Let begin with some definitions;
Passive attack: When the attacker only observes and not interacts with any of the parties it is called the Passive Attack. Detection of a passive attack is difficult to detect.
Active Attack: In Active attack, the attacker modifies the system on behalf of him. He can change, replay, or even delete the values or try to impersonate one of the users. There is no bound for the active attacker. Remember the quote;
"Attacks always get better; they never get worse."
- why do most documents say about altering the message content by the attacker?
That really depends on the aim of the attacker. When the attacker is able to change the message and the target is accepting the messages it is perfect. The target is a puppet of the attacker. More sophisticated attacks may require more than a message change as in The 9 lives of Bleichenbacher's CAT, it puts another scratch again. Also, remember that even in Cryptoanalysis the first aim is accessing the message not the key. The key is sufficient but not necessary.
- Can't the hacker just keep a copy of encrypted block and send the encrypted original data to Bob?
If it suits he can, but he is no longer a passive attacker, now he is an active attacker, he modified the protocol. For full answer see in 5.
- Why does a MITM presence interrupt the network? For example, Wireshark captures the packets but still, the actual recipient receives the packet.
The MitM attack requires an active attacker. You use the WhireShark as a passive attacker. This is similar to wiretapping. Tapping is even possible in Fiber Channels.
- could an interlock system be susceptible to passive attack?
There is no known passive attack for the Interlock protocol. Of course, there is always a passive attack, that is; breaking the Diffie-Hellman problem or the Discrete Logarithm Problem.
- Can Eve send the original data without altering the message content, and keep a copy of it to integrate it with the remaining message blocks
Let remember The Interlock Protocol which is designed to expose the MitM attack. Once the key exchange is finished the two sides execute;
- Alice encrypts a message $m$ with her key and sends only half of the message.
- Similarly, Bob encrypts a message $m$ with his key and sends only half of the message.
- Then, Alice sends the other half of her message and finally,
- Bob also sends the other half of his message.
Alice and Bob can combine and see the message.
Replaying is not possible as noted in the The Interlock Protocol article. The MitM attacker must decrypt the incoming data and then encrypt with the key between his and Bob. Since he cannot decrypt, he must send something else. But, he cannot send the same half text since when Bob decrypts it with the "wrong" key and Bob will get a garbage message.
Since he is exposed, the parties must establish a new key exchange in a secure way.
