I can almost safely say that I don't think the traffic will look any different from normal traffic. There will be a higher volume of traffic but in terms of what it would actually look like, it's going to look the same.
Obviously if it's a DDoS the traffic will be coming from different source IP addresses meaning it will be quite hard to distinguish between real requests vs false ones especially if you have A LOT of REAL traffic passing through the firewall. Also the issue you will face is the fact that in a SYN flood you purposely keep the connection open...
I suggest you read this - https://www.incapsula.com/ddos/attack-glossary/syn-flood.html
It shows a few methods of stopping such attacks but at the end of the day the traffic will look the same. I guess if you see sessions that have been open for an usually large amount of time that would indicate but again if it's a busy firewall then you should expect such connections that are actually legitimate.