# MATCHSTREAM

The `MATCHSTREAM` command inspects network traffic for activity on the specified ports which matches a [regular expression](https://regex101.com/).  The payload will be paused until matching traffic is found.

{% hint style="info" %}
Regular expressions can be difficult, but powerful.  They allow searching for complex patterns in a stream.  Sites such as <https://regex101.com/> can help explore the power of regular expressions.

`MATCHSTREAM` uses the `ECMASCRIPT` regular expression flavor.
{% endhint %}

## Options

The `MATCHSTREAM` command expects several options:

```
MATCHSTREAM [interface] [direction] [expression] [port] ... [portN]
```

### Interface

`MATCHSTREAM` requires a network interface.  Typically on the Packet Squirrel this is `br-lan`, the virtual interface which connects the Ethernet ports.

### Direction

`MATCHSTREAM` requires a direction: it can match on `CLIENT` requests, `SERVER` responses, or packets in `ANY` direction.

### Expression

`MATCHSTREAM` matches on a basic [regular expression](https://en.wikipedia.org/wiki/Regular_expression).

This expression can be as simple as the text to match, such as `"Authorization: Basic"`, or a complex match such as `"[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}"` to match four groups of four digits.
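
The following is an added example, not part of the Packet Squirrel documentation, for checking expressions offline before putting them in a payload. It runs the two expressions above, plus two hypothetical variants, against constructed payloads, using JavaScript's `RegExp` as a stand-in for the ECMAScript flavor. It assumes `MATCHSTREAM` searches case-sensitively anywhere in the stream; all sample data and names are constructed.

```javascript
// Added example: try MATCHSTREAM-style expressions against constructed payloads.
// Assumption: JavaScript's RegExp stands in for the ECMAScript flavor named above.

// Constructed sample payloads (not captured traffic).
const SAMPLES = {
  basicAuth: 'GET /admin HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n',
  lowerCaseHeader: 'GET /admin HTTP/1.1\r\nhost: example.test\r\nauthorization: basic dXNlcjpwYXNz\r\n\r\n',
  fourGroups: 'POST /pay HTTP/1.1\r\n\r\nnumber=1234-5678-9012-3456&cvv=000',
  longDigitRun: 'GET /track?id=991234-5678-9012-345677 HTTP/1.1\r\n\r\n',
};

// The two expressions from the page, plus two hypothetical variants.
const EXPRESSIONS = {
  pageBasic: 'Authorization: Basic',
  anyCaseBasic: '[Aa]uthorization: [Bb]asic',
  pageDigits: '[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}',
  boundedDigits: '(^|[^0-9])[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}([^0-9]|$)',
};

// Return the names of the samples an expression matches anywhere in the payload.
function matchingSamples(expression, samples = SAMPLES) {
  const re = new RegExp(expression); // no flags: case-sensitive, unanchored search
  return Object.keys(samples).filter((name) => re.test(samples[name]));
}

// Build a coverage table: expression name -> matched sample names.
function coverage(expressions = EXPRESSIONS, samples = SAMPLES) {
  const table = {};
  for (const [name, expr] of Object.entries(expressions)) {
    table[name] = matchingSamples(expr, samples);
  }
  return table;
}

console.log(coverage());
```

The page's digit pattern also fires inside a longer digit run, and the literal header text misses a lowercase header; the two variants show one way to handle each case.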

### Ports

`MATCHSTREAM` can match any number of ports.

## Return values

`MATCHSTREAM` will exit when a packet matching the expression is seen on the monitored ports.

`MATCHSTREAM` will print the port pairs which caused the match (source and destination of the packet).

## Experimenting

You can experiment using the `MATCHSTREAM` command live, either in the Web Shell in the web UI, or via `ssh`!

<figure><img src="https://932701053-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F520JUF2JxB2RMXztRVAV%2Fuploads%2FaG6k8Inb16W14lanME5u%2FScreenshot%20from%202023-02-14%2013-44-15.png?alt=media&#x26;token=fa8188a0-05f5-4a9b-969f-2d465ffb195c" alt=""><figcaption><p>Demonstration of the MATCHSTREAM command</p></figcaption></figure>

To experiment with traffic from a Target device (such as your computer plugged into the Target port in Arming mode), you'll need to use `eth1` as the interface:

<figure><img src="https://932701053-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F520JUF2JxB2RMXztRVAV%2Fuploads%2F2aOsD8S6xjYskUV4tGD2%2FScreenshot%20from%202023-02-21%2017-50-58.png?alt=media&#x26;token=cc9ddb81-30d4-4345-9d08-da604304e646" alt=""><figcaption><p>Demonstration matching on the Target port</p></figcaption></figure>

## Examples

The most basic use of the `MATCHSTREAM` command is to halt execution of a payload until traffic is seen.  This demonstration payload will disconnect the Target device if it is seen to connect to a web server on port 80 using Basic authentication:

```bash
#!/bin/bash 

# Title: Matchstream example
#
# Description: Disconnect the Target device if there is a login attempt on an unencrypted port

# Set bridge mode
NETMODE BRIDGE

# Wait for any basic-auth on port 80
MATCHSTREAM br-lan ANY 'Authorization: Basic' 80

# Jail the target
NETMODE JAIL

# Set the LED
LED R VERYFAST

```
