Sniffers will capture all packets on the network, but in practice, an attacker has to be choosier. A sniffer attack is not as easy as it sounds. It requires some knowledge of networking. Simply setting up a sniffer and leaving it will lead to problems because even a five-station network transmits thousands of packets an hour. Within a short time, a sniffer's outfile could easily fill a hard disk drive to capacity (if you logged every packet).

To circumvent this problem, crackers generally sniff only the first 200–300 bytes of each packet. The username and password are contained within this portion, which is really all most crackers want. However, it is true that you could sniff all the packets on a given interface; if you have the storage media to handle that kind of volume, you would probably find some interesting things.

Authentication information is one of the most common targets for sniffer activity. In particular, information sent to ports 23 (Telnet) and 21 (FTP) is valuable because authentication information (like usernames and passwords) is sent in clear text in these protocols. Port 513 (rlogin) is also useful when trust relationships don't exist. (If a trust relationship does exist, then no username or password is required, but the system becomes a potential target for spoofing.)
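From the defender's side, the first step is knowing which hosts still offer the three services named above. The following is an added example, not part of the original article: it parses a constructed sample of `ss -ltn` output and flags listeners on ports 21, 23 and 513. The function name and the sample data are assumptions made for illustration.

```python
import re

# Ports the article names as carrying authentication data in clear text.
CLEARTEXT_AUTH_PORTS = {
    21: ("FTP", "username and password sent in clear text"),
    23: ("Telnet", "username and password sent in clear text"),
    513: ("rlogin", "password in clear text without a trust relationship; "
                    "with one, no password but a potential spoofing target"),
}

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*
LISTEN  0       5       127.0.0.1:23         0.0.0.0:*
LISTEN  0       5       [::]:513             [::]:*
LISTEN  0       128     *:8023               *:*
"""

# The port is whatever follows the last colon of the local address column,
# which also handles bracketed IPv6 addresses such as [::]:513.
_LOCAL = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
_LOOPBACK = ("127.", "[::1]")


def find_cleartext_listeners(ss_output):
    """Return one finding per listening socket on a clear-text auth port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line, or non-listening socket
        match = _LOCAL.match(fields[3])
        port = int(match.group("port")) if match else None
        if port not in CLEARTEXT_AUTH_PORTS:
            continue  # exact port match only, so 8023 is not mistaken for 23
        addr = match.group("addr")
        service, risk = CLEARTEXT_AUTH_PORTS[port]
        findings.append({
            "service": service,
            "port": port,
            "address": addr,
            # A loopback-only listener keeps its traffic off the network.
            "on_network": not addr.startswith(_LOOPBACK),
            "risk": risk,
        })
    return findings
```

Calling `find_cleartext_listeners(SAMPLE_SS_OUTPUT)` returns three findings; the Telnet listener is bound to loopback and is marked `on_network: False`.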