Have been running NFA for a couple weeks and have some good data to review. It is collecting data from one cisco router that is using PAT - one IP represents all internal users (172.16.1.1 for the example). When I look at the IN Serial interface, it shows majority of the traffic is http. SO, I want to know who is receiving all this http traffic. I look at the OUT Ethernet interface which closely maps the protocol distribution. When I click on the Application tab and choose HTTP which is the highest, it displays the PATed address instead of showing me who the intended internal client is.
I cannot just look at the IN Ethernet interface because the amount of http traffic that is generated for a request is alot less than what is returned to the user.