Little Snitch
Visualize and control network traffic on Linux
AI Summary
Little Snitch for Linux is a network monitoring tool that makes all outgoing connections visible and controllable via a web interface. It uses eBPF technology to show which applications are communicating with which servers, enables blocking of unwanted connections through rules and blocklists, and tracks data volume as well as connection history. The tool is designed for privacy-conscious Linux users who want transparency about the network activities of their software.
✓ Pros
- + Open-source components (eBPF program and web UI) available on GitHub
- + Intuitive web interface with PWA support for easy operation
- + Automatic blocklist updates from known sources like Hagezi or Steven Black
✗ Cons
- − Requires Linux Kernel 6.12 or higher with BTF support
- − No complete security guarantee at high traffic due to eBPF limitations
Use Cases
- → Monitoring and blocking unwanted telemetry from installed applications
- → Detection of suspicious network activities through traffic analysis and filtering
- → Automatic blocking of tracking and advertising services via blocklists
- → Detailed analysis of data consumption of individual applications over time
Who is it for?
Privacy-conscious Linux users and system administrators who need full transparency and control over outgoing network connections of their applications.
Tags
What is Little Snitch?
Little Snitch for Linux monitors all outgoing network connections on a system and makes visible which application is communicating with which server. The underlying technology is eBPF, a mechanism in the Linux kernel that captures network activity directly in the kernel context. Control runs through a web interface that can also be installed as a Progressive Web App. Obdev, originally known for the macOS version of the tool, has released the Linux variant with open source code: both the eBPF program and the web UI are available on GitHub.
Core features
- Real-time connection monitoring: Every outgoing connection is logged, including the associated application, destination address, and data volume.
- Rule-based blocking: Connections can be selectively blocked, either manually or through automatically updated blocklists from sources such as Hagezi or Steven Black.
- Data volume tracking: The tool records network usage per application over time, not just as a snapshot.
- Connection history: Past connections remain accessible, enabling retrospective analysis.
- Automatic blocklist updates: Known tracking and advertising services are blocked without manual intervention as soon as the blocklists are updated.
Who is Little Snitch for?
The primary audience is Linux users who want to know whether installed software is phoning home without permission. This applies to proprietary applications with telemetry as much as to self-compiled tools with unknown network behavior. System administrators can use the tool to detect suspicious connection patterns on machines at an early stage.
One hard requirement: kernel 6.12 or newer with BTF support. Anyone running an older system or a kernel compiled without BTF cannot install the tool. At very high network throughput, eBPF-related gaps in capture can also occur. Little Snitch is not a replacement for a full IDS.
Context & alternatives
Little Snitch belongs to the category of outgoing network monitors, an area that has been poorly served by convenient tooling on Linux until now. Classic firewall tools such as ufw or nftables block connections but do not show what is communicating at the application level. Tools like nethogs visualize bandwidth per process but offer no rule management or blocklists. Little Snitch combines these aspects in a single interface.
Anyone who wants to know whether a newly installed application is sending data, and who wants to evaluate that without command-line tricks, gets a direct answer here.