How to Analyze Network Protocols, Learn More >>

Being able to support more than 300 protocols in the latest version, Capsa Network Sniffer make it easy to analyze protocols in network and understand what is happening.

Recommend Network Analysis Software >>

RFC 854
RFC 855
RFC 857

TELNET is the terminal emulation protocol of TCP/IP. Modern TELNET is a versatile terminal emulation due to the many options that have evolved over the past twenty years. Options give TELNET the ability to transfer binary data, support byte macros, emulate graphics terminals, and convey information to support centralized terminal management.

TELNET uses the TCP transport protocol to achieve a virtual connection between server and client. After connecting, TELNET server and client enter a phase of option negotiation that determines the options that each side can support for the connection. Each connected system can negotiate new options or renegotiate old options at any time. In general, each end of the TELNET connection attempts to implement all options that maximize performance for the systems involved.

In a typical implementation, the TELNET client sends single keystrokes, while the TELNET server can send one or more lines of characters in response. Where the Echo option is in use, the TELNET server echoes all keystrokes back to the TELNET client.

Dynamic Mode Negotiation

During the connection, enhanced characteristics other than those offered by the NVT may be negotiated either by the user or the application. This task is accomplished by embedded commands in the data stream. TELNET command codes are one or more octets in length and are preceded by an interpret as command (IAC) character, which is an octet with each bit set equal to one (FF hex). The following are the TELNET command codes:

Commands Code No.
Dec Hex
data     All terminal input/output data.
End subNeg 240 FO End of option subnegotiation command.
No Operation 241 F1 No operation command.
Data Mark 242 F2 End of urgent data stream.
Break 243 F3 Operator pressed the Break key or the Attention key.
Int process 244 F4 Interrupt current process.
Abort output 245 F5 Cancel output from current process.
You there? 246 F6 Request acknowledgment.
Erase char 247 F7 Request that operator erase the previous character.
Erase line 248 F8 Request that operator erase the previous line.
Go ahead! 249 F9 End of input for half-duplex connections.
SubNegotiate 250 FA Begin option subnegotiation.
Will Use 251 FB Agreement to use the specified option.
Won’t Use 252 FC Reject the proposed option.
Start use 253 FD Request to start using specified option.
Stop Use 254 FE Demand to stop using specified option.
IAC 255 FF Interpret as command.

Each negotiable option has an ID, which immediately follows the command for option negotiation, that is, IAC, command, option code. Following is a list of TELNET option codes:

Option ID
Dec Hex
Option Codes Description
0 0 Binary Xmit Allows transmission of binary data.
1 1 Echo Data Causes server to echo back all keystrokes.
2 2 Reconnect Reconnects to another TELNET host.
3 3 Suppress GA Disables Go Ahead! command.
4 4 Message Sz Conveys approximate message size.
5 5 Opt Status Lists status of options.
6 6 Timing Mark Marks a data stream position for reference.
7 7 R/C XmtEcho Allows remote control of terminal printers.
8 8 Line Width Sets output line width.
9 9 Page Length Sets page length in lines.
10 A CR Use Determines handling of carriage returns.
11 B Horiz Tabs Sets horizontal tabs.
12 C Hor Tab Use Determines handling of horizontal tabs.
13 D FF Use Determines handling of form feeds.
14 E Vert Tabs Sets vertical tabs.
15 F Ver Tab Use Determines handling of vertical tabs.
16 10 Lf Use Determines handling of line feeds.
17 11 Ext ASCII Defines extended ASCII characters.
18 12 Logout Allows for forced log-off.
19 13 Byte Macro Defines byte macros.
20 14 Data Term Allows subcommands for Data Entry to be sent.
21 15 SUPDUP Allows use of SUPDUP display protocol.
22 16 SUPDUP Outp Allows sending of SUPDUP output.
23 17 Send Locate Allows terminal location to be sent.
24 18 Term Type Allows exchange of terminal type information.
25 19 End Record Allows use of the End of record code (0xEF).
26 1A TACACS ID User ID exchange used to avoid more than 1 log-in.
27 1B Output Mark Allows banner markings to be sent on output.
28 1C Term Loc# A numeric ID used to identify terminals.
29 1D 3270 Regime Allows emulation of 3270 family terminals.
30 1E X.3 PAD Allows use of X.3 protocol emulation.
31 1F Window Size Conveys window size for emulation screen.
32 20 Term Speed Conveys baud rate information.
33 21 Remote Flow Provides flow control (XON, XOFF).
34 22 Linemode Provides linemode bulk character transactions.
255 FF Extended options list Extended options list.

Vulnerabilities for this protocol (from CVE)

CVE ID Protocol Source Port Targetport
Description: Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.
Description: Telnet allows a remote client to specify environment variables including LD_LIBRARY_PATH, allowing an attacker to bypass the normal system libraries and gain root access.

TCP/IP Protocols: