Utility for extraction of subset of KDD '99 features from realtime network traffic or .pcap file
Switch branches/tags
Nothing to show
Clone or download
bittomix Merge pull request #7 from huoyuanliao/master
compatible with gcc 4.9 version
Latest commit f3d40e3 Jan 6, 2018
Failed to load latest commit information.
cmake cmake makefiles added Nov 28, 2015
doc added TCP state diagram May 4, 2017
src fix macros error Nov 27, 2017
.gitignore Initial commit Nov 22, 2015
CMakeLists.txt cmake makefiles added Nov 28, 2015
LICENSE Initial commit Nov 22, 2015
README.md changes to compile on Linux (gcc 4.6.3) Dec 13, 2015



Utility for extraction of subset of KDD '99 features [1] from realtime network traffic or .pcap file This utility is a part of our project at University of Bergen.

Some feature might not be calculated exactly same way as in KDD, because there was no documentation explaining the details of KDD implementation found. Algorithms are based on some articles [2][3] and observation of values in KDD dataset.

Features in KDD should be the same as features introduced by Lee & Stolfo in their work [2].


  • Current version is not 100% guarenteed to be perfect in sense that some features might be calculated bit different algorighms than KDD '99 dataset a Lee & Stolfo used. Hovewer, it is suitable for educational purposes.
  • Compiled & tested in following environments:
    • Windows 7 x64, MSCV 2015 (14), WinPcap 4.1.3
    • Windows 7 x64, MSCV 2013 (12), WinPcap 4.1.3
    • Ubuntu 12.04 x64, gcc 4.6.3, libpcap 4.2


  • Subset of KDD '99 features [1]
    • Content features (columns 10-22 of KDD) are not included
  • Optional extra features - IP addresses, ports, timestamp of last packet (option -e)

Main components

  1. Sniffer
  • Network traffic sniffer & frame parser
  1. IP reassembler
  • Only IP header "summaries"
  • Payload not reassembled (content features not extracted, it is not needed)
  1. Connection/Conversation reconstructor
  • Reconstructs conversations
  • Computes intrinsic features (columns 1-9 of KDD)
  1. Statistical engine
  • Computes derived features (columns 23-41 of KDD)

Planned sections in this readme

  • TODOs (e.g. IP checksum checking not implemented)
  • Known/possible problems, bugs & limitations
  • Build instructions

Main sources of feature documentation

[1] KDD Cup 1999 Data, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

[2] Lee, W. & Stolfo, S. J. (2000), 'A framework for onstructing features and models for intrusion detection systems', Information and System Security 3 (4) , 227-261.

[3] Dybey, D. & Dubey, J. (2014), 'A Survey Intrusion Detection with KDD99 Cup Dataset', International Journal of Computer Science and Information Technology Research 2 (3), 146-157.