Try running tcpview (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx).
It’s a better version of netstat that will show attempted as well
as established TCP/UDP sessions. I’ve used it myself recently to
find a process responsible for mystery traffic.
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jon Ziminsky
Sent: Wednesday, October 01, 2008 3:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Unexplained Netbios Traffic

I understand how NetBIOS works... This server has tried to contact 350
hosts since this morning... All completely random.
The two I posted were examples of the 1000+ packets it has generated thus far
today.
I have used ARIN to look up about 20 of the IPs and they are all over the
board... From China to Amsterdam to the US...
The server in question is behind the corporate firewall, and has no outward
facing ports. The firewall is blocking these packets before they leave the
network.
Attached is a snippet of the capture files, as I tried to post the entire file
and was told by the bot that my message was too big.