Little Snitch for Linux: eBPF Monitoring of Application Network Activity
Developer Christian Starkjohann has released a Linux version of Little Snitch—a tool for detailed control of application network activity. The solution uses eBPF to inspect traffic at the kernel level, providing a web interface for management. It supports Linux kernels 6.12 and above. The background daemon is written in Rust under a proprietary license that allows free distribution.
Architecture and Components
The core is a BPF handler loaded into the kernel to intercept network packets. It analyzes application connections in real time. The littlesnitch-daemon processes events and manages rules.
- Open components (GPLv2): eBPF programs, function library, web interface—available on GitHub.
- Proprietary daemon: littlesnitch-daemon—free for use and distribution.
The web interface runs at http://localhost:3031/ and supports PWA mode for use as a standalone app.
Monitoring and Blocking Features
The tool visualizes current connections: hosts, traffic volume, activity history. Blocking works by IP, subnets, and domains.
Features:
- Creating whitelists for trusted apps.
- Importing and auto-updating external blocklists (oisd.nl and similar) for ads, trackers, telemetry, phishing.
- One-click blocking of unwanted connections.
This lets middle/senior developers enforce strict controls in work environments without performance trade-offs.
Comparison with OpenSnitch
OpenSnitch is an open-source alternative with interactive dialogs for new connections. However, according to Starkjohann, it doesn't cover every scenario:
| Feature | Little Snitch for Linux | OpenSnitch |
|---------|--------------------------|------------|
| eBPF support | Yes | Partial |
| One-click blocking | Yes | No |
| Web interface with PWA | Yes | No |
| Auto-updating blocklists | Yes | Limited |
Little Snitch focuses on convenient process monitoring without constant popups.
Installation and Requirements
The project requires kernel 6.12+. Installation involves loading the BPF module and starting the daemon. The web interface is available immediately after launch. For production environments, configure whitelists for key services.
Key Takeaways
- eBPF delivers low-overhead monitoring without user-space overhead.
- External blocklist support automates protection from trackers and threats.
- PWA-enabled web interface simplifies deployment on headless servers.
- GPLv2 open components enable customization.
- A solid OpenSnitch alternative for one-click blocking workflows.
— Editorial Team
No comments yet.