Embodiments locate a botmaster on a network. A honeynet host is configured to join a botnet and generate a watermarked packet flow by applying a watermark to an outgoing packet flow in response to commands from the botmaster. The watermark is applied to the outgoing packet flow by: choosing distinct packets from the outgoing packet flow; forming packet pair(s) from the distinct packets, that include a reference packet and an encoding packet; and encoding bits in the watermark to the packet pair(s) by increasing the length of the encoding packet when watermark bits have a predetermined value. The cooperating node(s) are configured to: inspect passing packet flows for the watermarked packet flow and generate tracking information related to detection of the watermarked packet flow. The path determination processor is configured to analyze the tracking information to locate a path taken by the watermarked packet flow.