Little Snitch’s hidden PCAP Network Sniffer

Did you know Little Snitch can also be a network sniffer and save to PCAP files? I didn’t!

I’ve been a Little Snitch user for years. Their latest version had a little hidden gem I stumbled across a few days ago: a network sniffer that saves to PCAP files. I guess it wasn’t really “hidden”, but I saw nothing highlighting this feature under the new network monitor. Best of all, it will continue to capture the next time the process starts up.

Check it out:

1. Open your network monitor in your menu bar.

2. Right-click on any process, and click “Capture Traffic”.

3. Choose where you want to save your PCAP file.

4. Capture traffic.

You’ll see a recording icon next to your process. Go ahead and do what you need to do. Then, when you’re done capturing, click “Stop Capture”.

5. Open up your PCAP file in Wireshark.

Boom! Captured packets!


2 thoughts on “Little Snitch’s hidden PCAP Network Sniffer”

  1. Nice, and I just ran across this feature, too. However, the traffic capture is from inside Little Snitch’s “view” of the network path, which includes a 0.x.y.z IP address it uses internally to perform its firewall functions. That’s fine, but in this case, the capture result is misleading.

    E.g. one of the first things I look at in a .pcap file (with Wireshark) is how often a TCP “ACK” is being sent by my machine for however many packets of data received, in some download. With this 0.0.1.97-style “fake” IP addressing from these captures, it shows an ACK for EVERY packet sent. That’s incredibly inefficient, and could indicate a major problem.

    But in this case, there is no real problem. It’s just a side effect of the way Little Snitch does the packet capture.

    Plus it just gets confusing explaining this to anyone else to whom I might send a .pcap file for analysis. E.g. no Internet provider is going to listen to me about complaints, if they see “0.0.1.97” as my source IP. They will tell me that’s invalid and hang up on me.

    So this feature is of limited practical use, to me.
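The two things the comment above looks for in a capture, the ACK-per-data-segment ratio and the 0.x.y.z addresses that come from Little Snitch’s internal view of the connection, are easy to check programmatically before sending a .pcap to anyone else. The script below is an added example, not code from the post or from Little Snitch. It builds a small constructed classic-pcap file in memory (little-endian, Ethernet link type; the remote addresses 203.0.113.10 and 198.51.100.5 are documentation ranges, and 10.0.0.2 is an invented local host), then parses it with a minimal Ethernet/IPv4/TCP decoder. Flow A is addressed as 0.0.1.97, as in the comment, and ACKs every segment; flow B shows the normal delayed-ACK pattern of one ACK per two segments. The parser only handles the little-endian classic pcap format with Ethernet frames; whether a given Little Snitch capture is written in that format is an assumption to verify against your own files.

```python
"""Check a PCAP for a per-segment ACK pattern and for 0.0.0.0/8 addresses.
Added example for the post's comment thread; the sample capture is constructed."""
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_ACK = 0x10
TCP_PSH = 0x08


def _ipv4_header(src, dst, l4_len):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 1, 0, 64, IPPROTO_TCP, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _tcp_header(sport, dport, seq, ack, flags):
    # data offset 5 words (20 bytes), window 65535, checksum 0, urgent pointer 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def _frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + _ipv4_header(src, dst, 20 + len(payload)) + _tcp_header(sport, dport, seq, ack, flags) + payload


def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out


def build_sample_pcap():
    """Constructed capture with two downloads. Flow A is seen via the 0.0.1.97
    address the comment describes and ACKs every segment; flow B uses delayed ACKs."""
    frames, seq = [], 1000
    for _ in range(4):
        frames.append(_frame("203.0.113.10", "0.0.1.97", 443, 50000, seq, 1, TCP_ACK | TCP_PSH, b"A" * 1000))
        seq += 1000
        frames.append(_frame("0.0.1.97", "203.0.113.10", 50000, 443, 1, seq, TCP_ACK))
    seq = 5000
    for i in range(4):
        frames.append(_frame("198.51.100.5", "10.0.0.2", 80, 50001, seq, 1, TCP_ACK | TCP_PSH, b"B" * 1000))
        seq += 1000
        if i % 2 == 1:  # one pure ACK for every two data segments
            frames.append(_frame("10.0.0.2", "198.51.100.5", 50001, 80, 1, seq, TCP_ACK))
    return _pcap(frames)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, tcp_flags, payload_len) for each IPv4/TCP frame."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian classic pcap with Ethernet frames is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp + 13], total_len - ihl - doff


def ack_ratios(data, local_hosts):
    """Pure ACKs a local host sent, divided by data segments it received, per remote endpoint.
    A ratio of 1.0 means an ACK for every single segment, the pattern the comment noticed."""
    recv, acks = defaultdict(int), defaultdict(int)
    for src, dst, sport, dport, flags, plen in parse_pcap(data):
        if dst in local_hosts and plen > 0:
            recv[(src, sport)] += 1
        elif src in local_hosts and plen == 0 and flags & TCP_ACK:
            acks[(dst, dport)] += 1
    return {f"{h}:{p}": acks[(h, p)] / recv[(h, p)] for (h, p) in recv}


def internal_view_addresses(data):
    """Addresses in 0.0.0.0/8: never valid on the wire, so they mark a firewall-internal view."""
    net = ipaddress.ip_network("0.0.0.0/8")
    return sorted({a for s, d, *_ in parse_pcap(data) for a in (s, d) if ipaddress.ip_address(a) in net})


if __name__ == "__main__":
    cap = build_sample_pcap()
    print(ack_ratios(cap, {"0.0.1.97", "10.0.0.2"}))   # flow A 1.0, flow B 0.5
    print(internal_view_addresses(cap))               # ['0.0.1.97']
```

Run against a real Little Snitch capture by replacing `build_sample_pcap()` with the file’s bytes and `local_hosts` with the address the capture shows for your machine. If `internal_view_addresses` returns anything, the 1.0 ratio is most likely the capture-point artifact the commenter describes rather than a real stack problem, and the file should not be used as evidence of on-the-wire behaviour.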
