Fix decode TCP flags with u32

Fixes #946

Author: jotak

pkg/pipeline/transform/transform_network.go

@@ -144,7 +144,10 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo
 		case api.NetworkDecodeTCPFlags:
 			if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {
 				if flags, ok := anyFlags.(uint16); ok {
-					flags := util.DecodeTCPFlags(flags)
+					flags := util.DecodeTCPFlagsU16(flags)
+					outputEntry[rule.DecodeTCPFlags.Output] = flags
+				} else if flags, ok := anyFlags.(uint32); ok {
+					flags := util.DecodeTCPFlagsU32(flags)
 					outputEntry[rule.DecodeTCPFlags.Output] = flags
 				}
 			}

pkg/pipeline/transform/transform_network_test.go

@@ -521,3 +521,38 @@ func Test_ValidateReinterpretDirection(t *testing.T) {
 		"FlowDirection": 1,
 	}, output)
 }
+
+func Test_DecodeTCPFlags(t *testing.T) {
+	tr, err := NewTransformNetwork(config.StageParam{
+		Transform: &config.Transform{
+			Network: &api.TransformNetwork{
+				Rules: []api.NetworkTransformRule{{
+					Type: "decode_tcp_flags",
+					DecodeTCPFlags: &api.NetworkGenericRule{
+						Input:  "TcpFlags",
+						Output: "TcpFlagsString",
+					},
+				}},
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	output, ok := tr.Transform(config.GenericMap{
+		"TcpFlags": uint16(17),
+	})
+	require.True(t, ok)
+	require.Equal(t, config.GenericMap{
+		"TcpFlags":       uint16(17),
+		"TcpFlagsString": []string{"FIN", "ACK"},
+	}, output)
+
+	output, ok = tr.Transform(config.GenericMap{
+		"TcpFlags": uint32(17),
+	})
+	require.True(t, ok)
+	require.Equal(t, config.GenericMap{
+		"TcpFlags":       uint32(17),
+		"TcpFlagsString": []string{"FIN", "ACK"},
+	}, output)
+}

pkg/utils/tcp_flags.go

@@ -1,28 +1,39 @@
 package utils
 
 type tcpFlag struct {
-	value uint16
-	name  string
+	value16 uint16
+	value32 uint32
+	name    string
 }
 
 var tcpFlags = []tcpFlag{
-	{value: 1, name: "FIN"},
-	{value: 2, name: "SYN"},
-	{value: 4, name: "RST"},
-	{value: 8, name: "PSH"},
-	{value: 16, name: "ACK"},
-	{value: 32, name: "URG"},
-	{value: 64, name: "ECE"},
-	{value: 128, name: "CWR"},
-	{value: 256, name: "SYN_ACK"},
-	{value: 512, name: "FIN_ACK"},
-	{value: 1024, name: "RST_ACK"},
+	{value16: 1, value32: 1, name: "FIN"},
+	{value16: 2, value32: 2, name: "SYN"},
+	{value16: 4, value32: 4, name: "RST"},
+	{value16: 8, value32: 8, name: "PSH"},
+	{value16: 16, value32: 16, name: "ACK"},
+	{value16: 32, value32: 32, name: "URG"},
+	{value16: 64, value32: 64, name: "ECE"},
+	{value16: 128, value32: 128, name: "CWR"},
+	{value16: 256, value32: 256, name: "SYN_ACK"},
+	{value16: 512, value32: 512, name: "FIN_ACK"},
+	{value16: 1024, value32: 1024, name: "RST_ACK"},
 }
 
-func DecodeTCPFlags(bitfield uint16) []string {
+func DecodeTCPFlagsU16(bitfield uint16) []string {
 	var values []string
 	for _, flag := range tcpFlags {
-		if bitfield&flag.value != 0 {
+		if bitfield&flag.value16 != 0 {
+			values = append(values, flag.name)
+		}
+	}
+	return values
+}
+
+func DecodeTCPFlagsU32(bitfield uint32) []string {
+	var values []string
+	for _, flag := range tcpFlags {
+		if bitfield&flag.value32 != 0 {
 			values = append(values, flag.name)
 		}
 	}

pkg/utils/tcp_flags_test.go

@@ -7,12 +7,12 @@ import (
 )
 
 func TestDecodeFlags(t *testing.T) {
-	flags528 := DecodeTCPFlags(528)
+	flags528 := DecodeTCPFlagsU16(528)
 	assert.Equal(t, []string{"ACK", "FIN_ACK"}, flags528)
 
-	flags256 := DecodeTCPFlags(256)
+	flags256 := DecodeTCPFlagsU32(256)
 	assert.Equal(t, []string{"SYN_ACK"}, flags256)
 
-	flags666 := DecodeTCPFlags(666)
+	flags666 := DecodeTCPFlagsU16(666)
 	assert.Equal(t, []string{"SYN", "PSH", "ACK", "CWR", "FIN_ACK"}, flags666)
 }