What is an syn error in TCP Protocol?

Question

How to check SYN errors in a connection using JnetPcap (JNETPCAP is java wrapper for libpcap)? Also how to check REJ error in connection?

I am building Intrusion detection System. At present extracting attributes of KDD CUP 99 Dataset for live system.

Any reference will be helpful to me.

Answer 1

You can use Bro to find out the status of a connection/flow. To this end, run Bro as follows:

bro -r trace.pcap

This generates a file conn.log, which contains a column conn_state that reflects the connection status. Here are some relevant values of the field, for details please refer to the documentation:

• S0: Connection attempt seen, no reply.
• S1: Connection established, not terminated.
• SF: Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
• REJ: Connection attempt rejected.
• RSTO: Connection established, originator aborted (sent a RST).
• RSTR: Established, responder aborted.

As a side note, the IDS research community vehemently discourages the use the DARPA dataset (and the derived KDD Cup dataset) despite it's appealing availability.