Quote Originally Posted by oofki
A lot of switches do not have a mirroring mode that makes the switch act like a hub. If this is the case ARP poisioning is the easiest way to obtain the traffic.
Actually, that is incorrect and also dangerous.

First, if you ARP poison a network, you run the risk of taking the whole damn thing down, especially if you have an underpowered box. You could DoS your entire organization and also earn a pair of shiny bracelets that you wear on your way out the door. They don't have nice network labs in jail.

If your device does not have a span/mirror port, use a "Y" line tap (layer 1 repeater, i.e., a mini hub) immediately upstream from the switch. You can then watch inbound/outbound connections to that subnet.

--TH13