I'm a bit confused about the working principles of Firesheep. The official website describes session hijacking as almost a piece of cake. My question is, how is the cookie information routed towards the attacker's system without using some middle-man technique? If I'm the attacker, the website won't send the legitimate user's cookie directly to me, even if my (attacker's) NIC is configured in promiscuous mode, right? What am I missing here? Sorry, I don't have much experience in network security. Please tolerate it if the question seems silly! I've already tried a lot of Google searches, but couldn't find satisfactory answers! Thanks in advance!
Trying to answer from memory...
Firesheep uses libpcap and listens to packets in promiscuous mode. So it will be able to see any data on open Wi-Fi networks (read: unencrypted). Remember that the "Wi-Fi cable" is the "air", and everybody with the right antenna can listen to that medium.
Since Firesheep attacks unencrypted HTTP traffic (without HTTPS), it is able to extract information, such as cookies, from that. It is just a matter of parsing the valuable information out of the raw frames it sniffs from the air.
It would be possible for Firesheep to decrypt and process data from pre-shared secret connections (WEP/WPA/WPA2), same as Wireshark supports, although I don't think that this is implemented.
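The exposure described in the answer above comes from cookies travelling in plaintext HTTP. As an added example (not part of the original post), the following sketch lets a site operator check which of their cookies a browser would also attach to plain-HTTP requests, by flagging `Set-Cookie` headers that lack the `Secure` attribute. The sample response, cookie names and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers of a login response as a site operator
# would capture them from their own server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: auth_token=def456; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def set_cookie_headers(raw: bytes) -> list[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"set-cookie":
            values.append(value.strip().decode("latin-1"))
    return values


def cookies_exposed_on_http(raw: bytes) -> list[str]:
    """Names of cookies set without Secure.

    Without that attribute the browser also sends the cookie on
    unencrypted HTTP requests, where it is readable on an open network.
    """
    exposed = []
    for header in set_cookie_headers(raw):
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:  # "" when absent, True when present
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in cookies_exposed_on_http(SAMPLE_RESPONSE):
        print(f"cookie {name!r} lacks Secure: browser will send it over plain HTTP")
```

A session cookie reported by this check should be reissued with `Secure`, and the site served over HTTPS only.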