Hello,
if the unexpected traffic you're seeing is flooded unicast after CAM table flushes caused by STP topology changes ("TCs"), you can use the 'show spanning-tree detail' command to see where the last TC came from. I always use it with an RegExp which provides a handy output:
show spanning-tree detail | include exec|occur|from
It depends on the STP version which kind of events trigger TCs, so it would be interesting to know if you use RSTP or the legacy version or a mix of both. All Cisco or 3rd-party as well?
Often TCs are caused by ports to end devices without portfast configuration, so make sure that portfast is configured on all the edge ports.
If you see frequent changes in your STP topology, you could also enable 'spanning-tree logging' on your switches (or some of them) to track where the changes come from.
HTH
Rolf