Issue/Problem/Symptoms:
The NFA console top-protocol chart displays a lot of traffic for the fragment protocol.
No 630/631 protocol is found in the NetFlow packets when analysing a Wireshark capture.
Environment:
NFA 9.3.3 on Windows Server 2012.
Cause:
The NetFlow configuration on the router is wrong: the flow record lacks fields that NFA expects, so NFA parses the NetFlow packets incorrectly. The record exports only TCP-specific and UDP-specific port fields and no output interface, so NFA sees no port information it recognizes and reports the traffic as the fragment protocol.
Wrong NetFlow v9 template (Flexible NetFlow flow record) used:
flow record WIS_FLOW_LAN
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport tcp source-port
 match transport tcp destination-port
 match transport udp source-port
 match transport udp destination-port
 match interface input
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
Resolution/Workaround:
Modify the NetFlow configuration on the router.
Add the line:
 match interface output
Replace the lines:
 match transport tcp source-port
 match transport tcp destination-port
 match transport udp source-port
 match transport udp destination-port
with:
 match transport source-port
 match transport destination-port
Then reload this configuration on the router, wait 20 minutes for the new templates and flow data to reach NFA, and recheck the NFA console.
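The cause above can be confirmed in the exporter's NetFlow v9 template itself rather than by hunting for protocols in the flow records of a Wireshark capture. The following Python script is an added example, not part of the original article and not NFA or Cisco code: it parses the template FlowSets out of a NetFlow v9 export packet and reports which field IDs a collector needs are missing. The sample packets are constructed here from the public NetFlow v9 (RFC 3954) and IANA field IDs (7/11 for the generic source/destination port, 10/14 for input/output interface, 180-183 for the UDP/TCP-specific ports that `match transport tcp|udp ...-port` exports); the `REQUIRED` set is an assumption about what NFA expects, derived from the fix above, not something this article documents.

```python
import struct

# NetFlow v9 field type IDs (RFC 3954) for the fields exported by the flow record
# in this article. 180-183 are the IANA IPFIX/NetFlow v9 IDs for the
# protocol-specific port fields produced by "match transport tcp/udp ...-port".
IN_BYTES, IN_PKTS, PROTOCOL, SRC_TOS = 1, 2, 4, 5
L4_SRC_PORT, IPV4_SRC_ADDR, INPUT_SNMP = 7, 8, 10
L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 11, 12, 14
LAST_SWITCHED, FIRST_SWITCHED = 21, 22
UDP_SRC_PORT, UDP_DST_PORT, TCP_SRC_PORT, TCP_DST_PORT = 180, 181, 182, 183

# Assumption (not stated in the article): the fields NFA needs to name a
# protocol and attribute traffic to both interfaces.
REQUIRED = {L4_SRC_PORT, L4_DST_PORT, INPUT_SNMP, OUTPUT_SNMP}

# Constructed templates: the wrong record from the Cause section and the
# corrected one from the Resolution, as (field_type, field_length) pairs.
WRONG_RECORD = [
    (SRC_TOS, 1), (PROTOCOL, 1), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
    (TCP_SRC_PORT, 2), (TCP_DST_PORT, 2), (UDP_SRC_PORT, 2), (UDP_DST_PORT, 2),
    (INPUT_SNMP, 2),
    (IN_BYTES, 4), (IN_PKTS, 4), (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4),
]
FIXED_RECORD = [
    (SRC_TOS, 1), (PROTOCOL, 1), (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
    (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (INPUT_SNMP, 2), (OUTPUT_SNMP, 2),
    (IN_BYTES, 4), (IN_PKTS, 4), (FIRST_SWITCHED, 4), (LAST_SWITCHED, 4),
]


def build_v9_template_packet(template_id, fields):
    """Constructed test input: one NetFlow v9 export packet carrying a single
    template FlowSet (FlowSet ID 0). Real exporters resend these periodically."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    # Header: version, count, sysUptime, unixSecs, sequence, sourceId (20 bytes).
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + flowset


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template FlowSet in the packet. Data and options FlowSets are skipped."""
    version, _count = struct.unpack_from("!HH", packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        if flowset_id == 0:
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                fields = []
                for _ in range(field_count):
                    fields.append(struct.unpack_from("!HH", packet, pos))
                    pos += 4
                templates[template_id] = fields
        offset += length
    return templates


def missing_fields(fields):
    """Sorted list of REQUIRED field IDs absent from a template's field list."""
    present = {ftype for ftype, _flen in fields}
    return sorted(REQUIRED - present)


def check_packet(packet):
    """{template_id: [missing field IDs]} for every template in the packet."""
    return {tid: missing_fields(f) for tid, f in parse_v9_templates(packet).items()}


if __name__ == "__main__":
    for name, record in (("wrong", WRONG_RECORD), ("fixed", FIXED_RECORD)):
        pkt = build_v9_template_packet(256, record)
        print(name, check_packet(pkt))
```

On a real capture, pass the UDP payload of an export packet (for example exported from Wireshark) to `check_packet`. For the record in the Cause section it reports fields 7, 11 and 14 missing, which matches the fix: generic ports plus output interface. If a template still shows those IDs missing after the router change, the exporter has not yet resent its templates, which is why the article asks for a 20 minute wait before rechecking the console.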