Hi Folks,
I work for an ISP and we use a CCR1036-8G-2S running OS 6.33.5 running BGP to our peers.
Recently I set up Traffic Flow and it's being collected by an nfsen server. We can view the data using nfdump.
We can see destination traffic for unused subnets which is normal due to port scanners etc, but what is puzzling is I am seeing replies from IPs that don't exist.
I have looked using tcpdump and wireshark and the snooper on the CCR, I can't see any traffic from a source IP that doesn't exist on our network.
Here is an example.
I did a telnet from outside our network to an IP I know doesn't exist. I can see the packet coming into the CCR on tcpdump and wireshark, but nfdump shows replies from the unused IP address. I am baffled; is this an OS bug in Traffic Flow or the OS itself?
nfdump data when I telnet to a non-existent IP address from 109.106.103.26. The IP that isn't in use is 81.31.215.10.
nfdump says there was a packet sent back to 109.106.103.26 with a source IP of 81.31.215.10 but my test PC didn't see any response.
pnetadmin@NFSEN-Wireshark-Server:/data/nfsen/profiles-data/live/CCR1/2017/01/20$ nfdump -r nfcapd.201701201605 'src ip 81.31.215.10'
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-01-20 16:05:52.781 0.000 TCP 81.31.215.10:9221 -> 195.154.183.169:160 2 136 1
2017-01-20 16:06:41.631 0.000 TCP 81.31.215.10:23 -> 222.142.73.139:42827 2 136 1
2017-01-20 16:06:34.101 9.020 TCP 81.31.215.10:23 -> 109.106.103.26:48328 4 352 1
Thanks for reading folks,
Chris.
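Added example (not part of Chris's post): a small Python script that parses nfdump's default text output, as pasted above, and flags flows whose source address falls inside the ISP's own prefix but is not an address the ISP has actually assigned. The three flow lines are copied from the post; the prefix 81.31.215.0/24 and the assigned-address list are assumed placeholder values, since the post does not give them. Running something like this over each nfcapd file is a cheap way to see how often "phantom" sources show up and on which ports, before deciding whether the exporter or the router is at fault.

```python
import ipaddress

# Constructed copy of the nfdump output quoted in the post (header plus three flows).
NFDUMP_OUTPUT = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-01-20 16:05:52.781 0.000 TCP 81.31.215.10:9221 -> 195.154.183.169:160 2 136 1
2017-01-20 16:06:41.631 0.000 TCP 81.31.215.10:23 -> 222.142.73.139:42827 2 136 1
2017-01-20 16:06:34.101 9.020 TCP 81.31.215.10:23 -> 109.106.103.26:48328 4 352 1
"""

# Assumed values: the prefix the ISP announces and the addresses in it that are
# really assigned to hosts. Neither is stated in the post; these are placeholders.
OWN_PREFIX = "81.31.215.0/24"
ASSIGNED = {"81.31.215.1", "81.31.215.2", "81.31.215.5"}


def split_endpoint(endpoint):
    """Split nfdump's 'addr:port' column into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_nfdump(text):
    """Parse nfdump default-format flow lines; header, blank and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        # A flow line has exactly 10 whitespace-separated fields with '->' in the middle.
        if len(parts) != 10 or parts[5] != "->":
            continue
        src_ip, src_port = split_endpoint(parts[4])
        dst_ip, dst_port = split_endpoint(parts[6])
        flows.append({
            "start": f"{parts[0]} {parts[1]}",
            "duration": float(parts[2]),
            "proto": parts[3],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "packets": int(parts[7]), "bytes": int(parts[8]), "flows": int(parts[9]),
        })
    return flows


def phantom_sources(flows, prefix=OWN_PREFIX, assigned=ASSIGNED):
    """Return flows sourced from our own prefix by an address we never assigned."""
    net = ipaddress.ip_network(prefix)
    return [f for f in flows
            if f["src_ip"] in net and str(f["src_ip"]) not in assigned]


def summarize(flows):
    """Total packets per (source ip, source port), to show e.g. an unassigned
    address that appears to answer on port 23 to several different scanners."""
    totals = {}
    for f in flows:
        key = (str(f["src_ip"]), f["src_port"])
        totals[key] = totals.get(key, 0) + f["packets"]
    return totals


if __name__ == "__main__":
    phantoms = phantom_sources(parse_nfdump(NFDUMP_OUTPUT))
    for f in phantoms:
        print(f"{f['start']} {f['proto']} {f['src_ip']}:{f['src_port']} -> "
              f"{f['dst_ip']}:{f['dst_port']} packets={f['packets']}")
    for (ip, port), pkts in summarize(phantoms).items():
        print(f"unassigned source {ip} port {port}: {pkts} packets")
```

The same check can be fed from `nfdump -r nfcapd.<file> -o line` output piped into the script; if the flagged flows never appear in a packet capture on the CCR's interfaces, that points at the exporter's accounting rather than at a host actually answering.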