Wireshark-users: Re: [Wireshark-users] Analyzing a "broken" FTP session
On Fri, Aug 21, 2009 at 10:28:31AM -0700, Chivian, John wrote:
> 
> Network information:
> The systems are both operating at 100 Mb/s.
> They are both in the same physical location.
> Client <-> Switch <-> Router <-> Switch <-> Server

Looking at the tracefiles, it seems that the router is not just a
router, it looks like a security device (PIX, ASA, FWSM, ACE, etc). Is
that correct?

> The problem is generally seen with FTP sessions involving hundreds of 
> small files.
> 
> I understand that the issue may be network as opposed to server 
> related, and I understand that the packet captures may not contain 
> enough information to make a definitive judgment.

The traces tell me that the problem is on the server-side. Somehow the
server is not accepting valid packets, as if there is data missing. Are
you running some form of NAT or FW on the server too (iptables,
netfilter, etc)?

Cheers,
     Sake