Neither the web server nor someone else’s browser is just going to want to send you its traffic (unless there’s a bug). The reason tools like Burp Suite work is that you add it as a proxy in your browser. This would require some kind of access to one or both of the devices.
Promiscuous sniffing with Wireshark works because the wireless traffic is radio waves that your computer can pick up. On an unsecured Wi-Fi network this traffic is not encrypted. On a WPA2 network it is encrypted with the Wi-Fi password (i.e. if you know it you can decrypt all the traffic). This should change with the WPA3 standard (which encrypts the traffic differently for different devices).
If you do not have access to the traffic you need to pretend to be the devices involved so they connect to you instead of each other. An example of this is ARP (Address Resolution Protocol) spoofing. When devices are on the same subnet they work out which device has the IP address they want to send packets to by broadcasting a request. Devices on the network respond to this request by specifying the MAC address belonging to the device with that IP. With ARP spoofing you respond to requests for the server’s and client’s IPs by specifying your own MAC address so they connect to you instead.
tl;dr: I know of 3 main methods for getting traffic between a server and a third party:
- Have access to one of the devices
- Passively sniffing the traffic between the devices if you have access to it
- Actively pretending to be the devices (spoofing) so they connect to you instead of each other
I think MITM is specifically when you get into a situation where you relay the packets between the targets. So, I’m not sure if I’d count the second or some instances of the first.
Encryption (mainly SSL/TLS) tries to prevent these attacks by encrypting the traffic so that what you receive when performing these attacks looks like nonsense. If the client and server implement this properly and certificate authorities can be trusted this should fix the problem. In practice there can be bugs in these setups and sometimes CAs can’t be trusted, e.g. Heartbleed, sslstrip, POODLE. These particular attacks are a bit old and (mostly) have been fixed; they shouldn’t work on modern software.
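The ARP spoofing flow from the post, as an added example that is not part of the original post. It builds the two forged ARP replies an attacker keeps re-sending (one telling the client that the gateway's IP lives at the attacker's MAC, one telling the gateway the same about the client), applies them to a simulated ARP cache that accepts unsolicited replies (as many stacks do), and runs a simple detector over the frames. All addresses (192.168.1.0/24, the MACs) are constructed sample values; nothing is sent on a real interface.

```python
"""Constructed ARP-spoofing walk-through: forge the replies, poison a simulated
ARP cache, and flag the poisoning with a simple detector. No packets are sent."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample hosts (not from the original post).
CLIENT_IP, CLIENT_MAC = "192.168.1.10", "00:11:22:33:44:55"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP packet in the RFC 826 layout (42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the frame produced by build_arp back into its fields."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    arp = frame[14:]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "opcode": opcode,
        "sender_mac": fmt_mac(arp[8:14]), "sender_ip": fmt_ip(arp[14:18]),
        "target_mac": fmt_mac(arp[18:24]), "target_ip": fmt_ip(arp[24:28]),
    }


class ArpCache:
    """A host's IP->MAC table that trusts any reply, asked for or not."""

    def __init__(self):
        self.table = {}

    def receive(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p["opcode"] == ARP_REPLY:
            self.table[p["sender_ip"]] = p["sender_mac"]


def poison_frames(attacker_mac, client_ip, client_mac, gateway_ip, gateway_mac):
    """The two forged replies that put the attacker between client and gateway."""
    to_client = build_arp(ARP_REPLY, attacker_mac, gateway_ip, client_mac, client_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, client_ip, gateway_mac, gateway_ip)
    return to_client, to_gateway


def detect_spoofing(frames) -> list:
    """Flag an IP whose MAC changes, and a MAC that answers for more than one IP."""
    ip_to_mac, mac_to_ips, flagged_macs, alerts = {}, {}, set(), []
    for frame in frames:
        p = parse_arp(frame)
        if p["opcode"] != ARP_REPLY:
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"{ip} moved from {ip_to_mac[ip]} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


def demo():
    """Legitimate reply first, then the attacker's forged ones; returns both caches and alerts."""
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP)
    to_client, to_gateway = poison_frames(ATTACKER_MAC, CLIENT_IP, CLIENT_MAC,
                                          GATEWAY_IP, GATEWAY_MAC)
    client, gateway = ArpCache(), ArpCache()
    client.receive(legit)        # client learns the real gateway MAC
    client.receive(to_client)    # ...and is then overwritten by the forged reply
    gateway.receive(to_gateway)  # gateway now sends client-bound traffic to the attacker
    alerts = detect_spoofing([legit, to_client, to_gateway])
    return client, gateway, alerts


if __name__ == "__main__":
    c, g, a = demo()
    print("client thinks gateway is", c.table[GATEWAY_IP])
    print("gateway thinks client is", g.table[CLIENT_IP])
    print("\n".join(a))
```

The detector's two rules are the same ones static ARP entries and switch-side dynamic ARP inspection are built around: the real gateway's MAC should never change, and one MAC should not be answering for several IPs at once.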
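What "implementing this properly" means on the client side, as an added example using Python's standard ssl module (not code from the original post). The first context is the common mistake that makes a MITM trivial: certificate verification and hostname checking are switched off, so an attacker's self-signed certificate is accepted. The second is the hardened form, which also refuses SSLv3 and TLS 1.0/1.1 so that a downgrade to a POODLE-era protocol is not possible. The audit function is an assumed helper written for this example.

```python
"""Added example: weak vs. hardened TLS client configuration in Python's ssl module."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The classic mistake: any certificate is accepted, so a MITM just presents its own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System CA store, CERT_REQUIRED, hostname checking, and no pre-TLS1.2 protocols."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv3 (POODLE) and TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Assumed helper: list the settings that would let a MITM succeed against this client."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"allows protocol versions below TLS 1.2 ({ctx.minimum_version.name})")
    return problems


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Verification and hostname checking only help as far as the CA store can be trusted, which is the "if certificate authorities can be trusted" condition in the post; pinning the expected certificate or CA is the usual way to narrow that trust for a client you control.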