Setup, installation, and the first 24 hours
Installation is straightforward: download the disk image from obdev.at, drag the app into Applications, grant the system extension permission in System Settings, and reboot. The whole process takes about five minutes. Little Snitch 6 requires macOS Sonoma or later — if you are still on Ventura or earlier, you are stuck on Little Snitch 5.

Once installed, Little Snitch immediately starts intercepting outbound connections. This is where the first surprise hits: the prompt-flood is real. Every app, every background process, every macOS subsystem that wants to talk to a server triggers a dialog asking you to allow or deny. In the first hour I clicked through more than 80 prompts — for things like Spotify, Mail, the Mac App Store, Time Machine cloud verification, CloudKit, Apple Push Notifications, Crashlytics in third-party apps, and dozens of things I had never heard of.

Little Snitch ships in Alert Mode by default, which is the source of the flood. You can switch to Silent Mode (deny by default, log everything) or Allow Mode (allow by default, log everything) — but if you do that on day one, you will not have any rules built up and either every app gets blocked or nothing learns anything. The intended workflow is: stay in Alert Mode for a week, build your ruleset, then switch to Silent Mode once you trust the rules.

After 48 hours the flood subsides noticeably. By day five, prompts dropped to about three a day, mostly from new connections in apps I had not used yet. By day ten, it was effectively quiet. This is the trade-off Little Snitch asks of you: pay an upfront cognitive tax to build rules manually, then enjoy fine-grained control afterwards.
The Network Monitor and Map — what Little Snitch actually shows you
The headline feature in Little Snitch is the Network Monitor, opened from the menu bar icon. It is a separate window that shows your network activity in real time, organised by process. Each app is a row; underneath you see every domain or IP it is currently talking to, with live bandwidth charts. Click a connection and you get the full context: which process, which port, which protocol, how long it has been open, how much data went through.

The Map view plots active connections geographically. This sounds gimmicky and partly is, but it occasionally caught a connection I would not have noticed — a translation widget in a productivity app that was sending data to a server in Singapore, for example. The map is helpful as a sanity check, not as a primary workflow tool.

The Research Assistant provides context for processes. When you get a prompt for a process you don't recognise, click the (i) button and the Research Assistant pulls up context: who develops it, what the binary does, which apps commonly install it.

What the Network Monitor does not do automatically is identify which domains belong to tracker networks. You see the raw domain (e.g. `google-analytics.com`, `app-measurement.com`, `incoming.telemetry.mozilla.org`) and have to decide for yourself which are trackers and which are functional. Little Snitch 6 added integrated blocklists that you can subscribe to — Hagezi, Steven Black, OISD — and those help, but you have to enable them, and they operate as denylists rather than categorised tracker intelligence.
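Added example (not from the original article and not Little Snitch's or any vendor's code): the difference between a binary denylist and a categorised lookup, run over domains named in this review. The list contents, the category names, and the rule that a listed domain also covers its subdomains are assumptions of this sketch.

```python
# Added example. All data below is constructed for illustration.
DENYLIST_TEXT = """\
# constructed sample in hosts-file format
0.0.0.0 google-analytics.com
0.0.0.0 app-measurement.com   # inline comment
127.0.0.1 localhost
"""
# Hypothetical categorised map; the category names are assumptions.
CATEGORIES = {
    "google-analytics.com": "analytics",
    "firebase-analytics.googleapis.com": "analytics",
    "incoming.telemetry.mozilla.org": "telemetry",
}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return the set of blocked domains in hosts-format text."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        for name in fields[1:]:                 # fields[0] is the sink address
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                domains.add(name)
    return domains

def candidates(domain):
    """The domain and each parent, cut on label boundaries (never the bare TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def is_denied(domain, denylist):
    """Binary verdict: listed (directly or via a parent) or not."""
    return any(c in denylist for c in candidates(domain))

def category_of(domain, categories):
    """Most specific category match, or None when the domain is unknown."""
    return next((categories[c] for c in candidates(domain) if c in categories), None)

def review(observed, denylist, categories):
    """One (domain, denied, category) row per observed connection."""
    return [(d, is_denied(d, denylist), category_of(d, categories)) for d in observed]

if __name__ == "__main__":
    observed = ["www.google-analytics.com", "notgoogle-analytics.com",
                "firebase-analytics.googleapis.com", "incoming.telemetry.mozilla.org"]
    for row in review(observed, parse_hosts(DENYLIST_TEXT), CATEGORIES):
        print("%-36s denied=%-5s category=%s" % row)
```

A `denied=False` row only means the domain is absent from the list, which is why an unlisted analytics host still needs a manual decision.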
Little Snitch features — rules, development, and DNS encryption
Some specific features of Little Snitch:

Rule granularity. You can write a rule like "allow Firefox to connect to mozilla.org over HTTPS on port 443, but deny everything else from Firefox on this Wi-Fi network only, except between 9 AM and 5 PM". Rules can be that detailed. The rule editor is dense.

Twenty-plus years of development. Objective Development has been shipping this app since 2003. When macOS releases a new beta and changes the network stack APIs, Little Snitch ships updated builds.

DNS encryption. New in version 6 (released May 2024), Little Snitch can act as a DNS-over-HTTPS or DNS-over-TLS client, encrypting your DNS lookups so your ISP and Wi-Fi network cannot see them.

Demo mode. You can run Little Snitch in demo mode for three hours per session, with no limit on how often you can reactivate it. You can try the full app before deciding to buy.
Little Snitch trade-offs and considerations
The learning curve. The documentation assumes familiarity with TCP/IP, ports, and process trees. The first days involve answering connection prompts and building rules in the rule editor.

No automatic tracker categorisation. Little Snitch shows you that an app contacted `firebase-analytics.googleapis.com`, but it does not categorise this as an analytics SDK. You identify that yourself, or look it up. NetMute ships with categorised tracker databases — advertising, analytics, social, data brokers — so connections that match are categorised. Little Snitch's integrated blocklists operate as binary denylists, not categorised databases.

Pricing and licensing. Little Snitch is sold directly from obdev.at as a paid license, with upgrade and family-license options and a student discount. Radio Silence and NetMute are paid; NetMute is a one-time purchase on the Mac App Store. LuLu is free and open source.

Ongoing prompts. Prompts subside after the first days but continue, because every new app you install or new feature in an existing app triggers fresh connection attempts.
Little Snitch and the alternatives
Little Snitch provides per-connection control with a rule editor and a network monitor, and is maintained by Objective Development. It uses manual rule-building: you answer connection prompts and create rules.

NetMute ships with Tracker Shield (1,100+ known tracker domains, categorised), so the day-one workflow is install, review privacy scores, and block matching connections, rather than building rules for each prompt. NetMute is a one-time purchase on the Mac App Store with no subscription.

LuLu is open source and free, without a network monitor dashboard. Radio Silence blocks apps at the app level with no prompts. The macOS built-in firewall covers inbound connections only.

The summary: Little Snitch 6 uses manual rule-building and a network monitor; tracker-aware firewalls block known trackers automatically. They make different trade-offs depending on what you want from the tool.