DEV.co
Open-Source Observability · elesiuta

picosnitch

Picosnitch is a Linux network monitoring tool that tracks which programs connect to the network and how much bandwidth they use. It runs as a system daemon and provides web and terminal interfaces to visualize traffic patterns, with optional integration to VirusTotal for security checks.

Source: GitHub — github.com/elesiuta/picosnitch
961
GitHub stars
38
Forks
C
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryelesiuta/picosnitch
Ownerelesiuta
Primary languageC
LicenseGPL-3.0 — OSI-approved
Stars961
Forks38
Open issues0
Latest releasev2.1.2 (2026-07-05)
Last updated2026-07-08
Sourcehttps://github.com/elesiuta/picosnitch

What picosnitch is

Built in C with eBPF and fanotify for kernel-level network traffic aggregation and executable monitoring. Logs connections to a local SQLite database (with optional remote SQL backends), supports container detection via hash-based executable tracking, and includes GeoIP annotation. Requires Linux kernel with libbpf CO-RE support and Python ≥3.12 for the userspace components.

Quickstart

Get the picosnitch source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/elesiuta/picosnitch.gitcd picosnitch# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Threat Detection & Incident Response

Identify unauthorized or anomalous network activity by executable, detect parent/child process chains, and correlate with VirusTotal checks. Tamper-evident remote logging enables forensic-grade auditability.

Bandwidth Governance & Capacity Planning

Monitor per-application bandwidth consumption over time with drill-down by domain, port, and user. Export to external SQL databases for trend analysis and SLA enforcement.

Privacy & Supply-Chain Auditing

Catch unwanted background communications from software packages, containers, or third-party dependencies. Hash-based tracking differentiates app versions and detects tampering.

Implementation considerations

  • Requires root privileges to run the daemon and read fanotify/eBPF event streams; plan for privilege escalation and service hardening (e.g., systemd sandboxing).
  • Local SQLite database grows with connection log volume; configure retention_days and write_limit_seconds tuning based on traffic profile to manage storage.
  • Optional remote SQL logging (MariaDB, MySQL, PostgreSQL) demands network reliability and schema alignment; test failover and reconnection behavior for off-system audit trails.
  • GeoIP lookups require periodic updates to the DB-IP Country Lite CSV; set up automation for cache refresh to maintain data freshness.
  • VirusTotal integration is opt-in; API key management and rate limits require planning if used at scale across many executables.

When to avoid it — and what to weigh

  • Windows/macOS Required — Linux-only project; no native support for Windows, macOS, or non-Linux kernels.
  • Old or Minimal Kernels — Requires modern libbpf CO-RE support; older kernels without eBPF capabilities or insufficient fanotify support will not work.
  • Lightweight/Embedded Systems — eBPF and fanotify introduce non-trivial kernel overhead and memory footprint; unsuitable for deeply resource-constrained embedded deployments.
  • Real-Time, Sub-Second Latency SLAs — Data aggregation and batching (configurable write_limit_seconds) trades latency for reduced disk I/O; not designed for ultra-low-latency intrusion detection.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Strong copyleft: any derivative works or bundled distributions must also be GPL-3.0 compatible and include source code.

GPL-3.0 is a strong copyleft license. Commercial use is permitted, but any software that distributes or links Picosnitch must be open-source and GPL-3.0 compatible. If you need proprietary, closed-source modifications or distribution, contact the maintainer or seek alternative licensed tools. Requires legal review before enterprise integration.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Runs as root to access kernel eBPF and fanotify subsystems; implement strict access control and systemd sandboxing to minimize privilege escalation risk. Desktop notifications use notify-send and can leak information to unprivileged sessions; review notification content policies. Remote SQL logging introduces network exposure; use TLS/authentication and network segmentation. GeoIP and VirusTotal integrations involve external API calls; review data retention and privacy policies of those services. Local SQLite databases are readable by root; restrict file permissions. No security audit history is stated in the provided data; conduct threat modeling before deploying to high-security environments.

Alternatives to consider

Zeek (formerly Bro)

Mature, industry-standard network security monitoring with rich protocol analysis; heavier-weight than picosnitch, designed for enterprise SOC integration rather than per-executable local monitoring.

Sysdig

Systems introspection tool using eBPF with container-native monitoring; broader system call and file I/O tracing, but less focused on network traffic aggregation and GeoIP/VirusTotal enrichment.

Netdata

Real-time performance monitoring with per-process network metrics and cloud integrations; emphasizes live dashboards and alerts over forensic logging and off-system audit trails.

Software development agency

Build on picosnitch with DEV.co software developers

Review the GPL-3.0 license terms and kernel compatibility requirements. Pilot on a test Linux system with Python ≥3.12 and modern eBPF support to validate integration with your monitoring infrastructure.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

picosnitch FAQ

Does Picosnitch require containers or Kubernetes?
No; Picosnitch runs on bare-metal Linux and detects containerized applications by watching for hash and inode changes. It does not require or depend on container runtimes, though it can monitor workloads inside them.
How much CPU and memory overhead does eBPF monitoring add?
Overhead is claimed as 'low' in the README, but exact benchmarks are not provided. In-kernel aggregation minimizes context switches. Tuning perf_ring_buffer_pages and conn_map_max_entries helps optimize memory use; test in your environment before production.
Can I export logs to a SIEM or centralized logging system?
Yes, via remote SQL backends (MariaDB, MySQL, PostgreSQL); you can then integrate those databases with any SIEM or log aggregation tool that supports SQL. Alternatively, text_log=true writes a CSV file that can be shipped via rsyslog or other mechanisms.
What happens if the daemon crashes or is killed?
In-flight connections may be lost. Systemd auto-restart (if enabled) will recover. Completed connection logs are persisted to SQLite, so historical data is not lost. For critical deployments, implement monitoring and alerting on daemon health.

Software development & web development with DEV.co

Adopting picosnitch is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.

Evaluate Picosnitch for Your Security Stack

Review the GPL-3.0 license terms and kernel compatibility requirements. Pilot on a test Linux system with Python ≥3.12 and modern eBPF support to validate integration with your monitoring infrastructure.