Operator On The Wire

TELNET Tunneling

Telnet used for covert communication, tunneling, or data exfiltration — often on non-standard ports or IPv6


Hunting

Statistics → Conversations → TCP
Statistics → Endpoints → IPv4
Statistics → Endpoints → IPv6
Statistics → Protocol Hierarchy


Red Flags

  • Telnet observed in modern environment
  • Telnet running on non-standard port (e.g. 9999)
  • Large data transfer over Telnet
  • Human-readable or encoded blobs inside session
  • IPv6 Telnet where IPv6 is not deployed
  • Long-lived interactive sessions

Filters

# All Telnet traffic (only packets Wireshark decoded as Telnet: port 23 unless "Decode As" is set)
telnet

# Traditional Telnet port
tcp.port == 23

# Telnet on suspicious high port
tcp.port == 9999

# Telnet not on 23 (broad hunt): byte-string match on the literal "telnet" in the TCP payload
# (e.g. banners); it does not decode the protocol, so pair it with "Decode As" on hits
tcp.port != 23 && tcp contains "telnet"

# IPv6 Telnet
ipv6 && telnet

# Host scoped Telnet
telnet && ip.addr == <suspect_ip>
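The display filters above find candidates; the red flags still have to be applied per session. The following Python is an added example (not code from this knowledge base) that scores constructed flow records against those red flags by looking for Telnet IAC option negotiation (IAC, then WILL/WONT/DO/DONT, then an option byte) in the first payload. The record fields (src, dst, port, ipv6, bytes, seconds, first_payload) and the thresholds are assumptions for this example.

```python
# Telnet negotiation commands: IAC (0xFF) is followed by WILL 0xFB, WONT 0xFC, DO 0xFD or DONT 0xFE
IAC, WILL, DONT = 0xFF, 0xFB, 0xFE

def has_telnet_negotiation(payload: bytes) -> bool:
    """True if the payload carries an IAC option negotiation (IAC, WILL..DONT, option byte)."""
    return any(payload[i] == IAC and WILL <= payload[i + 1] <= DONT
               for i in range(len(payload) - 2))

def telnet_red_flags(flow: dict, ipv6_deployed: bool = False,
                     large_bytes: int = 1_000_000, long_seconds: int = 3600) -> list:
    """Return the red flags from the page that a session trips; [] if it is not Telnet-like."""
    if not has_telnet_negotiation(flow["first_payload"]):
        return []
    flags = ["telnet-observed"]                       # Telnet in a modern environment at all
    if flow["port"] != 23:
        flags.append(f"nonstandard-port:{flow['port']}")
    if flow["bytes"] >= large_bytes:                  # large transfer: tunneling / exfiltration
        flags.append("large-transfer")
    if flow["ipv6"] and not ipv6_deployed:            # IPv6 Telnet where IPv6 is not deployed
        flags.append("ipv6-telnet")
    if flow["seconds"] >= long_seconds:               # long-lived interactive session
        flags.append("long-lived-session")
    return flags

def hunt(flows: list, **thresholds) -> dict:
    """Map 'src->dst:port' to its flag list for every flow that tripped at least one flag."""
    result = {}
    for flow in flows:
        flags = telnet_red_flags(flow, **thresholds)
        if flags:
            result[f"{flow['src']}->{flow['dst']}:{flow['port']}"] = flags
    return result

# Constructed sample flows (assumed field names); first_payload is the first client/server bytes.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "port": 23, "ipv6": False, "bytes": 4_200,
     "seconds": 90, "first_payload": b"\xff\xfd\x18\xff\xfd\x20"},           # DO TERMINAL-TYPE, DO TSPEED
    {"src": "10.0.0.7", "dst": "203.0.113.10", "port": 9999, "ipv6": False, "bytes": 48_000_000,
     "seconds": 7200, "first_payload": b"\xff\xfb\x01\xff\xfb\x03login: "},  # WILL ECHO, WILL SGA
    {"src": "2001:db8::5", "dst": "2001:db8::9", "port": 23, "ipv6": True, "bytes": 900,
     "seconds": 30, "first_payload": b"\xff\xfd\x01"},                       # DO ECHO
    {"src": "10.0.0.8", "dst": "198.51.100.4", "port": 443, "ipv6": False, "bytes": 3_000_000,
     "seconds": 5, "first_payload": b"\x16\x03\x01\x02\x00\x01\x00"},        # TLS record, not Telnet
]

if __name__ == "__main__":
    for session, flags in hunt(SAMPLE_FLOWS).items():
        print(session, flags)
```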