Noureddine RAMDI / Picosnitch: per-executable network monitoring on Linux with eBPF and fanotify

Created Mon, 04 May 2026 10:23:01 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

elesiuta/picosnitch

Picosnitch tackles a common but tricky problem in network monitoring on Linux: how to attribute bandwidth usage to individual executables running on the system. Unlike traditional tools that track network flows by IP or port, picosnitch links traffic back to the exact binary responsible, even handling containerized environments and file modifications in real time.

how picosnitch tracks bandwidth per executable

At its core, picosnitch is a Linux network monitoring daemon that combines two key kernel features: eBPF for capturing packets and fanotify for detecting file changes. It uses eBPF perf buffers to intercept network packets and associate them with processes. Meanwhile, fanotify watches executables on the filesystem to detect modifications, ensuring the tool tracks the correct file versions. This dual approach allows picosnitch to maintain accurate bandwidth accounting per executable hash.

The daemon maintains a SQLite database storing connection metadata, including source and destination IPs, ports, bytes transferred, and timestamps. It enriches this data with GeoIP lookups for remote IPs and optional VirusTotal hash checks to flag potentially malicious binaries. Parent process tracking is included to provide process context.

The architecture supports filtering connections by executable hash, domain, IP subnet, or port, and handles containerized applications by correctly associating network usage within containers.

For user interaction, picosnitch offers both a terminal-based TUI and a web dashboard built with Dash and Plotly, making it possible to explore historical connection data and bandwidth usage trends.

what makes picosnitch’s approach stand out

The standout technical detail under the hood is how picosnitch differentiates executables using a device+inode caching strategy combined with hash verification. Instead of hashing every executable on every network event, which would be prohibitively expensive, it caches the device and inode numbers of files. When fanotify signals a modification, the cache entry is invalidated and the hash is recomputed. This strikes a balance between accuracy and performance, ensuring the executable identity is up to date without excessive hashing overhead.
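The device+inode cache with event-driven rehashing, as an added example (my own illustration, not code from the picosnitch repository): lookups are keyed on `(st_dev, st_ino)`, a full SHA-256 is computed only on a cache miss, and the `on_modified` method stands in for the fanotify close-for-write event the real daemon receives from the kernel (the hash algorithm and the callback name are assumptions). The demo also shows the failure mode that makes the fanotify half necessary: an in-place rewrite keeps the same inode, so without the event the cache keeps serving the stale hash, whereas a replace-by-rename lands on a new inode and misses the cache on its own.

```python
# Added illustration of the device+inode caching strategy; not picosnitch's code.
# Assumptions: SHA-256 as the executable hash, and a callback `on_modified`
# standing in for the fanotify close-for-write event the daemon receives.
import hashlib
import os
import tempfile
from typing import Dict, Tuple


class ExecutableHashCache:
    """Maps (st_dev, st_ino) of an executable to its content hash."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple[int, int], str] = {}
        self.hash_count = 0  # number of full-file hashes actually computed

    @staticmethod
    def _hash_file(path: str) -> str:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def lookup(self, exe_path: str) -> str:
        """Return the hash for exe_path, hashing only on a (dev, ino) cache miss."""
        st = os.stat(exe_path)
        key = (st.st_dev, st.st_ino)
        cached = self._by_key.get(key)
        if cached is None:
            cached = self._hash_file(exe_path)
            self.hash_count += 1
            self._by_key[key] = cached
        return cached

    def on_modified(self, exe_path: str) -> None:
        """Invalidate the entry for exe_path (what a fanotify modify event triggers)."""
        st = os.stat(exe_path)
        self._by_key.pop((st.st_dev, st.st_ino), None)


def demo() -> dict:
    """Exercise the cache on a constructed executable in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho v1\n")
        cache = ExecutableHashCache()
        h1 = cache.lookup(exe)        # miss: hashed
        h1_again = cache.lookup(exe)  # hit: served from cache

        # In-place rewrite: same inode, new content. Until the fanotify event
        # arrives the cache keeps returning the old hash (stale identity).
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho v2\n")
        stale = cache.lookup(exe)
        cache.on_modified(exe)        # the event invalidates the entry
        h2 = cache.lookup(exe)        # miss: rehashed

        # Replace-by-rename (the usual package-upgrade pattern): the path now
        # points at a different inode, so the cache misses even without an event.
        tmp = exe + ".new"
        with open(tmp, "wb") as f:
            f.write(b"#!/bin/sh\necho v3\n")
        os.replace(tmp, exe)
        h3 = cache.lookup(exe)        # miss: rehashed

        return {"h1": h1, "h1_again": h1_again, "stale": stale,
                "h2": h2, "h3": h3, "hashes": cache.hash_count}


if __name__ == "__main__":
    print(demo())
```

Three full hashes are computed for five lookups, and the `stale` value is the one a defender should care about: it is exactly the window between a binary being overwritten and the modification event being processed, which is why the daemon watches the file rather than trusting its inode key alone.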

Using eBPF perf buffers for packet capture allows picosnitch to operate with minimal overhead, tapping into the kernel’s networking stack efficiently. The choice of SQLite as a local database strikes a good balance for embedded usage, with write batching to reduce disk I/O further.
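The SQLite connection log with batched writes and per-hash, subnet and port filtering described in the paragraphs above, as an added example rather than picosnitch's own schema (the table and column names, the placeholder 64-character hash strings and the sample events are all my constructions):

```python
# Added illustration of the storage model described above; not picosnitch's
# own schema. Table/column names and the placeholder hash strings are assumptions.
import ipaddress
import sqlite3
from typing import Dict, List, Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (
    ts       REAL    NOT NULL,   -- event timestamp (epoch seconds)
    exe      TEXT    NOT NULL,   -- path of the executable
    sha256   TEXT    NOT NULL,   -- hash that identifies the executable
    pid      INTEGER NOT NULL,
    ppid     INTEGER NOT NULL,   -- parent pid for process context
    laddr    TEXT    NOT NULL,
    lport    INTEGER NOT NULL,
    raddr    TEXT    NOT NULL,
    rport    INTEGER NOT NULL,
    sent     INTEGER NOT NULL DEFAULT 0,
    received INTEGER NOT NULL DEFAULT 0
);
CREATE INDEX IF NOT EXISTS idx_connections_sha256 ON connections(sha256);
"""

Row = Tuple[float, str, str, int, int, str, int, str, int, int, int]


class ConnectionStore:
    def __init__(self, path: str = ":memory:", batch_size: int = 100) -> None:
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)
        self.batch_size = batch_size
        self._pending: List[Row] = []

    def record(self, row: Row) -> None:
        """Queue an event; commit only when the batch fills, so a burst of
        packets costs one transaction instead of one fsync per event."""
        self._pending.append(row)
        if len(self._pending) >= self.batch_size:
            self.flush()

    def flush(self) -> int:
        """Write any queued rows in one transaction; returns how many were written."""
        n = len(self._pending)
        if n:
            self.db.executemany(
                "INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?)", self._pending)
            self.db.commit()
            self._pending.clear()
        return n

    def pending(self) -> int:
        return len(self._pending)

    def bytes_by_executable(self) -> Dict[str, int]:
        """Total bytes (both directions) per executable hash."""
        cur = self.db.execute(
            "SELECT sha256, SUM(sent + received) FROM connections GROUP BY sha256")
        return {sha: total for sha, total in cur}

    def query(self, sha256: Optional[str] = None, subnet: Optional[str] = None,
              rport: Optional[int] = None) -> List[Tuple]:
        """Filter connections by executable hash, remote subnet and/or remote port."""
        sql = "SELECT exe, sha256, raddr, rport, sent, received FROM connections WHERE 1=1"
        params: list = []
        if sha256 is not None:
            sql += " AND sha256 = ?"
            params.append(sha256)
        if rport is not None:
            sql += " AND rport = ?"
            params.append(rport)
        rows = self.db.execute(sql, params).fetchall()
        if subnet is not None:
            # SQLite has no CIDR operator, so the subnet test is done in Python.
            net = ipaddress.ip_network(subnet, strict=False)
            rows = [r for r in rows if ipaddress.ip_address(r[2]) in net]
        return rows


# Constructed sample events (not captured data); 64-char strings stand in for hashes.
SAMPLE_EVENTS: List[Row] = [
    (1.0, "/usr/bin/curl", "a" * 64, 4242, 1, "10.0.0.5", 51000, "203.0.113.10", 443, 1200, 45000),
    (2.0, "/usr/bin/curl", "a" * 64, 4242, 1, "10.0.0.5", 51001, "203.0.113.10", 443, 800, 30000),
    (3.0, "/usr/bin/ssh", "b" * 64, 5151, 1, "10.0.0.5", 52000, "192.168.1.10", 22, 5000, 7000),
    (4.0, "/opt/agent/bin/agent", "c" * 64, 6060, 1, "10.0.0.5", 53000, "192.168.1.250", 8443, 100, 100),
]


def demo() -> dict:
    store = ConnectionStore(batch_size=3)
    for ev in SAMPLE_EVENTS:
        store.record(ev)
    pending_before = store.pending()   # 3 rows auto-flushed, 1 still queued
    store.flush()                      # what a periodic or shutdown flush does
    return {
        "pending_before": pending_before,
        "totals": store.bytes_by_executable(),
        "lan_rows": len(store.query(subnet="192.168.1.0/24")),
        "https_rows": len(store.query(rport=443)),
        "curl_rows": len(store.query(sha256="a" * 64, rport=443)),
    }


if __name__ == "__main__":
    print(demo())
```

Keying the table on the hash rather than the path is what makes the aggregation meaningful for forensics: two copies of the same binary at different paths roll up together, and a replaced binary at the same path shows up as a new identity. The batch size is the knob that trades write amplification against how many events are lost if the daemon dies before a flush.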

The repo’s code shows careful attention to edge cases like containerized apps, where process namespaces and filesystem mounts can complicate tracking. This makes picosnitch more robust in modern Linux environments.

A tradeoff to note is the reliance on relatively recent Linux kernel features like eBPF and fanotify, which may limit compatibility with older distributions or require kernel upgrades. Also, while the JSON configuration is flexible, it demands familiarity from users to tune retention policies and filters effectively.

installation and quick start

AUR for Arch and derivatives

  • install picosnitch manually or using your preferred AUR helper

PPA for Ubuntu and derivatives

  • sudo add-apt-repository ppa:elesiuta/picosnitch
  • sudo apt update
  • sudo apt install picosnitch
  • optionally install dash with pip or pipx
    • sudo apt install pipx
    • pipx install dash
  • you may require a newer version of BCC (unofficial PPA) since the version in the Ubuntu repos sometimes lags behind its supported kernel

OBS for Debian and derivatives

  • visit the OBS picosnitch page and follow the instructions for your distribution
  • optionally install dash with pip or pipx
    • sudo apt install pipx
    • pipx install dash
  • if you’re having issues on bullseye, you may need a newer version of BCC

OBS for openSUSE Tumbleweed and derivatives

  • sudo zypper addrepo https://download.opensuse.org/repositories/home:elesiuta/openSUSE_Tumbleweed/home:elesiuta.repo
  • sudo zypper refresh
  • sudo zypper install picosnitch

Copr for Fedora, Mageia, Mandriva, and derivatives

  • sudo dnf copr enable elesiuta/picosnitch
  • sudo dnf install picosnitch
  • optionally install dash with pip or pipx
    • sudo dnf install pipx
    • pipx install dash

Nixpkgs for Nix

  • install and enable using the picosnitch service option
    • add services.picosnitch.enable = true; to your Nix configuration file (typically /etc/nixos/configuration.nix)
    • run sudo nixos-rebuild switch
  • workaround for “Failed to compile BPF module”
    • systemctl stop picosnitch
    • sudo picosnitch start-no-daemon then send SIGINT (ctrl + c)
    • systemctl start picosnitch

PyPI for any Linux distribution with Python >= 3.8

  • install the BPF Compiler Collection python package for your distribution
    • it should be called python-bcc or python-bpfcc
  • install picosnitch using pip or pipx
    • pipx install "picosnitch[full]"
  • create a service file as appropriate

who should consider picosnitch

Picosnitch is a solid fit if you need detailed network monitoring per executable on Linux and are comfortable working with kernel features like eBPF and fanotify. Its approach is especially useful for security-conscious environments where identifying bandwidth usage by binary hash helps detect anomalies or suspicious activity.

The tool requires a modern Linux kernel and some setup overhead, so it’s less suited for quick, casual monitoring or older systems. Its database-driven storage and UI options make it practical for long-term network forensics and auditing.

The caching strategy and hash verification show thoughtful engineering to keep performance acceptable while maintaining accuracy. If you’re dealing with containerized workloads, picosnitch’s handling of namespaces and mounts is a significant plus.

Overall, it’s a niche but well-executed tool for network monitoring with an emphasis on executable-level visibility.


→ GitHub Repo: elesiuta/picosnitch ⭐ 939 · Python