Why are the headers of this SPDY SYN_STREAM sample apparently uncompressed?


I am experimenting with the SPDY protocol and I stumbled upon a sample of the SPDY protocol (which can be downloaded using the "attachment" link).

Here's how I viewed it:

  1. Open the pcapng file in Wireshark 1.12.2 (or newer)
  2. Right click on any SSL/TLS frame, and go to Protocol Preferences -> RSA keys list...
  3. Click New and enter IP address 0.0.0.0, port 443, protocol spdy and the path to this key file
  4. Right click on any SPDY frame, go to Protocol Preferences -> Uncompress SPDY headers to disable SPDY header decompression
  5. Go to frame 45 and observe that in the "SPDY: SYN_STREAM" layer, after highlighting "Header Block", the hex dump below is readable

According to the SPDY specification, this should be compressed. Why can I see this? Is there a way to disable header compression in the SPDY protocol? Am I using Wireshark the wrong way?

Best answer

About the specification

The draft you linked states this:

The entire contents of the name/value header block is compressed using zlib. There is a single zlib stream for all name value pairs in one direction on a connection. SPDY uses a SYNC_FLUSH between each compressed frame.

Implementation notes: the compression engine can be tuned to favor speed or size. Optimizing for size increases memory use and CPU consumption. Because header blocks are generally small, implementors may want to reduce the window-size of the compression engine from the default 15bits (a 32KB window) to more like 11bits (a 2KB window). The exact setting is chosen by the compressor, the decompressor will work with any setting.

It doesn't enforce any compression level. In fact, you can use zlib with no compression at all; this is supported by the zlib format:

Level 0 actually does no compression at all, and in fact expands the data slightly to produce the zlib format (it is not a byte-for-byte copy of the input).

About the sample

I contacted the author of the sample. Turns out he was using nginx for his experiment. In the documents he provided, nginx was configured like this:

 # SPDY
 server {
     listen       443 ssl spdy;
     server_name  localhost;
     ssl_certificate      cert.pem;
     ssl_certificate_key  key.pem;
     ssl_session_cache    shared:SSL:1m;
     ssl_session_timeout  5m;
     ssl_ciphers  DES-CBC3-SHA;
     ssl_prefer_server_ciphers  on;
     location / {
         root   html;
         index  index.html index.htm;
     }
 }

However, the nginx documentation states that header compression must be specified explicitly:

Syntax: spdy_headers_comp level;
Default: spdy_headers_comp 0;

Sets the header compression level. [...] The special value 0 turns off the header compression.

This means header compression was most likely not enabled for the experiment.

My conclusion

  • Yes, you can disable header compression in SPDY, but you have to keep the zlib format with a compression level of 0
  • You are using Wireshark correctly. The sample you used was created with a compression level of 0
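
The effect described in this answer can be reproduced with zlib alone. The sketch below is an added example, not part of the original answer and not nginx's code; the header values are constructed, and the SPDY preset dictionary is left out as a simplifying assumption. It compresses one SPDY-style header block at level 0 and at level 6, then parses the zlib header to report the first deflate block type and whether a header value is readable in the bytes on the wire.

```python
import struct
import zlib

# Constructed sample headers; not extracted from the capture discussed above.
SAMPLE = {":method": "GET", ":path": "/index.html", ":version": "HTTP/1.1",
          ":host": "www.example.com", ":scheme": "https",
          "referer": "https://www.example.com/index.html"}

def build_header_block(headers):
    """SPDY/3-style block: 32-bit pair count, then length-prefixed strings."""
    out = struct.pack(">I", len(headers))
    for name, value in headers.items():
        for field in (name.encode(), value.encode()):
            out += struct.pack(">I", len(field)) + field
    return out

def compress_frame(block, level):
    """Compress one frame's header block and end it with a SYNC_FLUSH."""
    # Assumption: the SPDY preset dictionary is omitted to keep this short.
    comp = zlib.compressobj(level, zlib.DEFLATED, 11)  # 11 bits = 2 KB window
    return comp.compress(block) + comp.flush(zlib.Z_SYNC_FLUSH)

def first_block_type(stream):
    """Parse the zlib header and return the first deflate block's type."""
    cmf, flg = stream[0], stream[1]
    if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31 != 0:
        raise ValueError("not a zlib stream")
    pos = 2 + (4 if flg & 0x20 else 0)   # skip DICTID if FDICT is set
    btype = (stream[pos] >> 1) & 0x03    # bit 0 = BFINAL, bits 1-2 = BTYPE
    return ("stored", "fixed-huffman", "dynamic-huffman", "reserved")[btype]

def inspect(level, needle=b"www.example.com"):
    """Return (block type, needle visible on the wire?, size delta in bytes)."""
    block = build_header_block(SAMPLE)
    frame = compress_frame(block, level)
    # The decompressor works with any compressor setting, as the spec says.
    if zlib.decompressobj().decompress(frame) != block:
        raise RuntimeError("round trip failed")
    return first_block_type(frame), needle in frame, len(frame) - len(block)

if __name__ == "__main__":
    for lvl in (0, 6):
        print("level", lvl, inspect(lvl))
```

At level 0 the output is still a valid zlib stream, but the header block sits inside a stored deflate block, which is why a hex dump of it is readable even with Wireshark's decompression turned off.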