We host Game Servers off of Windows Server 2008 machines, and we just received a report that one of our customers is using their server to do some type of UDP attack. The person being attacked provided us with the IP address, but do to IPv4 restrictions, we have 5 Game Servers running off that IP address.
What would be the best way to figure out which game server is sending these packets? One of our other techs installed an an application a long time ago that showed live network traffic, but it isn't on this machine and I can't find it.
Ask the victim to give you the source port of the datagrams he identified as belonging to the attack.
If you run 5 different game servers on that IP, each of them will run on a different port and therefore you will know which one is the culprit by cross-checking the game server "listening port" to the source port on the UDP datagrams the victim received.
Overall, if you're interested about this kind of traffic inspection in the long run, you want to get yourself familiar with Wireshark and especially its scriptable component: Tshark. Used smartly, these tools can provide extreme insight into any kind of network issues.
You can install Microsoft Network Monitor on the servers and start a capture when you suspect the activity is ocurring. Netmon will track the processes involved in the traffic so you'll be able to narrow it down to a specific process.
As for the traffic history, you'll need something like Netflow configured on your switch or router exporting flows to a Netflow collector.