On Jun 1, 2008, at 6:07 PM, Sarocet wrote:
> Seems like a problem with the TCP stack to me. No client of normal
> sockets should be able to do that. Do you have some device (such as
> a firewall) in front of that machine which could be interfering?
> Could you fingerprint (p0f) which OS this activity comes from?

It's not the server or any device in front of it (of which there are none other than switches and routers). In the tcpdumps we've looked at, the client appears to hang or time out, and when the server sends ACKs to see if the connection is still alive (keepalive or otherwise), the client starts replying with a "zero sized window", which is broken.

We thought about p0f, but with the randomness of the broken clients and the sheer volume of connections the mirrors get, it would be very difficult to capture that data. It may come down to that, but I'm just pointing out that something appears to be bugged in quite a few clients that connect.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
http://www.inoc.net/~rblayzor/
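
One way to pull the zero-window repliers out of a large capture without fingerprinting every connection, as an added example that is not part of the original thread: it scans `tcpdump -n` text output and counts, per client flow, the empty ACKs that advertise a window of 0. The sample lines, the addresses, the server port and the `min_hits` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Matches tcpdump's default one-line text output for a TCP segment (run with -n).
SEG_RE = re.compile(
    r"IP6? (?P<src>\S+)\.(?P<sport>\d+) > \S+\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?\bwin (?P<win>\d+).*?\blength (?P<length>\d+)"
)

def zero_window_flows(lines, server_port=80, min_hits=2):
    """Return {(client_ip, client_port): count} for flows whose client sent
    at least min_hits empty ACKs advertising a zero receive window."""
    hits = Counter()
    for line in lines:
        m = SEG_RE.search(line)
        if not m or int(m["dport"]) != server_port:
            continue  # not TCP, or not client-to-server traffic
        if "R" in m["flags"] or "S" in m["flags"]:
            continue  # RSTs routinely carry win 0; SYNs are not replies
        if int(m["win"]) == 0 and int(m["length"]) == 0:
            hits[(m["src"], int(m["sport"]))] += 1
    # A single zero-window ACK can be a legitimately full receive buffer,
    # so only flows that repeat it are reported.
    return {flow: n for flow, n in hits.items() if n >= min_hits}

# Constructed sample capture (documentation address ranges, server on port 80).
SAMPLE = [
    "1212358020.10 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [.], ack 1, win 5840, length 0",
    "1212358020.11 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [.], ack 1449, win 0, length 0",
    "1212358095.10 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [.], ack 1, win 5840, length 0",
    "1212358095.11 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [.], ack 1449, win 0, length 0",
    "1212358170.11 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [.], ack 1449, win 0, length 0",
    "1212358021.00 IP 203.0.113.9.40000 > 192.0.2.10.80: Flags [.], ack 2897, win 65535, length 0",
    "1212358022.00 IP 203.0.113.20.40100 > 192.0.2.10.80: Flags [R.], seq 1, ack 1, win 0, length 0",
    "1212358023.00 IP 203.0.113.30.40200 > 192.0.2.10.80: Flags [.], ack 1449, win 0, length 0",
]

if __name__ == "__main__":
    for (ip, port), count in zero_window_flows(SAMPLE).items():
        print(f"{ip}:{port} sent {count} zero-window ACKs")
```

The flagged client addresses give a short list to fingerprint with p0f instead of the whole connection stream.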