picosnitch
Per-executable network bandwidth monitoring for Linux.
Picosnitch is a small userspace daemon built on BPF and fanotify. It notifies you when a new program connects to the network or when one is modified on disk, and keeps a per-executable log of every connection, with sent/received bytes, hashes, parents, domains, ports, and users.
Web UI
Bandwidth and connection counts broken down by executable, parent, domain, port, or user, over a configurable time range. Light and dark themes follow your system preference.
Terminal UI
A curses-based read-only view of the same database, useful over SSH or on headless boxes. Filter by executable, parent, command line, domain, address, or user; GeoIP country codes are shown next to remote addresses.
Live event feed
picosnitch top streams events directly from the running daemon: every new connection as it happens, with cumulative sent/received counters and per-row process detail. Requires root because it reads the daemon's local socket.
Install
The recommended install is system-wide via pipx (requires pipx >= 1.5.0):
sudo pipx install picosnitch --global
sudo picosnitch systemd
sudo systemctl enable --now picosnitch
See "configuration" for the full TOML reference, "how it works" for the architecture overview, "database schema" if you want to query the SQLite log directly, and "more screenshots" for every UI variant. For distribution-packaged builds, see Repology.