Some liquid answers were given to you. Malware does not use any specific protocols, they use everything that is available to legitimate software, with the exception of those animals that use data exchange based on OSCAR, IRC, and so on.
The most logical move is to use intrusion detection systems. Snort, Suricata, Bro. Snort, for example, is already old, the community is huge + long and hard development = easy to use, easy to configure, a lot of manuals and guides. A big plus of Snort is a huge rule base for detecting malicious packets in traffic, there are rules that are freely distributed, there are commercial rules that you need to buy, but in most cases, if you do not protect state secrets, then those that are published in the public domain will suffice (they must be timely update). For details google IDS or IPS and read on.
Since detection systems work on rules, they have a drawback - if the rule is not written for something specific, then this something will float by the SOA. Therefore, it makes sense to periodically look through traffic analyzers to see what is happening on the network. There is such a thing as IOC (indicator of compromise), based on them you can generate rules for detection systems yourself, these indicators are published in the public domain on many resources, for example https://www.threatminer.org/ . You catch traffic - check for IOC entry into it, generate the corresponding rule.

You take the IP, do a reverse lookup - you get a list of DNS names, all long names from unknown domains are malicious traffic.

Install a host with SNORT and wrap your mirrored traffic on it.