On Mon, Apr 10, 2006 at 06:28:24PM -0400, James Nachlin wrote:

> I'm having a strange situation where I'm getting back errors when
> connecting to a web server (lighttpd) from IE, which I do not get from
> Firefox and I don't get connecting directly, not through the pf firewall.
>
> To the client, this appears as slow connections or dropped connections.
> Looking at the traffic with Ethereal, the main difference seems to be
> the presence of tons of packets with the RST flag set.
>
> The problem will probably be obvious to someone who knows more about TCP/IP.

The client is opening a lot of connections (from unique source ports) to the server; after the handshake, it sends the HTTP request, half-closes the connection (sending a FIN, telling the server it will send no more data, but only read the replies). The server sends an empty ACK back (which I'm not sure is typical, but it looks valid), then starts to send the HTTP reply. Often, the client immediately sends a RST after the first data packet.

It's not obvious why the client would do that, if the RST really is generated by the client. Looks like a problem on the client. Since it affects different browsers, maybe a network setting in the OS.

Try capturing traffic at the client (or close to it, at least on the firewall interface closest to the client). If it's really the client generating the RSTs, and showing the replies it gets up to that point are valid, it's the client's fault...

All your captures show this behaviour. I'm not sure why you'd experience different behaviour from the different browsers; maybe they show cached contents differently in error cases.

Daniel
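The sequence described in the reply above (request, client FIN, empty ACK from the server, first reply data, RST), as an added example that is not part of the original thread: a small Python classifier that walks a packet list per flow and flags connections reset after a half-close. The packet list is constructed, and the addresses, ports, tuple layout and function name are assumptions made for the illustration.

```python
# Constructed sample capture: (time, src, sport, dst, dport, flags, payload_len).
# Addresses are documentation placeholders, not values from the thread.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
PACKETS = [
    # Flow 1101: request, half-close, reply starts, then RST from the client side.
    (0.000, CLIENT, 1101, SERVER, 80, "S", 0),
    (0.001, SERVER, 80, CLIENT, 1101, "SA", 0),
    (0.002, CLIENT, 1101, SERVER, 80, "A", 0),
    (0.003, CLIENT, 1101, SERVER, 80, "PA", 310),
    (0.004, CLIENT, 1101, SERVER, 80, "FA", 0),
    (0.005, SERVER, 80, CLIENT, 1101, "A", 0),
    (0.010, SERVER, 80, CLIENT, 1101, "A", 1460),
    (0.011, CLIENT, 1101, SERVER, 80, "R", 0),
    # Flow 1102: same start, but the reply is read to the end and closed normally.
    (0.100, CLIENT, 1102, SERVER, 80, "S", 0),
    (0.101, SERVER, 80, CLIENT, 1102, "SA", 0),
    (0.102, CLIENT, 1102, SERVER, 80, "A", 0),
    (0.103, CLIENT, 1102, SERVER, 80, "PA", 310),
    (0.104, CLIENT, 1102, SERVER, 80, "FA", 0),
    (0.105, SERVER, 80, CLIENT, 1102, "A", 0),
    (0.110, SERVER, 80, CLIENT, 1102, "A", 1460),
    (0.111, CLIENT, 1102, SERVER, 80, "A", 0),
    (0.112, SERVER, 80, CLIENT, 1102, "FPA", 420),
    (0.113, CLIENT, 1102, SERVER, 80, "A", 0),
]

def classify_flows(packets):
    """Map (client, cport, server, sport) -> (verdict, reply packets after the FIN)."""
    flows = {}
    for _ts, src, sport, dst, dport, flags, plen in sorted(packets):
        if "S" in flags and "A" not in flags:      # bare SYN identifies the client
            flows[(src, sport, dst, dport)] = {"fin": False, "data": 0, "verdict": "clean"}
            continue
        from_client = (src, sport, dst, dport) in flows
        st = flows.get((src, sport, dst, dport) if from_client else (dst, dport, src, sport))
        if st is None or st["verdict"] != "clean":
            continue                               # no SYN captured, or already reset
        if from_client and "F" in flags:
            st["fin"] = True                       # client half-closed its side
        elif not from_client and plen > 0 and st["fin"]:
            st["data"] += 1                        # reply data after the half-close
        if "R" in flags:
            # The header only says whose address the RST carries; comparing a
            # capture from each side of the firewall shows where it originates.
            if from_client and st["fin"] and st["data"]:
                st["verdict"] = "client-rst-after-half-close"
            else:
                st["verdict"] = "rst-from-" + ("client" if from_client else "server")
    return {k: (v["verdict"], v["data"]) for k, v in flows.items()}
```

Running `classify_flows` on a capture taken on each side of the firewall and comparing the verdicts per flow is the check the reply suggests: a RST present in both captures points at the client, one present only on the server side points at something in between.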
