In an STP manipulation scenario, what is the purpose of creating a SPAN entry on the spoofed root bridge?

SPAN (Switched Port Analyzer) duplicates traffic from selected source ports to a designated destination port on a switch so you can monitor it on a connected device. In an STP manipulation scenario where an attacker has spoofed the root bridge, setting up a SPAN session on that bridge lets the attacker send copies of the traversing traffic to their own computer. This effectively redirects data to the attacker's system for analysis or interception, which is the primary malicious goal in this context. SPAN isn’t about turning off STP or changing the root priority, which are separate STP actions. While SPAN is indeed used to mirror traffic to a monitoring device, the attacker’s objective here is to have those copies end up on their own machine, making redirecting the traffic the best description of the purpose.