Phantom traffic from PDC
Good afternoon, I noticed unusual network traffic from the PDC at work, which runs Active Directory on Windows Server 2003 R2. It started earlier this month. About every 15 minutes it sends NetBIOS traffic to 192.168.56.1. Because the server is not on this subnet, it uses the default gateway. The router blocks the traffic and it shows up in my reports.

* Some of the traffic is on UDP port 137.
* Some of the traffic is sent from TCP port 139 to TCP ports 2969 and 2970.

I rebooted the server, but it continues to send this unusual network traffic. I searched for "192.168.56" in DNS, the registry, and the Windows event log, but I did not find anything. I know the hour and day that this traffic began, but I did not find any relevant events from that time. I did not change the server configuration. An Internet search reveals that 192.168.56.1 is the default router for VirtualBox, but I am not aware of anyone using VirtualBox on this network. I would like to know why the server is sending NetBIOS traffic to 192.168.56.1. What would be a good tool for this job? Thanks in advance, -Ben
August 21st, 2012 1:46am
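An added example, not from the thread, of the kind of check that would surface this pattern from the router's block reports: it parses constructed deny-log lines in an assumed format (host 10.0.0.5 stands in for the PDC) and flags any NetBIOS flow that beacons to one destination at a roughly fixed interval.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of router deny-log lines (assumed format, not from the thread):
# "<date> <time> DENY <src>:<sport> -> <dst>:<dport> <proto>". Host 10.0.0.5 plays
# the PDC, beaconing NetBIOS to 192.168.56.1 every 15 minutes; 10.0.0.42 is noise.
SAMPLE_LOG = """\
2012-08-21 13:00:02 DENY 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-21 13:00:02 DENY 10.0.0.5:139 -> 192.168.56.1:2969 TCP
2012-08-21 13:00:03 DENY 10.0.0.5:139 -> 192.168.56.1:2970 TCP
2012-08-21 13:05:11 DENY 10.0.0.42:5353 -> 224.0.0.251:5353 UDP
2012-08-21 13:15:01 DENY 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-21 13:15:02 DENY 10.0.0.5:139 -> 192.168.56.1:2969 TCP
2012-08-21 13:30:04 DENY 10.0.0.5:137 -> 192.168.56.1:137 UDP
2012-08-21 13:45:00 DENY 10.0.0.5:137 -> 192.168.56.1:137 UDP
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) DENY (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>UDP|TCP)$")
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services

def parse(log_text):
    """Yield (timestamp, src, dst, sport, dport) for every well-formed DENY line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["sport"]), int(m["dport"]))

def periodic_netbios(log_text, period=timedelta(minutes=15),
                     tolerance=timedelta(seconds=30), min_beacons=3):
    """Return {(src, dst): [beacon times]} for NetBIOS flows recurring about every
    `period`; packets within `tolerance` of each other collapse into one beacon."""
    flows = defaultdict(list)
    for ts, src, dst, sport, dport in parse(log_text):
        if sport in NETBIOS_PORTS or dport in NETBIOS_PORTS:
            flows[(src, dst)].append(ts)
    found = {}
    for key, times in flows.items():
        times.sort()
        beacons = [times[0]]  # the UDP 137 / TCP 139 burst counts as one event
        for t in times[1:]:
            if t - beacons[-1] > tolerance:
                beacons.append(t)
        gaps = [b - a for a, b in zip(beacons, beacons[1:])]
        if len(beacons) >= min_beacons and all(abs(g - period) <= tolerance for g in gaps):
            found[key] = beacons
    return found
```

Once a flow is flagged this way, the source host and the exact start time are known, which narrows the search through inventory and event logs that the thread describes.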

Thank you for the suggestion. I forgot to mention that I checked the output of "arp -a" and it did not include any addresses on the 192.168.x.x subnet. -Ben
August 21st, 2012 7:47pm

Hi Ben, Thank you for the post. You may use some network scan tool (like Nmap) to scan your subnet filtered by port TCP 2969 or 2970. http://seclists.org/nmap-dev/2012/q3/137 If there are more inquiries on this issue, please feel free to let us know. Regards, Rick Tan, TechNet Community Support
August 22nd, 2012 10:58am

Hi Rick, Thank you for the suggestion. I used nmap to scan the subnet filtered by TCP 2969 and 2970. For most of the systems scanned, nmap lists the ports as "filtered". I believe this is because most of the systems have firewall software. -Ben
August 22nd, 2012 8:36pm

I refreshed the computer inventory and found a system running VirtualBox. I am not sure how it happened, but I think this system is responsible for the "phantom" network traffic from the PDC. Thanks again for the help, -Ben
August 22nd, 2012 9:17pm
