fix(inputs.netflow): Decode flags in TCP and IP headers correctly (#1…
…6248)

Co-authored-by: jlgonzalez <[email protected]>
joseluisgonzalezca and jlgonzalez authored Dec 3, 2024
1 parent f26decb commit 9cff0ce
Showing 1 changed file with 20 additions and 13 deletions.
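--- a/plugins/inputs/netflow/sflow_v5.go
+++ b/plugins/inputs/netflow/sflow_v5.go
@@ -391,12 +391,13 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map
 fields["dst"] = l.DstIP.String()
 
 flags := []byte("........")
-switch {
-case l.Flags&layers.IPv4EvilBit > 0:
+if l.Flags&layers.IPv4EvilBit > 0 {
 flags[7] = byte('E')
-case l.Flags&layers.IPv4DontFragment > 0:
+}
+if l.Flags&layers.IPv4DontFragment > 0 {
 flags[6] = byte('D')
-case l.Flags&layers.IPv4MoreFragments > 0:
+}
+if l.Flags&layers.IPv4MoreFragments > 0 {
 flags[5] = byte('M')
 }
 fields["fragment_flags"] = string(flags)
@@ -418,22 +419,28 @@ func (d *sflowv5Decoder) decodeRawHeaderSample(record *sflow.SampledHeader) (map
 fields["tcp_window_size"] = l.Window
 fields["tcp_urgent_ptr"] = l.Urgent
 flags := []byte("........")
-switch {
-case l.FIN:
+if l.FIN {
 flags[7] = byte('F')
-case l.SYN:
+}
+if l.SYN {
 flags[6] = byte('S')
-case l.RST:
+}
+if l.RST {
 flags[5] = byte('R')
-case l.PSH:
+}
+if l.PSH {
 flags[4] = byte('P')
-case l.ACK:
+}
+if l.ACK {
 flags[3] = byte('A')
-case l.URG:
+}
+if l.URG {
 flags[2] = byte('U')
-case l.ECE:
+}
+if l.ECE {
 flags[1] = byte('E')
-case l.CWR:
+}
+if l.CWR {
 flags[0] = byte('C')
 }
 fields["tcp_flags"] = string(flags)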
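Review bot: The positional layout of the `tcp_flags` and `fragment_flags` strings is not documented anywhere in these hunks, and it matters more now that several positions can be set in one value. Above each `flags := []byte("........")` I would add a comment such as `// index 0..7 = C E U A P R S F; '.' means the flag is clear` for TCP and `// index 5 = M, 6 = D, 7 = E; indices 0-4 are never set` for IPv4. Queries or detection rules written against the old output, where only the first matching case was rendered (a SYN+ACK segment came out as `......S.`), will see different strings after this change, so it deserves a line in the release notes. The commit touches only sflow_v5.go, so no regression test with a multi-flag packet is visible here; decodeRawHeaderSample starts and ends outside both hunks.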
