Add filter autocomplete for matchy.level field

Change matchy.level from FT_STRING to FT_UINT8 with value_string,
which enables Wireshark's filter autocomplete to suggest level names.

Users can now filter by:
- String: matchy.level == "High"
- Numeric: matchy.level == 3
- Comparison: matchy.level >= 2 (Medium or higher)

The packet details pane shows the text representation (High, Critical, etc.)
while the underlying value is numeric, enabling rich filter expressions.

Also adds integration tests for numeric and comparison filters.

Author: sethhall

src/lib.rs

@@ -126,6 +126,18 @@ unsafe extern "C" fn proto_register_matchy() {
     register_toolbar();
 }
 
+/// Value strings for threat level field (enables filter autocomplete)
+/// Must be null-terminated array
+static THREAT_LEVEL_VALS: [wireshark_ffi::value_string; 6] = [
+    wireshark_ffi::value_string { value: 4, strptr: c"Critical".as_ptr() },
+    wireshark_ffi::value_string { value: 3, strptr: c"High".as_ptr() },
+    wireshark_ffi::value_string { value: 2, strptr: c"Medium".as_ptr() },
+    wireshark_ffi::value_string { value: 1, strptr: c"Low".as_ptr() },
+    wireshark_ffi::value_string { value: 0, strptr: c"Unknown".as_ptr() },
+    // Null terminator
+    wireshark_ffi::value_string { value: 0, strptr: std::ptr::null() },
+];
+
 /// Static storage for header field registration info
 /// These MUST be static because Wireshark keeps pointers to them
 static mut HF_ARRAY: [wireshark_ffi::hf_register_info; 9] = {
@@ -153,8 +165,10 @@ static mut HF_ARRAY: [wireshark_ffi::hf_register_info; 9] = {
             hfinfo: header_field_info {
                 name: c"Threat Level".as_ptr(),
                 abbrev: c"matchy.level".as_ptr(),
-                type_: FT_STRING,
-                display: BASE_NONE,
+                type_: FT_UINT8,
+                display: BASE_DEC,
+                // Note: strings pointer is set at runtime in proto_register_matchy
+                // because we can't reference THREAT_LEVEL_VALS in const context
                 strings: std::ptr::null(),
                 bitmask: 0,
                 blurb: c"Severity level of the threat".as_ptr(),
@@ -355,6 +369,10 @@ unsafe fn register_fields() {
     HF_ARRAY[7].p_id = std::ptr::addr_of_mut!(HF_THREAT_TLP);
     HF_ARRAY[8].p_id = std::ptr::addr_of_mut!(HF_THREAT_LAST_SEEN);
 
+    // Set the value_string pointer for threat level field (enables filter autocomplete)
+    // This must be done at runtime because we can't reference static data in const context
+    HF_ARRAY[1].hfinfo.strings = THREAT_LEVEL_VALS.as_ptr() as *const libc::c_void;
+
     proto_register_field_array(PROTO_MATCHY, HF_ARRAY.as_mut_ptr(), HF_ARRAY.len() as c_int);
 
     // Register subtree

src/postdissector.rs

@@ -495,9 +495,8 @@ unsafe fn add_threat_to_tree(
         return;
     }
 
-    // Add threat details (Wireshark copies string values for FT_STRINGZ)
-    let level_str = to_c_string(threat.level.display_str());
-    proto_tree_add_string(subtree, hf.level, tvb, 0, 0, level_str.as_ptr());
+    // Add threat level as uint8 (value_string provides display text and autocomplete)
+    proto_tree_add_uint(subtree, hf.level, tvb, 0, 0, threat.level.as_u8() as libc::c_uint);
 
     let category_str = to_c_string(&threat.category);
     proto_tree_add_string(subtree, hf.category, tvb, 0, 0, category_str.as_ptr());

src/threats.rs

@@ -3,13 +3,15 @@
 //! Handles IP/domain lookups and visual threat indicators.
 
 /// Threat level representation
+/// Integer values are used for Wireshark field encoding (enables autocomplete)
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[repr(u8)]
 pub enum ThreatLevel {
-    Critical,
-    High,
-    Medium,
-    Low,
-    Unknown,
+    Critical = 4,
+    High = 3,
+    Medium = 2,
+    Low = 1,
+    Unknown = 0,
 }
 
 impl ThreatLevel {
@@ -37,15 +39,9 @@ impl ThreatLevel {
         }
     }
 
-    /// Get display string
-    pub fn display_str(&self) -> &'static str {
-        match self {
-            ThreatLevel::Critical => "Critical",
-            ThreatLevel::High => "High",
-            ThreatLevel::Medium => "Medium",
-            ThreatLevel::Low => "Low",
-            ThreatLevel::Unknown => "Unknown",
-        }
+    /// Get numeric value for Wireshark field encoding
+    pub fn as_u8(&self) -> u8 {
+        *self as u8
     }
 }
 

src/wireshark_ffi.rs

@@ -102,6 +102,22 @@ pub const FT_UINT32: c_int = 7;
 pub const FT_STRING: c_int = 26;
 pub const FT_STRINGZ: c_int = 27;
 
+// ============================================================================
+// Value Strings (for enum-like field autocomplete)
+// ============================================================================
+
+/// Value string entry - maps integer value to display string
+/// Used for Wireshark filter autocomplete
+#[repr(C)]
+pub struct value_string {
+    pub value: u32,
+    pub strptr: *const c_char,
+}
+
+// Safety: value_string contains only a u32 and a pointer to static string data.
+// The pointer is only read by Wireshark, never written, so this is safe to share.
+unsafe impl Sync for value_string {}
+
 // ============================================================================
 // Field Display
 // ============================================================================

tests/integration.rs

@@ -291,6 +291,7 @@ fn test_plugin_integration() {
     assert_eq!(results.len(), 4, "Expected 4 packets in test pcap");
 
     // Frame 1: dst=192.168.1.1 (exact match) -> high threat, malware
+    // Note: threat level is now FT_UINT8 with value_string, so raw output shows "3" for High
     let pkt1 = &results[0];
     assert_eq!(pkt1.frame_number, 1);
     assert_eq!(pkt1.dst_ip, "192.168.1.1");
@@ -300,7 +301,7 @@ fn test_plugin_integration() {
     );
     assert_eq!(
         pkt1.threat_level.as_deref(),
-        Some("High"),
+        Some("3"), // High = 3
         "Frame 1 threat level"
     );
     assert_eq!(
@@ -319,7 +320,7 @@ fn test_plugin_integration() {
     );
     assert_eq!(
         pkt2.threat_level.as_deref(),
-        Some("Medium"),
+        Some("2"), // Medium = 2
         "Frame 2 threat level"
     );
     assert_eq!(
@@ -338,7 +339,7 @@ fn test_plugin_integration() {
     );
     assert_eq!(
         pkt3.threat_level.as_deref(),
-        Some("High"),
+        Some("3"), // High = 3
         "Frame 3 threat level"
     );
     assert_eq!(
@@ -500,5 +501,51 @@ fn test_display_filter() {
         "Two-pass filter 'matchy.level == \"High\"' should match 2 frames, got: {:?}", frames
     );
 
+    // Test 6: Numeric filter for threat level (value_string allows both)
+    // High = 3 in the ThreatLevel enum
+    let output = Command::new("tshark")
+        .env("WIRESHARK_PLUGIN_DIR", &plugin_dir)
+        .args([
+            "-o", &db_pref,
+            "-r", pcap_path.to_str().unwrap(),
+            "-Y", "matchy.level == 3",
+            "-T", "fields",
+            "-e", "frame.number",
+        ])
+        .output()
+        .expect("Failed to run tshark with numeric filter");
+
+    assert!(output.status.success(), "tshark numeric filter command failed");
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let frames: Vec<&str> = stdout.lines().filter(|l| !l.is_empty()).collect();
+    
+    assert_eq!(
+        frames.len(), 2,
+        "Numeric filter 'matchy.level == 3' should match 2 frames (same as High), got: {:?}", frames
+    );
+
+    // Test 7: Comparison operators (threat level >= Medium)
+    // Medium = 2, so this should match frames with High (3) and Medium (2)
+    let output = Command::new("tshark")
+        .env("WIRESHARK_PLUGIN_DIR", &plugin_dir)
+        .args([
+            "-o", &db_pref,
+            "-r", pcap_path.to_str().unwrap(),
+            "-Y", "matchy.level >= 2",
+            "-T", "fields",
+            "-e", "frame.number",
+        ])
+        .output()
+        .expect("Failed to run tshark with comparison filter");
+
+    assert!(output.status.success(), "tshark comparison filter command failed");
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let frames: Vec<&str> = stdout.lines().filter(|l| !l.is_empty()).collect();
+    
+    assert_eq!(
+        frames.len(), 3,
+        "Comparison filter 'matchy.level >= 2' should match 3 frames (High + Medium), got: {:?}", frames
+    );
+
     eprintln!("All display filter tests passed!");
 }