fprobe Only Collects One-Way Data

Problem

Running fprobe-1.1, feeding nfsen 1.3.6 using nfdump 1.6.6 on CentOS-5. The data is being collected on a port-mirrored port from a HP-5412zl switch. The mirrored port is the LAN side of my firewall.

My issue is that nfsen is only showing traffic which flows in one direction (from the internet into my LAN). However if I do a tcpdump on the eth that fprobe is listening to, it sees all traffic (inbound and outbound).

Does anyone have any idea why my flows are not being collected in both directions?

Discussion

I saw this issue once before. (Link) I had a 3Com 4900 which had a port with multiple VLANs sent to a port-mirror. Fprobe correctly collected all traffic in both directions from all VLANs involved. When that switch was replaced with a Dell 3448, I only saw a single direction (in that case, outbound-only) collected. I got around this issue by defining VLAN interfaces and attaching individual fprobe processes to each VLAN interface.

However in this case I'm not VLAN'd on this port at all. So I don't understand what is going wrong.

Update

So I messed around with tcpdump some more to see what was going on and I had some interesting results.

If I did my tcpdump as so:

# tcpdump -ni eth1 dst net $NET and not src net $NET

# tcpdump -ni eth1 src net $NET and not dst net $NET

If, however, I specified VLAN tagging:

# tcpdump -ni eth1 vlan and src net $NET and not dst net $NET

So clearly something weird is happening either on my network card or my switch. I'm tempted to think the former, because when I had this plugged into a different computer, the fprobe collection worked. The port-mirror has been unchanged. (Unfortunately I can't go back in time and see what was different about the old computer since it physically died.)

The man page for fprobe suggests I should be able to say -f "ip or vlan" to collect both vlan and non-vlan traffic, but fprobe barfs on this.

(13 November 2012):

So I found out that since the fprobe only collects one way, I have to have two fprobe instances:

/usr/local/sbin/fprobe -fvlan -K18 -i eth1 -e 120 -q 10240 $TARGET:9999
/usr/local/sbin/fprobe -fip -i eth1 -e 120 -q 10240 $TARGET:9998

I further refine this by creating a live nfsen profile that has appropriate src net and not dst net (etc) rules, and using that live profile as a basis for analysis.