In this paper we propose a hierarchical framework for detecting and characterizing any types of botnets on a large-scale WiFi ISP network. In particular, we first analyze and classify the network traffic into different applications by using payload signatures and the cross-associations for IP addresses and ports. Then based on specific application community (e.g. IRC, HTTP, or Peer-to-Peer), we present a novel temporal-frequent characteristic of flows that leads the differentiation of malicious behaviors created by bots from normal network traffic generated by human beings. We evaluate our approach with over 160 million flows collected over five consecutive days on a large-scale network and preliminary results show the proposed approach successfully detects the IRC botnet flows from over 160 million flows with a high detection rate and an acceptable low false alarm rate.