
Can anyone guide me in converting the KDD 99 dataset, consisting of IP packets in the following format, to TCP dump format?

0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
Soner Gönül
soma sekhar

1 Answer


From the KDD99 homepage:

The 1998 DARPA Intrusion Detection Evaluation Program was prepared and managed by MIT Lincoln Labs. ... The 1999 KDD intrusion detection contest uses a version of this dataset.

Being somewhat familiar with the original DARPA dataset and with the information contained in a PCAP network capture file, I can tell you that the KDD99 data files contain nowhere near enough information to reconstruct a proper network capture file.

It seems that KDD99 is a boiled-down version of the DARPA IDEVAL98 data set, where only high-level operations, such as connections, are retained, instead of individual packets. If you need the actual network capture files, you should probably get the original DARPA IDEVAL data sets.

thkala
  • Would it be possible to map the DARPA 1998 tcpdump with the KDD 99 feature values? Furthermore, does the 99 KDD represent all the packets within the 1998 tcpdump files as connections or just a subset? Thanks – Goaler444 Dec 15 '12 at 17:55
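To make the answer's point concrete, here is an added example (not part of the original question or answer) that parses the record from the question into the 41 named KDD99 features plus label and reports which packet-level fields no column supplies. The column names follow the dataset's published feature list; the `PCAP_NEEDS` checklist and the function names are assumptions made for this illustration.

```python
import ipaddress

# Column order of the 41 KDD Cup 1999 features; the 42nd column is the label.
FEATURES = (
    "duration protocol_type service flag src_bytes dst_bytes land wrong_fragment "
    "urgent hot num_failed_logins logged_in num_compromised root_shell su_attempted "
    "num_root num_file_creations num_shells num_access_files num_outbound_cmds "
    "is_host_login is_guest_login count srv_count serror_rate srv_serror_rate "
    "rerror_rate srv_rerror_rate same_srv_rate diff_srv_rate srv_diff_host_rate "
    "dst_host_count dst_host_srv_count dst_host_same_srv_rate dst_host_diff_srv_rate "
    "dst_host_same_src_port_rate dst_host_srv_diff_host_rate dst_host_serror_rate "
    "dst_host_srv_serror_rate dst_host_rerror_rate dst_host_srv_rerror_rate"
).split()
SYMBOLIC = {"protocol_type", "service", "flag"}  # non-numeric columns

# Assumption (not from the post): the minimum a pcap writer needs for each packet.
PCAP_NEEDS = ("timestamp", "src_ip", "dst_ip", "src_port", "dst_port", "payload")

# The record quoted in the question (its 16 zero-valued content features folded).
SAMPLE = ("0,udp,private,SF,105,146," + "0," * 16 + "1,1,"
          "0.00,0.00,0.00,0.00,1.00,0.00,0.00,"
          "255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.")

def parse_record(line):
    """Split one KDD99 line into ({feature: value}, label)."""
    cols = line.strip().split(",")
    if len(cols) != len(FEATURES) + 1:
        raise ValueError(f"expected {len(FEATURES) + 1} columns, got {len(cols)}")
    feats = {}
    for name, raw in zip(FEATURES, cols):
        feats[name] = raw if name in SYMBOLIC else float(raw)
    return feats, cols[-1].rstrip(".")

def pcap_gaps(line):
    """Return the packet-level fields that no column of the record supplies."""
    feats, _ = parse_record(line)
    missing = [need for need in PCAP_NEEDS if need not in feats]
    for raw in line.strip().split(","):
        try:
            ipaddress.ip_address(raw)  # is any column literally an address?
        except ValueError:
            continue
        missing = [m for m in missing if not m.endswith("_ip")]
    return missing

if __name__ == "__main__":
    feats, label = parse_record(SAMPLE)
    print(label, feats["protocol_type"], feats["src_bytes"], feats["dst_bytes"])
    print("missing for pcap:", pcap_gaps(SAMPLE))
```

The record describes one whole connection: `src_bytes` and `dst_bytes` are byte totals with no packet boundaries, and the three identical rows in the question cannot be told apart or ordered in time.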