Meaning of Various Acronyms in State Field of Packet

Hi All,

I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.

CON … Connected?
FIN … Finished?
TIM … ??
ECO … ??
INT … Interrupted?
RST … Reset?
ECR … Echo Reply?
URP … ??
CLO … ??
STA … ??

ACC … ??

Thanks much,


Are you sure those came from Bro? Bro doesn't have a state field; it does have a conn_state field, however
the possible values of that field are completely different from what you listed.

A google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds
which points to your data set being generated from Argus, not Bro.

Hi Justin,

Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled “UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set).”

According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called “state”, and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.


Lionel describes what all those fields mean.

Bro does have a similar feature, but the data is represented differently, and those specific state abbreviations are
an Argus thing.

In bro logs, the different ICMP codes are logged this way:

##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.

So while Argus has URF as a state meaning 'Unreachable need fragmentation', in Bro that would just be logged as
type 3 code 4 under the port columns.

For some of the other fields the information is either in the conn_state or history fields. The documentation for those is

In Bro, ACC would show up as an h or H in history and a conn_state of SF, S1, S2, or S3 (I think?).

CLO would show up as f or F in history and a conn_state of SF.
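The two conventions Justin describes above (ICMP type/code carried in Bro's port columns, TCP handshake and close visible as h/H and f/F in the history string) can be checked mechanically on a conn.log. The script below is an added example, not code from the thread or from the Bro project: it parses a small constructed conn.log fragment (made-up addresses and uids, only the columns the example needs) and reports, per record, either the ICMP type/code or which TCP handshake/close/reset markers appear in history. The ICMP type/code names are the standard RFC 792 ones; the (3, 4) entry is the one that corresponds to Argus URF in the discussion.

```python
"""Read Bro/Zeek conn.log records and surface the state information the
thread discusses. Added example; the sample log below is constructed."""

# Constructed conn.log fragment in Bro's tab-separated format. Bro writes
# '-' for unset fields. The uids and addresses are invented.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1421927200.1\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.9\t80\ttcp\tSF\tShADadFf
1421927201.2\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51235\t10.0.0.9\t23\ttcp\tS0\tS
1421927202.3\tCmES5u32sYpV7JYN\t10.0.0.9\t3\t10.0.0.5\t4\ticmp\tOTH\t-
"""

# RFC 792 names for a few (type, code) pairs. (3, 4) is what the thread
# says Argus reports as URF.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}


def parse_conn_log(text):
    """Return a list of dicts, one per record, keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #close, etc.
        if fields is None:
            raise ValueError("data line before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def describe(rec):
    """Summarise one record the way the thread maps Argus states onto Bro.

    For ICMP, Bro stores the message type in id.orig_p and the code in
    id.resp_p. For TCP, the history string uses uppercase letters for the
    originator and lowercase for the responder: h = SYN+ACK (handshake),
    F = FIN, R = RST.
    """
    if rec["proto"] == "icmp":
        icmp_type = int(rec["id.orig_p"])
        icmp_code = int(rec["id.resp_p"])
        return {
            "proto": "icmp",
            "type": icmp_type,
            "code": icmp_code,
            "name": ICMP_NAMES.get((icmp_type, icmp_code), "unknown"),
        }
    history = "" if rec["history"] == "-" else rec["history"]
    return {
        "proto": rec["proto"],
        "conn_state": rec["conn_state"],
        "handshake_seen": "h" in history.lower(),
        "fin_from_originator": "F" in history,
        "fin_from_responder": "f" in history,
        "reset_seen": "r" in history.lower(),
    }


def summarise(text):
    """Parse a conn.log and describe every record in order."""
    return [describe(rec) for rec in parse_conn_log(text)]


if __name__ == "__main__":
    for summary in summarise(SAMPLE_CONN_LOG):
        print(summary)
```

The first sample record (history ShADadFf, conn_state SF) is the full-handshake-then-FIN case that Justin says Argus would show as ACC and then CLO; the second (history S, conn_state S0) never completed a handshake, so neither marker is set; the third is the ICMP "fragmentation needed" message that Argus labels URF and Bro records as type 3 / code 4 in the port columns.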

Awesome, thanks!