What's the difference between a MITM attack and sniffing?

Typically, an eavesdropper (sniffer) will be passive -- that is, they will not modify the traffic.

Man-in-the-middle (MiTM) attacks usually imply an active adversary -- one who will change the contents of the message before passing it on.

The two are not entirely distinct, as a MiTM may use their active attack to read the contents of messages, or simply to disrupt communications.


It's sort of like asking the difference between a car and steering. When you are driving a car, you can (and probably should!) steer it. But you can steer a bike too...

Enough with the analogy: the difference, in my view, is that MitM is a class of attack and sniffing is simply the word for analyzing packets on the network (and often just the packets going to/from your network card).

Once someone has become the "man" in a man-in-the-middle attack, they are able to sniff incoming/outgoing packets of their target.

Other related attacks/terms (to name a few) would be ARP poisoning and DNS hijacking.


A sniffing attack is an attack on confidentiality. It can be via a SPAN port on a switch, processes on servers through which the traffic passes, or on the end-user client. Sniffing is often an MITM attack but it is passive.

A MITM attack is typically a more active attack where the traffic route has been altered to include the adversary, such as a rogue access point, or ARP/DNS poisoning, to allow a sniffing attack, break encryption, and/or tamper with the delivery of content (an integrity and confidentiality attack).

Once established as an active attack, a MITM can hijack sessions, alter content to hide activity, inject malicious code, and, depending on the service accessed, perform sensitive functions. Some but not all of this is possible as a follow-on from a passive sniffing attack using the information gathered.

Related / similar attacks are MiTB (man in the browser), keylogging, session hijacking, clickjacking, and XSF.
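
An added example, not part of any of the answers above: the ARP poisoning mentioned as a way into the traffic path has to change an IP-to-MAC binding on the wire, which a defender can watch for, whereas a purely passive sniffer sends nothing. The sketch parses raw Ethernet/ARP frames and flags any IP address later claimed by a different MAC; all addresses and frames are constructed sample input, and the function names are illustrative.

```python
import socket
import struct

def _sample_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP reply bytes, used only as sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, opcode 2 = reply
    arp += mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def find_binding_changes(frames):
    """List (frame_index, ip, first_mac, new_mac) where an IP is claimed by a new MAC."""
    seen, alerts = {}, []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP: nothing to learn about bindings
        _, mac, ip = parsed
        first = seen.setdefault(ip, mac)  # remember the first MAC seen per IP
        if first != mac:
            alerts.append((i, ip, first, mac))
    return alerts

# Constructed capture: the gateway announces itself, a host answers,
# then a different MAC claims the gateway's IP.
GATEWAY = "192.0.2.1"
SAMPLE = [
    _sample_frame("02:00:00:00:00:01", GATEWAY, "02:00:00:00:00:10", "192.0.2.10"),
    _sample_frame("02:00:00:00:00:10", "192.0.2.10", "02:00:00:00:00:01", GATEWAY),
    _sample_frame("02:00:00:00:00:66", GATEWAY, "02:00:00:00:00:10", "192.0.2.10"),
    b"\x00" * 60,  # non-ARP frame, ignored by the parser
]

if __name__ == "__main__":
    for idx, ip, old, new in find_binding_changes(SAMPLE):
        print(f"frame {idx}: {ip} moved from {old} to {new}")
```

A binding change is a signal to investigate rather than proof of an attack: NIC replacement and gateway failover produce the same pattern.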