
A Method for Detecting P2P Botnets Using Data Mining Techniques

Using Data Mining Technique to Detect P2P Botnet

Abstract


A botnet is a group of computers infected with bot malware, and these computers are currently a major threat to Internet security. The attacker first plants the bot malware on ordinary users' computers, then issues commands over the network to control all of the victim machines, carrying out malicious activities such as distributed denial-of-service attacks, theft of private information, or spam distribution. One type of botnet, the P2P botnet, mimics the architecture of P2P software: it uses a multi-controller architecture to avoid a single point of failure, and combines this with encryption so that signature-matching detection techniques lose their effectiveness. However, the operation of a P2P botnet differs from normal network behaviour: it establishes a large number of connections without consuming much bandwidth, so anomaly-based detection can still reveal its presence. This thesis proposes a methodology that uses data mining techniques to detect P2P botnets, implements it in a network environment, and verifies that it can be used to locate the hosts of a P2P botnet. The key approach is to use the inherent differences between P2P botnet behaviour and normal network behaviour as the data mining parameters, which are unaffected by the botnet's use of encryption; the data mining technique then clusters the traffic to make the two easier to distinguish, reaches an acceptable accuracy rate, and thereby identifies the bot-infected computers lurking in the network.

Keywords

data mining, botnet, P2P

Abstract (English)


A botnet is a collection of software agents, or robots, that run autonomously and automatically. Unfortunately it is often associated with malicious software and is becoming one of the main threats to information security. The attacker usually installs the bot via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. One of the botnet types, the P2P botnet, imitates the behavior of P2P software. It makes use of multiple controllers to avoid a single point of failure. In addition, the commands it delivers are encrypted to evade signature detection. Though the operation of a P2P botnet is different from common network behavior, it is characterized by massive connecting without bringing up heavy traffic flow. Consequently, it can be identified by anomaly detection. We are able to apply the clustering technique of data mining to detect the existence of a botnet and find its host. The main idea is to differentiate the botnet behavior from usual network behaviors. We achieve satisfactory precision without decrypting the botnet messages circulating in the network. The result of the experiment shows the applicability of the proposed method.
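The abstract's key observation is that a P2P bot opens many connections to many distinct peers while moving little data, and that this shape can be clustered apart from normal traffic without decrypting anything. The following is an added example written for this page, not code from the thesis: it builds per-host features (distinct peer count, mean bytes per flow) from a constructed set of flow records, runs a small hand-written two-cluster k-means on log-scaled features, and reports the cluster that has the "many peers, small flows" profile. The host addresses, byte counts and the feature choice are all assumptions for illustration; the thesis's actual parameters and clustering algorithm are not stated on this page.

```python
"""Cluster hosts by connection shape to surface P2P-botnet-like behaviour.

Added example (not from the thesis). Features and sample data are constructed.
"""
from collections import defaultdict
import math


def make_flows():
    """Constructed flow records (src_host, dst_host, bytes). Not real capture data."""
    flows = []
    # Two hypothetical hosts with a bot-like shape: many distinct peers, tiny payloads.
    for bot in ("10.0.0.5", "10.0.0.7"):
        for i in range(60):
            flows.append((bot, f"198.51.100.{i + 1}", 150 + (i % 7) * 10))
    # Three hypothetical normal hosts: a handful of servers, large transfers.
    for idx, host in enumerate(("10.0.0.2", "10.0.0.3", "10.0.0.4")):
        for j in range(4 + idx):
            flows.append((host, f"203.0.113.{j + 1}", 50_000 + j * 4_000))
            flows.append((host, f"203.0.113.{j + 1}", 120_000))
    return flows


def build_features(flows):
    """Per source host: (log1p(distinct peers), log1p(mean bytes per flow)).

    Both axes are log-scaled so a 100x difference in bytes does not swamp the
    peer count when computing Euclidean distance.
    """
    peers = defaultdict(set)
    total = defaultdict(int)
    count = defaultdict(int)
    for src, dst, nbytes in flows:
        peers[src].add(dst)
        total[src] += nbytes
        count[src] += 1
    return {
        h: (math.log1p(len(peers[h])), math.log1p(total[h] / count[h]))
        for h in peers
    }


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def kmeans2(points, iters=25):
    """Deterministic 2-means: seed with the host having the most peers and the
    host having the fewest, then iterate until the centroids stop moving."""
    hosts = sorted(points)
    cents = [
        points[max(hosts, key=lambda h: points[h][0])],
        points[min(hosts, key=lambda h: points[h][0])],
    ]
    labels = {}
    for _ in range(iters):
        labels = {h: min((0, 1), key=lambda k: _dist(points[h], cents[k])) for h in hosts}
        new = []
        for k in (0, 1):
            members = [points[h] for h in hosts if labels[h] == k]
            if members:
                new.append((sum(p[0] for p in members) / len(members),
                            sum(p[1] for p in members) / len(members)))
            else:
                new.append(cents[k])
        if new == cents:
            break
        cents = new
    return labels, cents


def suspicious_hosts(flows):
    """Return the sorted hosts in the cluster whose centroid has more distinct
    peers AND smaller flows than the other cluster; empty if no cluster fits."""
    feats = build_features(flows)
    labels, cents = kmeans2(feats)
    if cents[0][0] > cents[1][0] and cents[0][1] < cents[1][1]:
        bot_k = 0
    elif cents[1][0] > cents[0][0] and cents[1][1] < cents[0][1]:
        bot_k = 1
    else:
        return []
    return sorted(h for h, k in labels.items() if k == bot_k)


if __name__ == "__main__":
    for host, feat in sorted(build_features(make_flows()).items()):
        print(f"{host:10s} log_peers={feat[0]:.2f} log_mean_bytes={feat[1]:.2f}")
    print("P2P-like hosts:", suspicious_hosts(make_flows()))
```

The "both conditions" rule in `suspicious_hosts` matters: a busy web proxy also has many peers, but its flows are large, so it is not flagged; a host doing one huge backup has small peer count and large flows and is likewise left alone. On real data the feature set would be tuned per network and the flagged cluster reviewed before any response.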

Keywords (English)

data mining Botnet P2P communication

Cited by


涂國慶 (2011). Research on applying business intelligence to network security [Master's thesis, Tatung University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0081-3001201315111712
