Wireshark · Wireshark-users: Re: [Wireshark-users] Wireshark Windows installer no longer redistributable?

[Laurence Perkins <lperkins@xxxxxxxxxxx>]

On Mon, 2019-03-11 at 14:15 -0700, Gordon Fyodor Lyon wrote:
> 
> On Mon, Mar 11, 2019 at 11:24 AM Laurence Perkins <lperkins@openeye.n
> et> wrote:
> 
> > So I notice with version 3 that wireshark now bundles npcap instead
> > of winpcap.  From a technical point of view this makes a lot of
> > sense since npcap is actually maintained and has a better feature
> > set. But I notice that the npcap license forbids redistribution
> > without special dispensation.
> 
> Hi Laurence.  I'm glad you like Npcap, and thanks for raising this
> important issue.  I run the Nmap and Npcap Projects and will try to
> explain the current licensing situation.
> 
> First of all, we at the Nmap project are huge Wireshark fans.  In
> fact we had a user vote and Wireshark won as the #1 security tool (ht
> tps://sectools.org/)!  So we're very happy to throw all the support
> we can behind Wireshark, and we're delighted to see our Npcap packet
> capturing driver/library proving useful for Wireshark users.  We
> already changed the Npcap license to better accommodate Wireshark
> (e.g. removing the usage limit) and we're receptive to other ideas
> for helping Wireshark/Npcap integration that don't threaten the
> financial health of the Npcap Project itself.
> 
> Our main project is the Nmap Security Scanner (https://nmap.org/),
> which recently turned 21 years old.  During most of that time we were
> happy users of WinPcap.  But then WinPcap became unmaintained and we
> had increasing concerns about security, stability, and WinPcap's use
> of deprecated Windows API's that MS could remove at any time.  Still,
> we had no desire to get into Windows device driver programming and we
> waited years hoping that someone else would step up and fix the
> issues.  That didn't happen, so we took a deep breath and dived in
> and have spent the last several years creating Npcap (https://npcap.o
> rg).  We have been shipping it with Nmap since 2016 and we're
> approaching our big 1.0 release.  The latest version is 0.99-r9,
> which now ships with Wireshark 3.
> 
> While we're really proud of where Npcap is now, it hasn't come
> cheaply.  I've personally spent hundreds of thousands of dollars
> hiring programmers to help make this happen.  That isn't financially
> sustainable, and I don't want Npcap to go the way of WinPcap and
> WinPcap Pro.  So the goal is for the Npcap Project to at least break
> even financially by spreading the development and maintenance cost
> among those who benefit from it.  This especially includes companies
> who want to redistribute Npcap as part of the products that they
> sell.
> 
> While we did grant a waiver so the Wireshark Project (Riverbed) and
> their official mirrors can redistribute Npcap with Wireshark, you are
> correct that the waiver does not allow everyone to externally
> redistribute Npcap with Wireshark.  We (Npcap Project) are concerned
> that such a waiver could open a loophole allowing companies who
> couldn't normally redistribute Npcap without buying a license to
> simply redistribute the whole Wireshark+Npcap installer with their
> product instead and use Npcap that way.   We're also worried about
> malware authors and other sleazebags to whom we'd never grant a
> license using this loophole to redistribute Npcap.  Besides being
> terrible on its own, malware using Npcap could lead to our EV
> codesigning certificate being blacklisted.  Of course straight-up
> criminals don't care what our license says, but some sleazebags who
> purport to be legitimate do.  Remember when Download.com and
> SourceForge tried adding adware/malware to the Wireshark and Nmap
> installers?
> 
> Please note that Npcap's redistribution limits only apply to external
> redistribution.  You can still download Npcap (or WinPcap+Npcap) and
> install it on multiple machines at your organization.  Though for big
> organizations who want to roll out Npcap on a lot of machines, we
> recommend our Npcap OEM product which includes a silent installer.
> See https://nmap.org/npcap/#License.
> 
> Also, the Npcap license of course only applies to Wireshark
> installers that actually bundle Npcap.  The Wireshark project or any
> user is welcome to build and redistribute a Wireshark installer which
> doesn't include Npcap and then do whatever they want with it (subject
> to Wireshark's own license, of course).
> 
> Also, we're happy to look at cases where the redistribution
> limitation is causing pain.  If you have a case where you really need
> to redistribute Wireshark+Npcap, send me an email.  We can consider
> individual waivers on a case by case basis, and we are also open to
> structural/license changes where they solve an important and common
> need without posing much risk to Npcap's financial sustainability
> goal.
> 
> For what it's worth, Nmap has been shipping with Npcap since 2016 and
> so the redistribution rule also applies to our Nmap Windows Self-
> Installer.  While we did worry about that at first, it has not
> actually proved to be much of a problem in practice.  Users should
> almost always download Nmap or Wireshark directly from the source
> anyway so they get the very latest version and avoid accidentally
> downloading trojans from shady redistributors like Download.com.
> 
> Sorry for the long mail, but I hope this helps clarify things.
> 
> Sincerely,
> Gordon "Fyodor" Lyon
> 
> 

I appreciate you taking the time to reply, and I quite understand your
reasoning from a business point of view.  The current methods you offer
for obtaining a npcap redist license are likely sufficient for
businesses with on-the-ball legal teams and workers to have no trouble
at all.

What I'm concerned about is that there was a change made in the
allowable redistribution of the complete package such that downloading
Wireshark to a thumbdrive and giving it to a friend who's having
trouble diagnosing why his Internet connection isn't working could,
depending on jurisdiction, be a crime.  Potentially with a prison
sentence attached.  And even that would be ok if it weren't for the
fact that absolutely nothing in the download process for the latest
version looks any different, so most people won't even notice until
after they've done something that's technically illegal.

From the tone of your message, I rather assume that you're not likely
to go after people who make such an innocent mistake, but the business
world is chaotic and should you someday be bought out by another group
your successors might not be so forgiving.

In my opinion the download page needs to have an easily noticeable
notification that the redist terms for the Wireshark installers have
changed and people need to review the new license.  The license text
being embedded in the middle of the installer is insufficient.  The web
site currently only mentions that Wireshark is under the GPL and makes
no mention of the fact that the Windows installer is not
redistributable anywhere except the previously posted developers
section notice.

Again, the change is a good idea from a technical point of view.  My
only concern is the lack of clear notification to the average user that
it's not redistributable.  If you're used to just clicking through the
installer because you know it's all GPL/BSD and don't notice the one
logo change in the middle of it you could quite unintentionally end up
in hot water.

LMP

Attachment: signature.asc
Description: This is a digitally signed message part