To me it sounds like normal netbios browser election traffic. Try turning off netbios over tcp/ip if this concerns you and there is no ill-effect on the clients’ ability to perform standard network tasks.
You can also use Sysinternals Procmon tool to look at the running processes on these client computers and see which process has a tcp connection (3-way handshake completed) to the destination of interest.
Also, <a href=”http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx”>Sysinternals TCPView</a> could help you identifying the process that is generating such traffic.
Exactly! I would have added “on client machine, scan registry for IP address of destination machine to confirm,” but I’d suspect an annoying NB browser election, not malware. Fix with client reconfiguration.