ARP poisoning is the correct answer because it allows the penetration tester to intercept traffic in a switched network environment. By sending falsified ARP (Address Resolution Protocol) messages onto the network, the attacker can link their MAC address with the IP address of another host (usually the gateway), causing the traffic of the target host to pass through the attacker's machine, allowing packet capture and analysis. Switched Port Analyzer (SPAN) is incorrect as it is not a practical sniffing approach for an attacker since it requires configuring the switch, which is not typically viable during a penetration test. The remaining options are incorrect because they either do not apply to sniffing network traffic (like Subnetting) or are less effective in a switched network environment without additional network manipulation (like promiscuous mode alone).