I have a system which appears to be sending packets to 223.1.128, which sounds like a Sonicwall VPN address (per stuff found on the internet) - but there is no sonicwall software installed on the box. It fires from TCP port 139 to a random destination port in the 1000-1500 range.
It happens very regularly - but not exact - at about 20 second intervals.
Netstat shows no reference to a 223 address (netstat -abnv | find "223")
Thoughts? Any idea on how to track such an animal down?