We use protocol analyzers for network troubleshooting, but these are equally deadly to a network if a hacker uses them. Because TCP/IP sends authentication across the network in the clear, anyone listening with a protocol analyzer can eventually learn traffic patterns, and logons and passwords going across the LAN. Aside from physically guarding all conductors in the LAN (not practical), is there any other defense against this kind of exposure?
Physical security and configuration management are the biggest hammers in the toolbox.
One thing to do is configure switches to allow only known media access control addresses to connect, and to shut any down if the MAC changes.
Locking the workstations so tight that users cannot put the network interface card in promiscuous mode can help.
Tools such as AntiSniff and ProDetect search out sniffers on the LAN.
Migrating away from applications such as Telnet and FTP, which send clear text passwords, is recommended. Another approach is to implement VPN client software inside the LAN, so that little clear text traffic crosses the wire. This can help protect sensitive applications.
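A host-side check that complements the workstation lockdown and sniffer-detection advice above, given as an added example that is not part of the original answer. It assumes Linux hosts that expose interface flags under `/sys/class/net`; the function names and the sample flag values are constructed for illustration.

```python
"""Flag Linux network interfaces whose kernel flags include IFF_PROMISC."""
import os

IFF_UP = 0x1         # interface is administratively up
IFF_PROMISC = 0x100  # interface accepts all frames, not only its own


def read_flags(iface_dir):
    """Return the integer flags for one interface directory, or None if unreadable."""
    try:
        with open(os.path.join(iface_dir, "flags")) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        # Not an interface directory, or the content is not a hex flag word.
        return None


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return a sorted list of (name, is_up) for interfaces in promiscuous mode."""
    findings = []
    try:
        names = os.listdir(sysfs_net)
    except OSError:
        return findings
    for name in names:
        flags = read_flags(os.path.join(sysfs_net, name))
        if flags is not None and flags & IFF_PROMISC:
            findings.append((name, bool(flags & IFF_UP)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: a fake sysfs tree so the check runs offline."""
    samples = {"eth0": "0x1003", "eth1": "0x1103", "wlan0": "0x1102",
               "lo": "0x9", "bad0": "garbage"}
    for name, value in samples.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(value + "\n")
    return root


if __name__ == "__main__":
    # On a real host, report every interface currently in promiscuous mode.
    for name, is_up in promiscuous_interfaces():
        print(f"{name}: promiscuous mode set ({'up' if is_up else 'down'})")
```

Run on a schedule through existing configuration management, a non-empty result on a workstation that has no reason to capture traffic is a finding to investigate.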