Network architecture is more and more complicated day by day, in addition, the flourishing development of the internet and network activity are frequent, it is a serious threat to network security for the hostile package hidden in the network . Data mining is a hot topic today, it can find out the useful knowledge and differences analyzing between normal and abnormal packages from log, and update defending mechanism dynamically, there are many researches using the neural network and decision tree methodology for internet package analysis, but there is no any research to combine these two methodologies for packages distinguished research. This research combines both the characteristics of neural learns high and decision tree summing up the rules to apply distinguishing behavior of attach of packet. We compare the false positive rate and false negative rate to each kind of package in the experiment to evaluate accurate rate of every kind of attacking package prediction. The result of tree models in our experiment show that false positive rate for R2L and Probe are over 90% ,false negative rate for R2L is over 99%,So the effect is not good for distinguishing R2L and Probe for these models in the research.