Phantom traffic from PDC
192.168.56.1 is in fact the host-only adapter address on a VirtualBox host machine. It is simply an interface on the host machine which can be accessed by virtual machines running on that host. No traffic from this subnet should ever appear on the physical LAN. A user on your LAN could have installed VirtualBox (or some other virtualization software) and installed a VM which is on the 192.168.56 network. If this network was routed to your local network (e.g. by enabling ICS on the host), the guest would be able to send traffic to your server. However, I would expect the traffic on the LAN to use the host machine's LAN IP, not a 192.168.56 address (because of ICS). You could do an arp -a for 192.168.56.1 and see if you get a MAC address for the device. If that returns a MAC, you could then use a MAC find utility to get the details of the network adapter. This might give you a clue to where the traffic came from.

Bill
August 21st, 2012 2:44am
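Bill's check, worked through as an added example (this is not code from the thread): a Python parser for Windows `arp -a` output that looks up the OUI of each cached MAC against a small embedded vendor table and tags the entries that belong to VirtualBox. The sample output and every address in it are constructed, and the two VirtualBox prefixes (08:00:27 for guest NICs, 0A:00:27 for the host-only adapter on Windows hosts) are assumptions from general VirtualBox usage rather than facts from this thread. One caveat worth keeping in mind: a server that is not on 192.168.56.0/24 hands those packets to its default gateway and never ARPs for 192.168.56.1, so its own cache will not hold that address; the places to run this are the gateway, a machine on that subnet, or a suspect host, where 192.168.56.1 shows up as a local `Interface:` header rather than as a cache entry.

```python
"""Parse Windows 'arp -a' output and tag entries whose MAC prefix belongs to VirtualBox.

Added example for the thread; not code from the thread. The sample output is
constructed and the OUI prefixes are assumptions from general VirtualBox usage.
"""
import re

# Constructed 'arp -a' output from a hypothetical Windows host that runs VirtualBox.
SAMPLE_ARP_OUTPUT = """\

Interface: 192.168.56.1 --- 0xb
  Internet Address      Physical Address      Type
  192.168.56.101        08-00-27-3c-9d-1e     dynamic
  192.168.56.255        ff-ff-ff-ff-ff-ff     static

Interface: 10.0.0.25 --- 0xc
  Internet Address      Physical Address      Type
  10.0.0.1              00-1b-21-aa-bb-cc     dynamic
  10.0.0.7              0a-00-27-00-00-0b     dynamic
"""

# Minimal OUI table keyed by the first three octets (uppercase, colon separated).
# Assumptions, not facts from the thread: 08:00:27 is the OUI VirtualBox assigns to
# guest NICs; 0A:00:27 is the locally administered prefix its host-only adapter uses
# on Windows hosts; 00:1B:21 is an Intel prefix included as a non-virtual contrast.
OUI_TABLE = {
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox guest NIC)",
    "0A:00:27": "VirtualBox host-only adapter",
    "00:1B:21": "Intel Corporate",
}

INTERFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"              # IP address
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+"  # MAC, dash or colon separated
    r"(\w+)"                                         # dynamic / static
)


def normalize_mac(mac):
    """Canonical form so lookups do not depend on Windows' dash separators."""
    return mac.replace("-", ":").upper()


def local_interfaces(text):
    """IPs listed as 'Interface:' headers, i.e. addresses the queried machine itself owns."""
    found = []
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def parse_arp(text):
    """Return one dict per cache entry, remembering which local interface it was seen on."""
    entries, iface = [], None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": normalize_mac(m.group(2)), "type": m.group(3)})
    return entries


def lookup_oui(mac):
    """Vendor for the MAC's first three octets, or None if not in the embedded table."""
    return OUI_TABLE.get(normalize_mac(mac)[:8])


def find_mac_for_ip(text, ip):
    """Bill's check: the MAC cached for an IP, or None when the cache has no entry for it."""
    for entry in parse_arp(text):
        if entry["ip"] == ip:
            return entry["mac"]
    return None


def find_virtualbox_entries(text):
    """Cache entries whose OUI is one of the VirtualBox prefixes, with the vendor attached."""
    found = []
    for entry in parse_arp(text):
        vendor = lookup_oui(entry["mac"]) or ""
        if "VirtualBox" in vendor:
            found.append(dict(entry, vendor=vendor))
    return found


if __name__ == "__main__":
    print("local interfaces:", local_interfaces(SAMPLE_ARP_OUTPUT))
    print("MAC for 192.168.56.1:", find_mac_for_ip(SAMPLE_ARP_OUTPUT, "192.168.56.1"))
    for entry in find_virtualbox_entries(SAMPLE_ARP_OUTPUT):
        print(entry)
```

On a real network the embedded table should be replaced with the full IEEE OUI registry; the point of the example is the workflow (parse the cache, normalise the MAC, match the prefix) rather than the three rows it carries.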

Hi Ben, Thank you for the post. You may use some network scan tool (like Nmap) to scan your subnet filtered by port TCP 2969 or 2970. http://seclists.org/nmap-dev/2012/q3/137 If there are more inquiries on this issue, please feel free to let us know.

Regards, Rick Tan, TechNet Community Support
August 22nd, 2012 3:58am

Hi Rick, Thank you for the suggestion. I used nmap to scan the subnet filtered by TCP 2969 and 2970. For most of the systems scanned, nmap lists the ports as "filtered". I believe this is because most of the systems have firewall software. -Ben
August 22nd, 2012 1:36pm

I refreshed the computer inventory and found a system running VirtualBox. I am not sure how it happened, but I think this system is responsible for the "phantom" network traffic from the PDC. Thanks again for the help, -Ben
August 22nd, 2012 2:17pm


Thank you for the suggestion. I forgot to mention that I checked the output of "arp -a" and it did not include any addresses on the 192.168.x.x subnet. -Ben
September 1st, 2012 12:48pm

Good afternoon, I noticed unusual network traffic from the PDC at work, which runs Active Directory on Windows Server 2003 R2. It started earlier this month. About every 15 minutes it sends NetBIOS traffic to 192.168.56.1. Because the server is not on this subnet, it uses the default gateway. The router blocks the traffic and it shows up in my reports.

* Some of the traffic is on UDP port 137.
* Some of the traffic is sent from TCP port 139 to TCP ports 2969 and 2970.

I rebooted the server, but it continues to send this unusual network traffic. I searched for "192.168.56" in DNS, the registry, and the Windows event log, but I did not find anything. I know the hour and day that this traffic began, but I did not find any relevant events from that time. I did not change the server configuration. An Internet search reveals that 192.168.56.1 is the default router for VirtualBox, but I am not aware of anyone using VirtualBox on this network. I would like to know why the server is sending NetBIOS traffic to 192.168.56.1. What would be a good tool for this job? Thanks in advance, -Ben
September 1st, 2012 6:54pm
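The symptom in Ben's question (NetBIOS to an off-subnet address, roughly every 15 minutes, UDP 137 plus TCP 139 to ports 2969 and 2970) can be mined straight out of the router's block log. The following is an added example and not a tool from the thread: it parses constructed block-log lines in a simple format, groups them by source/destination pair, measures the interval between bursts, and tags destinations that fall inside the default VirtualBox host-only network 192.168.56.0/24. The log format, the server address 10.0.0.5 and the LAN 10.0.0.0/24 are assumptions. A TCP packet from port 139 to a high port is the server's half of a NetBIOS session, so the peer at the high port most likely opened that session; the classifier records that, because it points the hunt at whichever machine is putting 192.168.56.1 on the wire as a source address rather than at the server that answers it.

```python
"""Find periodic, off-subnet NetBIOS traffic in router block logs.

Added example; the log lines are constructed to match the symptoms described in the
thread (UDP 137 and TCP 139 -> 2969/2970 toward 192.168.56.1 about every 15 minutes),
not real router output. Addresses 10.0.0.5 and 10.0.0.0/24 are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import statistics

# Constructed sample in a "<date> <time> DROP <src>:<sport> -> <dst>:<dport> <proto>" format.
SAMPLE_LOG = """\
2012-08-15 09:00:03 DROP 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-15 09:00:04 DROP 10.0.0.5:139 -> 192.168.56.1:2969 TCP
2012-08-15 09:00:04 DROP 10.0.0.5:139 -> 192.168.56.1:2970 TCP
2012-08-15 09:15:02 DROP 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-15 09:15:03 DROP 10.0.0.5:139 -> 192.168.56.1:2969 TCP
2012-08-15 09:30:05 DROP 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-15 09:30:06 DROP 10.0.0.5:139 -> 192.168.56.1:2970 TCP
2012-08-15 09:45:01 DROP 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-15 09:12:40 DROP 10.0.0.31:51234 -> 8.8.8.8:53 UDP
"""

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: the site LAN
# 192.168.56.0/24 is the default VirtualBox host-only network; .1 is the host's address on it.
KNOWN_VIRTUAL_NETS = {ipaddress.ip_network("192.168.56.0/24"): "VirtualBox host-only default"}


@dataclass
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text):
    """Parse the constructed format above; lines of any other shape are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[4] != "->":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src, sport = parts[3].rsplit(":", 1)
        dst, dport = parts[5].rsplit(":", 1)
        flows.append(Flow(ts, ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), parts[6]))
    return flows


def classify(flow):
    """Name the NetBIOS role of a flow; 137 is the name service, 139 the session service."""
    if flow.proto == "UDP" and flow.dport == 137:
        return "netbios-ns query"
    if flow.proto == "TCP" and flow.sport == 139 and flow.dport >= 1024:
        # Source port 139 toward a high port is the server's side of a session; the
        # peer at the high port opened it, so the peer is the host to look for.
        return "netbios-ssn reply to session opened by dst"
    return "other"


def is_off_subnet(addr):
    """Private address that belongs to none of our own subnets: it should never be routed here."""
    return addr.is_private and not any(addr in net for net in LOCAL_NETS)


def periodic_destinations(flows, min_hits=3):
    """Group by (src, dst) and report off-subnet private destinations hit at a steady interval."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_off_subnet(f.dst):
            by_pair[(f.src, f.dst)].append(f)
    report = {}
    for (src, dst), fl in by_pair.items():
        # One timestamp per minute bucket so a burst of several packets counts as one beat.
        beats = sorted({f.ts.replace(second=0) for f in fl})
        if len(beats) < min_hits:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(beats, beats[1:])]
        report[(str(src), str(dst))] = {
            "hits": len(fl),
            "median_gap_min": statistics.median(gaps),
            "roles": sorted({classify(f) for f in fl}),
            "hint": next((v for n, v in KNOWN_VIRTUAL_NETS.items() if dst in n), None),
        }
    return report


if __name__ == "__main__":
    for pair, info in periodic_destinations(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

Run against the constructed lines it reports one pair, 10.0.0.5 to 192.168.56.1, with a median gap of 15 minutes, both NetBIOS roles present, and the VirtualBox hint; the DNS line to 8.8.8.8 is ignored because a public destination is not off-subnet private space. The timer (15 minutes) is the part that survives a reboot, as Ben observed, so the same report run after the reboot tells you whether anything changed.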

