With Torch, I don't see a way.
Plan B: Use /tool/sniffer instead, with which you can stream to Wireshark.
how do i know who initiated the connection? Is it always SRC ?
For a SYN-only attack, the source IP could be spoofed. Only once the connection is established can you trust that the source IP is real.
For UDP and other datagram protocols, it's always possible to spoof the source address. This is in these protocols' nature.
there was more traffic going on than just an attemp to establish a connection.
In that case, it may be justifiable to class it as a SYN flood, not as an actual attack on Telnet. The actual port number isn't important in this case.
i tried to set up dns DoH and still see port 53 coming up on the SRC. Does that mean DoH does not work?
You should bring that up in a separate thread. Let's not get side-tracked here.