in reply to Questions with a TCP stream protocol (POE, code)

In this code snippet:
# lop off the event code and the length, the hacker has it in the obje +ct. if ($length and (length $little_e >= 4 + $length)) { $body = substr($little_e, 4, $length);
Do you actually mean:

$body = substr($little_e, 4, $length, '');

The substr earlier looks a little suspicious, too. I'd use the four argument form in both places.