The Berkeley Packet Filter
The Berkeley Packet Filter (BPF) is a mechanism which allows privileged programs to capture and inject network traffic on any network interface. It was originally designed to analyze problems in network communication with tools like
tcpdump or Wireshark.
BPF is not used to filter incoming or outgoing network data. This is the domain of firewalls. Since networks transmit large amounts of data and a debug analysis is usually only interested in a particular aspect of that data, BPF allows the debug tool to specify this aspect in the form of a script, the filter program. Access to BPF is controlled via pseudo-devices in the file system:
What relevance does BPF have for Little Snitch?
In addition to traffic capturing, BPF allows injection of data packets at the network interface. This means that a (privileged) app which opens a BPF device can send any data packet to any destination. The packet is injected directly at the network interface layer, circumventing all firewalls. Little Snitch can therefore not detect packets injected in this way.
Since Little Snitch cannot filter network packets injected via BPF, it controls access to the
/dev/bpf devices. When a process opens a
/dev/bpf device, Little Snitch treats this in the same way as network connections and applies BPF-rules. If no rule allows or denies access, it asks with a connection alert.
How is BPF related to Endpoint Security?
In order to control access to file system objects (
/dev/bpf), Little Snitch needs to register an Endpoint Security System Extension. This is an additional install. Choose Little Snitch > Preferences > Advanced > Install Endpoint Security…. While this System Extension is installed, Little Snitch is consulted whenever a file is opened.
Why is Endpoint Security a separate install?
Controlling access to BPF devices has a price. Installing Little Snitch is more complicated because there are two System Extensions which need to be allowed separately and there is a slight performance impact because Little Snitch is involved in each file open operation. On the other hand, there is currently (at the time of Little Snitch 5.0 release) no known malware which exploits BPF to circumvent firewalls. We therefore decided to make this an optional install.
Should I install Endpoint Security?
It depends. If you use Little Snitch primarily to protect your privacy by blocking trackers, you won’t need to care about BPF and probably want to avoid the additional complexity. However, if you use Little Snitch to identify zero day malware, you certainly want to control every possible communication channel.
Was this help page useful? Send feedback.
© 2016-2023 by Objective Development Software GmbH