Sniffing Attack: Definition, Defense & Prevention

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

During a sniffing attack, a hacker intercepts small bits of data sent over the internet. If the hacker grabs the right packets, your account numbers, passwords, or secrets could all be sold on the black market.

Sniffing attacks can be remarkably effective. For example, a researcher says he cracked 70 percent of neighborhood WiFi passwords using this method. 

While spotting a pass sniff in progress isn't easy, a few reasonable steps can lower your vulnerability to this type of attack.

What is a packet?

The internet is made up of messages. Each time you load a page on your phone, the device and the origin server have a deep conversation about what you want and what it provides. That conversation is broken into many small pieces, and each one is a packet.

Numbers help your device reassemble the packets into proper order, so you don't have to do the puzzle-piece work yourself. And the work happens so fast that you may never even know it's occurring.

When we talk about packets from a security perspective, we're often discussing packet spoofing. This type of attack involves:

  • Creation. A hacker makes fake packets that have a fake IP address.
  • Acceptance. The recipient doesn't know the packet isn't legitimate.
  • Theft. The fake packet gives the hacker an opening into the target server. The hacker might use a program to steal data once inside. 

Packet sniffing attacks are different, but they are no less dangerous.

What is sniffing?

During a packet sniffing attack, a hacker is performing a type of eavesdropping. The goal is to grab the right piece of the puzzle.

Legitimate forms of packet sniffing exist. Your company might use the technique to:

  • Analyze. How much traffic moves into and out of your servers? What are people sending out?
  • Fix. Why isn't information moving properly? Are some messages leaving unencrypted?
  • Test. Does a setting change make data exchange more secure? 

Criminals use packet sniffing for very different reasons. They might tap into the technique to take your:

  • Bank account numbers 
  • User names 
  • Passwords 
  • Company secrets
  • Building codes 

Researchers say more than 85 percent of data breaches begin with money. Hackers are trying to make money by taking something from you.

2 packet sniffing attack types

While hackers might share packet sniffing goals, they can carry out these attacks in different ways.

Two main packet sniffing types exist:

  • Passive: The hacker places a sniffing device on a hub that takes in traffic and retransmits it to all destinations. A router is a hub, for example. Putting a packet sniffing device here means the hacker can spy on all traffic that comes in.
  • Active: Switches determine where traffic should move, and they rely on content address memory (CAM) tables. A hacker floods this switch with traffic, and the flow essentially freezes the switch. Now, the hacker can read everything coming in.

Interactions differentiate these two approaches. In a passive packet sniffing attack, the hacker does something and waits. In an active version, the hacker launches an attack and waits for it to work.

4 packet sniffer attack implementations

We've explained how packet sniffer attacks work in theory. But how does a hacker make this idea a reality? 

Four main types of packet sniffer attack implementations exist.

  1. DNS cache poisoning: The DNS system transforms the web addresses you type into the numbers and dots the internet uses. Devices remember (or cache) the addresses to avoid unneeded lookups. During DNS cache poisoning, a hacker enters false information. Traffic moves to a site the hacker chooses.
  2. Evil twin attack: The hacker changes the DNS address of a victim server. Traffic again moves to a site the hacker has set up (also known as the evil twin).
  3. MAC flooding: The hacker sends significant traffic to the switch and breaks it. The switch begins working like a hub, allowing for endless sniffing.
  4. MAC spoofing: The hacker grabs the MAC information for devices linked to the switch. Traffic moves through a gateway with no checks. 

These are complicated attacks, but software makes them relatively easy for hackers to launch. 

Prevent & block a sniffer attack

A tiny piece of hardware or software can begin a sniffer attack. It's difficult to shear this piece away from your legitimate hardware and software. Rather than focusing on identifying an attack in progress, it's best to prevent these issues from hitting your servers. 

Take three steps:

  1. Lean on VPN. Don't allow employees to use free WiFi systems at coffee shops without the protection of your VPN. The same goes for at-home routers. Everyone who wants to connect must use a VPN to do so. All traffic will be encrypted, meaning that stolen packets will be illegible.
  2. Double down on encryption. With a VPN in place, most of your traffic is encrypted. Take an extra step and ensure that everything you send out is encrypted.
  3. Watch. Scan your systems carefully and flag anything that seems unusual. You may not catch every attack, but close monitoring could help a bit.

Read our blog to uncover how tightening your identity processes can help you block common cybersecurity attacks. 


Researcher Cracks 70 Percent of Neighborhood WiFi Passwords. (October 2021). TechTarget. 

Here's How Much Your Personal Information is Worth to Cybercriminals and What They Do with It. (May 2021). PBS.