Thursday, February 12, 2009

What to Look for? Unexpected Traffic

The obvious thing to do is to monitor the network for unexpected traffic. Most network managers know the types of application they expect to see and can point out anything unusual. If anything unexpected is spotted, a capture of some of the traffic is usually sufficient to pinpoint the machines involved.
Unnecessary Traffic
It is common for machines to be configured by default to run protocols that may not be required. Many printers broadcast using Novell's IPX protocol, which is fine if you are using NetWare but not always necessary otherwise. It is good housekeeping to remove any protocols that you do not need. You may also be concerned about how your users are using the available bandwidth; a good analyzer will let you filter on specific types of traffic so that you can keep an eye on anything that may cause you a problem.
Unauthorized Program Use
Likewise, it is useful to check the specific port numbers for services on your servers. They may be offering services that you do not need, or unauthorized users may be accessing them. Most common services operate on well-defined port numbers, so a packet capture on a server will soon reveal what services are running. You can disable any services that you do not need. This has two benefits: it avoids unnecessary traffic on the network, and it means that no unauthorized user can take advantage of that service. If anyone is using a service, a packet capture will show you their address. Most analyzers allow filtering on specified port numbers, so it is possible to monitor continuously for traffic to those ports.
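The two checks described above (protocols that should not be on the wire, and services on a server that are not on the approved list, together with who is using them) can be scripted against the summary records an analyzer exports. The following is an added example, not code from the original post: the packet records, addresses and the baseline of expected protocols and approved ports are all constructed for a hypothetical site and would be replaced by your own capture export and your own baseline. It also shows how to turn the approved-port list into a tcpdump/BPF capture filter for continuous monitoring.

```python
"""Baseline checker for packet-capture summaries (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of capture summaries: (src, dst, protocol, dst_port).
# dst_port is None for protocols that carry no port (the IPX broadcast here).
SAMPLE_PACKETS = [
    ("10.0.0.15", "10.0.0.5", "TCP", 80),
    ("10.0.0.22", "10.0.0.5", "TCP", 443),
    ("10.0.0.40", "10.0.0.5", "TCP", 23),             # telnet to the server: not approved
    ("10.0.0.41", "10.0.0.5", "TCP", 23),
    ("10.0.0.90", "ff:ff:ff:ff:ff:ff", "IPX", None),  # a printer broadcasting IPX
    ("10.0.0.15", "10.0.0.5", "UDP", 53),
    ("10.0.0.77", "10.0.0.5", "TCP", 6667),           # IRC port: not approved
]

# Assumed baseline for the hypothetical site: protocols expected on the wire,
# and the services each server is supposed to offer.
EXPECTED_PROTOCOLS = {"TCP", "UDP", "ICMP", "ARP"}
APPROVED_SERVER_PORTS = {
    "10.0.0.5": {80, 443, 53},
}


def find_unexpected_protocols(packets, expected=EXPECTED_PROTOCOLS):
    """Map each protocol outside the baseline to the sorted source addresses using it."""
    hits = defaultdict(set)
    for src, _dst, proto, _port in packets:
        if proto not in expected:
            hits[proto].add(src)
    return {proto: sorted(srcs) for proto, srcs in hits.items()}


def find_unapproved_ports(packets, approved=APPROVED_SERVER_PORTS):
    """Map (server, port) pairs not on the approved list to the sorted client addresses seen."""
    hits = defaultdict(set)
    for src, dst, _proto, port in packets:
        # Only servers we hold a baseline for, and only port-bearing protocols.
        if dst not in approved or port is None:
            continue
        if port not in approved[dst]:
            hits[(dst, port)].add(src)
    return {key: sorted(srcs) for key, srcs in hits.items()}


def clients_of_service(packets, server, port):
    """Every address seen using a given service on a server: who is using it."""
    return sorted({src for src, dst, _proto, p in packets if dst == server and p == port})


def build_capture_filter(server, approved_ports):
    """Build a tcpdump/BPF filter that keeps only traffic to the server on ports
    NOT in the approved list, so an analyzer can watch for them continuously."""
    ports = " or ".join(f"port {p}" for p in sorted(approved_ports))
    return f"dst host {server} and not ({ports})"


if __name__ == "__main__":
    print("Unexpected protocols:", find_unexpected_protocols(SAMPLE_PACKETS))
    print("Unapproved services:", find_unapproved_ports(SAMPLE_PACKETS))
    print("Clients of 10.0.0.5:80:", clients_of_service(SAMPLE_PACKETS, "10.0.0.5", 80))
    for server, ports in APPROVED_SERVER_PORTS.items():
        print("Capture filter:", build_capture_filter(server, ports))
```

Running it on the constructed sample flags the IPX broadcast from 10.0.0.90, the two hosts talking to telnet (port 23) and one to port 6667 on the server, and prints a filter such as `dst host 10.0.0.5 and not (port 53 or port 80 or port 443)` that can be handed to tcpdump or any BPF-capable analyzer so that only traffic to services outside the baseline is captured.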
