This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to capture telnet traffic in “cooked” (per-line) mode?

0

Hi Experts,

I found these two captures: http://wiki.wireshark.org/SampleCaptures#Telnet

telnet-cooked.pcap (libpcap) A telnet session in "cooked" (per-line) mode.
telnet-raw.pcap (libpcap) A telnet session in "raw" (per-character) mode.

How can I capture traffic just in "cooked" mode?

asked 14 Aug '13, 10:48

jomajo
1335
accept rate: 100%


One Answer:

1

How can I capture traffic just in "cooked" mode?

"Cooked" mode is called linemode, so you'd need to use a Telnet client that supports linemode, talking to a server that supports linemode, with the client configured, if necessary, to use linemode, and capture while those clients are communicating.

z/OS's Telnet server apparently supports linemode and advertises it when you connect to it. The OS X telnetd man page implies that it can be compiled with linemode support; it's probably a fairly standard BSD Telnet server, so that probably applies to many other UN*Xes as well, but I don't know whether that's the way it's compiled on OS X or any other UN*Xes. I don't know what other servers do.

The OS X telnet man page says

 Once a connection has been opened, telnet will attempt to enable the
 TELNET LINEMODE option.  If this fails, then telnet will revert to one of
 two input modes: either ``character at a time'' or ``old line by line''
 depending on what the remote system supports.

and it's probably just a fairly standard BSD Telnet client, so recent Telnet clients on other UN*Xes probably also support it. I don't know what other clients do.

answered 14 Aug '13, 13:35

Guy Harris ♦♦
17.4k335196
accept rate: 19%

thanks Guy,

I would like to use the PuTTY telnet client with Cisco IOS devices. I can see "double-characters" (client-to-server, and server-to-client).

That is not very nice to read :)

(15 Aug '13, 05:53) jomajo

Sounds like a job for, err, umm, Wireshark. Perhaps PuTTY and IOS are negotiating linemode on, and PuTTY's doing local echo, but they're not negotiating echo off, so that IOS is doing remote echo.

(15 Aug '13, 09:36) Guy Harris ♦♦
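
An added example, not part of the original thread: a small Python parser that reads the bytes of each direction of a Telnet session (for instance exported from a capture) and reports whether LINEMODE and remote ECHO ended up negotiated on, which is the check suggested in the last comment. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: telnet option negotiation summary. Byte strings are constructed.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO, LINEMODE = 1, 34                     # RFC 857, RFC 1184 option codes
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

def negotiations(data: bytes):
    """Yield (verb, option) for each IAC DO/DONT/WILL/WONT in one direction."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:   # ordinary data byte
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in VERBS and i + 2 < n:
            yield VERBS[cmd], data[i + 2]
            i += 3
        elif cmd == SB:                    # skip IAC SB ... IAC SE body
            i += 2
            while i < n - 1 and not (data[i] == IAC and data[i + 1] == SE):
                i += 2 if data[i] == IAC else 1   # IAC IAC is escaped data
            i += 2
        else:                              # IAC IAC or another 2-byte command
            i += 2

def option_on(offerer: bytes, peer: bytes, option: int) -> bool:
    """True if offerer's last word was WILL and the peer's last word was DO."""
    offer = [v for v, o in negotiations(offerer) if o == option and v in ("WILL", "WONT")]
    reply = [v for v, o in negotiations(peer) if o == option and v in ("DO", "DONT")]
    return bool(offer and reply) and offer[-1] == "WILL" and reply[-1] == "DO"

def summarize(client: bytes, server: bytes) -> dict:
    return {
        "linemode": option_on(client, server, LINEMODE),  # client WILL, server DO
        "remote_echo": option_on(server, client, ECHO),   # server WILL, client DO
    }

# Constructed sample streams (not taken from the wiki captures).
COOKED_CLIENT = bytes([IAC, WILL, LINEMODE, IAC, DONT, ECHO]) + b"show version\r\n"
COOKED_SERVER = bytes([IAC, DO, LINEMODE, IAC, SB, LINEMODE, 1, 1, IAC, SE,
                       IAC, WONT, ECHO])
RAW_CLIENT = bytes([IAC, WONT, LINEMODE, IAC, DO, ECHO]) + b"s"
RAW_SERVER = bytes([IAC, DO, LINEMODE, IAC, WILL, ECHO]) + b"s"

if __name__ == "__main__":
    print("cooked:", summarize(COOKED_CLIENT, COOKED_SERVER))
    print("raw:   ", summarize(RAW_CLIENT, RAW_SERVER))
```

A result with `linemode` false means the session is not in linemode, whatever the client's settings say; `remote_echo` true means the server is echoing input back, and a client that also echoes locally then shows every character twice.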