attempting to troubleshoot for customer

Started by Tier3 April 2, 2007
This little poor thing looks just odd. When you take a closer look, you will 
see that port numbers and other TCP parameters of this packet are 
actually... constructed of what should be the packet payload! Source port 
and destination port, two 2-byte values that start every TCP header, are 
18245 and 28261 - 0x4745, 0x5420 in network endian order. This translates to 
ASCII string 'GET ', the beginning of an HTTP request. This kid has lost its 
TCP header, but the IP header (with protocol type set to TCP) and TCP payload 
are still there... We started to see thousands of packets just like this one 
somewhere in the middle of 2000, coming from many locations in Poland. After 
some time, we realized that all were generated by badly broken Nortel CVX 
access servers deployed country-wide by the Polish Telecom. Firmware was 
fixed within a month or so, but this priceless packet dump will live
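
The malformation described above can be checked for mechanically. The following is an added example, not part of the original post: it parses an IPv4 packet whose protocol field says TCP and flags the case where the bytes in the port fields are really the start of an HTTP request (0x4745, 0x5420, i.e. 'GET '). The function names, the documentation-range addresses and both sample packets are constructed for illustration.

```python
import struct

# HTTP method tokens that land in the two port fields when the TCP header is missing.
HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ")

def inspect_ipv4_tcp(packet: bytes) -> dict:
    """Parse an IPv4 packet and report whether its 'TCP header' is really payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated or invalid IPv4 header")
    if packet[9] != 6:                        # protocol field must say TCP
        raise ValueError("IP protocol is not TCP")
    l4 = packet[ihl:]                         # what a receiver treats as the TCP header
    sport, dport = struct.unpack("!HH", l4[:4])
    header = l4[:20]
    # A real TCP header almost always has non-text bytes (sequence numbers, flags).
    printable = sum(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in header)
    return {
        "sport": sport,
        "dport": dport,
        "ports_as_ascii": l4[:4],
        "header_is_text": printable == len(header),
        "headerless_http": l4[:4] in HTTP_METHODS,
    }

def ipv4_header(payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header, protocol 6 (TCP), checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

HTTP = b"GET /index.html HTTP/1.0\r\n\r\n"    # constructed request
# Broken packet: IP header followed directly by the HTTP payload, no TCP header.
BROKEN = ipv4_header(len(HTTP)) + HTTP
# Well-formed packet for comparison: real 20-byte TCP header, then the same payload.
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
NORMAL = ipv4_header(len(TCP) + len(HTTP)) + TCP + HTTP

if __name__ == "__main__":
    for name, pkt in (("broken", BROKEN), ("normal", NORMAL)):
        print(name, inspect_ipv4_tcp(pkt))
```

The port-field match is the reliable signal here: in the broken packet the byte that falls in the data-offset position is ordinary request text, so a header-length sanity check alone would not necessarily reject it.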