In order to control access to file system objects ( /dev/bpf), Little Snitch needs to register an Endpoint Security System Extension. If no rule allows or denies access, it asks with a connection alert. When a process opens a /dev/bpf device, Little Snitch treats this in the same way as network connections and applies BPF-rules. Since Little Snitch cannot filter network packets injected via BPF, it controls access to the /dev/bpf devices. Little Snitch can therefore not detect packets injected in this way. The packet is injected directly at the network interface layer, circumventing all firewalls. This means that a (privileged) app which opens a BPF device can send any data packet to any destination. In addition to traffic capturing, BPF allows injection of data packets at the network interface. What relevance does BPF have for Little Snitch? Access to BPF is controlled via pseudo-devices in the file system: /dev/bpf0, /dev/bpf1, …, /dev/bpf255. Since networks transmit large amounts of data and a debug analysis is usually only interested in a particular aspect of that data, BPF allows the debug tool to specify this aspect in the form of a script, the filter program. It was originally designed to analyze problems in network communication with tools like tcpdump or Wireshark.īPF is not used to filter incoming or outgoing network data. The Berkeley Packet Filter (BPF) is a mechanism which allows privileged programs to capture and inject network traffic on any network interface.