A Linux version of Little Snitch, the iconic network monitoring tool for macOS, has been released.

Little Snitch for Linux is written in Rust and uses eBPF for kernel-level traffic interception (this lets sandboxed code run inside the Linux kernel without modifying it). The tool shows processes on your machine making network connections, and give you options to block them using rules.

Linux version uses a web-based UI, so you can monitor remote devices

Little Snitch for Linux has a web-based interface rather than a traditional GUI, as it means you can monitor a Linux server remotely from any device, which is useful if you want to know what your Nextcloud or media server is actually connecting to.

Its creator, Christian Starkjohann, of Austrian software company Objective Development, says he created the Linux port out of personal need since he’d installed Linux on some old hardware, and immediately felt his system was ‘naked’ without it.

While Linux has native network monitoring tools, the best known being OpenSnitch (inspired by Little Snitch). None of those, as Christian puts it, gave him what he wanted: see which process are making which connections, and deny any a single click. So he built it.

Run it, inspect it, deny it (if needed)

But Little Snitch for Linux is not the same as the macOS version, positioned more as a privacy aid than a a security tool. This is because eBPF has strict resource limits, processes can evade, and it is harder to reliably tie each network packet to a process name.

The macOS version uses deep packet inspection to achieve it, which isn’t available on Linux. Christian says privacy is the focus, letting you see “…what’s going on, and where needed, blocking connections from legitimate software that isn’t actively trying to evade it.”

Christian ran the Linux version on a stock Ubuntu and says he “…found 9 system processes making internet connections over the course of one week. On macOS, we counted more than 100”.

Firefox connected to Mozilla’s advertising and telemetry servers on launch, before any browsing took place, and metrics and telemetry and network pings occur in other desktop apps too, like VSCode. But LibreOffice made no network connections at all during use.

Download Little Snitch for Linux

Little Snitch for Linux is available now at obdev.at. It runs on a Linux distribution with Linux kernel 6.12 or above and built with BTF support (Ubuntu 25.04 or newer). Deb packages are available for 64-bit Intel/AMD devices, ARM64 and RISCV64.

However, while Little Snitch is free to download and use, it’s not wholly open source. It’s described as “free, functional, and open where it counts”. The eBPF kernel component and UI are open source, so means you can verify what’s happening at the interception layer.

The backend portion is not open. Christian says this “carries more than twenty years of Little Snitch experience, and the algorithms and concepts in it are something we’d like to keep closed for the time being”.

For more detail on the why and how, read the official post on the developer’s blog.