There is a good one at [ethereal.com,...] click download on the left, select the "HTTP Main Site" link under the windows installers. And just install winPCap and Ethereal setup.

This will sniff every packet going past you, whether internet or intranet.

One thing I noticed about modern switches - once any two computers start talking, the switch ports they are connected to "join" and disconnect from the other ports.

So, if the computer with the sniffer cannot have its switch port set to "promiscuous mode" (to borrow a term), you might not be able to see any traffic other than the traffic the sniffer machine is engaged in.

Disclaimer: I know that I do not know everything. These are my observations and experiences. Your mileage may vary.

The reason that you'll only see data that's meant for your computer is because switches are much more intelligent that old-style hubs.

Hubs used to re-broadcast anything that came into one port into all the others. So, computer A on port 1 sends an "ACK" to computer H on port 8, which is sent through the hub, the hub takes that data, and replicates it through to ALL of the ports, 2-8. That's why you can see "everything" when you're plugged in to a hub.

Switches work by looking at the destination MAC address. The MAC address can be thought of as the "Hardware" address of the network card. It keeps an internal store of what MAC addresses are plugged into what ports. So imagine Computer A trying to send to computer H again, the switch will look at the incoming frame and say "Ahhh, it's destined for computer H's MAC address, so I won't send it to ports 2-8 as well, but only to port 8."

Kind of a simplified view of everything, but hopefully it'll help you to figure out with you can't see another computer's network traffic even though you're right next to it and so on.

for more complicated topics, look at [sans.org ] and [snort.org ] (the latter I have built myself, and it works like a charm). Also, today many corporate switches come with spanning ports as well.

MM