I'm trying to find out why every morning from 2am to 3:45am some
machine on our LAN is sending consistent data to a machine on our DMZ.
I'm looking through our router's logs (IPCop distro), and in the
process found something odd I don't understand.
We have several WinXP machines, and the packets they sent yesterday all
seem legit... except for this block listed below:

From 192.168.0.11 - 9 packets
  To 100.100.100.102 - 9 packets
    Service: netwatcher-mon (tcp/3203) (NEW not SYN?,eth0,eth2) - 3 packets
    Service: neon24x7 (tcp/3213) (NEW not SYN?,eth0,eth2) - 3 packets
    Service: isi-irp (tcp/3226) (NEW not SYN?,eth0,eth2) - 3 packets
From 192.168.0.13 - 11 packets
  To 38.113.212.207 - 1 packet
    Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 1 packet
  To 38.113.212.226 - 1 packet
    Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 1 packet
  To 38.113.212.239 - 1 packet
    Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 1 packet
  To 38.113.212.243 - 1 packet
    Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 1 packet
  To 209.8.50.38 - 7 packets
    Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 7 packets
From 192.168.0.14 - 266 packets
  To 100.100.100.102 - 266 packets
    Service: tl1-lv (tcp/3081) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: pcihreq (tcp/3085) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ptk-alink (tcp/3089) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: rapidmq-center (tcp/3093) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: 3097 (tcp/3097) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: hp-pxpib (tcp/3101) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: cardbox (tcp/3105) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: personnel (tcp/3109) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: cs-auth-svr (tcp/3113) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: mctet-jserv (tcp/3117) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: 3121 (tcp/3121) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: a13-an (tcp/3125) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: netport-id (tcp/3129) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: prism-deploy (tcp/3133) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: jpegmpeg (tcp/3155) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: navegaweb-port (tcp/3159) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: spandataport (tcp/3193) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: embrace-dp-s (tcp/3197) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: vx-auth-port (tcp/3207) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: unite (tcp/3217) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: esp-lm (tcp/3383) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: hotu-chat (tcp/3449) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: gbs-stp (tcp/3484) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ibm3494 (tcp/3494) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: dashpas-port (tcp/3498) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: interactionweb (tcp/3508) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ecmport (tcp/3524) (NEW not SYN?,eth0,eth2) - 2 packets
    Service: urld-port (tcp/3534) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ibm-diradm (tcp/3538) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: hacl-monitor (tcp/3542) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: 3546 (tcp/3546) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ssmpp (tcp/3550) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: emprise-lls (tcp/3585) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: comcam-io (tcp/3605) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: cpdi-pidas-cm (tcp/3609) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: alaris-disc (tcp/3613) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: sharp-server (tcp/3617) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: ep-nsp (tcp/3621) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: volley (tcp/3625) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: escvpnet (tcp/3629) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: wacp (tcp/3633) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: scservp (tcp/3637) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: netplay-port2 (tcp/3641) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: cyc (tcp/3645) (NEW not SYN?,eth0,eth2) - 6 packets
    Service: nmmp (tcp/3649) (NEW not SYN?,eth0,eth2) - 6 packets

192.168.0.11 and 192.168.0.14 are sending packets to a "reserved" IP.
192.168.0.11 is odd, but 192.168.0.14 is sending 6 packets apiece
through services that it really shouldn't be! I know that
100.100.100.102 IP is a reserved IP, but when I ping it on any machine,
it actually resolves! To our upstream ISP. Weird, but I guess not
suspicious.
I did a spyware and virus check on 192.168.0.14 but it didn't come up
with anything.
I did a search for that IP address to see if it's commonly connected to
some trojan or something, nothing.

Can someone give me an idea where to go from here in checking out what
may be going on with 192.168.0.14?
I'd appreciate any direction!
-Liam
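
A triage aid for a summary like the one in the post above, added here as an example and not part of the original message: it rejoins mail-wrapped lines, groups the "Service" entries per source/destination pair, and flags pairs that touch many distinct ports, reporting whether the per-port packet count is uniform and how the ports are spaced. The sample input is constructed in the same shape as the posted log, and the function names and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's summary (last entry left mail-wrapped).
SAMPLE = """\
From 192.168.0.13 - 1 packet
To 38.113.212.207 - 1 packet
Service: http (tcp/80) (NEW not SYN?,eth0,eth2) - 1 packet
From 192.168.0.14 - 24 packets
To 100.100.100.102 - 24 packets
Service: tl1-lv (tcp/3081) (NEW not SYN?,eth0,eth2) - 6 packets
Service: pcihreq (tcp/3085) (NEW not SYN?,eth0,eth2) - 6 packets
Service: ptk-alink (tcp/3089) (NEW not SYN?,eth0,eth2) - 6 packets
Service: rapidmq-center (tcp/3093) (NEW not SYN?,eth0,eth2) -
6 packets
"""
SERVICE = re.compile(r"Service: \S+ \((?:tcp|udp)/(\d+)\) \([^)]*\) - (\d+) packets?")

def parse(text):
    """Return {(src, dst): {port: packets}} from the summary text."""
    lines = []
    for s in filter(None, map(str.strip, text.splitlines())):
        # A line that does not start a record is the wrapped tail of the previous one.
        if s.startswith(("From ", "To ", "Service: ")) or not lines:
            lines.append(s)
        else:
            lines[-1] += " " + s
    flows, src, dst = defaultdict(dict), None, None
    for line in lines:
        if line.startswith("From "):
            src = line.split()[1]
        elif line.startswith("To "):
            dst = line.split()[1]
        elif (m := SERVICE.match(line)):
            flows[(src, dst)][int(m.group(1))] = int(m.group(2))
    return dict(flows)

def triage(flows, min_ports=4):
    """Flag pairs touching >= min_ports distinct ports (threshold is an assumption)."""
    out = []
    for (src, dst), ports in sorted(flows.items()):
        if len(ports) >= min_ports:
            nums = sorted(ports)
            out.append({"src": src, "dst": dst, "ports": len(nums),
                        "packets": sum(ports.values()),
                        "uniform_count": len(set(ports.values())) == 1,
                        "port_steps": sorted({b - a for a, b in zip(nums, nums[1:])})})
    return out
```

"NEW not SYN?" is the firewall's label for TCP packets that belong to no tracked connection yet lack the SYN flag, so a flagged pair tells you which host, ports and time window to capture next, not what the traffic is.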