed to (a) broadcast or (b) specifically its own address, the NIC ignores it.

At this point, the packet sniffer can operate in one of two modes: it can sniff only the traffic addressed to it, or it can enter promiscuous mode and sniff all traffic received.
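
The hub and NIC behaviour described above can be modelled in a few lines. This is an added example, not part of the original write-up: the host names, MAC addresses and frames are constructed, and multicast filtering is left out because the text only covers broadcast and unicast.

```python
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst(6) + src(6) + ethertype(2) + payload."""
    return dst + src + ethertype.to_bytes(2, "big") + payload

@dataclass
class Nic:
    name: str
    address: bytes
    promiscuous: bool = False

    def accepts(self, frame: bytes) -> bool:
        """Destination filter applied to every frame the hub repeats to this port."""
        if len(frame) < 14:        # shorter than an Ethernet header: drop
            return False
        if self.promiscuous:       # filter disabled: every frame goes up the stack
            return True
        dst = frame[:6]
        return dst == BROADCAST or dst == self.address

def hub_repeat(frame: bytes, sender: Nic, ports: list[Nic]) -> list[str]:
    """A hub repeats the frame to every other port; return the NICs that keep it."""
    return [nic.name for nic in ports if nic is not sender and nic.accepts(frame)]

# Constructed hosts using locally administered MAC addresses (not real devices).
A = Nic("host-a", mac("02:00:00:00:00:0a"))
B = Nic("host-b", mac("02:00:00:00:00:0b"))
C = Nic("host-c", mac("02:00:00:00:00:0c"))
MONITOR = Nic("monitor", mac("02:00:00:00:00:0d"), promiscuous=True)
PORTS = [A, B, C, MONITOR]

# Constructed frames: one unicast from host-a to host-b, one broadcast from host-a.
UNICAST_A_TO_B = build_frame(B.address, A.address, 0x0800, b"constructed payload")
ARP_BROADCAST = build_frame(BROADCAST, A.address, 0x0806, b"constructed arp")

if __name__ == "__main__":
    print(hub_repeat(UNICAST_A_TO_B, A, PORTS))
    print(hub_repeat(ARP_BROADCAST, A, PORTS))
```

Every port receives the same bits from the hub; the only thing keeping host-c from reading the unicast frame is its own NIC's filter, which is why traffic on a shared hub should be treated as visible to every attached host.
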

Since the most common use of packet sniffers is on college networks, the obvious choice is to tell your packet sniffer of choice to enable promiscuous mode. You are now receiving a massive list of all network traffic generated by everyone on your hub. At most dorms, this is a good 10+ people on a single network hub, which enables the person running the sniffer to gather POP and IMAP passwords (generally unencrypted), as well as monitor AIM/IRC conversations, keep track of what websites everyone browses, etc. And the packet sniffer is nice enough to sort by which IP address each packet comes from, and filter based on protocol.

This only covers the negative aspects of packet sniffers, however; they also have many legitimate uses, such as testing to see if a NIC is functioning properly, ensuring that workers in an office aren't cruising porn sites on company time, etc.