From de52d84e82df6d8c5e2416c6bc44e59c41c685da Mon Sep 17 00:00:00 2001
From: Kelly Brazil
Date: Wed, 20 May 2020 12:02:32 -0700
Subject: [PATCH] fix udp state and udp46 entries
---
 jc/parsers/netstat_osx.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/jc/parsers/netstat_osx.py b/jc/parsers/netstat_osx.py
index 8f435789..2cde8c21 100644
--- a/jc/parsers/netstat_osx.py
+++ b/jc/parsers/netstat_osx.py
@@ -15,15 +15,11 @@ def normalize_headers(header):
 def parse_item(headers, entry, kind):
 entry = entry.split(maxsplit=len(headers) - 1)
- # TODO: Fix this area
 # fixup udp records with no state field entry
- if entry[0].startswith('udp'):
- entry.insert(-1, None)
- # if len(entry) == len(headers) - 1:
- # if len(headers) == 6:
- # entry.insert(5, None)
- # else:
- # entry.insert(7, None)
+ if kind == 'network' and entry[0].startswith('udp'):
+ entry.insert(5, None)
+ if kind == 'network' and 'socket' in headers and 'udp' in str(entry):
+ entry.insert(7, None)
 output_line = dict(zip(headers, entry))
 output_line['kind'] = kind
@@ -50,7 +46,10 @@ def parse_post(raw_data):
 if 'proto' in entry and 'kind' in entry:
 if entry['kind'] == 'network':
- entry['transport_protocol'] = entry['proto'][:-1]
+ if entry['proto'] == 'udp46':
+ entry['transport_protocol'] = entry['proto'][:-2]
+ else:
+ entry['transport_protocol'] = entry['proto'][:-1]
 if '6' in entry['proto']:
 entry['network_protocol'] = 'ipv6'
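Review bot: The second fixup, `'udp' in str(entry)`, matches the substring anywhere in the stringified row rather than in the protocol column, so a non-UDP row whose address or name field happens to contain "udp" (a resolved hostname, for instance, which is data from outside the host) would get `None` inserted at index 7 and every later column shifted. Test the protocol field itself, e.g. `if kind == 'network' and 'socket' in headers and entry[headers.index('proto')].startswith('udp'):` (this assumes `headers` is the list of normalized column names, which the hunk does not show). The two `if`s are also not mutually exclusive, and `list.insert` with an index past the end appends silently, so a short row is padded instead of rejected; a one-line comment naming the netstat layouts that indexes 5 and 7 correspond to would make that intent checkable. parse_item continues past the end of the hunk.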
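Review bot: Only `udp46` is special-cased here, so any other dual-stack protocol name still goes through the `[:-1]` branch; macOS netstat also reports `tcp46` for dual-stack TCP sockets, which would come out as a `transport_protocol` of `tcp4`. Consumers that filter on `transport_protocol == 'tcp'` (a listening-port audit, for example) would then skip those sockets. Stripping the address-family digits covers both cases and removes the branch: `entry['transport_protocol'] = entry['proto'].rstrip('46')`. parse_post starts before and continues after this hunk.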