Wireshark-users: Re: [Wireshark-users] Unexplained Netbios Traffic
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 1 Oct 2008 12:55:21 -0700

On Oct 1, 2008, at 12:29 PM, Jon Ziminsky wrote:

> It is a filtered capture. I set the Capture filter to only grab packets from the source that do not have a destination inside my network.
>
> capture filter:
> src 192.168.1.23 and not dst net 192.168.0.0 mask 255.255.0.0

So the only ones were NBNS NBSTAT packets? I don't know how DNS is configured on the machine, but if it were trying to do reverse DNS lookups, I'd expect to see packets going to a server for the .arpa domain, which isn't likely to be inside your network. :-)

There might be tools that work on Windows Server 2000 (Network Monitor 3.2 apparently won't) that can identify the process from which particular packets came; I don't know what tools would do that.
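
The distinction drawn in the reply above, between NBNS NBSTAT queries and reverse DNS lookups under .arpa, can be checked mechanically on UDP payloads exported from a capture. This is an added example, not part of the original post; the function names and sample payloads are constructed for illustration, and the layouts follow RFC 1001/1002 (NBNS) and RFC 1035 (DNS).

```python
import struct

NBSTAT, PTR = 0x0021, 12  # question types: NetBIOS node status, DNS pointer

def decode_nb_name(enc: bytes) -> str:
    """Undo NetBIOS first-level encoding (each byte split into two nibbles + 'A')."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b"\x00 ").decode("latin-1")

def read_qname(payload: bytes, off: int = 12):
    """Return (labels, offset past the terminator) of the first question name."""
    labels = []
    while payload[off] != 0:
        n = payload[off]
        if n & 0xC0 or off + 1 + n > len(payload):
            raise ValueError("compressed or truncated name")
        labels.append(payload[off + 1:off + 1 + n])
        off += 1 + n
    return labels, off + 1

def classify(dst_port: int, payload: bytes) -> str:
    """Label one UDP query payload as nbstat, reverse-dns, other or malformed."""
    try:
        flags, qdcount = struct.unpack("!HH", payload[2:6])
        if flags & 0x8000 or qdcount < 1:      # skip responses and empty questions
            return "other"
        labels, off = read_qname(payload)
        (qtype,) = struct.unpack("!H", payload[off:off + 2])
        if dst_port == 137 and qtype == NBSTAT and len(labels) == 1 and len(labels[0]) == 32:
            return "nbstat:" + decode_nb_name(labels[0])
        if dst_port == 53 and qtype == PTR:
            name = b".".join(labels).decode("ascii", "replace").lower()
            if name.endswith(".in-addr.arpa"):
                return "reverse-dns:" + name
        return "other"
    except (IndexError, struct.error, ValueError):
        return "malformed"

def wire(name: bytes) -> bytes:
    """Encode a dotted name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"

# Constructed sample payloads (not taken from the capture discussed above).
SAMPLE_NBSTAT = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + wire(b"CK" + b"A" * 30) + struct.pack("!HH", NBSTAT, 1)
SAMPLE_PTR = struct.pack("!6H", 0x5678, 0x0100, 1, 0, 0, 0) + wire(b"10.2.0.192.in-addr.arpa") + struct.pack("!HH", PTR, 1)

if __name__ == "__main__":
    for port, pkt in ((137, SAMPLE_NBSTAT), (53, SAMPLE_PTR)):
        print(port, classify(port, pkt))
```

The wildcard name `*` in the first sample is what a node status query carries when the sender knows only the target's address and not its NetBIOS name.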