Packet sniffing for Admins and Developers

Why would a network admin, security admin or network developer be concerned with packet tracing software like Wireshark or Snort? To some the answer might be extremely clear, to others maybe not so much. The basic premise is that a packet tracing program like Wireshark, or my own sniff, can read all the traffic arriving on the network adapter. It does this by putting the selected network adapter into promiscuous mode and recording every packet the adapter receives. Some network protocols, or even whole types of traffic, are generally not visible to, or are completely ignored by, all but designated computers. Take DHCP traffic: when a PC boots into its OS it broadcasts a DHCP request onto the network (if it is configured that way) and a DHCP server assigns it an IP address to use. Computers that are already fully up and running ignore these DHCP requests, but the requests still cross the network to every machine, not only the DHCP server. The point is that these packets are broadcast across the network and can be seen with packet tracing software.

There are a few caveats to using this kind of software on a network. First, if you are not the admin, always get permission first. On switched networks, part of the design of a switch is to not broadcast everything to every computer all the time (which is how a hub works). By design this is a good thing: it separates traffic between end points and has an extremely dramatic effect on overall performance. But for capturing traffic it means the only traffic visible on an end point is that computer's own traffic plus broadcast messages. There are a couple of ways around this. One is to get a hub, put it in line between the network and the segment you want to test, and hook the capture machine up to the hub. This is probably not the best option, as extremely large amounts of traffic on that segment can cause the hub major issues. Another is essentially to perform a man in the middle attack on the network, which involves poisoning the ARP tables in the switches. Again not a great way, as it can adversely affect network traffic. The one of particular interest is only possible with smart switches, like those from Cisco or 3Com, where you can control the individual ports and their behaviour on the switch. One of the settings on these smart switches lets you treat one port as a hub and copy all the traffic on the switch to that port as well.

Now, reading the information being captured is a story all its own. Since you are seeing the raw network data, it helps to know a little about what you are looking at. There are several good books out there, and there are always the RFCs. Some of the more typical things you will see are TCP packets, especially when a computer is talking to a website. There are also the broadcast messages like the DHCP messages, as well as a variety of others.
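
As an added example of reading raw frames (not code from the original post or the sniff tool), the Python below builds two constructed sample frames, a DHCP Discover as a booting client broadcasts it and a TCP SYN to a web server, and classifies each the way a sniffer's summary line would, including decoding the DHCP option 53 message type. All MAC and IP addresses in it are made-up placeholders.

```python
import struct

# Constructed sample values (not from a real capture): a client MAC and the broadcast MAC.
SRC_MAC, ETH_BCAST = bytes.fromhex("001122334455"), b"\xff" * 6
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}

def ipv4_frame(dst_mac, proto, src_ip, dst_ip, payload):
    """Wrap a transport payload in minimal IPv4 and Ethernet headers (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + SRC_MAC + b"\x08\x00" + ip + payload

def dhcp_discover_frame():
    """A DHCP Discover as a booting client broadcasts it: 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, SRC_MAC + b"\0" * 10)
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # sname/file, cookie, option 53, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    return ipv4_frame(ETH_BCAST, 17, "0.0.0.0", "255.255.255.255", udp)

def tcp_syn_frame():  # a TCP SYN to a web server, with placeholder addresses
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_frame(bytes.fromhex("66778899aabb"), 6, "192.0.2.10", "192.0.2.80", tcp)

def dhcp_message_type(bootp):
    """Walk the DHCP options after the magic cookie and return the option-53 message type."""
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:          # pad option has no length byte
            i += 1
        elif opts[i] == 53:
            return DHCP_TYPES.get(opts[i + 2], "type %d" % opts[i + 2])
        else:
            i += 2 + opts[i + 1]
    return "unknown"

def classify_frame(frame):
    """Describe what a raw Ethernet frame carries, the way a sniffer's summary line would."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return "non-IPv4 frame (ethertype 0x%04x)" % ethertype
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src_ip, dst_ip = (".".join(str(b) for b in ip[o:o + 4]) for o in (12, 16))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 17 and {sport, dport} == {67, 68} and dst == ETH_BCAST:
        return "DHCP %s broadcast from %s" % (dhcp_message_type(ip[ihl + 8:]), src.hex(":"))
    name = {6: "TCP", 17: "UDP"}.get(proto, "proto %d" % proto)
    return "%s %s:%d -> %s:%d" % (name, src_ip, sport, dst_ip, dport)
```

On a real capture you would feed `classify_frame` each frame read from the adapter in promiscuous mode; the DHCP broadcasts from booting machines show up as the first line's kind of output.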

Back to the original question: how can such a tool be that useful to a network admin, security admin or network developer? For the network and security admin it is good for troubleshooting or monitoring the network. More specifically, if a segment of the network is running extremely slowly when it apparently shouldn't be, plugging in a PC with a packet tracer can give clues to what might be going wrong on that segment. In the case of monitoring, you can see whether someone is trying to do a man in the middle attack or is otherwise playing games on the network. For developing network based applications, it can be thought of as another type of debugging tool, where the program under development can be tested to see whether it is operating correctly or per specification.