Detect telnet credentials from CISCO XE router captured packets

Featured Image
Hasan-Uz-Zaman Ashik

Written by Hasan-Uz-Zaman

October 9, 2021

Telnet is not considered a secure protocol because it sends data, including passwords, in plain text over the network. This means that if an attacker were to intercept the data being sent over a Telnet connection, they would be able to see sensitive information, including usernames and passwords, in plain text.

In addition to the lack of encryption, Telnet also has no mechanism for verifying the identity of the server, making it vulnerable to man-in-the-middle attacks. An attacker could intercept the Telnet connection and pretend to be the server, gaining access to sensitive information.

For these reasons, Telnet is not considered a secure protocol and has largely been replaced by secure alternatives such as Secure Shell (SSH) for remote access to servers. SSH provides encryption for all data transmitted over the network, as well as authentication mechanisms for verifying the identity of the server.

Telnet is still being used in small to large enterprises without any encryption for accessing devices remotely. If an organization runs its network privately and relies on Telnet, there is also a possibility that another worker of that organization can see other colleagues’ login credentials.

In this article, I will demonstrate how one can perform this in a CISCO XE router.

The process of capturing packets and analyzing them is pretty straightforward. First, the packet will be captured from the cisco router using a capture point and stored in a configured buffer, and then passed to a remote FTP server that is reachable from the router.


After that capture point will be associated with the buffer.

mon cap point associate CAP_NAME BUFFER_NAME 

To start it and check whether capture is running and packets are being captured::

mon cap point start TAC show monitor capture buffer BUFFER_NAME parameters

To stop it:

mon cap point stop CAP_NAME 

To transfer file from buffer to FTP server:

mon cap buffer TAC export ftp://your_reachable_server_ip/folder_name/filename.pcap 

Optionally the buffer can be cleared after transferring information from the buffer.

mon cap buffer BUFFER_NAME   clear 

Now from any packet capture and visualizing tool like WireShark one can view the telnet-related TCP stream.

Reading captured packets in Wireshark is a straightforward process. Here are the steps to follow:

  1. Launch Wireshark: Open Wireshark and select the interface you want to capture packets from.
  2. Start Capture: Click the “Start” button in the Wireshark interface to begin capturing packets. Alternatively, you can use the “Capture” menu and select “Start”.
  3. Stop Capture: When you have captured enough packets, stop the capture by clicking the “Stop” button or selecting “Stop” from the “Capture” menu.
  4. Browse Packets: Once you have stopped the capture, you will see a list of all the captured packets in the Wireshark interface. You can browse through the packets by clicking on them one by one.
  5. Analyze Packets: To analyze a packet, select it from the list and Wireshark will display the packet details in the lower half of the interface. The details include the packet header and its contents in both hexadecimal and ASCII.
  6. Filter Packets: If you are looking for specific information, you can use Wireshark’s filter capabilities to search for packets based on various criteria. For example, you can filter by IP address, port number, or protocol.
  7. Save and Load Captures: You can save your captures to a file for later analysis. Wireshark supports a variety of file formats, including PCAP, PCAP-NG, and JSON. To load a saved capture, use the “File” menu and select “Open”.

With these steps, you should be able to read and analyze captured packets in Wireshark effectively.


Secure Shell (SSH) is a preferred protocol for secure communication over a network, especially when compared to Telnet. One of the main reasons for this is the security that SSH provides. Unlike Telnet, which sends all data, including passwords, in plain text over the network, SSH encrypts all communication, making it much more secure. This means that even if someone intercepts the data being transmitted, they will not be able to read it as it will be encrypted.

Another reason to use SSH instead of Telnet is the authentication process. Telnet relies on a username and password for authentication, which is not very secure. On the other hand, SSH supports a variety of authentication methods, including the use of public-private key pairs. This provides a much more secure method of authentication, as the private key is not transmitted over the network and cannot be intercepted.

In addition to security and authentication, SSH also provides additional functionality not available in Telnet. For example, SSH supports forward tunneling, which allows you to securely forward traffic from one network to another. It also provides secure file transfers using the SCP (Secure Copy) or SFTP (Secure File Transfer Protocol) protocols.

In conclusion, SSH is a much more secure and functional protocol than Telnet, and should be used whenever possible for secure communication over a network.

You May Also Like…



Network Engineer

Zaman is an aspiring Technical Writer and passionate about software-defined networking (SDN), Network Automation, Ansible, Log data management (Syslog-ng), Python tools, Web Application development (django) etc.

Let's start talking!


Submit a Comment

Your email address will not be published. Required fields are marked *