Little Snitch Help


Internet address (IP address)

In the metaphor of a phone call, an Internet address is the phone number of a computer. You must know the computer’s Internet address in order to send any information to it.

In version 4 of the Internet Protocol (IPv4), each computer connected to the Internet is identified by a worldwide unique 32 bit number between 0 and ca. 4 billion, its Internet address. Version 6 of this protocol (IPv6) allows an even much, much higher number of computers.

For readability, Internet addresses are written in groups of digits. IPv4 addresses are written as 4 groups of up to 3 digits each, separated by a dot (e.g. Each group has a valid numeric range of 0-255. IPv6 uses 8 groups of up to 4 hexadecimal digits each, separated by a colon (e.g. 2a00:1450:4016:801:0000:0000:0000:1013).

Since these addresses are long, there are ways to abbreviate. A range consisting of zeros only can be written as double-colon. The address in the previous example would then be 2a00:1450:4016:801::1013. The address 0000:0000:0000:0000:0000:0000:0000:0001 can simply be written as ::1 or an address consisting of zeros only can be written as ::.

Port number

Since a computer can be responsible for more than one task, its Internet address is not sufficient to address all services it provides. Processes on the server can acquire a port (identified by a 16 bit number in the range 0-65535) and provide a service on that port. In the metaphor of a phone call, the Internet address is the phone number of a big company and the port number is the extension to dial directly to a particular person.

Well known services, such as HTTP (web sites), HTTPS (secure web sites), SMTP (sending email), SSH (secure shell), etc. use well known port numbers. The Internet Assigned Numbers Authority (IANA) maintains a long list of well known services and their assigned port numbers.


A protocol is a convention how data is transferred from one computer to an other. The protocol specification says what an address looks like (e.g. 32 bit Internet address plus 16 bit port number), what other information is added, in which order the components are sent over the wire and so on. We distinguish connection-oriented protocols (such as TCP) from connectionless protocols (such as UDP).

A connection-oriented protocol is analogous to a phone call. There’s one computer which initiates the connection (= starts the phone call by dialing a number) and another one which accepts it (= picks up the phone). The connection lasts until one of the participants closes it (= hangs up the phone). While the connection is up, each computer can send data to the other (= speak) at any time. The computers may use any format or sub-protocol (= language) they like, as long as they agree on something.

A connectionless protocol is similar to postal mail or SMS. Data is sent in packets to the remote address. The protocol may provide some feedback whether the data has been delivered or not. A data packet (= letter, message) is always unidirectional. The remote computer may respond with another packet directed to the sender or it may not.

Little Snitch cannot delay incoming connectionless data. See incoming connections for more details.

Internet Protocol (IP)

Protocols are layered (OSI model). Each layer builds on the services provided by the layers below it. The lowest layer we deal with is the Internet Protocol (IP) layer. The Internet is IP only. The Internet Protocol defines what Internet addresses look like (see above) and how data packets are sent from one computer to another. IP requires another protocol layer on top of it, it cannot be used by itself.

Transmission Control Protocol (TCP)

TCP is a protocol layered on top of IP and offers ports and connection oriented bidirectional transfer of data streams. It ensures delivery even if IP data packets are lost between sender and recipient (by doing retries) and it ensures that all data is delivered in order (no part of the data can overtake other parts). These features make it the favorite for almost all services on the Internet. It is used for serving web pages, delivering email, file sharing, etc.

User Datagram Protocol (UDP)

UDP is the minimum addition to IP to make it useful for applications. It adds ports to IP, but neither guarantees delivery of packets nor delivery in order. UDP is used for real-time multimedia content such as Voice-Over-IP or other applications where it’s better to lose a packet than wait for a retry.

Internet Control Message Protocol (ICMP)

This protocol is also a minimum addition to IP. Contrary to UDP it does not add a port number to the address and is rarely used by applications. Most of ICMP is used by the operating system kernel itself (the IP stack) to administer data transmission in other protocols (e.g. destination port unreachable messages etc.). However, there’s one exception to this rule: The ping Unix command, which sends an ICMP request to the remote computer and listens for a response. It then dumps the requests sent and responses received. This information is useful for network debugging.

Code signature

A Code signature is a cryptographic signature over an executable (e.g. an application) and all its resources.

Code signatures on macOS contain the following information:

The purpose of a code signature is twofold:

  1. Any (possibly malicious) modification of the code or resources included in the signature can be detected. Modifications can occur before download (when downloading from a malicious site), by malware on your computer (e.g. a virus) or by you, the user, with the intent to improve the program's behavior.
  2. The real identity of the signer (usually the developer) can be found, if the certificate issuer “guarantees” to issue certificates only after checking the identity. This means that, in the worst case, a real person or company can be held responsible for the behavior of the program.

Learn more about how Little Snitch handles code signatures…

Certificate (in cryptography)

A certificate connects a public key of a cryptosystem with a set of properties (a small text file). The issuer (in our case Apple) confirms that the person or organization knowing the associated private key fulfills the properties given in the certificate. The issuer does this by signing the public key and the set of properties with a digital signature.

Well, wait. That’s recursive, isn’t it? Who issues the certificate in this signature? There are two possible answers. It can be another authority (we talk about a certificate chain) or the the certificate is signed using its own private key (root certificate). Your computer comes with a pre-installed list of trusted root certificates. If a root certificate is not in the list, it’s not trusted.

Apple Location Services

Mobile computers don’t have GPS, so they don’t know your geographic location from direct sources. If you are in an environment with Wi-Fi networks available (even if you don’t have the passwords to join them), the received signal levels of each network are enough information to determine your location with surprising precision.

All you need is a database with all Wi-Fi hotspots on earth and their respective geographic location. This database is not installed on your Mac and it would be outdated quickly as Wi-Fi hotspots are frequently installed, removed or moved. But Apple maintains such a database and makes it available online to determine your current location. That’s Apple Location Services.

When you use this service, your computer sends technical properties and signal levels of all Wi-Fi stations in your vicinity to Apple and Apple returns an estimate for your location.

Remember that using this service means that Apple can keep statistics of your geographic location and the Wi-Fi hotspots in your vicinity.

Was this help page useful? Send feedback.
© 2016-2019 by Objective Development Software GmbH