During some flow analisys on SWE and CTR, I observed that some flows are been reported on the inverse direction, for example, there is a connection from an IP address located in Korea to my public IP address (located in Costa Rica). Checking this flow on CTR and SWE it seems the connection is been originated from my IP address, however, analizing the flow further, is clear that the flow originates from the Korean IP... this flow seems to be captured by a Flow Sensor located on the external network perimeter, and there is only one packet sourced from the Korean IP address.
Any hints about this behavior?
Some screenshots attached as reference.