The MATCHSTREAM command inspects network traffic for activity on the specified ports which matches a regular expression. The payload will be paused until matching traffic is found.

Options

The MATCHSTREAM command expects several options:

  MATCHSTREAM [interface] [direction] [expression] [port] ... [portN]
  

Interface

MATCHSTREAM requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.

Direction

MATCHSTREAM requires a direction: it can match on CLIENT requests, SERVER responses, or packets in ANY direction.

Expression

MATCHSTREAM matches on a basic regular expression.

This expression can be as simple as the text to match, such as "Authorization: Basic", or a more complex pattern such as "[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}" to match four groups of four digits.
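An added example, not part of the original documentation: it dry-runs the two expressions above against constructed payload lines so you can see what would and would not trigger before using them in a payload. It goes slightly beyond the text by showing case sensitivity and unanchored matching. `grep -E` stands in for the matcher (an assumption; MATCHSTREAM's own engine may behave differently), and the function names, variable names and the two alternative expressions are made up here.

```shell
#!/bin/bash
# Added example: grep -E stands in for the MATCHSTREAM matcher (assumption).

# Constructed sample payload lines, not captured traffic.
SAMPLES='GET /admin HTTP/1.1
Authorization: Basic ZXhhbXBsZTpleGFtcGxl
authorization: basic ZXhhbXBsZTpleGFtcGxl
Authorization: Bearer constructed-token
ref=1234-5678-9012-3456
order=12345-6789-0123-45678
date=2024-01-02'

# Expressions from the text above.
EXPR_BASIC='Authorization: Basic'
EXPR_DIGITS='[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}'

# Alternative variants constructed for comparison (not from the original page).
EXPR_BASIC_ANYCASE='[Aa]uthorization: [Bb]asic'
EXPR_DIGITS_BOUNDED="(^|[^0-9])${EXPR_DIGITS}([^0-9]|\$)"

# matching_lines EXPR: print the sample lines the expression matches.
matching_lines() {
    printf '%s\n' "$SAMPLES" | grep -E -- "$1" || true
}

# count_matches EXPR: print how many sample lines the expression matches.
count_matches() {
    printf '%s\n' "$SAMPLES" | grep -E -c -- "$1" || true
}

# report EXPR: show the hit count and the lines that would trigger.
report() {
    printf 'expression: %s\nhits: %s\n' "$1" "$(count_matches "$1")"
    matching_lines "$1" | sed 's/^/  /'
}

for expr in "$EXPR_BASIC" "$EXPR_BASIC_ANYCASE" "$EXPR_DIGITS" "$EXPR_DIGITS_BOUNDED"; do
    report "$expr"
done
```

The literal header text misses the lower-case header line, and the unbounded digit expression also fires inside the longer digit run on the `order=` line.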

Ports

MATCHSTREAM can match any number of ports.

Return values

MATCHSTREAM will exit when a packet matching the expression is seen on one of the monitored ports.

MATCHSTREAM will print the port pairs which caused the match (source and destination of the packet).

Experimenting

You can experiment using the MATCHSTREAM command live, either in the Web Shell in the web UI, or via ssh!

Demonstration of the MATCHSTREAM command

To experiment with traffic from a Target device (such as your computer plugged into the Target port in Arming mode), you’ll need to use eth1 as the interface:

Demonstration matching on the Target port

Examples

The most basic use of the MATCHSTREAM command is to halt execution of a payload until matching traffic is seen. This demonstration payload will disconnect the Target device if it is seen to connect to a web server on port 80 with an "Authorization: Basic" header.

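  #!/bin/bash
  #
  # Disconnect the Target once 'Authorization: Basic' is seen on port 80

  # Bridge mode, so Target traffic passes through br-lan
  NETMODE BRIDGE

  # Pause here until the expression matches on port 80, in either direction
  MATCHSTREAM br-lan ANY 'Authorization: Basic' 80

  # Disconnect the Target device from the network
  NETMODE JAIL

  # Blink the LED red, very fast, to show the payload has triggered
  LED R VERYFAST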