username in www basic auth can be 175 characters. if more than this, it will return 401. it can be anything if <= 175 it has incremental ip_id it does not send process record route or timestamp ip options when ttl is time exceeded, packet is dropped with an icmp time exceeded. trailing data in a http request is ignored requires a \r\n\r\n however. - is it static or dynamic? if u send 1M of data then \r\n\r\n it works - sending total lenght of 837737 works - 1 more and it returns RST - two requests of 837737 at the same time. both fail - dynamic memory management? - afterwards. the limit is lower - memory leak? - seeing FIN coming in with 39 byte ip header on occasion - somtimes it sends FIN but no response to http request ping -f will crash the box and not recover (from initial testing) -- this is without authorization Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. SUBSCRIBE / HTTP/1.1 HTTP/1.0 500 Internal Server Error Connection: close Server: UPnP/1.0 UPnP-Device-Host/1.0 Timeout: Second-0 SID: uuid:1983bd Connection closed by foreign host. -- SUBSCRIBE f HTTP/0.9 500 Internal Server Error Connection: close Server: UPnP/1.0 UPnP-Device-Host/1.0 Timeout: Second-0 SID: uuid:eac5 -- ack 857980040 win 3072 (ttl 43, id 31871, len 40) 20:40:03.836508 66.135.130.241.113 > 192.168.1.100.1163: R 0:20(20) ack 3607765980 win 5840 [!RST \002\004\005\264\004\002\010\012\000\037\2106\000\000\000] (ttl 61, id 44013, len 60) -- the incoming log, is a ring buffer that holds 100 entries. it only logs tcp/udp port, ip it does not log duplicate entries (ie, 2 connections to same port) -- passing traffic external to port 1701 (l2tp) with flags tl, and length not the exact size, with any non zero protocol (version? check), will crash the router.. i'm guessing it does dynamic malloc.. then a free(ptr, l2tp->length); -- it has a maximum seemingly of 50 dhcp leases this is the default you dont have to send it a valid dhcp discovery packet to get the occasional offer! dont have to include most of the bootp packet! my guess, is that its oob read(s), with a chance that memory matches when an offer gets sent out. --