Need help: find a local Virtual Machine that's sending packets?

I'm getting 1000s of log entries like the following:

%PIX-3-305005: No translation group found for udp src inside-HBG:192.168.57.134(unresolved)/137 dst outside-HBG:192.168.255.255(unresolved)/137

The only machines that use 192.168.x.x in our network are VMware images.

When I do a SH Arp, the 192.168.57.134 address is not in the list. I'm guessing it's because it's using the local host NIC's 10.1.x.x address.

How can I track down this IP address to its source?

Thanks, Scott

Scott Townsend

Trendkill

Then how is the PIX seeing the broadcast packet? What would the MAC address be?

This is falling under the 'Love Of networking' guys situation...

Scott Townsend

Technically I believe a broadcast is sent to all local network hosts, and only has its source MAC, not IP. For example, when a station broadcasts for an IP address, it sends a broadcast but has no IP, therefore it only has a source MAC address. I wouldn't think the host server should forward a VM broadcast, but I know you can also configure VM hosts as DHCP clients, so maybe they did some creative things to internal server networking. In short, perhaps someone else can take a stab here as I'm not sure how your PIX is seeing it... but your router will definitely not have an ARP entry as it did not route the packet off of the 192 network, the server did. Therefore when it reaches the router, the packet should be sourced from the 10.x IP and MAC.

Trendkill

Yeah, I didn't look at any of the router ARP tables, just the PIX's

Scott

>> Then how is the PIX seeing the Broadcast Packet? What would the MAC
>> Address

Scott Townsend

Another reason your server may be forwarding it out is the broadcast address itself. I thought that those boxes were 192.168.0.0/24 addresses, and if your host machine sends a packet to 192.168.255.255, then the host must think it is in a /16, and therefore the server must be forwarding it to its default gateway. Either way something seems odd there...

Trendkill

Well, check the router ARP tables and maybe you just have a lost box... but if it's a true vmhost, I think you won't see anything... but I have been known to be wrong from time to time. ;-)

Trendkill

In an ARP request, which is a layer 2 broadcast, the requester does include its IP address in the ARP request. If you could sniff the traffic and see the ARP requests then you could see the requester's IP.

Brad
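
What sniffing the segment yields, as an added example that is not part of the thread: the sketch below reads raw Ethernet frames, pulls the sender MAC and IP out of ARP and IPv4 traffic, and reports which MACs are using 192.168.x.x source addresses, flagging OUIs registered to VMware. The frames, the MAC addresses and every address other than those in the log line are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

# OUIs registered to VMware; a match suggests a virtual NIC.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def sender_of(frame):
    """Return (source MAC, source IP) of an ARP or IPv4 Ethernet II frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    body = frame[14:]
    if ethertype == 0x0806 and len(body) >= 28:   # ARP: sender MAC and IP are in the payload
        return fmt_mac(body[8:14]), socket.inet_ntoa(body[14:18])
    if ethertype == 0x0800 and len(body) >= 20:   # IPv4: MAC from Ethernet header, IP from IP header
        return fmt_mac(frame[6:12]), socket.inet_ntoa(body[12:16])
    return None

def locate(frames, prefix="192.168."):
    """Map each source IP under `prefix` to the MACs seen using it."""
    seen = defaultdict(set)
    for frame in frames:
        hit = sender_of(frame)
        if hit and hit[1].startswith(prefix):
            seen[hit[1]].add(hit[0])
    return {addr: sorted(macs) for addr, macs in seen.items()}

def is_vmware(mac):
    return mac[:8] in VMWARE_OUIS

# --- Constructed sample frames (not captured from the poster's network) ---
def _eth(dst, src, ethertype, body):
    return bytes.fromhex(dst + src) + struct.pack("!H", ethertype) + body

_VM, _HOST, _BCAST = "000c29aabbcc", "001122334455", "ffffffffffff"
_arp = (bytes.fromhex("0001080006040001" + _VM) + socket.inet_aton("192.168.57.134")
        + bytes(6) + socket.inet_aton("192.168.57.2"))
_nbns = (bytes.fromhex("4500001c0000000080110000") + socket.inet_aton("192.168.57.134")
         + socket.inet_aton("192.168.255.255") + bytes.fromhex("0089008900080000"))
_other = (bytes.fromhex("4500001c0000000080110000") + socket.inet_aton("10.1.0.20")
          + socket.inet_aton("10.1.0.1") + bytes.fromhex("0089008900080000"))
SAMPLE = [_eth(_BCAST, _VM, 0x0806, _arp), _eth(_BCAST, _VM, 0x0800, _nbns),
          _eth(_BCAST, _HOST, 0x0800, _other), b"\x00" * 10]

if __name__ == "__main__":
    for addr, macs in locate(SAMPLE).items():
        for m in macs:
            print(addr, m, "VMware OUI" if is_vmware(m) else "")
```

The MAC is the originating NIC only when the capture point is on the same layer-2 segment as the sender; once you have it, the switch's MAC address table gives the port.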
