I'm not sure if this method is any less tedious than taking a packet capture, but you can try to decipher the traffic using the "show ip cache flow" command. This will give you a list of traffic from source interfaces and source IP addresses with the destination interface, IP address and port the traffic is being sent to. The fun part is the well-known port number is listed in hexadecimal format. The following is the list of field descriptions from the NetFlow Command Reference guide from Cisco.
Table 16 show ip cache flow Field Descriptions in NetFlow Record Display
SrcIf Interface on which the packet was received.
SrcIPaddress IP address of the device that transmitted the packet.
DstIf Interface from which the packet was transmitted.
Note: If an asterisk (*) immediately follows the DstIf field, the flow being shown is an egress flow.
DstIPaddress IP address of the destination device.
Pr IP protocol “well-known” port number, displayed in hexadecimal format. (Refer to http://www.iana.org, Protocol Assignment Number Services, for the latest RFC values.)
SrcP The source protocol port number in hexadecimal.
DstP The destination protocol port number in hexadecimal.
Pkts Number of packets switched through this flow.
Hope this helps.
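To save doing the hexadecimal conversion by hand, here is an added example (not part of the original post) that parses flow-record lines and decodes the Pr, SrcP and DstP fields to decimal. The sample lines are constructed, and the column layout is assumed to follow the field order listed above.

```python
import re

# IANA IP protocol numbers for protocols commonly seen in flow records.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# Assumed record layout: SrcIf SrcIPaddress DstIf[*] DstIPaddress Pr SrcP DstP Pkts
RECORD = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>[^\s*]+)(?P<egress>\*?)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<src_p>[0-9A-Fa-f]{4})\s+"
    r"(?P<dst_p>[0-9A-Fa-f]{4})\s+(?P<pkts>\S+)$"
)

# Constructed sample output (not captured from a real device).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.10       Fa0/1         192.0.2.25      06 C350 01BB    42
Fa0/0         10.1.1.11       Fa0/1*        192.0.2.53      11 D431 0035     3
Fa0/1         192.0.2.80      Null          10.1.1.12       06 0050 C001     7
"""


def parse_flows(text):
    """Return one dict per flow record, with hex fields decoded to decimal."""
    flows = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # header, blank line, or summary text
        proto = int(m["pr"], 16)
        flows.append({
            "src_if": m["src_if"],
            "src_ip": m["src_ip"],
            "dst_if": m["dst_if"],
            "egress": m["egress"] == "*",  # asterisk after DstIf marks an egress flow
            "dst_ip": m["dst_ip"],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(m["src_p"], 16),
            "dst_port": int(m["dst_p"], 16),
            "pkts": m["pkts"],  # kept as text exactly as displayed
        })
    return flows


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
              f"{f['proto']} out={f['dst_if']} egress={f['egress']} pkts={f['pkts']}")
```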
The NetFlow senders (many of them) are not Cisco devices... they are Riverbed Steelhead devices.
I am really hoping that Orion / NTA has some basic log for the traffic it's discarding... if not, this could be an important feature to include in a future version.
Has anyone else seen this and has a resolution?
We do alert you in the Events resource when there is a flow that is being discarded. We don't interrogate the data that we discard so we can't give you any details on it.