WireGuppy
A Wireshark-style packet sniffer in C that reads raw traffic from /dev/bpf0 on macOS and walks the Ethernet, IP, and transport layers by hand.
2025 · Networking · archived
WireGuppy started as an attempt to write a firewall on macOS. It became a packet sniffer instead — and the lesson it taught me became the design brief for the next project.
What it does
WireGuppy reads raw frames straight off the network interface via
/dev/bpf0, then parses each frame layer-by-layer in C:
Ethernet → IP → Transport → Payload
For the payload it includes a small strings-style extractor that surfaces
anything human-readable in the bytes.
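The layer walk described above, written out as an added example for this page (this is illustrative code, not WireGuppy's source; the names `frame_info`, `parse_frame`, `extract_strings` and `build_sample_frame`, and the sample HTTP frame, are this example's own). It parses one raw Ethernet frame down to the transport payload, with every header length checked before it is used, then runs a `strings`-style extractor over the payload:

```c
/* Added example for this page, not WireGuppy's own source: walk one raw
 * Ethernet frame down to its payload and pull out printable strings. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_STRING 4                    /* strings(1)'s default run length */
struct frame_info {
    uint8_t proto;                      /* 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;            /* host byte order */
    uint16_t src_port, dst_port;
    const uint8_t *payload; size_t payload_len;
};

/* Ethernet -> IPv4 -> TCP/UDP -> payload. Returns 0 on success, -1 if the
 * frame is truncated or not IPv4 over TCP/UDP. Every length is validated
 * before use, so a malformed frame cannot drive a read past buf + len. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *fi)
{
    memset(fi, 0, sizeof *fi);
    if (len < 14 || buf[12] != 0x08 || buf[13] != 0x00) return -1; /* not IPv4 */
    const uint8_t *ip = buf + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl   = (size_t)(ip[0] & 0x0f) * 4;     /* header may carry options */
    size_t total = (size_t)((ip[2] << 8) | ip[3]); /* IP total length */
    if (ihl < 20 || total < ihl || total > iplen) return -1;
    fi->proto  = ip[9];
    fi->src_ip = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 | ip[14] << 8 | ip[15];
    fi->dst_ip = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | ip[18] << 8 | ip[19];
    /* Bound L4 by the IP total length, not the wire length: short frames
     * carry Ethernet padding after the datagram that is not payload. */
    const uint8_t *l4 = ip + ihl;
    size_t l4len = total - ihl, hdr;
    if (fi->proto == 6) {                          /* TCP: data offset in words */
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;
        if (hdr < 20 || hdr > l4len) return -1;
    } else if (fi->proto == 17) {                  /* UDP: fixed 8-byte header */
        if (l4len < 8) return -1;
        hdr = 8;
    } else return -1;
    fi->src_port = (uint16_t)((l4[0] << 8) | l4[1]);
    fi->dst_port = (uint16_t)((l4[2] << 8) | l4[3]);
    fi->payload = l4 + hdr;
    fi->payload_len = l4len - hdr;
    return 0;
}

/* strings(1)-style extractor: copies each run of at least MIN_STRING
 * printable ASCII bytes into out, one per line. Returns the run count. */
size_t extract_strings(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t count = 0, run = 0, used = 0;
    for (size_t i = 0; i <= n; i++) {              /* i == n flushes the last run */
        if (i < n && p[i] >= 0x20 && p[i] < 0x7f) { run++; continue; }
        if (run >= MIN_STRING && used + run + 2 <= outsz) {
            memcpy(out + used, p + i - run, run);
            used += run;
            out[used++] = '\n';
            count++;
        }
        run = 0;
    }
    if (outsz) out[used < outsz ? used : outsz - 1] = '\0';
    return count;
}

/* Constructed sample, not captured traffic: an HTTP request in a
 * TCP/IPv4/Ethernet frame. Checksums stay zero; the parser ignores them. */
size_t build_sample_frame(uint8_t *f, size_t cap)
{
    static const char http[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
    size_t plen = sizeof http - 1, total = 20 + 20 + plen;
    if (cap < 14 + total) return 0;
    memset(f, 0, 14 + total);
    memset(f, 0xff, 6);                                     /* broadcast dst MAC */
    f[11] = 0x01; f[12] = 0x08;                             /* src MAC ..:01, EtherType 0x0800 */
    uint8_t *ip = f + 14, *tcp = ip + 20;
    ip[0] = 0x45;                                           /* v4, IHL 5 */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = 6;                                  /* TTL, protocol TCP */
    memcpy(ip + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8); /* 10.0.0.1 -> 10.0.0.2 */
    tcp[0] = 0x9c; tcp[1] = 0x40; tcp[3] = 80;              /* 40000 -> 80 */
    tcp[12] = 0x50; tcp[13] = 0x18;                         /* offset 5, PSH|ACK */
    memcpy(tcp + 20, http, plen);
    return 14 + total;
}

int main(void)
{
    uint8_t frame[128]; char found[256];
    struct frame_info fi;
    size_t n = build_sample_frame(frame, sizeof frame);
    if (parse_frame(frame, n, &fi) != 0) return 1;
    printf("%s %u -> %u, %zu payload bytes\n", fi.proto == 6 ? "TCP" : "UDP",
           (unsigned)fi.src_port, (unsigned)fi.dst_port, fi.payload_len);
    extract_strings(fi.payload, fi.payload_len, found, sizeof found);
    fputs(found, stdout);
    return 0;
}
```

To feed this from the bpf device rather than the constructed frame, remember that one `read()` on `/dev/bpfN` returns a buffer holding possibly several captured packets, each prefixed by a `struct bpf_hdr`; the frame starts at `bh_hdrlen` bytes into each record and is `bh_caplen` bytes long, and the next record begins at `BPF_WORDALIGN(bh_hdrlen + bh_caplen)`. Pass `rec + bh_hdrlen` and `bh_caplen` to `parse_frame`, never the whole read buffer. Also expect `/dev/bpf0` to be busy when another capture tool is running; the usual pattern is to try `/dev/bpf0`, `/dev/bpf1`, … until one opens.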
What I learned
I picked Berkeley Packet Filter because I assumed "low-level packet access" meant control as well as visibility. It doesn't, at least not on macOS. The bpf device is a tap: each read() hands you a copy of a frame while the original continues through the stack regardless, and write() can inject frames but never intercept them. BPF on macOS is excellent for sniffing, you can see every byte. But it cannot act: a user program holding /dev/bpfN can't accept, drop, modify, or rate-limit traffic. Control on macOS lives elsewhere (pf, or the Network Extension content-filter APIs), not in bpf.
That distinction, visibility versus control, is the line between a sniffer
and a firewall. A firewall has to make a decision about each packet, and
bpf offers no place to make one. So WireGuppy ended its life as a working
sniffer, and the firewall work moved to Linux, where an iptables rule with
the NFQUEUE target hands each matched packet to a userspace program and
waits for its verdict (accept, drop, or a modified packet): exactly the
decision-making interface the macOS bpf device withholds.
Status
Archived. The follow-on work lives in the userspace firewall.
Tags: C · Berkeley Packet Filter · macOS · bpf · packet-sniffing · ethernet