GeorgeSupport6411 wrote:
The Little Snitch developers market it primarily as a firewall. But did you know Little Snitch also examines packet traffic, and captures it?
No. I didn't know that. But apparently, it is not the standard behavior. You have to manually trigger it (as described here: http://www.chrisle.me/2012/11/little-snitchs-hidden-pcap-network-sniffer/ - the link is a few years old).
Indeed it is my primary capture tool these days to grab the traffic from an individual process, particularly terminal processes.
That said, to analyze the packets you need an analyzer, like tcpdump, Wireshark, or CPA. But we all have one of those free tools.
More importantly, you have to know about this feature, plan to capture those packets before you start, and then you have to be able to understand them. I have had people use Little Snitch to detect and complain about my app EtreCheck phoning home. But in its standard firewall mode, it doesn't provide any information beyond the web site, not even the full URL. Most network communication these days is encrypted. That level of network analysis is far beyond what anyone on Apple Support Communities is doing.
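The post above makes the point that most traffic is encrypted, so even a packet capture tells you little beyond which host a process talked to. The following is an added example, not code from this thread, from Little Snitch, or from EtreCheck: it parses a classic libpcap file of the kind a per-process capture produces and pulls out the TLS Server Name Indication (the hostname in the ClientHello, sent in the clear before encryption starts), which is the one piece of application-level information an encrypted session still leaks. It assumes the capture is a classic pcap (not pcapng) with an Ethernet or raw-IPv4 link type, and the sample frames at the bottom are constructed test data, not a real capture.

```python
import struct
from typing import Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # raw IPv4 with no link-layer header (assumed alternative layout)


def iter_pcap_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (link_type, frame_bytes) for each record of a classic libpcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _vmaj, _vmin, _tz, _sig, _snap, link_type = struct.unpack(end + "HHiIII", data[4:24])
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def tcp_payload(link_type: int, frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, dst_port, tcp_payload) for an IPv4/TCP frame, else None."""
    if link_type == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
            return None
        ip = frame[14:]
    elif link_type == LINKTYPE_RAW:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:         # IPv4 header, protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    doff = (tcp[12] >> 4) * 4                                 # TCP data offset in bytes
    return src, dst, dport, tcp[doff:]


def extract_sni(payload: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the server_name extension's host, or None."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
        return None
    p = 9 + 2 + 32                                            # record hdr, hs hdr, version, random
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                       # session_id
    if p + 2 > len(payload):
        return None
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]         # cipher_suites
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                       # compression_methods
    if p + 2 > len(payload):
        return None
    ext_len = struct.unpack("!H", payload[p:p + 2])[0]
    p += 2
    end = min(p + ext_len, len(payload))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5:                          # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def hosts_in_capture(pcap: bytes) -> List[Tuple[str, int, str]]:
    """(dst_ip, dst_port, server_name) for every TLS ClientHello found in the capture."""
    out = []
    for link_type, frame in iter_pcap_packets(pcap):
        parsed = tcp_payload(link_type, frame)
        if parsed is None:
            continue
        _src, dst, dport, payload = parsed
        host = extract_sni(payload)
        if host:
            out.append((dst, dport, host))
    return out


# --- constructed test data below; none of this comes from a real capture ---
def build_client_hello(host: str) -> bytes:
    """Minimal TLS ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_frame(src: str, dst: str, dport: int, payload: bytes, proto: int = 6) -> bytes:
    """Ethernet/IPv4/TCP-shaped frame; checksums are zero because the parser never validates them."""
    l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames: List[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.7", "203.0.113.10", 443, build_client_hello("updates.example.com")),
    build_frame("192.0.2.7", "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    build_frame("192.0.2.7", "203.0.113.30", 53, b"\x00" * 12, proto=17),   # UDP-marked, skipped
])

if __name__ == "__main__":
    for dst, port, host in hosts_in_capture(SAMPLE_PCAP):
        print(f"{dst}:{port}  SNI={host}")
```

On the constructed capture only the port-443 frame yields a hostname; the cleartext HTTP request is ignored because it is not a TLS record, and the UDP-marked frame never reaches the TLS parser. For a real capture, replace SAMPLE_PCAP with the file's bytes; everything after the ClientHello is ciphertext, so a hostname (and the IP and port) is the ceiling of what this kind of analysis can tell you about an encrypted connection.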
LS is a better tool than you think, and if you are going to support users, you might want to get another copy and experiment with it.
It is not my job to support Little Snitch. While I have made improvements to my software to be more compatible with Little Snitch, ultimately it is something that makes life more difficult for everyone involved.
"I have seen a number of cases where people get curious and start digging around into internals that they don't understand..."
This is the point. It's what we should all be doing, hopefully with some guidance! Breaking things is unfortunately sometimes part of the process. Luckily it isn't too difficult to reinstall the OS. And these days, with Time Machine and other technologies, breaking something isn't the big fear it used to be.
Sorry, but you are totally on the wrong platform. There are a handful of people using packet sniffers on a Mac and doing other kinds of security forensics. But you could put all of those people into a single room and have space left over. The many millions of other Mac users only wind up scared, confused, and much less secure than when they started. Apple does a pretty good job of supporting the needs of such people. In the vast majority of cases, the best thing to do is keep 3rd party system modifications off the machine, use default settings, and let Apple do its job.