Online TCP traffic identification using features in the head of the data flow wherein parameters of a number of packets in the head of the data flow such as packet length are extended with modified packet interval time and so on to establish the protocol features library according to the joint probability distribution. The protocol type of the data flow is obtained through comparing the packets features in the head of the data flow with the protocol features library. Data flow separation module, features extraction module, classification arbitration module and protocol features library module are included. The present invention weakens the impact that the round-trip delay has significantly on the protocol features, can accurately identify various TCP-based application-layer services and support online traffic identification. The identification process is suitable for hardware devices implementation and can be used in devices and systems that need online traffic identification in high-speed backbone network.