Who really knows what are the protocols used in the local network? Usually with netflow you can distinguish traffic per l4 port (80=http,443=https,..) but this is no more sufficient. Some applications use dynamic ports (see nfs, ftp, routed sap, …), several applications use the same ports, how can we distinguish them?
Applications grow and change really fast (like all stuff in IT world) and it is not easy to keep your netflow analysis tool aligned with this evolution.
Ntopng is able to automatically detect the applications that are generating the traffic without having to define and use filters.