how big are the packets?  is there a df in the packet?

the packets are 1380 bytes.  Not sure what you mean by "DF" in the packet.  If you mean difference, there is no difference in either packet, except for the relative time is different.

Thanks.

DF is 'dont fragment'  is this a new issue?  has this ever worked?

It has been working, the users have been complaining of slowness and this application is outside our organization.  This is an issue that I just noticed because the user was complaining about slowness.

The DF bit is set to 1 on both packets.

so that i understand.... users at your company are going to www.abc.com (at another location outside your org) and you are seeing dropped packets on your network.  correct?  are there dropped packets for this website only?  what is your head end device?  do you see the same behavior going to yahoo.com?  can you call the vendor, is anyone else experiencing slowness?  is there increased traffic cause of the holiday?

It looks like something going on internally, but still unsure.

thanks for your help.

The DF bit should be set to zero.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

It shouldn't matter what the DF bit is set to, although an efficient network should not allow fragmentation to occur, so I would tend to like the DF bit being set.
 
The DF bit means "Do not fragment".
   
Normally, if a router attempts to route a packet larger than the MTU size accepted by the next router, the first router will simply fragment the packet and send it as two packets instead. This places additional overhead on both the router and the destination host as well as creating a Murphy's Law situation at any firewall or filtering device the packet fragments have to traverse.
 
If the DF bit in the packet is set to 1, this means the first router is not allowed to fragment the packet. In this case, the router drops the packet, and sends a special ICMP "Destination unreachable" packet back to the packet's source, which decodes as "fragmentation needed and DF bit set" and includes the maximum MTU available for the path. The source host updates its registry with the new maximum MTU size and sends further packets at the right size.
 
That's my understanding of it, anyway.