If the LAN you are sniffing uses static ARP mapping, or retains ARP information for a very long time, normal ARP poisoning will not work because each host ignores any ARP Reply messages you send.
Even though it is not stealthy in the least, my favorite way is to use ettercap's port mode and basically blast the existing hosts out of the switch's internal MAC table. It is going to take some explaining to truly appreciate how this works.
Amazingly, this works well enough to capture most, if not all, of the traffic between any two hosts:
[lou@duodenum] ettercap -Tq -M port:remote
ettercap can also circumvent static ARP tables using crafted ICMP Redirect packets. Basically, ettercap is telling the other hosts on the LAN that it is a better gateway than the default router. Unfortunately, this technique results in a half-duplex sniffing session; you can see traffic that the internal hosts are sending out, but the replies from systems beyond the gateway are not intercepted:
[lou@duodenum] ettercap -Tq -M icmp:00:0A:5E:02:3B:B3/192.168.2.1
ettercap's dhcp MITM mode takes a long time because you have to wait for a host to renew its DHCP lease; however, if you are interested in how it works, the ettercap manpage covers it in detail.
dsniff handles the problem of static ARP tables in a different way. The MAC OverFlow (macof) program floods the switch and the rest of the network with bogus MAC addresses, with the intention of exceeding the switch's processor and memory limits and forcing the switch to revert to hub mode. A surprising number of switches actually do this; rather than drop packets when overloaded, the switch willingly turns off the switching features designed to provide speed and drops to a hub mode, repeating every Ethernet frame it sees out of every port. If this happens, you will suddenly start receiving frames intended for some other port, and you can begin sniffing as if you were connected to a hub. Once the network quiets down, the switch regains its composure. To keep that from happening, stick macof into a simple while loop to have it run periodically:
[lou@duodenum] while [ 1 ] ; do macof -n 300000 ; sleep 59 ; done
The -n option sets the number of packets to send.
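As the defender-side counterpart to the macof discussion, here is an added Python example (not from the book) that flags a switch port whose count of distinct source MACs within a sliding window exceeds any plausible host count. The frame records are constructed for the example; in practice they would come from a SPAN-port capture or switch telemetry.

```python
"""Flag switch ports showing the MAC-table flooding pattern macof produces.
Added example, not from the book; the sample frames below are constructed."""
from collections import defaultdict
import random


def random_mac(rng):
    """Random locally-administered-looking MAC, as a flooding tool would emit."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def build_sample():
    """Constructed records of (seconds, switch_port, source_mac).
    Port 3 carries four legitimate hosts; port 7 shows a burst of
    thousands of never-before-seen source MACs in a few seconds."""
    rng = random.Random(7)
    legit = ["00:11:22:33:44:%02x" % i for i in range(4)]
    frames = [(t * 0.5, 3, legit[t % 4]) for t in range(40)]
    frames += [(5 + i * 0.001, 7, random_mac(rng)) for i in range(3000)]
    return sorted(frames)


def flood_alerts(frames, window_s=10.0, max_macs=64):
    """Return {port: peak_distinct_source_macs} for every port whose number
    of distinct source MACs inside any window_s-second sliding window exceeds
    max_macs. The threshold is a per-port plausible host count, the same
    idea a switch's port-security maximum enforces."""
    by_port = defaultdict(list)
    for t, port, mac in frames:
        by_port[port].append((t, mac))
    alerts = {}
    for port, recs in by_port.items():
        recs.sort()
        in_window = defaultdict(int)  # mac -> occurrences inside the window
        lo, peak = 0, 0
        for t, mac in recs:
            in_window[mac] += 1
            while recs[lo][0] < t - window_s:  # expire old records
                old = recs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > max_macs:
            alerts[port] = peak
    return alerts


if __name__ == "__main__":
    print(flood_alerts(build_sample()))
```

The same limit applied on the switch itself (a port-security maximum MAC count with a shutdown or restrict action) is the direct mitigation, since it stops the CAM table from filling in the first place.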
[lou@duodenum] ettercap -Tq -i eth0 -B eth1
The -i option sets the primary interface (here it's eth0), and the -B option sets the second bridging interface.
Since bridged mode requires two interfaces, casual sniffing on the LAN with a laptop is more difficult. The reason you may be interested in using bridged mode is that it is stealthy. You do not have to spray the LAN with ARP packets, nor do you have to win any DHCP races with some random server. You can sit quietly and intercept packets without putting any of your interfaces into promiscuous mode.
If you like to run ettercap using the curses or GTK+ user interface, you can enable bridged mode when ettercap first starts by selecting the menu item "Sniff → Bridged sniffing..." as shown in Figure 4-3.
Once you have established yourself in bridge mode, sniffing and other functions are mostly the same as using Unified Sniffing mode, aside from some incompatibilities with a few MITM modes. The manpage contains a good explanation of what is going on.