The MATCHSTREAM command inspects network traffic for activity on the specified ports which matches a regular expression. The payload will be paused until matching traffic is found.

Regular expressions can be difficult, but powerful. They allow searching for complex patterns in a stream. Sites such as can help explore the power of regular expressions.

MATCHSTREAM uses the ECMASCRIPT regular expression flavor.


The MATCHSTREAM command expects several options:

MATCHSTREAM [interface] [direction] [expression] [port] ... [portN]


MATCHSTREAM requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.


MATCHSTREAM requires a direction: It can match on CLIENT requests, SERVER responses, or packets in ANY direction.


MATCHSTREAM matches on a basic regular expression.

This expression can be as simple as the text to match, such as "Authorization: Basic", or a complex match such as "[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}"to match four groups of four digits.


MATCHSTREAM can match any number of ports.

Return values

MATCHSTREAM will exit when a packet is seen on the monitored ports.

MATCHSTREAM will print the port pairs which caused the match (source and destination of the packet).


You can experiment using the MATCHSTREAM command live, either in the Web Shell in the web UI, or via ssh!

To experiment with traffic from a Target device (such as your computer plugged into the Target port in Arming mode), you'll need to use eth1 as the interface:


The most basic use of the MATCHSTREAM command is to halt execution of a payload until traffic is seen. This demonstration payload will disconnect the Target device if it is seen to connect to a web server


# Title: Matchstream example
# Description: Disconnect the Target device if there is a login attempt on an unencrypted port

# Set bridge mode

# Wait for any basic-auth on port 80
MATCHSTREAM br-lan ANY 'Authorization: Basic' 80

# Jail the target

# Set the LED

Last updated