Surprisingly measuring legitimate Telnet usage may be even harder than measuring attacks! Getting representative metrics of benign src-dst endpoint pairs while controlling neither approaches impossibility, especially since at global scale it’d be mixed with (I suspect) orders of magnitude more attack traffic. Best you could probably do is measure on a clean-ish ISP like a university network.