Checking for valid HTTP POST traffic when no HTTP traffic seen on Monitor

Article ID: 159573


Products

Data Loss Prevention Network Monitor Data Loss Prevention

Issue/Introduction

HTTP traffic is shown in packet capture from the Monitor, but the Enforce console shows no traffic at all for the Monitor.

Resolution

First you'll need to download and install Wireshark (http://www.wireshark.org/) on the Network Monitor that should be receiving the traffic.

On Linux systems, you can install Wireshark to do a packet capture, but the built-in tool tcpdump will work, too. For details on using tcpdump, see TECH221427 (Use tcpdump to do a packet capture). Then open the packet capture created by tcpdump in Wireshark to filter it.

Open the capture in Wireshark, and apply the following display filter to show only HTTP POST requests:

http.request.method == "POST"

If no packets remain after applying the filter above, then no HTTP POST data is being seen. There is valid HTTP traffic, but none that DLP needs to examine; that is, the traffic contains only GET requests or HTTP responses.

Confirm that the SPAN or TAP is configured to send traffic of the correct type (and direction) to the Monitor.

When HTTP POSTs are seen in the captured packets, traffic will be reported. If the filter returns results, right-click any of the entries and choose "Follow TCP Stream". In this view you will see the specific HTTP POST data that was sent.
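The same check can be scripted when Wireshark's GUI is not convenient (for example, on a headless Monitor where only a tcpdump file is available). The example below is added here and is not Symantec code or part of this article: it is a minimal pcap reader that applies the same test as the display filter http.request.method == "POST", reassembles the client-to-server half of one TCP stream (the request side of "Follow TCP Stream"), and returns counts that map onto the decision described above, including the case where the SPAN/TAP is only sending the server-to-client direction. The capture, host name and IP addresses are constructed inside the script; on a real file, tshark with -Y 'http.request.method == "POST"' gives the equivalent filter.

```python
import struct

# Added example, not Symantec's code: a tiny pcap reader with the equivalent of
# Wireshark's http.request.method == "POST" filter. All packet data is constructed.


def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with placeholder MACs (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic pcap (magic 0xA1B2C3D4, link type 1 = Ethernet) holding the frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4                       # IP header length
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = 14 + ihl
        sport, dport, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
        doff = (frame[tcp + 12] >> 4) * 4                  # TCP header length
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        yield src, sport, dst, dport, seq, frame[tcp + doff:14 + total_len]


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def http_requests(pcap):
    """Segments whose payload begins with a request line (Wireshark's http.request)."""
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        if payload.startswith(HTTP_METHODS):
            yield {"method": payload.split(b" ", 1)[0].decode(), "src": src,
                   "sport": sport, "dst": dst, "dport": dport}


def post_requests(pcap):
    """The display filter http.request.method == "POST"."""
    return [r for r in http_requests(pcap) if r["method"] == "POST"]


def follow_stream(pcap, src, sport, dst, dport):
    """Client-to-server half of 'Follow TCP Stream': payloads joined in sequence order."""
    segs = sorted((seq, p) for s, sp, d, dp, seq, p in tcp_segments(pcap)
                  if (s, sp, d, dp) == (src, sport, dst, dport))
    return b"".join(p for _, p in segs)


def diagnose(pcap):
    """Counts that map onto the article's decision: requests, POSTs, responses."""
    requests = list(http_requests(pcap))
    responses = sum(1 for *_, p in tcp_segments(pcap) if p.startswith(b"HTTP/1."))
    posts = sum(1 for r in requests if r["method"] == "POST")
    if posts:
        verdict = "POST traffic present; Monitor should report it"
    elif responses and not requests:
        verdict = "only server-to-client traffic seen; check SPAN/TAP direction"
    elif requests or responses:
        verdict = "valid HTTP but no POSTs; nothing for DLP to inspect"
    else:
        verdict = "no HTTP traffic at all"
    return {"requests": len(requests), "posts": posts, "responses": responses, "verdict": verdict}


# Constructed capture: one GET, its response, and one POST whose body arrives
# in a second segment. Host name and addresses are placeholders.
POST_BODY = b"ssn=123-45-6789&x=1"
POST_HEAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: %d\r\n\r\n" % len(POST_BODY))
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 51000, 80, 1,
                 b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet("203.0.113.10", "10.0.0.5", 80, 51000, 1,
                 b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_packet("10.0.0.5", "203.0.113.10", 51001, 80, 1, POST_HEAD),
    build_packet("10.0.0.5", "203.0.113.10", 51001, 80, 1 + len(POST_HEAD), POST_BODY),
])

if __name__ == "__main__":
    print(diagnose(SAMPLE_PCAP))
    for r in post_requests(SAMPLE_PCAP):
        print(follow_stream(SAMPLE_PCAP, r["src"], r["sport"], r["dst"], r["dport"]).decode())
```

To run it against a real tcpdump file, replace SAMPLE_PCAP with the bytes read from that file (classic pcap format, not pcapng, with Ethernet framing). The verdict "only server-to-client traffic seen" is the scripted form of the SPAN/TAP direction check: responses without requests means the Monitor is never shown the POST bodies it needs to inspect.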

Also verify that the traffic feed the Monitor is receiving is clean. Use the Traffic Feed Analyzer Tool (TFAT) to check this. See TECH221639 (Checking for valid HTTP POST traffic when no HTTP traffic seen on Monitor) for details on how to use TFAT.