The Berkeley Packet Filter
The Berkeley Packet Filter (BPF) is a mechanism which allows privileged programs to capture and inject network traffic on any network interface. It was originally designed to analyze problems in network communication with tools like
tcpdump or Wireshark.
BPF is not used to filter incoming or outgoing network data. This is the domain of firewalls. Since networks transmit large amounts of data and a debug analysis is usually only interested in a particular aspect of that data, BPF allows the debug tool to specify this aspect in the form of a script, the filter program. Access to BPF is controlled via pseudo-devices in the file system:
What Relevance does BPF have for Little Snitch?
In addition to traffic capturing, BPF allows injection of data packets at the network interface. This means that a (privileged) app which opens a BPF device can send any data packet to any destination. The packet is injected directly at the network interface layer, circumventing all firewalls. Little Snitch can therefore not detect packets injected in this way.
Since Little Snitch cannot filter network packets injected via BPF, it controls access to the
/dev/bpf devices. When a process opens a
/dev/bpf device, Little Snitch treats this in the same way as network connections and applies BPF-rules. If no rule allows or denies access, it asks with a connection alert.
How is BPF related to Endpoint Security?
In order to control access to file system objects (
/dev/bpf), Little Snitch needs to register an Endpoint Security System Extension. This is an additional install. Choose Little Snitch > Preferences > Advanced > Install Endpoint Security…. While this System Extension is installed, Little Snitch is consulted whenever a file is opened.
Why is Endpoint Security a separate install?
Controlling access to BPF devices has a price. Installing Little Snitch is more complicated because there are two System Extensions which need to be allowed separately and there is a slight performance impact because Little Snitch is involved in each file open operation. On the other hand, there is currently (at the time of Little Snitch 5.0 release) no known malware which exploits BPF to circumvent firewalls. We therefore decided to make this an optional install.
Should I install Endpoint Security?
It depends. If you use Little Snitch primarily to protect your privacy by blocking trackers, you don't care about BPF and probably want to avoid the additional complexity. However, if you use Little Snitch to identify zero day malware, you certainly want to control every possible communication channel.
How is BPF related to filter verification?
Little Snitch's network filter uses Apple's Network Extension programming interface (API). This API intercepts network traffic at a very high level, close to the application where the traffic originates. Little Snitch can therefore intercept traffic from all processes, but not from kernel extensions or programming interfaces which inject traffic after the network filter. This basically means that Little Snitch may not be able to intercept network traffic from hypervisors (VMWare, Parallels, …).
If you want to find out whether there is traffic bypassing the filter, you can turn on filter verification via the
littlesnitch command line tool. Little Snitch's filter verification attaches to all physical network devices via
/dev/bpf (yes, Little Snitch is a user of BPF in this case). It decodes the traffic seen there and checks whether all connections leaving the machine have already been seen at the Network Extension layer. Connections which have not been seen at the Network Extension layer are shown in Network Monitor and tagged as “bypassing the filter”.
Was this help page useful? Send feedback.
© 2016-2021 by Objective Development Software GmbH