Locating source of alerts

[einsibjarni]

I installed SO 2.4.110 on a spare server we had, and setup a port mirror (SPAN) for testing.

The port mirror is configured on one of our switches, and mirrors packets ingressing on of our VLAN's. It then outputs the mirrored packets to a dedicated VLAN that is trunked to another switch where it is egressed to the monitor port in SO.

I'm starting to get Alerts in SO, but most of them have source addresses in RFC1918 networks, which we don't use (all of our infra uses public IP addresses, IPv4 and IPv6). I suspect it's a VM or containers running amok, but I'm having a hard time locating the sources of the traffic.

I've looked for the IP addresses in Netdisco and aggregated logs and Netflow, but I've found nothing.
Do you have any hints on what I can do to try to locate the source of the traffic?

[einsibjarni]

Never mind... I'm an idiot :)

I had ran so-test and I didn't realise it imports a bunch of test PCAP data