https://www.herbiez.com/?p=784 One thing to note is that the traffic mentioned above was captured while my VM was still up and running with this fresh infection. That is most likely why we have such a long list of IP addresses using port 8080. For the traffic in the PCAP that used port 443, I used the following tshark command to pull out every packet going to TCP port 443:
tshark -r <capture.pcap> -T fields -e ip.dst -e tcp.dstport -Y "tcp.dstport eq 443"
(substitute the path of your own PCAP for <capture.pcap>; -T fields prints one tab-separated line per matching packet, here the destination IP and the port 443)
Once I had that, I cut the separator (a tab in -T fields output) and the trailing 443 off each line, which left just the raw IP addresses. I saved those to a new file and used cat with some other pipes to reduce them to the unique IP addresses, which gave me the following list:
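The post-processing described above, written out as an added example (this is not the original post's script): a small POSIX shell pipeline that takes the tab-separated output of the tshark command, strips the port column, and prints the unique destination IPs, plus a per-destination count that shows which 443 endpoints the infected VM talked to most. The sample tshark output and the addresses in it are constructed from the documentation ranges and are not the IPs from the original capture.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Post-process the tab-separated output of
#   tshark -r <capture.pcap> -T fields -e ip.dst -e tcp.dstport -Y "tcp.dstport eq 443"
# into a list of unique destination IPs and a per-IP connection count.

# unique_dests: reads tshark field output on stdin, prints each ip.dst once.
# -T fields separates fields with a tab; field 1 is ip.dst, field 2 is 443.
# cut drops the port column, sort -u dedupes the addresses.
unique_dests() {
    cut -f1 | sort -u
}

# dest_counts: prints "count ip" pairs, busiest destination first, so you can
# see which 443 destinations the infected VM hit most often.
dest_counts() {
    cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample of what tshark prints for the command above
# (hypothetical addresses from the documentation ranges, not the post's real IPs).
sample_output() {
    printf '203.0.113.10\t443\n198.51.100.7\t443\n203.0.113.10\t443\n192.0.2.55\t443\n203.0.113.10\t443\n'
}

# Run against the sample. Against a real capture, replace sample_output with:
#   tshark -r <capture.pcap> -T fields -e ip.dst -e tcp.dstport -Y "tcp.dstport eq 443"
sample_output | unique_dests
sample_output | dest_counts
```

Because the display filter already pins the port to 443, you can drop `-e tcp.dstport` from the tshark command and skip the `cut` step entirely; it is kept here so the pipeline matches the two-column output the post works from.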