nowadays using tor by botnet developers is bringing risk to tor network. the use hidden service feature in tor network ,install their IRC server and by hiding behind relays,packet encryption and  layers of tor, control and command botnets and use them for attacks.

1.i am researching about any possibility if i can differentiate between botnet traffic and normal tor network traffic by sniffing and analysing network traffic at gateway of my campus.

2.any idea about this technique: i run a botnet in my computer (sandbox) attach a script to it(developed by myself) ang let botneet works. the botmaster (hacker) receives botnet report( after it pass by 2 relays) and my script runs in his computer and sends me his system information.

3. have a question about tor network structure: how many nodes are between user A 9 outside tor) and user B( in internet but outside tor) ? i dont their communication will pass by two nodes(relay) but what other node? how does hidden service provide service to them? any authentication stuff?

sorry if its not related to this mailing list.