Wake-on-LAN – Computer Booting Due to Untraceable Wake-on-LAN Packet

Tags: wake-on-lan, wireshark

There is a desktop computer in our LAN that keeps booting almost every time seconds after it has been turned off manually.

I suspected it was a Wake-on-LAN issue from the beginning, and it looks like it: the problem disappears if the ethernet cable is disconnected before turning the computer off. Also, although the BIOS does not have a specific option to disable WOL, it has a power saving option that switches off the network card when the computer is not running, and this solves the problem too.

The thing is, I cannot find out who is sending the WOL packets. I am sniffing the whole LAN with Wireshark using the capture filter "ether proto 0x0842 or udp", as suggested in http://wiki.wireshark.org/WakeOnLAN, and it does not detect anything. But when I manually send WOL packets from different computers on the network, Wireshark does catch those packets.

I don't see anything weird when capturing all traffic to and from this computer either.

UPDATE

This "Wake on Pattern Match" option is enabled on the computer. According to https://superuser.com/questions/560175/what-is-wake-on-pattern-match-in-network-card-preferences the default patterns are: magic packet, NetBIOS name query, TCPv4 SYN, TCPv6 SYN, IPv6 Neighbour Solicitation.

The other PCs have this option enabled too, but they do not randomly wake up. I am going to check if this computer is receiving any of these.

(Screenshot: Power Management options of the computer)

Best Answer

Mystery solved.

The Windows 7 computer was continuously receiving TCP SYN packets to port 9100 from another computer in the same LAN, and woke up as a result whenever "Wake on Pattern Match" was activated.

This port is used by network printers. The IP address of the Windows 7 computer previously belonged to a long-since discarded HP printer.

The computer sending the packets is old, and it is always on because it is sometimes used to run software that only works on Windows XP. This computer still had the old network printer configured, pointing to the local IP address that now belongs to the Windows 7 computer with the problem. There were still documents in the print queue, so the Windows XP computer was continuously sending TCP SYN packets to the Windows 7 computer, thinking it was the network printer. Removing the old printer from Windows XP, together with its associated TCP/IP Printer Port, solved the problem.

I could not catch this traffic between both computers from mine using Wireshark. I had to install it on the affected computer and run it with promiscuous mode disabled.
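The answer above explains why the capture filter from the question never showed the culprit: "ether proto 0x0842 or udp" only matches raw WOL frames and UDP, while the Windows NIC's default "Wake on Pattern Match" list also fires on a plain TCP SYN. The script below is an added example, not code from either poster: it parses Ethernet/IPv4/IPv6 frames with the standard library, reports which default wake pattern (magic packet, NetBIOS name query, TCPv4 SYN, TCPv6 SYN, IPv6 Neighbour Solicitation) a frame would trigger, and also evaluates the question's capture filter against the same frame. The MAC and IP addresses, the print-job SYN and the magic packet are constructed sample data; IP and TCP checksums are left at zero because nothing here validates them, and IPv6 extension headers are not walked. Note also that on a switched LAN a third machine does not see unicast traffic between two other ports unless the switch mirrors them, which is why the capture had to run on the affected host itself.

```python
import struct

ETH_P_IP, ETH_P_IPV6, ETH_P_WOL = 0x0800, 0x86DD, 0x0842
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6 = 6, 17, 58
TCP_SYN, TCP_ACK = 0x02, 0x10
ICMPV6_NEIGHBOR_SOLICIT, NETBIOS_NS_PORT = 135, 137


def is_magic_payload(payload, target_mac):
    """WOL magic payload: six 0xFF bytes, then the target MAC repeated 16 times."""
    return payload[:6] == b"\xff" * 6 and payload[6:102] == target_mac * 16


def classify_wake_pattern(frame, target_mac):
    """Return (pattern, detail) for the default Wake-on-Pattern-Match rule the
    frame would trigger on the host with target_mac, or None if it matches none."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type == ETH_P_WOL and is_magic_payload(frame[14:], target_mac):
        return ("magic packet (EtherType 0x0842)", "")
    if eth_type == ETH_P_IP:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]                     # IPv4 protocol field
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13]
            if flags & TCP_SYN and not flags & TCP_ACK:   # SYN only, not SYN/ACK
                return ("TCPv4 SYN", f"{src}:{sport} -> {dst}:{dport}")
        elif proto == IPPROTO_UDP:
            sport, dport = struct.unpack("!HH", l4[:4])
            if is_magic_payload(l4[8:], target_mac):
                return ("magic packet (UDP)", f"{src}:{sport} -> {dst}:{dport}")
            if dport == NETBIOS_NS_PORT:
                return ("NetBIOS name query", f"{src} -> {dst}")
    elif eth_type == ETH_P_IPV6:
        next_hdr, l4 = frame[20], frame[54:]  # fixed 40-byte IPv6 header assumed
        if next_hdr == IPPROTO_TCP and l4[13] & TCP_SYN and not l4[13] & TCP_ACK:
            return ("TCPv6 SYN", "")
        if next_hdr == IPPROTO_ICMPV6 and l4[0] == ICMPV6_NEIGHBOR_SOLICIT:
            return ("IPv6 Neighbour Solicitation", "")
    return None


def matches_wol_capture_filter(frame):
    """Emulate the question's Wireshark capture filter: ether proto 0x0842 or udp."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type == ETH_P_WOL:
        return True
    if eth_type == ETH_P_IP:
        return frame[23] == IPPROTO_UDP
    if eth_type == ETH_P_IPV6:
        return frame[20] == IPPROTO_UDP
    return False


# --- constructed frame builders (checksums left at 0, filler seq/ack/id) ---
def eth(dst_mac, src_mac, eth_type, payload):
    return dst_mac + src_mac + struct.pack("!H", eth_type) + payload


def ipv4(src_ip, dst_ip, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, src_ip, dst_ip)
    return hdr + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample addresses (not the poster's real ones).
XP_MAC, WIN7_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
XP_IP, WIN7_IP = bytes([192, 168, 1, 20]), bytes([192, 168, 1, 50])
BCAST_MAC, BCAST_IP = b"\xff" * 6, bytes([255, 255, 255, 255])

# The stale print job: XP box opening TCP/9100 at the printer's old IP.
SYN_TO_9100 = eth(WIN7_MAC, XP_MAC, ETH_P_IP,
                  ipv4(XP_IP, WIN7_IP, IPPROTO_TCP, tcp(49152, 9100, TCP_SYN)))
# A SYN/ACK reply would not wake anything (only pure SYN is in the pattern list).
SYN_ACK = eth(XP_MAC, WIN7_MAC, ETH_P_IP,
              ipv4(WIN7_IP, XP_IP, IPPROTO_TCP, tcp(9100, 49152, TCP_SYN | TCP_ACK)))
# A classic magic packet on UDP/9, which the capture filter was written to catch.
MAGIC_UDP = eth(BCAST_MAC, XP_MAC, ETH_P_IP,
                ipv4(XP_IP, BCAST_IP, IPPROTO_UDP, udp(40000, 9, b"\xff" * 6 + WIN7_MAC * 16)))
# A NetBIOS name query broadcast: also a default wake pattern, and UDP, so filter-visible.
NBNS_QUERY = eth(BCAST_MAC, XP_MAC, ETH_P_IP,
                 ipv4(XP_IP, BCAST_IP, IPPROTO_UDP, udp(137, 137, b"\x00" * 50)))


def report(frames, target_mac):
    """Return [(label, wake_pattern_or_None, seen_by_capture_filter)] for each frame."""
    return [(label, classify_wake_pattern(f, target_mac), matches_wol_capture_filter(f))
            for label, f in frames]


if __name__ == "__main__":
    samples = [("syn_9100", SYN_TO_9100), ("syn_ack", SYN_ACK),
               ("magic_udp", MAGIC_UDP), ("nbns", NBNS_QUERY)]
    for label, pattern, seen in report(samples, WIN7_MAC):
        print(f"{label:10} wake={pattern} seen_by_filter={seen}")
```

Running it shows the SYN to port 9100 classified as a "TCPv4 SYN" wake pattern while the capture filter returns False for it, which is exactly the blind spot the question ran into; the magic packet and NetBIOS query are both wake patterns and both visible to the filter. The equivalent display filter on the affected host is "tcp.flags.syn == 1 and tcp.flags.ack == 0".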