Wireshark-users: Re: [Wireshark-users] Analyzing a "broken" FTP session
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 21 Aug 2009 21:56:23 +0200
On Fri, Aug 21, 2009 at 10:28:31AM -0700, Chivian, John wrote:
> Network information:
> The systems are both operating at 100 Mb/s.
> They are both in the same physical location.
> Client <-> Switch <-> Router <-> Switch <-> Server

Looking at the tracefiles, it seems that the router is not just a
router, it looks like a security device (PIX, ASA, FWSM, ACE, etc). Is
that correct?

> The problem is generally seen with FTP sessions involving hundreds of 
> small files.
> I understand that the issue may be network as opposed to server 
> related, and I understand that the packet captures may not contain 
> enough information to make a definitive judgment.

The traces tell me that the problem is on the server-side. Somehow the
server is not accepting valid packets, as if there is data missing. Are
you running some form of NAT or FW on the server too (iptables,
netfilter, etc)?