Due to popular demand, Little Snitch is now scriptable, it comes with a command line tool. Since this littlesnitch
command is very powerful and can potentially be misused by malware, most of its functionality is only available when enabled in Little Snitch > Preferences > Security > Allow access via Terminal. We recommend that you enable access to the command line tool only as long as you need it. When access is enabled, you must take precautions that untrusted processes cannot gain root privileges.
- View Little Snitch Capture Login
- View Little Snitch Capture Log In Account
- View Little Snitch Capture Log In Facebook
- View Little Snitch Capture Log Template
Functions in the command line interface cover the following areas:
Send a Little Snitch Gift Card! Make someone happy and send a Little Snitch Gift Card. Whether it’s for your family or friends – let Little Snitch protect their privacy! Choose from 6 different designs and add your personal message. It’s so easy to make your loved ones smile. Little Snitch is a favorite Mac program that finds outgoing connections and lets you set rules to block this link. Once set up, Little Snitch monitors your online visitors and every time it finds an outbound link, for example, Adobe Reader tries to access the Internet, a window pops up and asks if you want to allow a single link or make guidelines.
- Allowing configuration changes for mass deployment (for sysadmins of big companies).
- Obtaining particular internal information to help debugging problems together with our support team.
- Expert functionality such as filter verification, traffic capturing and importing of backups with user mapping.
The command line utility is a moving target. Experimental features are tested here and the documentation may therefore be out of date.
Using built-in help
The command line tool comes with a built-in help system providing basic usage information. For a general help, use:
There is little to add to this info. Most subcommands require that you run littlesnitch
as root (sudo littlesnitch
). If the command behaves differently for different users (e.g. setting a user specific preference), the the value is changed for the user running sudo
, not for root. If you want to change something on behalf of an other user, use the --user
option.
list-preferences
Without any options, this command lists all Little Snitch preference options and their values:
The options -g
and -o
limit output to only global or user-specific preferences.
read-preference
This command prints a preference value in JSON format, e.g.:
write-preference
This command is used to modify preferences. The value argument is converted to the type of the preference. Examples values for types are:
Dictionary and array elements can only be set individually. If you want to add an entry to an array, use e.g.:
where 1
represents the index to be written.
Note that you can disable the command line utility with sudo littlesnitch write-preference allowCommandLineAccess false
. If you do that, you lock yourself out and you must go back to the preferences dialog to enable it.
export-model
This command does the same thing as the user interface action Little Snitch > File > Create Backup…. If no output file is specified, the backup data (JSON representation) is written to standard output.
restore-model
This command imports backups and configuration database files from various versions of Little Snitch. You can use it to import backups in JSON format, backups from Little Snitch 3 and 4 as well as current configurations from other instances of Little Snitch 3, 4 or 5.
Backups and configuration databases usually contain settings for all users on the computer where users are identified by their User Identifier, a small integer number. When you import data from a different computer, users may have different identifiers and you may want to tell Little Snitch which user on the old computer corresponds to which user on the new computer.
If you import data from a different computer, first list the users in the archive:
The archive in this example has been created by Little Snitch 4 where no user names were stored. User names help you with the mapping. If no user names are available, you can probably distinguish users by the number of rules. User 248 in the example above never really used Little Snitch. And you can see that user 501 was primarily active while 502 probably was a test account.
If you want to import a backup as-is, just use (with the example backup file from above):
However, if you have a different User ID on the new computer, you need to set a mapping:
Rules and settings from users which are not mapped are discarded.
If you need to perform any automated changes in the data model (hey, nerdy sysadmins!), you can export a JSON model with export-model
, modify the resulting JSON code in whatever way you like and re-import it with restore-model
.
Note that restoring a backup disables command line access if it was disabled at the time the backup was made!
debug-topics
This command is primarily made for analyzing bugs and unexpected behavior with guidance from our support. If you need this command, our support team will tell you what options and arguments you should use.
log
This command is basically a frontend to the macOS log
command, using preconfigured filters suitable for Little Snitch. Use the option --last
to see messages from the past, or --stream
to watch messages live. This command is primarily made for analyzing bugs and unexpected behavior with guidance from our support. If you need this command, our support team will tell you what options and arguments you should use.
Contrary to other commands, the log
command is available to non-root users and does not require the “Allow access via Terminal” preference to be enabled.
log-traffic
This command gives you access to the underlying data visualized by Network Monitor. You can specify a time range with --begin-date
and --end-date
or view live statistics with --stream
(which can be combined with --begin-date
). Output is in CSV format and the first line always represents the field names.
Each line represents statistics over the time interval since the previous line.
Field Name | Description |
---|---|
date | Start date of the time interval |
direction | The string “in” for inbound connections or “out” for outbound |
uid | UID of the communicating process |
ipAddress | Remote internet address |
remoteHostname | Remote computer name used to look up the IP address |
protocol | Numeric Internet protocol (e.g. 6 for TCP, 17 for UDP) |
port | Remote port number for outgoing connections, local port number for incoming |
connectCount | How often new connections were established during the statistics time interval |
denyCount | How often connection attempts were denied during the statistics time interval |
byteCountIn | Number of bytes received during statistics time interval |
byteCountOut | Number of bytes sent during statistics time interval |
connectingExecutable | A string describing the executable of the process which established the connection |
parentAppExecutable | If the connecting executable is not an application, Little Snitch tries to find a responsible application. If one is found, this string represents the parent app. |
recrypt-config
All files storing configuration data on disk are encrypted with a password stored in the macOS System Keychain. When our support needs a copy of a configuration file, it is useful to decrypt this particular file before transmission instead of sending your password along with the file in plain e-mail.
When run without any arguments, this command copies all configuration files to the current directory, changing their encryption password to “none”. The current password is read from the Keychain. You can customize this behavior by specifying a particular file, password or target password.
verify-filter
This command is used to turn filter verification on or off. When run without any arguments, it prints the current status of filter verification.
When filter verification is active, Little Snitch tracks network traffic on the network interface level (via BPF devices) and verifies whether all connections have been presented to the network filter at the Network Extension level. Connections entering the network stack after the Network Extension level are shown in Network Monitor and tagged as “bypassing the filter”.
As far as we can tell from current experience, only network packets originating in Kernel Extensions and Hypervisors (such as VMWare or Parallels) can bypass the Network Extension filter.
capture-traffic
This command captures all network traffic from a particular executable and outputs it to a file or to standard output. The executable is selected by path (or, in special cases such as scripts, Java executables or executables in temporary paths, the string used by log-traffic
in the connectingExecutable
and parentAppExecutable
columns).
Example:
With option --pcap
, captured data is wrapped into faked protocol frames (TCP/UDP/ICMP, IP/IPv6, Ethernet) and stored in PCAP format. This is the format which can be decoded by powerful protocol analyzers such as Wireshark.
Little Snitch 5.2.2 (6209)
This version fixes a crash in Network Monitor when the “Make Connections Private” action was invoked from the context menu.
Little Snitch 5.2.1 (6207)
This is a hotfix release for 5.2. It fixes a crash of the Little Snitch Agent when an iOS app runs in the simulator. The effect of this crash was that no connection alert was shown and Internet connections not covered by existing rules would hang.
Little Snitch 5.2 (6205)
This version focuses on three main areas:
- The list of „Known Networks“ used for Automatic Profile Switching which was previously shown in a separate window is now integrated into the main window of the Little Snitch application.
- The search and sort performance in the rules window has been greatly improved.
- Added support for executables running from randomized file system paths. Rules for executables in
/tmp
or/var/folders
automatically ignore random path components. Rules for executables in other locations can be converted manually into „Identifier Rules“ which refer to the process by its code signature identifier and team identifier or SHA256 (for unsigned scripts) instead of the executable’s path.
Improvements
- Improved detection of Wireguard VPN: Added explicit check for PIA VPN Service.
- It’s now possible to remove other users’ connections shown in Network Monitor after authenticating as an administrator.
- Rule group modifications or resetting to factory rules can now also be authorized via biometric authentication.
- When a selected rule changes its position within the list due to some modification, the scroll position of the list is now adjusted so that the rule remains visible.
- Minor visual improvements in the configuration window.
Bug Fixes
- Fixed a bug where a connection alert for a terminated process did not disappear after creating a rule.
- Fixed an issue where a suspicious process warning with “validation error 255” was shown in a connection alert.
- Fixed identification of iOS processes running in the Xcode debugger. Rules for these processes now match regardless of random path components.
- Connection Alerts for incoming connections now always create IP address based rules because the remote computer name cannot reliably be known.
- Fixed an issue where two domains were not recognized as equal due to a lowercase/uppercase mismatch.
- Fixed a bug where an error message was shown in the inspector of Network Monitor if no Internet Access Policy was available for a process.
- Fixed a possible crash when showing the list of files available for „Restore from Backup“.
- Fixed startup issues after restarting computers with Fusion Drive.
- Fixed a bug where a temporary rule would overwrite a disabled rule and eventually remove it.
- Fixed a rare crash of the Little Snitch app when searching in rules.
Little Snitch 5.1.2 (6194)
New Features
- Capturing traffic of individual processes in PCAP format. This feature is available from the command line via
littlesnitch capture-traffic
. - The rules shown in the configuration application can now be sorted by the remote server’s domain name. Clicking the table header in the rules window brings up a menu with available sort options.
Bug Fixes
- Fixed automatic update of “My Location” in Network Monitor.
- Fixed a bug where a profile selection button appeared in the connection alert even if no profiles were available.
- Fixed a rare crash of Little Snitch Agent during upgrade. This fix affects the next upgrade, the crash can still occur when upgrading to this nightly build.
- Fixed a bug in detecting the path of Java applications.
- Fixed a possible crash of Network Monitor.
Little Snitch 5.1.1 (6185)
View Little Snitch Capture Login
This patch release fixes a possible loss of network connectivity due to a crash of the Little Snitch network extension. This crash could occur when an application used the QUIC protocol. This protocol is a replacement for HTTPS which is used primarily by Google Chrome and its derivatives when connecting to Google servers.
Little Snitch 5.1 (6183)
Improvements
- Improved accessibility via VoiceOver.
- Better detection of VPNs for Automatic Profile Switching.
- Improved indication of Little Snitch installation issues in the status menu icon.
- Performing code signature verification for shell scripts and other scripts, if they are signed.
- Shell scripts and other scripts are no longer considered as the connecting process when they use helper processes like ping or curl. They are now treated as the parent of the helper process.
- Little Snitch no longer warns when shell scripts and other scripts don’t have a code signature.
- Accepting code signatures of iOS applications on Apple Silicon Macs.
- The macOS kernel is now treated as if it were code-signed. This allows the default localnet rules to apply to the kernel.
- Improved detection of remote computer name. Connection alerts with multiple, ambiguous host names are now less likely.
- Numerous user interface improvements.
Bug Fixes
- Fixed various memory leaks in all components of Little Snitch.
- Fixed a bug where the traffic view in Network Monitor did not display any data.
- Fixed identity check for code signatures using non-Apple certificates.
- Fixed an issue where an Identity Mismatch Alert could not be resolved by clicking “Accept Modification”.
- Fixed an issue where clicking on a silent mode activity notification did not select the corresponding process in the configuration app.
- Fixed a bug where loading subscribed rule groups did not load anything. This bug occurred with the abbreviated format.
- Fixed a bug where subscribed rule groups were not updated automatically.
- Fixed a possible crash when importing configurations from (Time Machine) backup.
- Fixed a bug where Little Snitch could crash when exporting a configuration backup.
Little Snitch 5.0.4 (6162)
Improvements
- Improved Automatic Profile Switching. The delay between a network change and the resulting profile change has been significantly reduced.
- A warning sign is now shown in the menu bar status icon if the Little Snitch network content filter got deactivated in System Preferences > Network.
Bug Fixes
- Fixed a bug where the pop-up button for selecting the domain did not appear in connection alerts.
- Fixed a bug where an identity mismatch error was incorrectly shown for the operating system kernel.
- Increased startup timeouts to facilitate booting on slow Macs (with HDDs).
- Fixed a bug where (in some cases) an Internet Access Policy was not shown in the connection alert.
- An incorrect ownership of the Launch Daemon and Launch Agent configuration files is now fixed automatically during the installation and update process.
- Fixed a crash when an invalid protocol number was present in a rule.
- Fixed a bug where servers could have a trailing dot in their name.
Little Snitch 5.0.3 (6160)
Improvements
- New icons in the Suggestions section of the Rules Window.
- Improved selection behavior in the Rules Window after deleting a rule.
- Improved status menu to show the selected profile at the top level of the menu.
- Improved layout of numerical data rate values shown in the status menu icon.
- Improved performance when launching Network Monitor.
- Improved updating the Little Snitch app to a newer version via Drag and Drop. The app will now start automatically to perform the necessary completion of the installation.
Bug Fixes
- Fixed a bug where rules making connections private in Network Monitor would not become effective until a restart.
- Fixed a crash when a connection alert should be shown for
www.domain
wheredomain
is a top level domain. - Fixed incorrect display of port number for incoming connections. Previous versions showed the remote port instead of the local port.
- Fixed a possible random crash of the Network Extension.
- Deny-rules are now always applied, regardless of the trustability of the process.
Little Snitch 5.0.2 (6152)
Improvements
- If the identity of a process is not checked, the identity of helper processes is now also not checked. This is a concession to the fact that apps without code signature usually ship with helpers that have no code signature. In addition, it allows iOS developers to disable identity checks on Xcode, thereby disabling identity checks on simulator apps running in Xcode's debugger.
Bug Fixes
- Fixed a bug where configuration changes such as modified preference settings could get lost after a restart of the computer.
- Fixed a bug where access to URLs like https://1.2.3.4/ would be interpreted as host 1.2 in domain 3.4.
- Improved compression of disk image to reduce the size of the download.
- Added missing localization in Connection Alert.
- Fixed a bug where Network Monitor opened unexpectedly when the demo period ended.
Little Snitch 5.0.1 (6147)
Improvements and new features
- Improved handling of DNS lookups. It’s no longer necessary to allow DNS lookups for each process individually.
- Extended debug capabilities of the command line tool.
Bug fixes
- Addressing an issue that could cause Little Snitch helper processes to prevent from getting started.
- Fixed a crash when loading a corrupted configuration file.
Little Snitch 5.0 (6142)
Upgrade pricing
If you have purchased Little Snitch 4 after November 1, 2019, you can upgrade to Little Snitch 5 for free – just use your existing license key. If you purchased Little Snitch 4 before that period, you can get the upgrade at a reduced price.
What’s new in Little Snitch 5?
There has been quite a bit of public discussion recently about the deprecation of various types of kernel extension on macOS. Among them are Network Kernel Extensions (NKEs). You probably did not care so far, but Little Snitch 4 was based on an NKE to do its job. Since NKEs are now deprecated and no longer officially supported by Apple, we have spent the last year rewriting the core of Little Snitch to the Network Extension (NE) framework. While working on this core, we took the chance to revise some old design decisions and add some long anticipated features.
So what are the benefits of the new version?
- Compatibile with (and requires) macOS Big Sur.
- Future-proof, because it is based on the new Network Extension and Endpoint Security frameworks.
- Drag and Drop installation and upgrade, no reboot required.
- Universal Binary which runs on both Intel and Apple Silicon Macs.
- Little Snitch now comes with a command line interface for preferences editing, configuration import and export, debugging, logging and access to traffic history.
- The time range available in Network Monitor’s traffic diagram has been extended from one hour to up to a year.
- Rules can now specify a list of port numbers, not just one contiguous range as before.
- The export format for backups is human readable normalized JSON.
- Recording of network statistics is done independently of Network Monitor. You can quit Network Monitor and still have statistics recorded.
- Live traffic logs via command line tool.
- Ready for mass deployment installation in corporate environments.
Little Snitch 5 Beta 2 (6140)
Improvements and new features
- Optionally control access to
/dev/bpf
devices (Berkeley Packet Filter). These devices can be used to send and receive data with arbitrary network protocols. Requires installation of an Endpoint Security module in Little Snitch > Preferences > Advanced.
Bug Fixes
- Improved recovery when reading broken configuration files.
- Fixed a memory leak in the Little Snitch Network Extension.
- Numerous other bug fixes.
Little Snitch 5 Beta 1 (6136)
Improvements and new features
- Lots of user interface refinements to match the new look of macOS Big Sur.
- Rules can now be created for a list of port ranges, not just a single range.
- Added command line interface for accessing connection history and traffic log data.
- The traffic diagram in Network monitor can now display traffic data from up to one year (compared to the previous 1 hour).
- The menu for selecting the time period that’s displayed by Network Monitor has been moved from the Filter menu in the search field to View menu in the menu bar.
- Various performance improvements.
Bug Fixes
View Little Snitch Capture Log In Account
- Fixed a bug where a connection alert would not go away after clicking allow or deny.
- Fixed various crashes of Network Monitor.
- Fixed a bug where Little Snitch complained about a code modification although the process was not modified.
- Reduced the number of cases where connection alerts for Internet addresses instead of server names were shown.
- Lots of other minor bug fixes.
Little Snitch Technology Preview (6130)
- Improved notification handling. All notifications are now generated by one single component (the “Little Snitch Agent”), which reduces the number of alerts shown by macOS for allowing the display of these notifications.
- Code identity checks now provide information about a developer’s name, and not just the developer’s team identifier.
- Improved information shown when the code signature of a process became invalid because a library with missing code signature was loaded.
- Improved debug logging. Little Snitch no longer writes log messages to individual log files but uses the logging facilities of macOS.
- Added a command line API for accessing log messages related to Little Snitch.
- Removed menu items responsible for Network Monitor snapshots because snapshots are no longer available.
- Fixed possible crashes when importing backups.
- Various bug fixes and improvements.
Little Snitch Technology Preview (6128)
- This release brings back “Automatic Profile Switching”. Profiles can now be automatically activated when a network is joined.
- Little Snitch is now scriptable. The app package contains a command line utility at
Contents/Components/littlesnitch
which can be used to control Little Snitch from scripts or via Terminal. Scriptability must be enabled in Little Snitch’s Security Preferences. - Improved detection of a remote computer’s domain name for connection alerts and for display in Network Monitor.
- The debug interface for activation and deactivation of components is now password protected.
- Various bug fixes and improvements.
Little Snitch Technology Preview (6121)
This is a hotfix for a bug in macOS Big Sur Beta 5! Please install this version before upgrading to Beta 5! Otherwise you won’t be able to boot your computer!
This version does not install an Endpoint Security System Extension because Big Sur Beta 5 suffers a kernel panic immediately after booting this System Extension is installed. During upgrade, an existing Endpoint Security System Extension is removed. Currently, the only function of the Endpoint Security System Extension is to detect access to Berkeley Packet Filter devices. This version can therefore not warn when a process tries to access the Berkeley Packet Filter.
The good news is that Big Sur Beta 5 fixes an other kernel panic which occurred on some computers when Little Snitch’s Network Extension was installed.
Little Snitch Technology Preview (6118)
- Re-implemented process identity checks.
- Re-implemented creation of Diagnostics Reports.
- Various improvements and bug fixes in the user interface.
Little Snitch Technology Preview (6112)
- This version is now a Universal Binary which runs on both Intel and Apple Silicon Macs.
- Import of rules and settings from previous versions. Choose Little Snitch > File > Restore from Backup… and select a previously created backup file or
/Library/Application Support/Objective Development/Little Snitch/configuration4.xpl
to import rules and settings from Little Snitch 4. This also works with configurations and backups from Little Snitch 3. - Export of rules and settings in JSON format. Choose Little Snitch > File > Create Backup…
- Various improvements and bug fixes in the user interface.
Little Snitch Technology Preview (6109)
- Improved upgrade procedure to work around an issue where macOS sometimes fails to start the newly installed network extension. If this problem occurs, the installer now completely uninstalls the previously installed extension before retrying to install the new one.
- If a previous, incompatible version of Little Snitch is found, this version is now uninstalled automatically in the course of installing the new version. This uninstallation may require a restart of the computer in order to let macOS complete the removal of the kernel extension.
- Several user interface refinements in the rules window.
- Little Snitch now correctly identifies connections that were established by a Java process or a shell script.
Little Snitch Technology Preview (6106)
This version is primarily a test of the automatic software update. Please install this version using the automatic software update mechanism, not manually.
Installation
If you install this Technology Preview for the first time, please read the installation hints in the release notes of build 6104 below.
Changes
- Redesigned Rules window title bar.
- Little Snitch specific log files are now created in a dedicated
Library/Logs/Little Snitch
subdirectory.
Little Snitch Technology Preview (6104)
This Technology Preview of Little Snitch is not yet feature complete. There are several known limitations you should be aware of before you install:
Installation
During the installation you will be asked to enable system extensions in System Preferences > Security & Privacy. After clicking on “Open Security Preferences”, the same dialog will appear once again. This is a bug in macOS Big Sur.
After clicking on “Allow…” in System Preferences > Security & Privacy, you will see a confirmation dialog containing two entries labeled “Placeholder Developer”. These incorrect labels are a bug in macOS Big Sur. The checkboxes for both of these entries must be checked.
Known Limitations
- Rules and settings from previous versions of Little Snitch are not yet imported. Little Snitch will therefore start with the default factory rule set.
- Backup and restore of rules and settings is not yet implemented.
- Code identity checks (usually based on code signature) are not yet implemented.
- Automatic Profile Switching is not yet implemented.
- Some UI components don’t yet have their final appearance and layout.
Tips and Tricks
- All data files are encrypted with a password which is stored in the System Keychain (“Little Snitch Encryption Key”). When you make a backup of the files in
/Library/Application Support/Objective Development/Little Snitch/
, make sure you also backup this password. - Traffic history is now recorded by a background process, even when Network Monitor is not running.
Feedback
If Little Snitch crashes or behaves in an unexpected way, please contact our support using the “Send Feedback” button above.
View Little Snitch Capture Log In Facebook
Make sure to include the following information:
View Little Snitch Capture Log Template
- Version number of your Little Snitch app.
- A textual description of the issue: What did you do, what would you have expected to happen and what did happen.
- Crash logs of Little Snitch components, which can be found in Console.app sidebar under “Crash Reports”.
- Logs from Little Snitch under
/Library/Logs/
and~/Library/Logs/
. - Screen shots which describe the issue (if applicable).