Network attacks, especially APT attacks, generally use the captured devices as a springboard, and use the subordinate controlled devices to carry out attacks, while the attacker’s identity is hidden in the network. Botnets led by Mirai usually use C&C servers to control bots. There are often multilevel control relations among bots, so the anomaly detection of a single node is often difficult to solve the problem. This paper proposes a botnet visualization analysis system of multilevel control relations, which filtrates the control nodes through the flow characteristics, sorts out the control behaviors, and exports the relational data through the graph database to realize visualization, so as to intuitively find the multilevel control relations between nodes, find out the springboard nodes, so as to trace the botnet and find out the hidden botmaster nodes.Key words botnet; network flow; behavior analysis; multilevel control relations; visualization