Fix decode TCP flags with u32 (#968)

jotak · web-flow · commit c73b7ad8bee3 · 2025-06-12T14:10:45.000+02:00
* Fix decode TCP flags with u32 Fixes #946 * new uint conversion func * simplify test
diff --git a/pkg/pipeline/transform/transform_network.go b/pkg/pipeline/transform/transform_network.go
@@ -139,7 +139,7 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo
 			}
 		case api.NetworkDecodeTCPFlags:
 			if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {
-				if flags, ok := anyFlags.(uint16); ok {
+				if flags, err := util.ConvertToUint(anyFlags); err == nil {
 					flags := util.DecodeTCPFlags(flags)
 					outputEntry[rule.DecodeTCPFlags.Output] = flags
 				}
diff --git a/pkg/pipeline/transform/transform_network_test.go b/pkg/pipeline/transform/transform_network_test.go
@@ -543,3 +543,41 @@ func Test_ValidateReinterpretDirection(t *testing.T) {
 		"FlowDirection": 1,
 	}, output)
 }
+
+func Test_DecodeTCPFlags(t *testing.T) {
+	tr, err := NewTransformNetwork(config.StageParam{
+		Transform: &config.Transform{
+			Network: &api.TransformNetwork{
+				Rules: []api.NetworkTransformRule{
+					{
+						Type: "decode_tcp_flags",
+						DecodeTCPFlags: &api.NetworkGenericRule{
+							Input:  "TcpFlagsU16",
+							Output: "TcpFlagsU16String",
+						},
+					},
+					{
+						Type: "decode_tcp_flags",
+						DecodeTCPFlags: &api.NetworkGenericRule{
+							Input:  "TcpFlagsU32",
+							Output: "TcpFlagsU32String",
+						},
+					},
+				},
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	output, ok := tr.Transform(config.GenericMap{
+		"TcpFlagsU16": uint16(17),
+		"TcpFlagsU32": uint32(18),
+	})
+	require.True(t, ok)
+	require.Equal(t, config.GenericMap{
+		"TcpFlagsU16":       uint16(17),
+		"TcpFlagsU16String": []string{"FIN", "ACK"},
+		"TcpFlagsU32":       uint32(18),
+		"TcpFlagsU32String": []string{"SYN", "ACK"},
+	}, output)
+}
diff --git a/pkg/utils/convert.go b/pkg/utils/convert.go
@@ -217,6 +217,21 @@ func ConvertToInt(unk interface{}) (int, error) {
 	}
 }
 
+func ConvertToUint(unk interface{}) (uint, error) {
+	switch i := unk.(type) {
+	case uint64:
+		return uint(i), nil
+	case uint32:
+		return uint(i), nil
+	case uint16:
+		return uint(i), nil
+	case uint:
+		return uint(i), nil
+	default:
+		return 0, fmt.Errorf("can't convert %v to uint", i)
+	}
+}
+
 func ConvertToBool(unk interface{}) (bool, error) {
 	switch i := unk.(type) {
 	case string:
diff --git a/pkg/utils/tcp_flags.go b/pkg/utils/tcp_flags.go
@@ -1,7 +1,7 @@
 package utils
 
 type tcpFlag struct {
-	value uint16
+	value uint
 	name  string
 }
 
@@ -19,7 +19,7 @@ var tcpFlags = []tcpFlag{
 	{value: 1024, name: "RST_ACK"},
 }
 
-func DecodeTCPFlags(bitfield uint16) []string {
+func DecodeTCPFlags(bitfield uint) []string {
 	var values []string
 	for _, flag := range tcpFlags {
 		if bitfield&flag.value != 0 {

Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ func (n *Network) Transform(inputEntry config.GenericMap) (config.GenericMap, bo`
`139`	`139`	`}`
`140`	`140`	`case api.NetworkDecodeTCPFlags:`
`141`	`141`	`if anyFlags, ok := outputEntry[rule.DecodeTCPFlags.Input]; ok && anyFlags != nil {`
`142`		`- if flags, ok := anyFlags.(uint16); ok {`
	`142`	`+ if flags, err := util.ConvertToUint(anyFlags); err == nil {`
`143`	`143`	`flags := util.DecodeTCPFlags(flags)`
`144`	`144`	`outputEntry[rule.DecodeTCPFlags.Output] = flags`
`145`	`145`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package utils`
`2`	`2`
`3`	`3`	`type tcpFlag struct {`
`4`		`- value uint16`
	`4`	`+ value uint`
`5`	`5`	`name string`
`6`	`6`	`}`
`7`	`7`
`@@ -19,7 +19,7 @@ var tcpFlags = []tcpFlag{`
`19`	`19`	`{value: 1024, name: "RST_ACK"},`
`20`	`20`	`}`
`21`	`21`
`22`		`-func DecodeTCPFlags(bitfield uint16) []string {`
	`22`	`+func DecodeTCPFlags(bitfield uint) []string {`
`23`	`23`	`var values []string`
`24`	`24`	`for _, flag := range tcpFlags {`
`25`	`25`	`if bitfield&flag.value != 0 {`