Capturing and Analyzing Telnet Traffic
A Description of Telnet a Text Based Computer Protocol
Telnet is a network protocol used in LAN or via the web to provide bi-directional interactive text-oriented communication framework using virtual terminal connection. Data is interspersed in-band with Telnet control information, usually in an 8-byte oriented data communication over TCP. Telnet program runs on a computer and connects you PC to a server on the network. Commands are entered into Telnet program and can execute them as if they were entering them directly on the server console. This implies that you can control the server and communicate with other servers on the network (Sloan, 2001).
Telnet traffic refers to a user command and an underlying TCP/IP protocol used for accessing remote computers. Actually, telnet is a mechanism of gaining access to remote computers using command prompts. Through the use of Telnet, an administrator can access someone’s computers remotely permitting access of his data or applications. On the web, HTTP and FTP protocols allow a remote user to request specific files from the remote computer other than being logged on as that computers user. By using Telnet, you log on as a regular user with whatever privileges granted to access specific data and applications. A Telnet command that requests user information over the net may look like this: telnet. Smithspc.t. Com. The result is an invitation to log on with a username and password prompt, of which if accepted, you will be logged on as any other valid user on that computer. Telnet find its applications in computer programming and any other user who find it necessary to use data and applications located at a particular host computer. These uses may be genuine or intruders (Wikipedia, 2013).
A Brief History in Telnet and why it no Longer Thrives
Telnet was initially developed in 1969 to serve as a sharing protocol for academic institutions and large private and government facilities. Security at that time was not a concern but after bandwidth explosion of the 1990s, it became apparent that telnet could not be utilized in the same way anymore. The increase in the number of people accessing the internet, as well as the number of users and hackers with ulterior motives necessitated encryption mechanism. As a matter of fact, computer security experts such as SANS Institute have recommended discontinuation of Telnet for remote logins under all circumstances. This can be attributed to the following reasons:
Telnet, by default, do not employ any encryption mechanism and data sent over its networks can be accessed by third parties through eavesdropping methods. Any user accessing a router, switch, hub, or gateway located on the network between the two hosts where Telnet is utilized can intercept the packets in transit and obtain login details using a packet analyzer such as Wireshark. Usernames and passwords obtained can be utilized for malicious purposes.
Second, most Telnet implementations have no authentication that ensures communication is mutually carried out between the two desired hosts and that no interception can be guaranteed midway. Third, over the years, several security loopholes have been discovered in widely used Telnet daemons (Wikipedia, 2013).
Telnet a thing of the past while SSH is Reigned King
These security shortcomings have provided a leeway for the rapid abandonment of Telnet protocol especially over the public internet. In my opinion Telnet has been abandoned in favour of SSH due to its lack of extensions to support Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL) that addresses security issues. Most of Telnet implementation lacks sufficient extensions to solve security issues, thereby, making SSH the de facto protocol for most purposes.

Telnet, Navigation and Configuration via Administrator Command Line
In order to discuss how Telnet traffic is captured and analyzed, there is need to understand how Telnet is used to perform tasks. Telnet has various command lines and interactive features to access it. Launching Telnet for example can be done by typing <server name> + Enter. Because of the way Telnet works, it is advisable to launch it using Administrator command line. This may request passwords to gain entry (Learning, 2011).
Telnet has an interactive terminal that is suitable for quite a number of needs. Typing ? + Enter can be used to see a list of available commands in Microsoft command prompt. The advantage of using the interactive command prompt is that it is easy to configure Telnet options, you can type Set? +Enter to explore the options. For instance, to make Telnet session secure the following command prompts is used: Set NTLM +Enter. To remove NTLM authentication, you type Unset NTLM +Enter. The ability to reset settings is nice and to explore how Telnet is configured the command D + Enter is used. Many configuration settings are based on the type of Windows version used and the particular settings i.e. settings is not configured or is in toggled off mode.
To create a connection in interactive mode, you use O<Server Name> +Enter> . There may be a warning message concerning sending your password in the clear. Typing Y + Enter affirms it and navigates you to the standard Telnet prompt at the server. Regaining access to the client side prompt is achieved by pressing Ctrl+ (Sanders, 2007).
Capturing and Analyzing Network Traffic via Wireshark
Going to the security section of Telnet, network administrators sometimes prefer to manage their network hardware such as switches and routers using Telnet, while others would rather not. In order to view security issues associated with Telnet a utility network that sniffs the packets on the network is required. Wireshark utility is the perfect choice for this task because it does the job efficiently while at the same time enjoys support from different platforms. Wireshark is downloaded and installed together with WinPcap utility.
In order to sniff Telnet traffic with Wireshark, Wireshark needs to be configured at the outset so that it knows what traffic to capture. Configuring Wireshark to local interface and inserting the name of the network adapter to monitor will allow it to monitor and capture anticipated traffic. The type of traffic to sniff on the interface should be specified as Telnet under Filter Name and port 23 in the Filter string option (Sloan, 2001).
When a server connection is initiated, Wireshark is able to generate and monitor packets. The issue with Telnet is that usernames and passwords used by the remote user are exposed to sniffers. Wireshark can determine the direction of flow of Telnet information. For instance in the screen shot below, information is flowing from the client 192.168.137.131 and clicking on the first entries will display information about the Telnet data (Sanders, 2007). Telnet has an interactive terminal that is suitable for quite a number of needs. Typing ? + Enter can be used to see a list of available commands in Microsoft command prompt

However, in this case, the option entry tells the server that the client won’t forward authentication credentials. This is because with this system, the server already has my authentication credentials and in other scenarios Telnet requests and exposes user authentication including passwords and usernames. By using command prompts numerous packets are generated even with a single letter as displayed in Wireshark. Each action in Telnet creates more packets each of which can be easily sniffed by anyone using Wireshark or any other sniffing application. With this approach any intruder can precisely learn what a user is up to at any instance (Orzach, 2013).
On the part of a network administrator, Telnet provides better mechanisms to manage network traffic and determine how employees are using the company’s network. This is beneficial in utilizing network resources and at the same time preventing rogue employees from conducting unauthorized activities on the network. For instance, employees tend to waste a lot of time on unproductive activities which drive the organization to losses. Thus, Wireshark is an important tool for network administrators in capturing and analysing traffic especially, bandwidth, and other user activities.
On the part of the user, however, Telnet traffic analysis and monitoring is not a good practice because of the security vulnerabilities it exposes to users. User credentials can be retrieved and used to institute attacks and other unfavourable activities. Most organizations and business like to keep customer and employee data confidential and secret. If Telnet protocol is used, it makes it hard to guarantee safety of these parameters (Sloan, 2001).
Telnet and SSH are two protocols that serve the same purpose. Both of them are used for interactive access to Unix accounts. The only difference is that telnet traffic is transmitted without any kind of encryption while data in SSH is encrypted before transmission. It, therefore, becomes of concern transmitting personal information such as credit card number to an online retailer that does not employ SSL encryption. In the same way, it is highly recommended that telnet should not be used to access FAS accounts. By using Telnet, passwords and usernames are transmitted in plain text meaning that any malicious party or hacker can access it. FAS accounts are a major risk to networks and are always the prime sources of network intrusions and denial of service attacks (Learning, 2011).
Capturing and Analyzing Network Traffic via Tcdump
Another tool used to capture and analysis Telnet traffic is tcpdump. Tcpdump is a program developed at the University of California Berkely and was originally used to analyze TCP/IP performance issues. The universality of tcpdump makes it a compelling choice because it works on a variety of platforms. Its capture software lipcap is utilized by many programs including proprietary programs and the capability to use the same program on all or most programs present unparalleled benefits. Tcpdump is text based and is run remotely using a Telnet connection. It biggest demerit is it’s lacks of an analysis capability. Nevertheless, a user can capture traffic, move it to a local machine and analyze it using another tool (O'Reilley's, 2002).
Tcpdump can be run on a number of ways. The problem arises from planning phase where the user has to decide whether to use the host on which tcpdump is running to generate traffic in addition to capturing it, how much traffic to be accommodated and how to determine that the traffic captured is the required one. Solutions have been crafted around the issue of dealing with overwhelming Telnet traffic. Using tee and script, a user can view and record output from a Unix session (O'Reilley's, 2002). In a Windows platform, using multiple Telnet connections to a host or window allows the user to record in one window and takes actions to generate traffic in another window. Telnet and SSH are two protocols that serve the same purpose. Both of them are used for interactive access to Unix accounts. The only difference is that telnet traffic is transmitted without any kind of encryption while data in SSH is encrypted before transmission.
An alternative is the use of a probe computer connected using telnet. The sessions could be logged with many of the telnet versions known. However, Telnet connections generate sizeable traffic which in essence becomes the log files. Without a filtering tool, it becomes difficult to deal with it. Additional traffic also results in overloaded connections and subsequent loss of some packets. This can introduce a big problem especially when monitoring and capturing was intended to improve security and prevent intrusions and denial of service attacks.
Although tcpdump presents another option for capturing traffic, it requires secondary programs for analysis phase. Filtering devices can be used to determine what kind of traffic to be monitored and captured. However, filters are not adequate. Some filters exclude Telnet sessions between two hosts (O'Reilley's, 2002). In compound filters for instance, in order to capture all Telnet traffic between lnxl and bsdl, a fourth term in the negation detailing the ephemeral port to be assigned by telnet should be specified.