picosnitch
Picosnitch is a Linux network monitoring tool that tracks which programs connect to the network and how much bandwidth they use. It runs as a system daemon and provides web and terminal interfaces to visualize traffic patterns, with optional integration to VirusTotal for security checks.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | elesiuta/picosnitch |
| Owner | elesiuta |
| Primary language | C |
| License | GPL-3.0 — OSI-approved |
| Stars | 961 |
| Forks | 38 |
| Open issues | 0 |
| Latest release | v2.1.2 (2026-07-05) |
| Last updated | 2026-07-08 |
| Source | https://github.com/elesiuta/picosnitch |
What picosnitch is
Built in C with eBPF and fanotify for kernel-level network traffic aggregation and executable monitoring. Logs connections to a local SQLite database (with optional remote SQL backends), supports container detection via hash-based executable tracking, and includes GeoIP annotation. Requires Linux kernel with libbpf CO-RE support and Python ≥3.12 for the userspace components.
Get the picosnitch source
Clone the repository and explore it locally.
git clone https://github.com/elesiuta/picosnitch.gitcd picosnitch# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires root privileges to run the daemon and read fanotify/eBPF event streams; plan for privilege escalation and service hardening (e.g., systemd sandboxing).
- Local SQLite database grows with connection log volume; configure retention_days and write_limit_seconds tuning based on traffic profile to manage storage.
- Optional remote SQL logging (MariaDB, MySQL, PostgreSQL) demands network reliability and schema alignment; test failover and reconnection behavior for off-system audit trails.
- GeoIP lookups require periodic updates to the DB-IP Country Lite CSV; set up automation for cache refresh to maintain data freshness.
- VirusTotal integration is opt-in; API key management and rate limits require planning if used at scale across many executables.
When to avoid it — and what to weigh
- Windows/macOS Required — Linux-only project; no native support for Windows, macOS, or non-Linux kernels.
- Old or Minimal Kernels — Requires modern libbpf CO-RE support; older kernels without eBPF capabilities or insufficient fanotify support will not work.
- Lightweight/Embedded Systems — eBPF and fanotify introduce non-trivial kernel overhead and memory footprint; unsuitable for deeply resource-constrained embedded deployments.
- Real-Time, Sub-Second Latency SLAs — Data aggregation and batching (configurable write_limit_seconds) trades latency for reduced disk I/O; not designed for ultra-low-latency intrusion detection.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). Strong copyleft: any derivative works or bundled distributions must also be GPL-3.0 compatible and include source code.
GPL-3.0 is a strong copyleft license. Commercial use is permitted, but any software that distributes or links Picosnitch must be open-source and GPL-3.0 compatible. If you need proprietary, closed-source modifications or distribution, contact the maintainer or seek alternative licensed tools. Requires legal review before enterprise integration.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Runs as root to access kernel eBPF and fanotify subsystems; implement strict access control and systemd sandboxing to minimize privilege escalation risk. Desktop notifications use notify-send and can leak information to unprivileged sessions; review notification content policies. Remote SQL logging introduces network exposure; use TLS/authentication and network segmentation. GeoIP and VirusTotal integrations involve external API calls; review data retention and privacy policies of those services. Local SQLite databases are readable by root; restrict file permissions. No security audit history is stated in the provided data; conduct threat modeling before deploying to high-security environments.
Alternatives to consider
Zeek (formerly Bro)
Mature, industry-standard network security monitoring with rich protocol analysis; heavier-weight than picosnitch, designed for enterprise SOC integration rather than per-executable local monitoring.
Sysdig
Systems introspection tool using eBPF with container-native monitoring; broader system call and file I/O tracing, but less focused on network traffic aggregation and GeoIP/VirusTotal enrichment.
Netdata
Real-time performance monitoring with per-process network metrics and cloud integrations; emphasizes live dashboards and alerts over forensic logging and off-system audit trails.
Build on picosnitch with DEV.co software developers
Review the GPL-3.0 license terms and kernel compatibility requirements. Pilot on a test Linux system with Python ≥3.12 and modern eBPF support to validate integration with your monitoring infrastructure.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
picosnitch FAQ
Does Picosnitch require containers or Kubernetes?
How much CPU and memory overhead does eBPF monitoring add?
Can I export logs to a SIEM or centralized logging system?
What happens if the daemon crashes or is killed?
Software development & web development with DEV.co
Adopting picosnitch is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.
Evaluate Picosnitch for Your Security Stack
Review the GPL-3.0 license terms and kernel compatibility requirements. Pilot on a test Linux system with Python ≥3.12 and modern eBPF support to validate integration with your monitoring infrastructure.