Little Snitch uses a network kernel extension to intercept network traffic.
NKEs allow you to create modules that can be loaded and unloaded dynamically at specific positions in the network hierarchy. These modules can monitor and modify network traffic, and can receive notification of asynchronous events from the driver layer, such as interface status changes.
Each of the networking KPI mechanisms performs a specific task. The basic networking KPI mechanisms are:
- Socket filter KPI, which permits a KEXT to filter inbound or outbound traffic on a given socket, depending on how they are attached. Socket filters can also filter out-of-band communication such as calls to setsockopt or bind. The resulting filters lie between the socket layer and the protocol.
- …
- Interface filter KPI, which allows a KEXT to add a filter to a specific network interface. These interface filters (previously known as data link NKEs) can passively observe traffic (regardless of packet type) as it flows into and out of the system. They can also modify the traffic (for example, encrypting or performing address translation). They essentially act as filters between a protocol stack and a device.
- …
Alternatives to network kernel extensions do exist, as you mentioned, but only for specific use cases.
Because even minor bugs in kernel-level code can cause serious consequences, including application instability, data corruption, and even kernel panics, the techniques described in this document should be used only if no other mechanism already exists. For example, where possible, IP filtering should generally be done using ipfw. Similarly, packet logging should generally be done using bpf.
Network kernel extensions are much more powerful and allow much finer-grained control.
Emphasis mine in the quoted content. I'm not familiar with the other software, but I assume it follows the same principle.