Network information gathering is a bit like telephone eavesdropping and, while often unethical, can go unnoticed indefinitely. By sniffing a network, one can uncover personal data, conversations, passwords, and potentially embarrassing topics. Whether or not this is appropriate for your network depends entirely on your network policy. Users should be made aware of the monitoring capabilities of your network, what becomes of the logs, and so on.
Our systems, for example, log all data in and out of the LAN. After a storage period of several weeks has elapsed, the data is removed and the storage space recycled. The logs are not browsed or made available to anyone unless an attack is being investigated or packet logs are needed as supporting evidence of an attack.
We do not use the information to conduct "witch hunts" among our own users. No matter how hard you try, you will inevitably get a browser pop-up window that points you to an inappropriate Web site, or receive emails that are not "company business." These random events may come across in your network administrator's packet logs as being evidence of less-than-desirable behavior, even though the administrator's actions were entirely innocent.
In general, if trust exists between the administrators and the users, "spying" on individuals is unnecessary. If you can't trust the people on your own LAN, there are bigger problems afoot than a sniffer can uncover.
Portscans, also an information-gathering tool, are more likely to be used on a day-to-day basis than a sniffer. They can uncover unauthorized services running on network machines, and help audit large hardware installations where no one person is responsible for equipment purchases. Unlike sniffers, portscan tools do not present the ethical dilemma of uncovering private information. They are, however, widely recognized as an attack by intrusion detection systems and administrators in general. You should never run a portscan on a network that you do not administer. If you do, you're likely to find your ISP or security group knocking on your door.
A friend learned the hard way that portscans are frowned upon when he accidentally transposed two octets in his network address while attempting to scan his own subnet. Within an hour, he was under investigation by his own security group as a potential attacker. A quick look at the target subnet revealed the obvious (and, in retrospect, amusing) mistake.
Although portscans are considered "legal" (http://online.securityfocus.com/news/126), it is difficult to prove that the intent was not malicious.