As I understand it, Little Snitch is a process-level network firewall that uses a kernel extension to monitor and report all outgoing traffic. I have used it for about a week on a Mac running OS X 10.11, and I'm seeing lots of undocumented traffic from apps and daemons signed by Apple. By undocumented, I mean that the built-in docs in Little Snitch can't explain what the sender is doing.