In passive wiretapping, packets are analyzed after being reassembled into a flow. This operation, present in every kind of PASSIVE network analyzer (IDS, sniffer, trojan, stats generator), is called "protocol reassembly". In order to obtain any information, the reassembly has to be done with a complexity equal to that of the transmission layer.
If you are analyzing the "ftp protocol", you only have the transmitted binary data to collect and dump: the passive third party has to record the packet flow, save it in the correct order and extract the transmitted file.
A third party falls into some "ambiguity" when reading packets passively: it will never be 100% sure that a packet will be accepted or rejected by the peers under monitoring. Using and abusing this unreliability leads to a wrong rebuilding of the transmission.
Exploiting the speed of the network media, the differences between ISP configurations and (not yet implemented) the differences between operating system TCP/IP stacks, sniffjoke forces sniffers into a difficult choice: either drop every packet that has something weird about it, in order to keep up with growing bandwidth and demanding hardware requirements, or improve the analysis, spending CPU and time and implicitly increasing the cost per megabit. This will demotivate massive sniffing by evil entities.
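The reassembly and the ambiguity described above, seen from the analyzer's side, as an added example (not sniffjoke code): a minimal passive TCP stream rebuilder that orders captured segments by sequence number and records missing ranges and conflicting copies instead of silently picking one. The names `reassemble`, `Reassembly` and `CAPTURE` and the sample segments are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Reassembly:
    data: bytes       # contiguous bytes recovered from the start of the stream
    gaps: list        # (start, end) offsets never seen on the wire
    conflicts: list   # offsets where two captured copies disagree

def reassemble(segments, isn):
    """Rebuild one direction of a TCP flow from passively captured segments.

    segments: (seq, payload) tuples in capture order; they may be reordered,
    retransmitted or overlapping. isn: sequence number of the first data byte.
    The first copy of each byte is kept; a later copy that disagrees is
    recorded as a conflict, because the observer cannot know which copy the
    receiving peer actually accepted.
    """
    stream, conflicts = {}, set()
    for seq, payload in segments:
        base = (seq - isn) % 2**32          # 32-bit sequence wraparound
        if base >= 2**31:                   # before the ISN: not this stream
            continue
        for i, byte in enumerate(payload):
            off = base + i
            if stream.setdefault(off, byte) != byte:
                conflicts.add(off)
    end = max(stream) + 1 if stream else 0
    gaps, start = [], None
    for off in range(end):
        if off not in stream and start is None:
            start = off
        elif off in stream and start is not None:
            gaps.append((start, off))
            start = None
    n = 0
    while n in stream:
        n += 1
    return Reassembly(bytes(stream[i] for i in range(n)), gaps, sorted(conflicts))

# Constructed capture: out of order, one retransmission, one conflicting overlap.
ISN = 4294967290                            # close to 2**32 to exercise wraparound
CAPTURE = [
    ((ISN + 6) % 2**32, b"passive "),
    (ISN, b"hello "),
    (ISN, b"hello "),                       # plain retransmission, same bytes
    ((ISN + 14) % 2**32, b"world"),
    ((ISN + 6) % 2**32, b"PASSIVE "),       # same range, different bytes
]

if __name__ == "__main__":
    print(reassemble(CAPTURE, ISN))
```

A non-empty `conflicts` or `gaps` list marks a stream whose rebuilt content cannot be fully trusted; resolving it needs extra per-packet analysis, which is the CPU and time cost the text refers to.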