So say Joe is an important person and has been placed under surveillance. All of his connections to node A are timestamped and logged. Given that you know Joe connected to Node A, you really only have to look at 5999 C 2 possible paths = 17,991,001, or about 18 million paths. Very tractable.

So from all exit nodes that are monitored from the traffic bursts in that 5 second window, calculate delta t from Joe's connection to node A at t0 to the first burst of data coming from the 1000 exit nodes. From this calculation 100ms<dt_Joe<400ms

Go to the lookup table for Node A connections to those 1000 exit nodes and cross out any paths that have dt A->C < 100ms and dt A->C > 400ms This should bring your 2 million possible paths down to tens of thousands, then rank them by the distance of dt_joe to dt_model. A -> B_j -> C_k dt_model dt_observed From the top 100 closest rankings ( smallest absolute difference | dt_model - dt_model | , examine the connections from Node A to middle Node B_j and see if any of those node A connections match with the top 100 paths. If so you now have the complete path. If not look at the top 200. This would weed the paths from 10^4 down to maybe 100 or so.

Then from these 100 possible connections observe what they do and correlate this to things you already know about Joe and his habits. This should weed the connections down to 2 or 3. If all three of the connections happened inside of the surveillance grid ( pass through listening posts (logged routers) along their path) then all of this analysis could be performed, probably automated and within a day or two.