Splunk App for Stream: Is there any detailed information on field meanings?

Shisa
Explorer

Is there any detailed information about field meanings in the Splunk App for Stream?
I see the doc, but need more detailed information on the following.
http://docs.splunk.com/Documentation/StreamApp/6.1.0/DeployStreamApp/Whattypeofdatadoesthisappcollec...

On source=“stream:tcp”;
-Does “tcp_status=1” mean src_ip sends an RST packet to dest_ip during the 3-way handshake phase?
-What is the exact meaning of “tcp_status=2”?
-When you use source=“stream:tcp”, why does “refused” not appear? In my test environment, "refused" only appears on app protocol like "stream:http".
-Is it right that “time_taken” means how long a Stream flow takes to complete?
-How do you calculate “missing_packets_out” and “missing_packets_in” values from the packet data?

Any information would be helpful to me, thank you.


vshcherbakov_sp
Splunk Employee

Hello Shisa,

tcp_status=1 means that the server (dest_ip) sent an RST packet in response to the SYN packet during the TCP handshake.

tcp_status=2 means that the TCP handshake request (SYN packet) was ignored, i.e. the SYN packet wasn't answered and the flow timed out.

When you use source=“stream:tcp”, “refused” does not appear? In my test environment, "refused" only appears on app protocols like "stream:http".

This is a bug: you're correct, the "refused" field is only set for the HTTP protocol (oops..). I created the STREAM-2529 ticket to track this bug. Is it critical for you to get the "refused" field working? BTW, the field description is also incorrect - it should read "1 if the flow was terminated with RST, 0 if not".

Is it right that “time_taken” means how long a Stream flow takes to complete?

Depends on the protocol: generally it means "how long an event has taken to complete" where an event can be a HTTP/DNS request/response, MySql query/server response, etc. or the whole flow (stream:tcp and stream:udp source types)

How do you calculate “missing_packets_out” and “missing_packets_in” values from the packet data?

We increment missing_packets_in/out counts every time Stream's TCP reassembly engine encounters a gap in TCP sequence it cannot reassemble (i.e. too many packets with higher TCP sequence have arrived, etc.) in the corresponding (ingress/egress) TCP stream.

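The tcp_status, refused and missing_packets_in/out rules described in the answer, modelled as an added Python example (this is not Stream's own code; the Segment record, the reorder threshold max_reorder and the sample flows are constructed assumptions used to illustrate the semantics):

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Segment:
    direction: str   # "out" = client->server (egress), "in" = server->client (ingress)
    seq: int         # relative TCP sequence number
    payload_len: int # bytes of data carried (0 for pure control segments)
    flags: str       # e.g. "S", "SA", "A", "PA", "R"

def tcp_status(segments: List[Segment], timed_out: bool) -> int:
    """0 = handshake completed; 1 = server answered the SYN with RST;
    2 = SYN never answered and the flow timed out (as described in the answer)."""
    saw_syn = any(s.direction == "out" and s.flags == "S" for s in segments)
    first_reply = next((s for s in segments if s.direction == "in"), None)
    if saw_syn and first_reply is not None and "R" in first_reply.flags:
        return 1
    if saw_syn and first_reply is None and timed_out:
        return 2
    return 0

def refused(segments: List[Segment]) -> int:
    """Corrected field description from the answer: 1 if the flow was terminated with RST."""
    return 1 if segments and "R" in segments[-1].flags else 0

def missing_packets(segments: List[Segment], direction: str, max_reorder: int = 3) -> int:
    """Count sequence gaps the reassembler gives up on in one direction.
    Out-of-order segments are buffered; once more than max_reorder higher-sequence
    segments are waiting, the gap is declared missing and reassembly skips past it.
    (max_reorder is a constructed threshold, not Stream's actual heuristic.)"""
    data = [s for s in segments if s.direction == direction and s.payload_len > 0]
    if not data:
        return 0
    expected = data[0].seq
    pending: Dict[int, int] = {}   # seq -> payload_len of buffered out-of-order data
    missing = 0
    for s in data:
        if s.seq == expected:
            expected += s.payload_len
        elif s.seq > expected:
            pending[s.seq] = s.payload_len
        # seq < expected is a retransmission/overlap and is ignored here
        while expected in pending:             # drain anything now contiguous
            expected += pending.pop(expected)
        if len(pending) > max_reorder:          # too many higher-seq packets: give up
            missing += 1
            expected = min(pending)
            while expected in pending:
                expected += pending.pop(expected)
    return missing
```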
