P2P Bot Detection based on Behavior Analysis (以行為模型為基礎之P2P Bots偵測)

Advisor: 田筱榮

Abstract


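Botnets are one of the major threats to information security today. Once a bot has been implanted, a user's computer becomes the attacker's puppet, and the attacker can direct the botnet to carry out malicious activity such as stealing personal data, launching DDoS (distributed denial-of-service) attacks, and sending large volumes of spam. Centralized botnets have already been discussed extensively, while decentralized botnets have received less attention; however, decentralized botnets are showing a trend toward wider deployment, so it is necessary to strengthen research on them and the defense mechanisms against them. A decentralized botnet has no central control server: every node that joins the botnet is both a server and a client. This differs considerably from the common centralized management model, so the original centralized detection techniques must change, and more research is needed to stop this type of malware from spreading. P2P bots are one of the many kinds of bots attackers use; they have the characteristics of a decentralized P2P architecture and their traffic is mixed in with that of ordinary P2P software. We therefore observe and analyze the packets of P2P software, identify the differences between normal P2P software and P2P bots, build a model of normal P2P behavior, and compare host traffic against the model to determine whether the host is infected with a P2P bot.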

Keywords

Intrusion detection; botnet; P2P bot

Parallel Abstract


Botnets have become one of the primary threats to the security of cyberspace. Compromised computers implanted with bot malware are controlled by bot herders to launch all kinds of cyber attacks. In recent years, the operation model of botnet control has evolved from centralized IRC or HTTP botnets to decentralized P2P botnets. Botnets adopting the new P2P communication model give bot herders the capability to deliver attack commands from any node in a P2P botnet. Hence, the existing botnet detection or defense mechanisms based on the centralized operation model are not effective in deterring the threats resulting from P2P botnets. A new detection method for P2P botnets is in demand. With the assistance of existing mechanisms capable of distinguishing P2P network flows from other types of network traffic, the remaining task of distinguishing P2P botnet communication from legitimate P2P applications can be carried out by establishing network flow models of legitimate P2P applications and conducting runtime verification against all P2P communication flows. In this study, the set of characteristic descriptors that can serve this purpose is identified. Model values of the characteristic descriptors of legitimate P2P applications are obtained through analysis of network flows.
