Do not write decoded tcp flags field when empty (#1033)

jotak · jpinsonneau · web-flow · commit 7b28ea14c83c · 2025-07-21T08:48:37.000+02:00
* Do not write decoded tcp flags field when empty Fixes part of #1031 * Update pkg/pipeline/transform/transform_network_test.go Co-authored-by: Julien Pinsonneau <91894519+jpinsonneau@users.noreply.github.com> --------- Co-authored-by: Julien Pinsonneau <91894519+jpinsonneau@users.noreply.github.com>
diff --git a/pkg/pipeline/transform/transform_network.go b/pkg/pipeline/transform/transform_network.go
@@ -141,8 +141,9 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo
 		case api.NetworkDecodeTCPFlags:
 			if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {
 				if flags, err := util.ConvertToUint(anyFlags); err == nil {
-					flags := util.DecodeTCPFlags(flags)
-					outputEntry[rule.DecodeTCPFlags.Output] = flags
+					if flags := util.DecodeTCPFlags(flags); len(flags) > 0 {
+						outputEntry[rule.DecodeTCPFlags.Output] = flags
+					}
 				}
 			}
 
diff --git a/pkg/pipeline/transform/transform_network_test.go b/pkg/pipeline/transform/transform_network_test.go
@@ -581,3 +581,46 @@ func Test_DecodeTCPFlags(t *testing.T) {
 		"TcpFlagsU32String": []string{"SYN", "ACK"},
 	}, output)
 }
+
+func Test_DecodeTCPFlagsDefaultValue(t *testing.T) {
+	dec, err := NewTransformNetwork(config.StageParam{
+		Transform: &config.Transform{
+			Network: &api.TransformNetwork{
+				Rules: []api.NetworkTransformRule{
+					{
+						Type: "decode_tcp_flags",
+						DecodeTCPFlags: &api.NetworkGenericRule{
+							Input:  "TcpFlags",
+							Output: "TcpFlagsString",
+						},
+					},
+				},
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+	add, err := NewTransformFilter(config.StageParam{
+		Transform: &config.Transform{
+			Filter: &api.TransformFilter{
+				Rules: []api.TransformFilterRule{
+					{
+						Type: "add_field_if_doesnt_exist",
+						AddFieldIfDoesntExist: &api.TransformFilterGenericRule{
+							Input: "TcpFlagsString",
+							Value: "unknown",
+						},
+					},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	var ok bool
+	flow := config.GenericMap{"TcpFlags": uint(0)}
+	flow, ok = dec.Transform(flow)
+	require.True(t, ok)
+	flow, ok = add.Transform(flow)
+	require.True(t, ok)
+	require.Equal(t, config.GenericMap{"TcpFlags": uint(0), "TcpFlagsString": "unknown"}, flow)
+}

Original file line number	Diff line number	Diff line change
`@@ -141,8 +141,9 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo`
`141`	`141`	`case api.NetworkDecodeTCPFlags:`
`142`	`142`	`if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {`
`143`	`143`	`if flags, err := util.ConvertToUint(anyFlags); err == nil {`
`144`		`- flags := util.DecodeTCPFlags(flags)`
`145`		`- outputEntry[rule.DecodeTCPFlags.Output] = flags`
	`144`	`+ if flags := util.DecodeTCPFlags(flags); len(flags) > 0 {`
	`145`	`+ outputEntry[rule.DecodeTCPFlags.Output] = flags`
	`146`	`+ }`
`146`	`147`	`}`
`147`	`148`	`}`
`148`	`149`