When you use tstat or tcptrace, you can only elicit some information about TCP protocol. So what other protocols such as UDP and ICMP... and others in the application layers that exploited by flooding DDoS attacks.
In fact, you should use any intelligent tools such as BRO-IDS, ARGUS, Netflow to develop the code by yourself or generate some essential features and then you can create more features from them using the connection flows 10,100,..etc